Not in the view of the Oregon Supreme Court, which said in the Providence case, "We are aware of no other jurisdiction that has allowed recovery for negligent infliction of emotional distress in circumstances where the alleged distress is based solely on concern over the increased risk that a plaintiff's personal information will, at some point in the future, be viewed or used in a manner that could cause the plaintiff harm."
Of course, the California law doesn't require proof of damages. It imposes the $1,000 simply for proof of violation of the CMIA. And Kabateck notes that the theft of digital data can be very damaging indeed. "If somebody broke into a building and stole records, that's one person looking at them," he says. "On the Internet, it's the whole world. It can affect the ability of people to get jobs, insurance -- things like that."
Kabateck says he doesn't think such suits will become a long-term trend. "I don't think we will be doing this 10 years from now, because corporations will realize there is a cost to screwing up," he says.
Eric Cowperthwaite, CISO of Providence Health & Services, agrees, noting that the average cost per record breached so far has been about $150. "When it more than quintuples to $1,000, that is significant," he says. But he adds that the concern is not just monetary. "I know a lot of health-care security leaders, and every one of them is concerned with protecting patient data," he says.
Still, these cases will undoubtedly be watched closely in other states. An estimated 18 million confidential patient records have been breached in just the past two years, providing the potential for billions in damages. Cowperthwaite says a suit against Sutter Health is of particular interest, since the magnitude of the breach was 4.24 million people, with potential liability to Sutter at $4.5 billion, including attorney fees.
And Romanosky says plaintiffs are "trying everything" to succeed in data-breach suits. "We identified over 86 unique causes of action (from only 231 cases) for essentially the same event: the unauthorized disclosure of personal information," he says.