Why Bother With Data Protection?

from the thanks-for-the-help dept

We've pointed out in our coverage of companies' data leaks that there's little incentive for them to spend much time or many resources on data protection, since the repercussions and costs of leaks are minimal. An interesting piece from Security Focus has taken a closer look at a case in which a person sued their student loan company after their information -- along with 550,000 other people's -- was leaked when a contractor's laptop was stolen. The court ruled in favor of the loan company, with the decision resting on whether or not the company had taken "reasonable" precautions to protect data. It's a totally subjective standard that's superficially imposed. As the article points out, the court said that the company had security policies and "safeguards" in place, but never actually examined whether or not they were effective, enforced or proper. Apparently the mere existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data.


Reader Comments



  1. dude, 22 Feb 2006 @ 9:19am

    No Subject Given

    Which is total BS. What they probably mean is that the laptop had a password on it and therefore was "secure." Hopefully this doesn't turn into a trend with other companies that "lose" data...


  2. Nathan, 22 Feb 2006 @ 9:48am

    No Subject Given

    I wonder if it is possible to bill (and then sue when they don't pay) the company for your time spent cleaning up/changing your personal information, credit cards, etc after they leak the info, or you become a victim of identity theft...anyone?


  3. L, 22 Feb 2006 @ 10:07am

    Now you tell me

    Months and years, - policy and practices - enforcement sometime at peril of my employment and now you tell me I could have just said, yep I have a policy here someplace.


  4. Dan Geer, 22 Feb 2006 @ 11:29am

    re: Why bother with data protection

    The reasonable standards rule is established jurisprudential precedent, specifically the "Hand Rule" for assessing liability, named after Justice Learned Hand in U.S. v. Carroll Towing Co., 159 F.2d 169, 174 (2nd Circuit 1947).

    Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL.

    But to be less legalistic, everyone should realize that the absence of liability judgements that sting is a temporary condition and, IMHO, the absence of software liability is likewise a temporary condition. The fraction of corporate wealth that is data is rising (i.e., the valuation of data is rising faster than the valuation of the companies who hold it) and thus all the rules about the prudent man, reasonable care, strict liability, tort, and so forth are all in play and must soon conform to a world in which damage to a data asset can only be treated with equivalent gravity to burning down the factory or selling a defective minivan. The larger law firms are all now fielding data liability or data protection practices and it is raining regulations (viz., new ways you can be found to be liable for someone else's hurt).


  5. Jobe, 22 Feb 2006 @ 11:35am

    How lame

    With as often as this is happening, and to the amount of people, I am surprised that Congress hasn't gotten involved somehow (that I know of anyways), and passing some type of legislation that combats this.


  6. Anonymous Coward, 22 Feb 2006 @ 12:09pm

    Re: How lame

    And when Congress gets involved it will be to set some kind of cap on the liability that companies face due to "data exposure".

    I can see it now. If your data is "exposed", you can file a claim with the corporation responsible and, if your claim is legitimate, you will be entitled to $250.

    Now, you just have to find the "responsible" company ("Oh, wait, that was a subcontractor, not us!"), find the obscure link on their website, file your claim, have it rejected, appeal the rejection, spend hours gathering information about your claim, spend more hours on hold, have your claim approved, wait six months, receive check, deposit check in bank, while at bank find out that your identity has been stolen, threaten to sue bank, bank manager says that your "claim" has already been resolved, realize that you are completely screwed.

    Sound about right?


  7. Anonymous Coward, 22 Feb 2006 @ 2:49pm

    Re: How lame

    You forgot about having the files in the basement stuffed into the bottom of a disused lavatory with a sign on the door saying "Beware of the Leopard!"
    [nods to DNA]


  8. Calien, 22 Apr 2009 @ 6:57am

    Respond

    And you can use tools like discryptor to make your data secure, right?


  9. Mike, 18 Nov 2009 @ 6:52am

    It's not really fair to judge the company's security policy based on this incident. I mean, a man had his laptop stolen. It's not like their network lacked any data protection software or policy, a man was robbed. It's apples and oranges.
