Punitive Damages SoughtBy Mel Duvall | Posted 2003-03-06 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
When an IBM subsidiary set out to refurbish computers storing data for clients, no one could have anticipated the drama that would follow when a pocket-sized, 30-gigabyte hard drive was reported missing in January.
"Even if that is proven to be the case, the organizations cannot be absolved of neglecting their duties to protect their clients' information," says lawyer Merchant. He plans to recover costs on behalf of clients like Taylor, who says he spent about $1,200 changing bank accounts and obtaining new personal documents. Merchant also plans to seek even heftier punitive damages from the courts.
"Here you have very large, reputable organizations like IBM, Co-operators and Investors Group, and their course of conduct has been totally unacceptable," says Merchant. "They have shown negligence in the way they simply passed off personal information about their clients to a third party, without adequately ensuring its security. The [punitive] award has to say to the corporate world, you cannot show this lack of care with personal information."
Talk of punitive damages and the resulting negative publicity are reasons why companies need strategies to deal with the loss of private information as part of their crisis plans, says Jo-Anne Polak, head of the National Crisis Practice for public relations firm Hill & Knowlton in Ottawa. "In a crisis, you don't scrimp. You spend whatever is required because it can literally mean the life or death of a company," she says.
Direct costs related to the theft of the hard drive already are substantial, but Polak says they dwarf legal and administrative costs to be amassed in the coming months and years. "When you add up all of the hard costs—the mailings, customer service representatives—multiply that by 100 to get closer to the true costs of handling this kind of crisis," she says.
For its part, ISM refuses to answer any questions about the nature of the loss of the hard drive, or what actions it is now taking to protect its customers' data.
Ira Winkler, chief security strategist for Hewlett-Packard of Palo Alto, Calif., and a prime competitor to IBM, says the firms directly involved will learn from the incident, but he's not so certain the outsourcing industry as a whole will take heed. He says companies talk a good game when it comes to protecting their clients' personal information, but when it comes to paying for that security, they're more apt to be "penny-wise and pound-foolish."
"The only unusual thing about this whole incident is that it was reported," adds Winkler. "Things like this happen all the time. It's to their credit that they were able to determine something was missing and actually track it down."