Who gets blamed when employee data’s hacked?

Insurance giant Aetna was recently sued by employees after their personal data was stolen by hackers. Did the court hold the company liable?

In May 2009, Aetna’s online job application Web site was hacked. The site contained e-mail addresses of 450,000 applicants, Social Security numbers of current and former employees, and SSNs, phone numbers, addresses and employment histories of people who had received job offers from Aetna.

Aetna learned of the breach after getting complaints from applicants and employees about receiving phishing e-mails from the hackers. The e-mails claimed to be from Aetna and asked the applicants to send more personal information to complete the application process.

As soon as it learned of the breach, the company sent letters to anyone who might be affected, warning them to watch their bank statements for signs of fraud and to ignore e-mails asking for personal information. Aetna also offered to pay for a year’s worth of credit monitoring.

One employee sued the company and asked the court to approve a class action suit. But the judge dismissed the case. Why?

Because the employee didn’t suffer any injury as a result of the breach — he was only exposed to “an increased risk” of identity theft, the judge said.

To hold the company liable for a data breach, the court ruled, the employee would have to show he suffered actual financial damage.

Of course, the best legal protection would be to avoid data breaches in the first place. But in this case, Aetna helped avoid a costly lawsuit by quickly notifying potential victims and offering the credit monitoring service.

What’s the best way to respond to a data breach? The Better Business Bureau outlines these steps:

  1. Create a breach notification policy
  2. Train employees to recognize breaches
  3. Gather the facts immediately after a breach
  4. If financial info was taken, notify appropriate financial institutions
  5. Talk to outside counsel, and
  6. Notify affected employees.

Cite: Allison v. Aetna


  • Gary

    Actually, I am surprised it was dismissed. The company didn’t know about it until victims brought it to their attention. To then send letters warning of a breach is like the old barn doors saying. Had they used an IDS and known upfront and informed employees then I could see possibly letting them off the hook, but in this case I believe it should have moved forward to win or lose on the merit of the arguments.

  • Joe

    There is no valid reason for an employer to require applicants to provide a Social Security number until an actual offer of employment is made. Period. Employers continue to use the SSN as a crutch for identification purposes, and hang onto it LONG after it’s clear that the applicant is not going to be an employee.

    Add to that, there is no valid reason for a publicly-accessible site to have access to current and former employees’ personal data. Period. That information needs to be kept under lock and key, in an internally-accessed location only, and only accessible to a select few. Once the company is no longer engaging in any sort of financial transaction with that person, the records of their SS # should be destroyed.

    Perhaps the suit should have been thrown out, but the employees and applicants should get a summary judgment against Aetna for being just plain lackadaisical with its handling of such sensitive personal data. If corporations can hide behind the skirts of HIPAA and USA PATRIOT Act requirements, among others, then they should also be liable when data is breached because of their mishandling of it.