CALIFORNIA COMPUTER THEFT http://inews.berkeley.edu/articles/Apr-May2012/secure-desktop-computers
Secure your desktop computers
February 23, 2012
Computer theft is one of the top three causes of data breach. We recently wrote about how to protect laptops from theft. It's time to focus attention on desktop computer security as well.
Desktop computers that store confidential personally identifiable information should be kept in locked locations. If the computer is located in a work cube, it should have a cable lock. If it is in an office, the office should be locked when not occupied. The more data stored on the computer, the more important physical security measures become. In addition to physical security, the data itself should be encrypted. Locks and encryption software are cheap compared to the legal costs to defend against data breach lawsuits, the costs of officially notifying individuals, and the disruption to routine operations.
Computer theft leads to claim for $944 million
It used to be that when a thief stole property, the property owner was treated as the victim. Not so any longer, based on the recent lawsuit filed against Sutter Health. Last year, Sutter was the victim of a burglary. The thief broke into an administrative office and stole a desktop computer. Unfortunately for Sutter, the computer contained unencrypted medical record data. Complying with the California Breach Notification Law, Sutter notified the affected individuals. The very same day, lawyers filed suit against Sutter in what is now being referred to as a "Zero Day" security breach lawsuit. More than a dozen related legal complaints followed in quick succession.
The initial complaint seeks damages under the California Confidentiality of Medical Information Act. This law includes a provision for statutory damages of $1000 to any individual whose medical information has been breached. The complaint claims that more than 944,000 individual records were maintained on the stolen computer, putting Sutter Health in the position of having to pay out almost $1 billion in damages. Realistically, the case will likely settle for a much lower amount; nonetheless, the potential value of data breach legal cases is rising dramatically.
The California $1000 statutory damage amount has worked its way into the Massachusetts legal system as well. In a recent data breach occurring in the retail industry, the resultant lawsuit cited California's $1000 damage level as setting the benchmark for any breach of personal information. This case is still pending, but if successful may well set a precedent for subsequent breach claims.