Judge Says Don't Sweat The Data Leaks

from the thanks-for-looking-out dept

Fri, Apr 14th 2006 1:30pm — Carlo Longino

A judge in Minnesota ruled last month that Wells Fargo wasn't negligent in a recent data leak when a contractors' laptop was stolen -- not because they took adequate precautions to prevent the leak, but rather because the thieves never used any of the data. The bank was sued by two customers, whose claim for damages was rejected because they couldn't show they'd actually been harmed, which on one level, makes sense. But to say that Wells Fargo or its contractor wasn't negligent in storing customer data unencrypted on a laptop is a stretch. A court ruled in a similar case earlier in the year (also in US District Court in Minnesota) that a company wasn't liable because it had taken "reasonable" precautions to protect data, which, in the case, included storing unencrypted information on a laptop. So with that standard, and this new ruling that says companies are negligent not when unencrypted information is stolen, but only if it's used, do legal consequences give companies much motivation to actually bother to protect customer information in a meaningful way? Of course not. So basically, if customer information gets stolen by a thief that just wants to hawk the laptop, companies have nothing to worry about -- but why should their negligence be defined by the actions of the thief, and not on the actual theft itself?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

23 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

mercifuljes, 14 Apr 2006 @ 2:36pm

it dosent matter if the data was used against customers or not, that type of data should not have been stored on a laptop to begin with.
Wells fargo is obiviusly negligent.
[ link to this | view in chronology ]
- aixkami, 15 Apr 2006 @ 1:02pm
  
  Re:
  I would agree that they were negligent, but data like that *can* be stored on a laptop, provided the drive is encrypted - we use Pointsec which encrypts the entire contents of a drive as you work, so that if the laptop is lost or stolen, you don't have to worry what was stored on it. Given the relative low cost of encryption software, compared with the value of the data contained on the laptop, I think this just exacerbates their irresponsibility and negligence. Another example of consumers being screwed at the hand of big business. The consumer data may not have been used, but it is probably only a matter of time. Many identity thefts don't occurr right away.
  [ link to this | view in chronology ]
- The Serenity, 17 Apr 2006 @ 6:43am
  
  Harumph
  Well, I would like to know what they are defining as customer data. Are they talking about a customer upload IP, are they talking about a spreadsheet of networks available in wells, WAN interfaces things of that nature. Or. Are we talking about real customer information such as SSN, DOB, CC# and so on.. I would think that the type of information that is defined combined with how it was used after the fact would determine this.
  
  That being said.... Worst case if they get bob's info is that bob my suffer identity theft. Now if they have a network computer (probably with VPN) and use something like an LSA cracker or some other canned toy.... well now that would be something to kick someone in the ****s for...
  Most companies do not encrypt laptops though most companies usually keep mapped drives on the network for the purpose of storing that kind of data in a place less easy to access.
  [ link to this | view in chronology ]
Jezsik, 14 Apr 2006 @ 2:54pm

Hmmm
I have to admit that I can see the judges point (although I disagree with him). Imagine you build a bridge with no guard rails (there's no law stating you must have guard rails) Someone falls off the bridge but doesn't get hurt. Are you negligent? What if there was a law but it didn't indicate how big and strong the rails had to be? You put up a bit of rail but someone still falls off, but doesn't get hurt. How can you be negligent? Of course if someone DOES get hurt ... well, that's different case, isn't it?
[ link to this | view in chronology ]
- Metal Guy, 15 Apr 2006 @ 7:58pm
  
  Re: Hmmm
  Actually, there is a building code in place in most localities that states that any pedestrian walkway where there is more than a 30-inch drop-off requires a guardrail that is 42" high and won't allow a 4-inch sphere to pass through it at any point. They also specify that these rails must resist a 200-pound point load and a 50-pound-per-foot distributed load. Although failure to adhere to these codes is not a criminal act, it does not absolve a fabricator of these rails from responsibility in the event of an accident. So you don't go to jail when a kid falls through a hole in the rail, but you DO lose the lawsuit for $XX million.
  [ link to this | view in chronology ]
- Dylan, 16 Apr 2006 @ 7:33am
  
  Re: Hmmm
  Great analogy!
  [ link to this | view in chronology ]
Jazz (profile), 14 Apr 2006 @ 3:50pm

I think in Jezsik's analogy it's more accurate to say "what if someone sues the bridge builder for mental anguish from fear of falling off the bridge".
Wells Fargo are definately negligent, but I don't think that people that have not been harmed by such mitigating factors should benefit financially when they haven't actually been affected by it.
[ link to this | view in chronology ]
andy slimelicker, 14 Apr 2006 @ 3:51pm

I have to agree with the first poster, you just dont put unencryptd data ANYWHERE, especially data of this nature.
poster #2's bridge rail analogy just dosent make any sense to me.
[ link to this | view in chronology ]
mercifuljes, 14 Apr 2006 @ 3:52pm

"I don't think that people that have not been harmed by such mitigating factors should benefit financially when they haven't actually been affected by it."

Quoted for truth.
[ link to this | view in chronology ]
Fred, 14 Apr 2006 @ 4:03pm

The judge didn't rule that Wells Fargo wasn't negligent. He ruled there were no damages, so there were no grounds to bring an action. Do you really want to give our out of control trial attorneys the ability to sue for potential damage?
[ link to this | view in chronology ]
EsotericWombat, 14 Apr 2006 @ 4:51pm

There is such a thing as punitive damages-- the jury handing back a number that will make it too expensive for the given party, in this case Wells Fargo, to continue it's negligent behavior.
[ link to this | view in chronology ]
Levent, 14 Apr 2006 @ 6:17pm

They haven't been harmed so far. But what if the data was actually circulated and will cause a harm in the future. How can the future damage is guaranteed by this decision. Do the plaintiffs have a recourse to come back to court again. And why should they have to bear the burden of linking such possible future damage to the actions of WF?
[ link to this | view in chronology ]
donald Robertson, 14 Apr 2006 @ 7:42pm

The word Negligence has two meanings in court
In court the word negligence means two things. Negligence the claim (what you get sued for) requires that your negligence(screwing something up) caused the plaintiff damage. Wells fargo certainly seems like they acted negligently, but in order to get sued for that their negligence would have actually had to cause damages.
[ link to this | view in chronology ]
Late Bum, 15 Apr 2006 @ 1:11am

Donald has the right of it. Even though the company acted in an inappropriate manner by storing sensitive data in an insecure environment, it DOES matter if the customers were harmed or not. You can't just assume an arbitrary amount of harm given the worst-case scenario. To what extent does the harm go?

Unfortunately, being stupid isn't against the law... although it probably should be.

I think another suit in the future could be brought if harm is shown.
[ link to this | view in chronology ]
PenguinPete, 15 Apr 2006 @ 8:16am

He doesn't bank at Wells Fargo
There are several obvious point to make here. The first is that the judge doesn't have even a basic understanding of technolog and how simple it is to encrypt data. The resolution to this situation would be to contact your state represenatives and lobby for laws on how personal and financial data is handled.

The second point is that the judge is not a Wells Fargo customer, if he was he would have to recuse himself, but also he has never had any of his financial data lost by a financial institution, otherwise he would have been a little more concerned.

My wife was one of the people who's data was on the laptop. She was contacted by Wells Fargo and they gave her free credit checks for two years. There haven't been any problems with her account (I believe the theft actually happened several years ago), but if there are how do we prove the theives got the information from the laptop. Pretty much impossible, I guess that is the problem that the plaintives had.
[ link to this | view in chronology ]
Adam, 15 Apr 2006 @ 12:30pm

How difficult is it to read data when you have access to the computer, encrypted or not? If the guy who owned the laptop could get at the data, then it's likely not overly hard for anyone who stole the laptop. Biggest risk is biometric encryption, which would put the kibosh on thieves stealing the data. Anything else could be broken with a password cracker.
[ link to this | view in chronology ]
Japan girl, 16 Apr 2006 @ 2:23am

Wells Fargo is Negligent and will not acknowledge
Yeah I think it is pure negligence. The bridge analogy isn't so compatible because he or she was not paying for the bridge service, and the agreement was not made that it would safely carry the user across the river. At Wells Fargo or any other financial institution, your privacy is paramount and an agreement is made. Having personal unencrypted data outside of the premise is straight negligence to the customer's privacy. Bottom line, the customer has placed trust in ensuring the bank manages personal finance data and information and regardless of what happens the bank should be liable. Really, what kind of bank would go, "Sorry dude, some thief just swipped your money from your account." We cannot do anything about it. That's just simply bad service and untrustworthy.

I am not exactly sure what the appropriate conclusion would be though. After all, I doubt some common thief used the personal data for his or her gain. But I would think that more appropriate and necessary measures should be taken to gain back the trust of their clients. I think the judge should have awarded some kind of penalty for a violation in the customer's privacy contract. Really that is the only way for the company to learn and where you really want the law to extend to at its maximum. It is also sad that the company didn't settle at all under some halfway point to express their apologies. However, laws should not be in place to forcefully tell the bank to encrypt their data, but they should have ruled for a violation of a contract.

I am glad it ended up here at techdirt though, because I will not use Wells Fargo after this story.
[ link to this | view in chronology ]
Rich, 16 Apr 2006 @ 5:49am

The Judge wouldn't
be thinking that if his information was on that laptop. As a secuirty professional there is a lot of risks to that. I don't agree with the judges decision on this considering mobile computing (laptops) should not be the medium for transpoting customer data. There are laws governing transport/secuirty (Sarbanes/Oxley) and FISMA regs that shul have been followed here.
[ link to this | view in chronology ]
giafly, 16 Apr 2006 @ 6:11am

By the Judge's Logic
...it's OK for Wells Fargo execs to take a dump out of their office windows, so long as the people walking below are lucky enough that the shit misses them.
[ link to this | view in chronology ]
elaine, 17 Apr 2006 @ 12:43am

I guess the judge has a point-technically. Despite of that, one should take note that companies should protect data given to them by customers because failure to do so would result to neglect and negligence. Its good news that no harm has been done to the stolen data but one could not predict the course of things in the years to come.
[ link to this | view in chronology ]
ex Wells Fargo employee, 17 Apr 2006 @ 11:22am

breathe a sigh of relief
I worked for 1 1/2 years at WF (until last fall) and in late 2004 IIRC they started putting Pointsec on every machine.
[ link to this | view in chronology ]
Dan, 6 Sep 2006 @ 8:18am

August 28 Notification of another employee data le
Wells Fargo performed an audit of employee benefits that concluded by allowing the auditor to loose the employee data for thousands of employees via the UNENCRYPTED laptop and disks of the auditor.

The letter I have received detailed the loss and offered 1 year of credit reporting paid for by Wells Fargo. HOWEVER........

Since my children's ssn and other information was available I think they should provide many more years due to the risk and their complete stupidity.
[ link to this | view in chronology ]
ACS Law Solicitors, 29 Sep 2010 @ 12:00pm

How to con you.
Mr Shaun Baker
Dr. Grasso Str. 27
33104 Paderborn
Germany

By Email and Post

Dear Shaun

File Sharing Litigation – An Overview

I thought it might help if I summarise how the file sharing arrangements work in this country, so that you can have a better overall picture of everything.
In England, the work we carry out for the copyright owner (“Claimant” or “your company”) is divided into two distinct categories: contentious and non-contentious work. A description of each, in terms of the work we do for you, is set out below :-
Non-Contentious Work
We obtain the data from the data supplier, Evidenzia, and send it to the internet service providers (“ISPs”).
ISPs will generally refuse to give the names and addresses out initially and it will therefore be necessary to apply to the court for an order to compel the ISPs to disclose those names and addresses. The work needed to do this is in fact contentious work and is therefore described in more detail below, under the heading ‘Contentious Work’ and in our separate retainer letter for contentious work (“the Contentious Retainer”).
The court will usually allow the ISPs at least twenty eight days to disclose the data (and often more, if there are a large number of IP addresses against which names and addresses need to be disclosed).
Once we have received the names and addresses from the ISPs, we then write the letters of claim (“Letters of Claim”) to the alleged infringers (or uploaders) of your company’s copyright.
Those infringers that are likely to pay normally do so within one to three months of receipt of a Letter of Claim, once they have had all of their questions answered. That leaves a hard core contingency who do not pay and in relation to which we need to consider bringing test cases in the courts.
The monies collected from the infringers will be shared out in accordance with the revenue sharing agreements described in the retainer letter for non-contentious work (“the Non-Contentious Retainer”) after the deduction of usual disbursements described below and set out in more detail in the document entitled ‘Terms of Engagement’. We will invoice you for professional fees equivalent to the share of such proceeds due to us in accordance with our usual practices and deduct those fees from monies collected from infringers (so nothing will usually be directly payable by your company). There will be a small amount of disbursements incurred by us (eg in relation to photocopying, which are charged at cost to the parties (taking into account the paper, toner and wear and tear), postal, courier and taxi charges, the court fee (currently £80) and on rare occasions, professional translation charges) and our one-off set up fee. Occasionally, there could be an expert or barrister’s fee as well, if a UK expert’s report is needed on the monitoring software or the matter became complex, but we would advise you of this in advance and agree any charges with you before incurring them. Our charges are therefore not payable in advance and, as stated above, will be deducted from the monies collected from the infringers before sharing out between the three parties (your company, Evidenzia and ourselves).
Contentious Work
There are three categories of contentious work involved in file sharing litigation:
obtaining a disclosure order from the court to compel the ISPs to release the names and addresses. This work will be covered by our Contentious Retainer.
The test cases, which need to be brought against the infringers (or “defendants”, once court proceedings have been issued) and which will be carried out on a “no win, no fee” basis under the Collective Conditional Fee Agreement (“CCFA”) (see separate document).

Any work which your company may instruct us to carry out in relation to:
challenging any order for costs made against ISPs, or the level of their charges; or
appealing any decision made by a court against the Claimant arising from a claim made against an infringer.
enforcing any costs orders made against infringers.

For further information about Contentious Work, please see the Contentious Retainer.

Once it becomes clear that some people are not going to pay, we will discuss with you how many cases we will bring on a test case basis before the court. As stated in the Contentious Retainer, we will conduct that litigation on a “no win, no fee” basis. This means that, save in the circumstances set out in on page 3 of this letter (“the Exceptions”), no fees will be due to us where (and in the unlikely event that) the case is lost. Because of the way the CCFA works, no legal fees are chargeable to the Claimant (save in the case of an Exception), but all disbursements are and must be paid by the Claimant. If the Claimant wins, the Claimant (i.e. your company) gets to keep all of the damages (subject to any agreement you may have with Evidenzia to share damages otherwise. We (as solicitors) are only entitled to keep any costs and success fee recovered (see below for more details).
The way this works is that, because we (ACS Law) are taking the risk of not being paid where a case is lost, we are entitled to be rewarded in cases which we win on your behalf with not only payment by the defendant of our charges (defined as our “Basic Charges” in the CCFA), but also a success fee (defined as the “Success Fee” therein). The risk the Claimant, therefore, takes is that one of the Exceptions apply and your company is required, by the regulations which govern CCFAs (“the Regulations”), to pay our Basic Charges, subject to such loss not being covered by a policy of insurance (see below). Note that we will not add a Success Fee to our charges in these rare circumstances.
Accordingly, where we win the case, we are entitled to claim a Success Fee from the defendant equivalent to up to one hundred percent (100%) of the time costs which will be recorded on our files. The defendant will be ordered to pay both our Basic Charges (based on our hourly rates) and the Success Fee. Where the Claimant wins the case but we do not recover our Basic Charges from the defendant, the Claimant will remain in principal liable to pay our Basic Charges, but we agree not to seek to recover either our Basic Charges or a Success Fee from your company.
Please note that, although our Basic Charges should be paid by the defendant, we are again obliged to state in the CCFA (under the heading Payment of the Legal Representative’s Charges and Disbursements), if you win your claim, you pay our Basic Charges, our disbursements and the Success Fee, owing to a rule called the ‘indemnity principle’. That rule states that the Claimant will not be able to recover any fees from the defendant unless the Claimant has initially agreed to pay our Basic Charges. In reality, the defendant will pay our Basic Charges, unless, for some reason, we are unable to recover them from him or her. In those circumstances, as stated above, we will not seek to recover these from your company, although your company is technically liable to pay them to us. Equally, where we recover our Basic Charges from the defendant, but not the Success Fee, we will not seek to claim the Success Fee from you.
The four circumstances set out in the CCFA and/or Contentious Retainer where you will be required to pay our Basic Charges, as they are not covered by the Regulations, are as follows:-
there is a counterclaim against the Claimant;
the Claimant wishes to make an appeal against a final order;
the Claimant instructs us to enforce any judgement obtained against a defendant (see below);
the defendant makes a Part 36 offer which the Claimant rejects and then recovers less damages at trial than were available under the Part 36 offer.

You should also note that, whilst the Claimant will not be liable to pay our Basic Charges and any Success Fee if it loses any case, the Claimant will still remain liable for the defendant’s costs in the unlikely event, under category (a) above, that a court order is made to that effect.

We are unfortunately unable to waive the requirement for you to make payment of our Basic Charges in any of the four circumstances set out above. This is because the Regulations do not permit it. That is part of the (small) risk your company takes in instructing us on a ‘no win, no fee’ basis. Having said that, we are presently trying to finalise a group insurance policy so that, subject to your company paying a small insurance premium for each claim brought against an infringer, the insurance company will pay any charges owing to the defendant and any disbursements paid. We will let you know once we have arranged this and will supply full details at that time. Furthermore, as stated below, these costs should in any event be recoverable from monies we will already have collected for your company from the Non-Contentious Work.

Finally, given the element of risk involved in our firm bringing litigation on your behalf on a ‘no win, no fee’ basis, we reserve the right to review and (if necessary, withdraw) our offer to act on this basis following the expiry of one year following the date of this letter.

Enforcement
It is, of course, open to your company to instruct us to enforce any judgement we obtain against any defendant who does not pay. Since we will have carried out some basic credit checks of any defendant before commencing proceedings against him or her, e.g. to ensure that he or she owns a property worth a minimum amount, is not bankrupt or hugely saddled with debt etc, the prospects should be reasonably good. Other than disbursements which are payable in order to enforce a judgement (such as sheriff’s and court issue fees), since enforcement is not covered by the CCFA, we will need to make a small fixed charge of £250 per enforcement to cover our basic costs, should you instruct us to proceed with enforcement.
Please bear in mind that, in the rare circumstances where we win a case for you but are unable to recover the costs from the defendant, you will already have built up a substantial fighting fund from the letters written to the infringers (approximately 25-30% of the infringers should have paid without recourse to litigation by then) and also in respect of those defendants who we have successfully sued and from whom we have recovered damages and costs. Accordingly, whilst it may seem like you are paying out of your company’s own pocket a small amount of legal fees for cases where we win but have not managed to recover damages and costs from the defendant and need to enforce those costs, your company will not in fact need to supply any monies in advance, since there should be more than enough money sitting in the pot and allocated to your company in order to meet the costs required to do so. Please also note that those costs would be payable out of your company share only, and not out of the joint share of all the parties, as they relate specifically to client costs and the Regulations require that these costs are payable by the client only, in order for the CCFA to remain valid. It is, of course, open to your company to agree separately with Evidenzia how these costs should be shared by both parties.
Examples
Example A: Case Dropped (Costs Insured)
Proceedings are issued against A who has never responded but there is evidence of multiple instances of infringement. Court fee is £300. A then puts in the wireless defence, making it necessary to drop the proceedings in the absence of any further incriminating evidence. Provided the insurance premium of c.£750 has been paid (which is payable by the Claimant only), the wasted court fee of £300, together with any costs incurred by the defendant (eg. his own solicitors’ costs) which a court may order the Claimant to pay (e.g. £500), will be paid by the policy of insurance (where there is no insurance in place, these would be payable by the Claimant only). Total outlay by Claimant: £750. Net gain (or loss): £50.
Example B: Default or Summary Judgement Obtained
Proceedings are issued and default judgement obtained (i.e. defendant does not put in an appearance). Insurance premium is £750 and court fees are £85. Damages of £3,000 and costs of £1,500 are awarded by the court against the defendant.
(a) Defendant Pays:
Total outlay: £835. Net gain (loss) to Claimant: £2,165.
(b) Defendant Does Not Pay:
You instruct us to enforce (£250 fee). Court issue fee is £50 and sheriffs fees are £200.
(i) Defend Pays
Total outlay for Claimant: £1,335. Net gain (loss): £2,165
(ii) Defendant Does Not Pay
Total outlay for Claimant: £585 (insurance premium credited, as insurer has said it will refund premium in these circumstances). Net gain (loss): (£585)
It is hard to guess how at this stage how many people will pay, both after obtaining default judgment and after enforcement, if they don’t pay. However, if we assume that around 50% will pay without the need for enforcement and that 60% will pay after enforcement, we have calculated that, if 100 people are sued, the damages recovered for the Claimant and Evidenzia together will amount to around £280,000, less costs outlay of around £154,000 (including court fees and insurance premiums), resulting in a net gain to the Claimant (subject to any share agreed to be paid to the data supplier, if applicable) of £127,000 (subject to verification and without any warranty on this firm’s part as to the actual amount which would be obtained). This is based on a number of factors and assumptions, further details of which can be provided to you upon request.
I trust the above clarifies any concerns or questions you may have in relation to the file sharing litigation and legal costs. However, should you have any further questions or comments, please do not hesitate to contact me directly. My direct line is +44 20 789 80572 and my email address is HYPERLINK "mailto:andrew.crossley@acs-law.co.uk" andrew.crossley@acs-law.co.uk. Please would you also supply your email address and telephone number, for ease of communication.
I look forward to hearing from you shortly.
Yours sincerely

ACS Law Solicitors
Direct tel: 020 789 80572
Direct email: andrew.crossley@acs-law.co.uk
[ link to this | view in chronology ]