Judge Says Don't Sweat The Data Leaks
from the thanks-for-looking-out dept
A judge in Minnesota ruled last month that Wells Fargo wasn't negligent in a recent data leak when a contractor's laptop was stolen -- not because they took adequate precautions to prevent the leak, but rather because the thieves never used any of the data. The bank was sued by two customers, whose claim for damages was rejected because they couldn't show they'd actually been harmed, which on one level, makes sense. But to say that Wells Fargo or its contractor wasn't negligent in storing customer data unencrypted on a laptop is a stretch. A court ruled in a similar case earlier in the year (also in US District Court in Minnesota) that a company wasn't liable because it had taken "reasonable" precautions to protect data, which, in the case, included storing unencrypted information on a laptop. So with that standard, and this new ruling that says companies are negligent not when unencrypted information is stolen, but only if it's used, do legal consequences give companies much motivation to actually bother to protect customer information in a meaningful way? Of course not. So basically, if customer information gets stolen by a thief that just wants to hawk the laptop, companies have nothing to worry about -- but why should their negligence be defined by the actions of the thief, and not by the actual theft itself?
Reader Comments
Wells Fargo is obviously negligent.
[ link to this | view in thread ]
Hmmm
[ link to this | view in thread ]
Wells Fargo are definitely negligent, but I don't think that people that have not been harmed by such mitigating factors should benefit financially when they haven't actually been affected by it.
[ link to this | view in thread ]
Poster #2's bridge rail analogy just doesn't make any sense to me.
[ link to this | view in thread ]
Quoted for truth.
[ link to this | view in thread ]
The word Negligence has two meanings in court
[ link to this | view in thread ]
Unfortunately, being stupid isn't against the law... although it probably should be.
I think another suit in the future could be brought if harm is shown.
[ link to this | view in thread ]
He doesn't bank at Wells Fargo
The second point is that the judge is not a Wells Fargo customer, if he was he would have to recuse himself, but also he has never had any of his financial data lost by a financial institution, otherwise he would have been a little more concerned.
My wife was one of the people whose data was on the laptop. She was contacted by Wells Fargo and they gave her free credit checks for two years. There haven't been any problems with her account (I believe the theft actually happened several years ago), but if there are, how do we prove the thieves got the information from the laptop? Pretty much impossible; I guess that is the problem that the plaintiffs had.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Hmmm
[ link to this | view in thread ]
Wells Fargo is Negligent and will not acknowledge
I am not exactly sure what the appropriate conclusion would be though. After all, I doubt some common thief used the personal data for his or her gain. But I would think that more appropriate and necessary measures should be taken to gain back the trust of their clients. I think the judge should have awarded some kind of penalty for a violation in the customer's privacy contract. Really that is the only way for the company to learn and where you really want the law to extend to at its maximum. It is also sad that the company didn't settle at all under some halfway point to express their apologies. However, laws should not be in place to forcefully tell the bank to encrypt their data, but they should have ruled for a violation of a contract.
I am glad it ended up here at Techdirt though, because I will not use Wells Fargo after this story.
[ link to this | view in thread ]
The Judge wouldn't
[ link to this | view in thread ]
By the Judge's Logic
[ link to this | view in thread ]
Re: Hmmm
[ link to this | view in thread ]
Harumph
That being said.... Worst case if they get Bob's info is that Bob may suffer identity theft. Now if they have a network computer (probably with VPN) and use something like an LSA cracker or some other canned toy.... well now that would be something to kick someone in the ****s for...
Most companies do not encrypt laptops though most companies usually keep mapped drives on the network for the purpose of storing that kind of data in a place less easy to access.
[ link to this | view in thread ]
breathe a sigh of relief
[ link to this | view in thread ]
August 28 Notification of another employee data le
The letter I have received detailed the loss and offered 1 year of credit reporting paid for by Wells Fargo. HOWEVER........
Since my children's SSN and other information was available I think they should provide many more years due to the risk and their complete stupidity.
[ link to this | view in thread ]
How to con you.
Dr. Grasso Str. 27
33104 Paderborn
Germany
By Email and Post
Dear Shaun
File Sharing Litigation – An Overview
I thought it might help if I summarise how the file sharing arrangements work in this country, so that you can have a better overall picture of everything.
In England, the work we carry out for the copyright owner (“Claimant” or “your company”) is divided into two distinct categories: contentious and non-contentious work. A description of each, in terms of the work we do for you, is set out below :-
Non-Contentious Work
We obtain the data from the data supplier, Evidenzia, and send it to the internet service providers (“ISPs”).
ISPs will generally refuse to give the names and addresses out initially and it will therefore be necessary to apply to the court for an order to compel the ISPs to disclose those names and addresses. The work needed to do this is in fact contentious work and is therefore described in more detail below, under the heading ‘Contentious Work’ and in our separate retainer letter for contentious work (“the Contentious Retainer”).
The court will usually allow the ISPs at least twenty eight days to disclose the data (and often more, if there are a large number of IP addresses against which names and addresses need to be disclosed).
Once we have received the names and addresses from the ISPs, we then write the letters of claim (“Letters of Claim”) to the alleged infringers (or uploaders) of your company’s copyright.
Those infringers that are likely to pay normally do so within one to three months of receipt of a Letter of Claim, once they have had all of their questions answered. That leaves a hard core contingency who do not pay and in relation to which we need to consider bringing test cases in the courts.
The monies collected from the infringers will be shared out in accordance with the revenue sharing agreements described in the retainer letter for non-contentious work (“the Non-Contentious Retainer”) after the deduction of usual disbursements described below and set out in more detail in the document entitled ‘Terms of Engagement’. We will invoice you for professional fees equivalent to the share of such proceeds due to us in accordance with our usual practices and deduct those fees from monies collected from infringers (so nothing will usually be directly payable by your company). There will be a small amount of disbursements incurred by us (eg in relation to photocopying, which are charged at cost to the parties (taking into account the paper, toner and wear and tear), postal, courier and taxi charges, the court fee (currently £80) and on rare occasions, professional translation charges) and our one-off set up fee. Occasionally, there could be an expert or barrister’s fee as well, if a UK expert’s report is needed on the monitoring software or the matter became complex, but we would advise you of this in advance and agree any charges with you before incurring them. Our charges are therefore not payable in advance and, as stated above, will be deducted from the monies collected from the infringers before sharing out between the three parties (your company, Evidenzia and ourselves).
Contentious Work
There are three categories of contentious work involved in file sharing litigation:
obtaining a disclosure order from the court to compel the ISPs to release the names and addresses. This work will be covered by our Contentious Retainer.
The test cases, which need to be brought against the infringers (or “defendants”, once court proceedings have been issued) and which will be carried out on a “no win, no fee” basis under the Collective Conditional Fee Agreement (“CCFA”) (see separate document).
Any work which your company may instruct us to carry out in relation to:
challenging any order for costs made against ISPs, or the level of their charges; or
appealing any decision made by a court against the Claimant arising from a claim made against an infringer.
enforcing any costs orders made against infringers.
For further information about Contentious Work, please see the Contentious Retainer.
Once it becomes clear that some people are not going to pay, we will discuss with you how many cases we will bring on a test case basis before the court. As stated in the Contentious Retainer, we will conduct that litigation on a “no win, no fee” basis. This means that, save in the circumstances set out on page 3 of this letter (“the Exceptions”), no fees will be due to us where (and in the unlikely event that) the case is lost. Because of the way the CCFA works, no legal fees are chargeable to the Claimant (save in the case of an Exception), but all disbursements are and must be paid by the Claimant. If the Claimant wins, the Claimant (i.e. your company) gets to keep all of the damages (subject to any agreement you may have with Evidenzia to share damages otherwise). We (as solicitors) are only entitled to keep any costs and success fee recovered (see below for more details).
The way this works is that, because we (ACS Law) are taking the risk of not being paid where a case is lost, we are entitled to be rewarded in cases which we win on your behalf with not only payment by the defendant of our charges (defined as our “Basic Charges” in the CCFA), but also a success fee (defined as the “Success Fee” therein). The risk the Claimant, therefore, takes is that one of the Exceptions applies and your company is required, by the regulations which govern CCFAs (“the Regulations”), to pay our Basic Charges, subject to such loss not being covered by a policy of insurance (see below). Note that we will not add a Success Fee to our charges in these rare circumstances.
Accordingly, where we win the case, we are entitled to claim a Success Fee from the defendant equivalent to up to one hundred percent (100%) of the time costs which will be recorded on our files. The defendant will be ordered to pay both our Basic Charges (based on our hourly rates) and the Success Fee. Where the Claimant wins the case but we do not recover our Basic Charges from the defendant, the Claimant will remain in principle liable to pay our Basic Charges, but we agree not to seek to recover either our Basic Charges or a Success Fee from your company.
Please note that, although our Basic Charges should be paid by the defendant, we are again obliged to state in the CCFA (under the heading Payment of the Legal Representative’s Charges and Disbursements), if you win your claim, you pay our Basic Charges, our disbursements and the Success Fee, owing to a rule called the ‘indemnity principle’. That rule states that the Claimant will not be able to recover any fees from the defendant unless the Claimant has initially agreed to pay our Basic Charges. In reality, the defendant will pay our Basic Charges, unless, for some reason, we are unable to recover them from him or her. In those circumstances, as stated above, we will not seek to recover these from your company, although your company is technically liable to pay them to us. Equally, where we recover our Basic Charges from the defendant, but not the Success Fee, we will not seek to claim the Success Fee from you.
The four circumstances set out in the CCFA and/or Contentious Retainer where you will be required to pay our Basic Charges, as they are not covered by the Regulations, are as follows:-
there is a counterclaim against the Claimant;
the Claimant wishes to make an appeal against a final order;
the Claimant instructs us to enforce any judgement obtained against a defendant (see below);
the defendant makes a Part 36 offer which the Claimant rejects and then recovers less damages at trial than were available under the Part 36 offer.
You should also note that, whilst the Claimant will not be liable to pay our Basic Charges and any Success Fee if it loses any case, the Claimant will still remain liable for the defendant’s costs in the unlikely event, under category (a) above, that a court order is made to that effect.
We are unfortunately unable to waive the requirement for you to make payment of our Basic Charges in any of the four circumstances set out above. This is because the Regulations do not permit it. That is part of the (small) risk your company takes in instructing us on a ‘no win, no fee’ basis. Having said that, we are presently trying to finalise a group insurance policy so that, subject to your company paying a small insurance premium for each claim brought against an infringer, the insurance company will pay any charges owing to the defendant and any disbursements paid. We will let you know once we have arranged this and will supply full details at that time. Furthermore, as stated below, these costs should in any event be recoverable from monies we will already have collected for your company from the Non-Contentious Work.
Finally, given the element of risk involved in our firm bringing litigation on your behalf on a ‘no win, no fee’ basis, we reserve the right to review and (if necessary, withdraw) our offer to act on this basis following the expiry of one year following the date of this letter.
Enforcement
It is, of course, open to your company to instruct us to enforce any judgement we obtain against any defendant who does not pay. Since we will have carried out some basic credit checks of any defendant before commencing proceedings against him or her, e.g. to ensure that he or she owns a property worth a minimum amount, is not bankrupt or hugely saddled with debt etc, the prospects should be reasonably good. Other than disbursements which are payable in order to enforce a judgement (such as sheriff’s and court issue fees), since enforcement is not covered by the CCFA, we will need to make a small fixed charge of £250 per enforcement to cover our basic costs, should you instruct us to proceed with enforcement.
Please bear in mind that, in the rare circumstances where we win a case for you but are unable to recover the costs from the defendant, you will already have built up a substantial fighting fund from the letters written to the infringers (approximately 25-30% of the infringers should have paid without recourse to litigation by then) and also in respect of those defendants who we have successfully sued and from whom we have recovered damages and costs. Accordingly, whilst it may seem like you are paying out of your company’s own pocket a small amount of legal fees for cases where we win but have not managed to recover damages and costs from the defendant and need to enforce those costs, your company will not in fact need to supply any monies in advance, since there should be more than enough money sitting in the pot and allocated to your company in order to meet the costs required to do so. Please also note that those costs would be payable out of your company share only, and not out of the joint share of all the parties, as they relate specifically to client costs and the Regulations require that these costs are payable by the client only, in order for the CCFA to remain valid. It is, of course, open to your company to agree separately with Evidenzia how these costs should be shared by both parties.
Examples
Example A: Case Dropped (Costs Insured)
Proceedings are issued against A who has never responded but there is evidence of multiple instances of infringement. Court fee is £300. A then puts in the wireless defence, making it necessary to drop the proceedings in the absence of any further incriminating evidence. Provided the insurance premium of c.£750 has been paid (which is payable by the Claimant only), the wasted court fee of £300, together with any costs incurred by the defendant (eg. his own solicitors’ costs) which a court may order the Claimant to pay (e.g. £500), will be paid by the policy of insurance (where there is no insurance in place, these would be payable by the Claimant only). Total outlay by Claimant: £750. Net gain (or loss): £50.
Example B: Default or Summary Judgement Obtained
Proceedings are issued and default judgement obtained (i.e. defendant does not put in an appearance). Insurance premium is £750 and court fees are £85. Damages of £3,000 and costs of £1,500 are awarded by the court against the defendant.
(a) Defendant Pays:
Total outlay: £835. Net gain (loss) to Claimant: £2,165.
(b) Defendant Does Not Pay:
You instruct us to enforce (£250 fee). Court issue fee is £50 and sheriff’s fees are £200.
(i) Defendant Pays
Total outlay for Claimant: £1,335. Net gain (loss): £2,165
(ii) Defendant Does Not Pay
Total outlay for Claimant: £585 (insurance premium credited, as insurer has said it will refund premium in these circumstances). Net gain (loss): (£585)
It is hard to guess at this stage how many people will pay, both after obtaining default judgment and after enforcement, if they don’t pay. However, if we assume that around 50% will pay without the need for enforcement and that 60% will pay after enforcement, we have calculated that, if 100 people are sued, the damages recovered for the Claimant and Evidenzia together will amount to around £280,000, less costs outlay of around £154,000 (including court fees and insurance premiums), resulting in a net gain to the Claimant (subject to any share agreed to be paid to the data supplier, if applicable) of £127,000 (subject to verification and without any warranty on this firm’s part as to the actual amount which would be obtained). This is based on a number of factors and assumptions, further details of which can be provided to you upon request.
I trust the above clarifies any concerns or questions you may have in relation to the file sharing litigation and legal costs. However, should you have any further questions or comments, please do not hesitate to contact me directly. My direct line is +44 20 789 80572 and my email address is andrew.crossley@acs-law.co.uk. Please would you also supply your email address and telephone number, for ease of communication.
I look forward to hearing from you shortly.
Yours sincerely
ACS Law Solicitors
Direct tel: 020 789 80572
Direct email: andrew.crossley@acs-law.co.uk
[ link to this | view in thread ]