The Type of Data in a Data Breach Matters
Two cases illustrate the disparity between settlements involving different types of data. An infamous hacker who goes by the name “Cumbajohnny” was responsible for hacking both T.J. Maxx and Heartland Payment Systems. Data for approximately 130 million credit and debit cards was stolen from Heartland, and more than 45 million credit cards were affected in the T.J. Maxx breach. However, the Heartland settlement was $500,000, despite involving the breach of three times the amount of data, while the T.J. Maxx settlement was valued at $6.1 million. The court’s valuation was based on the type of data breached; Cumbajohnny and his cohort stole identification information from at least 450,000 customers of T.J. Maxx, including Social Security and driver’s license numbers. Although the nominal value of the credit card information was larger for Heartland, considering the threat of identity theft, the real value of the data belonging to the 455,000 people affected in the T.J. Maxx breach was much greater. In fact, eighty-six percent of the T.J. Maxx settlement was attributed to the much smaller number of identity records stolen, and the other fourteen percent to the 45 million stolen card records.
Although identifying information is valuable in settlements, medical records often add the most value to a data breach settlement because they contain deeply personal information. For example, the breach of Advocate Health Care included unencrypted medical records and affected 4.03 million patients. The case settled for $5.55 million and remains the largest HIPAA settlement to date. This case exemplifies the need to keep up with the swiftly evolving digital landscape to protect clients’ information. It may also demonstrate legislative attention to particularly personal and sensitive data. Because data breach cases vary and each one is unique, it is important to evaluate the types of data that were compromised.
By Searcy Denney Scarola Barnhart & Shipley