He says a colleague took part in a survey where 38% of companies in the medical and financial industries admitted to being knowingly out of security compliance.
But, he says, everybody knows, including judges, that 100% security on the Internet simply does not exist. Indeed, there are endless examples of breaches of companies that are in compliance, which makes it much more difficult to prove negligence.
"There is a requirement for reasonable security measures," he says, "but there is a difference in the nature of attacks between the physical and digital world. Today, they change daily, if not hourly. They can be very sophisticated."
Kabateck agrees with that much. "I'm not pursuing cases where there isn't negligence," he says, "but there is disregard for security protocols in many cases. If there is an intervening criminal act, that is a different story."
There are other reasons these cases may not be the proverbial layup for the plaintiffs. The Oregon Supreme Court recently struck down a class-action suit against Providence Health Systems that had been settled six years ago, finding no evidence that any of 365,000 patients whose data had been on disks/tapes that were stolen from a Providence employee's car had suffered any financial loss or other adverse consequences.
That, Sabett says, may be a problem with the California law. "I'm not opining on whether this is good or bad," he says, "but there may be a flaw in the presumption that every single person has suffered $1,000 in damages."
He notes that virtually all companies offer mitigation to their customers. "I haven't worked on a breach case in more than four years where the company has not offered free credit monitoring," he says, "and banks and credit companies issue a new card for free."
Sasha Romanosky, of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University, is a co-author of a paper published in February titled "Empirical Analysis of Data Breach Litigation," which found that the odds of a company being sued in federal court were six times lower when it offered free credit monitoring to customers whose information was breached.
"It tends to make them less angry, and also cuts the knees out of a legal claim of damages," he says.
There may be cases where embarrassment or even professional damage from the disclosure of things like names, height, weight, smoking history, blood pressure, patient account numbers, treatment dates, lab results, diagnosis codes and billing charges could cause damages of far more than $1,000.
"But are you going to presume that for everyone?" Sabett asks.