'No Harm No Foul' Becoming The Norm In Data Breach Lawsuits
from the no-blood-no-foul dept
Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it. This seemed like poor reasoning; Wells Fargo had no control over whether anyone would use the data in a criminal manner, but it did have control over how it stored the data. In that case, data was lost because it was stored in an unencrypted format on a laptop. Certainly some could argue that that was negligent. But it looks like this line of reasoning is becoming standard. A recent suit brought against data broker Acxiom for letting customer data slip out was dismissed since the plaintiffs couldn't prove that anything bad had been done with it. Again, either the company was negligent in letting personal data out, or it wasn't; that should be the measure upon which these cases are decided, not what was done later with the data. There is a flipside, which is that if plaintiffs started winning these cases, data breach lawsuits could easily become the latest class action charade (We can see the commercials now, "Has your personal data been leaked? Call the law offices of..."). But companies can't keep getting let off the hook just because harm can't be proven, or they'll have little incentive to protect the data.
Reader Comments
it's about damages
I believe that when someone loses money because of a breach like this, they will prevail in court. (I hope)
Don't knock class action lawsuits. You may need one some day, as your only hope for justice.
Knock the bad lawyers who misuse them - not the tool.
[ link to this | view in chronology ]
For example.. If the data had been encrypted and locked in a vault and someone used force to enter the vault and steal the data then the company used due diligence to protect the data even if it was unencrypted.
In this case the data was simply printed on paper and left on the sidewalk for anyone willing to put forth the effort to pick up the paper. This kind of disclosure, even if the person shouldn't have picked up the paper, would be a violation of the company's own privacy policies, probably a couple of laws but most certainly the customer's due process rights.
Now.. the grey area here is to argue that unencrypted data on an unsecured laptop is akin to printing out the information and leaving it on the sidewalk. It's a tough argument but not an impossible argument.. just needs to be argued by a good attorney who can think on its toes.
[ link to this | view in chronology ]
Re:
It's the same thing as your neighbor borrowing your lawnmower then selling it. Even if the lawnmower was never used and was later returned undamaged does not mean your neighbor isn't liable for "unlawful deprivation of property".
In this case I may have opened an account, provided my personal information and expected the company to either return or destroy that information when it was finished. To simply "leave the door open" so anyone can take my "borrowed" stuff is, at best, an ethics violation. At worst, in my eyes, it's criminal deprivation of property.
Of course another issue for the courts to address is whether you actually own your personal information and therefore have any right to it. If we, as a society, succeed our identities for the highest bidder (or most clever hacker) then we have nobody else to blame but ourselves.
[ link to this | view in chronology ]
Then Kevin Mitnick should never have been in JAIL! And he should receive a billion dollars in compensation for the years he spent there without trial!!!
Judges are all crooked and should be castrated.
[ link to this | view in chronology ]
Can it be proved that anything bad has not been done with it? Or that a copy has not been made and stored for use in a few months or a year?
I feel having a laptop that is unsecured and the data unencrypted sitting on the sidewalk is worse than papers sitting there with the same info. Reason being how quickly can you copy a document that is electronic and distribute it compared to paper.
[ link to this | view in chronology ]
Well then...
If I hack a bank's files and "generate new money" to put in my account without affecting the accounts of other customers (I work in IT for a bank and I know this is possible) does that mean the bank can't sue me and I will only face charges for the hack since no actual money was lost?
Here's what scares me. What if a precedent is set that forces victims of identity theft to prove the thief actually did something in their name? Now imagine if a statute of limitations were placed (if there isn't already) on identity theft crimes. That combination could tie a victim up in court for years...
[ link to this | view in chronology ]
It's about damages
Take the example of two cars on the off-ramp on an interstate, at the stop at the end, waiting to turn right. Both drivers are checking for traffic coming from the left, across the overpass. How many times have you been the car behind, and the car in front of you acts like he's gonna go, and so you check to the left to check traffic, see it's clear, and then turn your head to start up and go, only to find out that the idiot in front of you for whatever reason has inexplicably stopped and isn't REALLY going? Often where fender-benders occur at this point it's because the driver behind THOUGHT the first driver was going and clearing out of the way, and then the driver behind neglected to make that confirmation check of "where the heck is the guy in front of me" AFTER checking the traffic to the left but BEFORE actually putting pedal to the metal.... the result being that the driver behind negligently bumps the fender of the guy in front of him.
Now no issue here that the guy behind is at fault, despite the fact that the guy in front is a wussy idiot for not going when it was completely clear.
Issue being.... when the guy in front goes to court to sue the guy behind, he must prove that he had DAMAGES. Meaning, a court isn't going to say to the guy in the rear car, hey Mister, you COULD HAVE totalled this man's car if you'd been going 50 mph rather than 5 mph. He isn't going to say, hey Mister, you COULD HAVE put this guy in the hospital and caused thousands of dollars in medical bills and this guy deserves thousands more because he COULD HAVE had all this pain and suffering.
Nope, the guy in front must prove that his car was even damaged. Must prove that he was hurt. Bring in his estimates and bills from his auto shop and his doctor. Why?
Because in the United F***ing States of America, no one is supposed to be deprived of life liberty pursuit of happiness and all that without DUE PROCESS.
The burden of proof is on the plaintiff -- as it should be.
Wake the f*** up and quit being such a whiner boy.
[ link to this | view in chronology ]
Re: It's about damages
[ link to this | view in chronology ]
WTF??!?!?!
[ link to this | view in chronology ]
illusion of privacy
Let me save you some trouble. ALL your information is vulnerable, every last one of you. Every damn person everywhere has their identity in the hands of someone else.
Now that we've established that nobody is safe, can we stop with the periodic "23 million identities stolen," and accept that it's around 300 million, and get over it?
Life is pain, highness. Anyone who tells you otherwise is selling something.
EOT
[ link to this | view in chronology ]