Thomas Zeno and Lindsay Holmes wrote a great article over at TechRepublic. You should really dig into it, because it provides excellent ammo for a bigger IT security budget. They started out with:
Data security laws and penalties: Pay IT now or pay out later
"The federal and state laws governing data privacy exact severe penalties on organizations that do not implement appropriate data security measures. Make sure you know what's at stake.
"AvMed recently paid $3.5 million to settle a data breach lawsuit in which class members could not prove actual damage. Will your organization be next? Plaintiffs' lawyers, as well as federal and state governments, are likely to file "unjust enrichment" claims against organizations that do not ensure safe transmission and storage of personal data. Whether your organization handles financial or medical data, the price of IT compliance may be high, but the price of non-compliance is even higher.
"In 2009, AvMed, a Florida-based health insurer, reported the theft of two laptops containing unencrypted personal information of more than 1.2 million customers, including names, Social Security numbers, and health-related information. Class-action litigation began in 2010. Based on the October 2013 settlement agreement, AvMed is required to implement data security measures it should have had in the first place, including mandatory security awareness training, new password protocols, upgrades to laptop security systems, facility security upgrades, and updates to security policies and procedures, all of which are set out in Health Insurance Portability and Accountability Act (HIPAA) regulations (45 CFR § 164).
"The striking part of the settlement requires that AvMed also forfeit the "unjust enrichment" it has received over the years by not spending sufficiently for the data security it should have provided. AvMed will reimburse "premium overpayments" of $10 for each year the customer paid AvMed insurance premiums, with a $30 cap for each approved class member, without a showing of actual harm. In addition, AvMed will pay actual, proven losses due to identity theft.
"The AvMed settlement proves that now is the time to implement data security measures that will protect your company, your patients, and your customers in the future. Although experts predict that data losses are likely inevitable, damage to your organization does not have to occur. Lost data does not automatically become a data breach. In AvMed's case, for instance, encryption would have rendered the stolen information unreadable and no breach would have occurred.
"By implementing data security measures already suggested or required, your organization can avoid a host of problems. Whether your organization handles personal information now, or may do so in the future, federal and state laws are likely to set the standard by which unjust enrichment claims will be made and damages calculated. Below are examples of what is expected."

Read the rest of the article at TechRepublic.