Insurance giant Aetna was recently sued by employees after their personal data was stolen by hackers. Did the court hold the company liable?
In May 2009, Aetna’s online job application Web site was hacked. The site contained e-mail addresses of 450,000 applicants, Social Security numbers of current and former employees, and SSNs, phone numbers, addresses and employment histories of people who had received job offers from Aetna.
Aetna learned of the breach after getting complaints from applicants and employees about receiving phishing e-mails from the hackers. The e-mails claimed to be from Aetna and asked the applicants to send more personal information to complete the application process.
As soon as it learned of the breach, the company sent letters to anyone who might be affected, warning them to watch their bank statements for signs of fraud and to ignore e-mails asking for personal information. Aetna also offered to pay for a year’s worth of credit monitoring.
One employee sued the company and asked the court to approve a class action suit. But the judge dismissed the case. Why?
Because the employee didn’t suffer any injury as a result of the breach — he was only exposed to “an increased risk” of identity theft, the judge said.
To hold the company liable for a data breach, the court ruled, the employee would have to show he suffered actual financial damage.
Of course, the best legal protection would be to avoid data breaches in the first place. But in this case, Aetna helped avoid a costly lawsuit by quickly notifying potential victims and offering the credit monitoring service.
What’s the best way to respond to a data breach? The Better Business Bureau outlines these steps:
- Create a breach notification policy
- Train employees to recognize breaches
- Gather the facts immediately after a breach
- If financial info was taken, notify appropriate financial institutions
- Talk to outside counsel
- Notify affected employees
Cite: Allison v. Aetna