There I was last Friday morning, attending a cybersecurity conference hosted by the very venerable but also very high tech law firm of Foley and Lardner, awaiting my turn to speak, and the presenter said something about the cost of privacy breaches. At that moment, a news alert popped up on my iPhone: TRICARE Hit With $4.9 Billion Lawsuit. Yes, that's $4.9 Billion dollars with a big fat B. And if something about that number strikes you as familiar, perhaps it was the original report of the breach, which we covered here.
Just to refresh, at some point between the 7th and 14th of last month, unencrypted backup tapes containing personally identifiable information for about 4.9 million people were left in a parked car, from which they were stolen. Now take 4.9 million and multiply it by $1,000 per person and you get $4.9 billion.
Not surprisingly, the Tricare news became a topic of discussion at Friday's conference, which was attended by numerous privacy attorneys including representatives of four companies that have been on the receiving end of Federal Trade Commission scrutiny with regard to privacy and data issues. Such scrutiny can cost many millions of dollars, from the cost of defending the company against legal sanctions, to the effort to comply with a consent decree if it happens (and it has happened to some 60 companies since the landmark Eli Lilly case in 2002, you can read about them on this section of the FTC website).
These dollars are not just legal fees, there are fines, consultant costs, security hardware and software costs, employee security awareness training costs, and the cost of being audited every other year for 20 years. To round things out, consider the opportunity cost of being less adventurous as a company for the two decades during which you live with the risk of violating an FTC consent decree. But in the case of Tricare there is a factor that might outweigh even the formidable FTC: The Tricare lawsuit alleges violations of the Privacy Act of 1974, and those carry severe penalties.
The 1974 Privacy Act is a pillar of privacy law in America because it establishes "a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies." That would seem to include the Tricare tapes since they contained data from electronic health records used at military hospitals, clinics, and pharmacies in the San Antonio area from 1992 through September 7, 2011. The tapes may have included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions.
In bringing suit, the law firm Shulman, Rogers, Gandal, Pordy & Ecker, alleges "intentional, willful and reckless violations of the privacy rights" of the beneficiaries. Further, they claim Tricare "inexplicably failed to properly encrypt the information," and "authorized an untrained or improperly trained individual to take the highly confidential information off of government premises and to leave the unencrypted information in an unguarded car parked in a public location…"
This breach did not need to happen, but at least the lawsuit was filed during National Cybersecurity Awareness Month. If you or your company were not already aware of just how costly it can be to make mistakes when handing personally identifiable data, this big B should change that.
Footnote: CEOs, CIOs, and CPOs of large companies may have noted that the tape was lost whlie it was in the hands of a contractor–namely Science Applications International Corp., better known as SAIC–but the lawsuit does not name the contractor as a defendent, it goes after Tricare, who employed the contractor. However, SAIC could still be impacted by the suit, not least because the relief sought includes banning SAIC from accessing or transporting "any confidential information until an indpendent panel of experts finds that adequate information security has been established and implemented by SAIC." Now that could really cramp SAIC's ability to do business.
Author Stephen Cobb, We Live Security