The Indiana Attorney General recently lodged a claim under the Indiana Deceptive Consumer Sales Act (Indiana Deception Act) that might allow data breach victims to file class action lawsuits against companies and recover $500 or more per person in damages and attorney’s fees.
If successful, this could open the floodgates of litigation against companies who suffer data breaches exposing personally identifying information.
The Indiana Deception Act
The Indiana Deception Act protects consumers from companies who commit deceptive and unconscionable sales acts. Under the Indiana Deception Act, a company “may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction.” For the first time, the Indiana Attorney General recently argued that this Act should apply to data breaches.
The MIE Breach and Litigation
Indiana and eleven other states sued Medical Informatics Engineering, Inc. (“MIE”) in December 2018, following a 2015 data breach. The 2015 data breach involved hackers accessing an MIE web application and stealing the patient data of nearly 4 million individuals.
The lawsuit alleges that MIE failed to implement basic industry-accepted data security measures to protect individual’s protected health information from unauthorized access. In particular, the complaint alleges eleven separate grounds by which MIE allegedly violated the administrative safeguards, technical safeguards, and implementation requirements of HIPAA. Additionally, the Indiana Attorney General also alleged that the MIE security failings were unfair or deceptive acts and violated Indiana’s Deception Act.
Although no court has ever applied the Indiana Deception Act to data breach lawsuits, if the Indiana Attorney General is successful, we could see a wave of litigation against companies who have been breached.
Whether or not this specific claim is successful, the case serves as another cautionary tale that businesses housing personally identifying information of consumers must treat data security as a priority.
Adequate data security requires, among other things, maintaining and implementing up-to-date data security policies and procedures, prioritizing the training of employees, building an incident response plan, and routinely testing and improving the plan.