'No Harm No Foul' Becoming The Norm In Data Breach Lawsuits

from the no-blood-no-foul dept

Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it. This seemed like poor reasoning; Wells Fargo had no control whether anyone would use the data in a criminal manner, but it did have control over how it stored the data. In that case, data was lost because it was stored in an unencrypted format on a laptop. Certainly some could argue that that was negligent. But it looks like this line of reasoning is becoming standard. A recent suit brought against data broker Axciom for letting customer data slip out was dismissed since the plaintiffs couldn't prove that anything bad had been done with it. Again, either the company was negligent in letting personal data out, or it wasn't; that should be the measure upon which these cases are decided, not what was done later with the data. There is a flipside, which is that if plaintiffs started winning these cases, data breach lawsuits could easily become the latest class action charade (We can see the commercials now, "Has your personal data been leaked? Call the law offices of..."). But companies can't keep getting let off the hook just because harm can't be proven, or they'll have little incentive to protect the data.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Stu, 19 Oct 2006 @ 11:34am

    it's about damages

    In law, the word damages means money lost. A lawsuit can't be won if there are no proven "damages".

    I believe that when someone loses money because of a breach like this, they will prevail in court. (I hope)

    Don't knock class action lawsuits. You may need one some day, as your only hope for justice.

    Knock the bad lawyers who misuse them - not the tool.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 19 Oct 2006 @ 12:23pm

    This is an interesting debate. I think the lawyers may be wording the suits incorrectly. How about suing for unauthorized disclosure? If the companies didn't violate a law then it must have been a lawful disclosure so therefore they violated their own privacy guidelines and due process rights of its customers.

    For example.. If the data had been encrypted and locked in a vault and someone used force to enter the vault and steal the data then the company used due diligence to protect the data even if it was unencrypted.

    In this case the data was simply printed on paper and left on the sidewalk for anyone willing to put forth the effort to pickup the paper. This kind of disclosure, even if the person shouldn't have picked up the paper, would be a violation of the companies own privacy policies, probably a couple of laws but most certainly the customer's due process rights.

    Now.. the grey area here is to argue that unencrypted data on an unsecured laptop is akin to printing out the information and leaving it on the sidewalk. Its a tough argument but not an impossible argument.. just needs to be argued by a good attorney who can think on its toes.

    link to this | view in thread ]

  3. identicon
    Matt Bennett, 19 Oct 2006 @ 12:25pm

    It's true. You could criminalize and action, or being negligent to various degrees, but for civil suit there has to be harm done or there's no case. It really is "No harm, No foul" and it's stupid to complain about that.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 19 Oct 2006 @ 12:31pm

    > Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it.

    Then Kevin Mitnick should never have been in JAIL! And he should receive a billion dollars in compensation for the years he spent there without trial!!!

    Judges are all crooked and should be castrated.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 19 Oct 2006 @ 12:41pm

    Re:

    The "harm" is unlawful disclosure of my personal information. The question unanswered by the courts is how much is my personal information worth? Even if its $1 and the damage was done by negligence then the company should be required to pay $1 per account. If its $10 then.. again.. $10 per account.

    Its the same thing as your neighbor borrowing your lawnmower then selling it. Even if the lawnmower was never used and was later returned undamaged does not mean your neighbor isn't liable for "unlawful deprivation of property".

    In this case I may have opened an account, provided my personal information and expected the company to either return or destroy that information when it was finished. To simply "leave the door open" so anyone can take my “borrowed” stuff is, at best, an ethics violation. At worst, in my eyes, its criminal deprivation of property.

    Of course another issue for the courts to address is weather you actually own your personal information and therefore have any right to it. If we, as a society, succeed our identities for the highest bidder (or most clever hacker) then we have nobody else to blame but ourselves.

    link to this | view in thread ]

  6. identicon
    Rational Beaver, 19 Oct 2006 @ 12:58pm

    So if Wells Fargo loses $500,000 that's okay as long as whoever ends up with the money doesn't do anything evil with the cash?

    link to this | view in thread ]

  7. identicon
    sean, 19 Oct 2006 @ 1:03pm

    "plaintiffs couldn't prove that anything bad had been done with it"

    Can it be proved that anything bad has not been done with it? Or that a copy has not been made and stored for use in a few months or a year.

    I feel having a laptop that is unsecured and the data unencrypted sitting on the side walk being worse that papers sitting there with the same info. Reason being how quickly can you copy a document that is electronic and distribute it compared to paper.

    link to this | view in thread ]

  8. identicon
    Sanguine Dream, 19 Oct 2006 @ 2:02pm

    Well then...

    based on that does that mean the **AAs would have to prove how much damage a file sharer has done in order to successfully sue them?

    If I hack a banks files and "generate new money" to put in my account without affecting the accounts of other customers (i work in IT for a bank and I know this is possible) does mean the bank can't sue me and I will only face charges for the hack since not actual money was lost?

    Here's what scares me. What if a precedent is set that forces victims of identity theft to prove the thief actually did something in their name? Now imagine if a statute if limitations were placed (if there isn't already) on identity theft crimes. That combination could tie a victim up in court for years...

    link to this | view in thread ]

  9. identicon
    Judge Wapner, 20 Oct 2006 @ 5:57am

    It's about damages

    I think the legal principle here is that generally people who are claiming recompensatory damages in a suit must themselves prove that they were initially damaged. Because the point of the lawsuit is to recoup those iniital damages. If there is no initial damage, what's to recoup?

    Take the example of two cars on the off-ramp on an interstate, at the stop at the end, waiting to turn right. Both drivers are checking for traffic coming from the left, across the overpass. How many times have you been the car behind, and the car in front of you acts like he's gonna go, and so you check to the left to check traffic, see it's clear, and then turn your head to start up and go, only to find out that the idiot in front of you for whatever reason has inexplicably stopped and isn't REALLY going? Often where fender-benders occur at this point it's because the driver behind THOUGHT the first driver was going and clearing out of the way, and then the driver behind neglected to make that confirmation check of "where the heck is the guy in front of me" AFTER checking the traffic to the left but BEFORE actually putting pedal to the metal.... the result being that the driver behind negligently bumps the fender of the guy in front of him.

    Now no issue here that the guy behind is at fault, despite the fact that the guy in front is a wussy idiot for not going when it was completely clear.

    Issue being.... when the guy in front goes to court to sue the guy behind, he must prove that he had DAMAGES. Meaning, a court isn't going to say to the guy in the rear car, hey Mister, you COULD HAVE totalled this man's car if you'd been going 50 mph rather than 5 mph. He isn't going to say, hey Mister, you COULD HAVE put this guy in the hospital and caused thousands of dollars in medical bills and this guy deserves thousands more because he COULD HAVE had all this pain and suffering.

    Nope, the guy in front must prove that his car was even damaged. Must prove that he was hurt. Bring in his estimates and bills from his auto shop and his doctor. Why?

    Because in the United F***ing States of America, no one is supposed to be deprived of life liberty pursuit of happiness and all that without DUE PROCESS.

    The burden of proof is on the plaintiff -- as it should be.

    Wake the f*** up and quit being such a whiner boy.

    link to this | view in thread ]

  10. identicon
    Judge Wapner, 20 Oct 2006 @ 6:01am

    Re: It's about damages

    Oh and, to clarify what I mean about "whiner boy", I'm referring to the impulse to immediately quit reading the story for any headline which is immediately followed by "Contributed by Joe"

    link to this | view in thread ]

  11. identicon
    J Pribe, 20 Oct 2006 @ 7:18am

    WTF??!?!?!

    So, if I steal the judges car for a few days and return in without wrecking it will I be excused?

    link to this | view in thread ]

  12. identicon
    Adrian Lamo, 21 Oct 2006 @ 5:03pm

    illusion of privacy

    Personally identifying information is so widespread on the net and elsewhere, I can't possibly imagine a world where its mere existence in someones hands creates liability.

    Let me save you some trouble. ALL your information is vulnerable, every last one of you. Every damn person everywhere has their identity in the hands of someone else.

    Now that we've established that nobody is safe, can we stop with the periodic "23 million identities stolen," and accept that it's around 300 million, and get over it?

    Life is pain, highness. Anyone who tells you otherwise is selling something.

    EOT

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.