Slashdot Mirror


Liability for Data Breaches are Minimal

vandon submitted a Security Focus bit about liability and identity theft. The article talks about a contractor's laptop containing a half a million records of private student loan information being stolen. The court ruled that since "Reasonable" precautions had been taken, the loan company need not be held strictly liable for their customers damages.

12 of 184 comments

  1. With decisions like this, by zegebbers · Score: 3, Insightful

    these sorts of problems will only continue. Without any sort of accountability, why should companies care?

  2. Billions in damages by Anonymous Coward · Score: 3, Insightful

    And, yet, if the person who cracked/hacked/illegally accessed the same data were caught and brought to trail the company would say that it suffered millions or billions in damages. Hmmm. Minor disconnect there.

  3. Well by Anonymous Coward · Score: 1, Insightful

    If someone breaks into my house and steals one of my guns am I liable for what they do with it? No. A locked house is reasonable protection. If that absolves me of someone's death, then surely it absolves someone of having their computer stolen.

  4. This is unacceptable by Dukeofshadows · Score: 2, Insightful

    I've got six digits in loans thanks to med school and they're growing by the day. I'd like to see *any* judge with kids in college or grad school take a look at this case: any company that releases data like this should be fined $100+ for *every* person affected. Also, there needs to be state or federal laws for violations of privacy on this scale whether by the company themselves or their contractors.

    --
    As long as there is a Second Amendment, there will always be a First Amendment.

  5. Sensitive data on a laptop? by NiteShaed · Score: 2, Insightful

    ....has taken a closer look at a case in which a person sued their student loan company after their information -- along with 550,000 other people's -- was leaked when a contractor's laptop was stolen.

    What possible reason could there be to have that much, or for that matter any, confidential data on a portable machine?!?!

    Maybe the company policy allowed for this kind of thing, but the question should then be 'is this a reasonable policy'. My first thought is that if the employee works remotely and needs this data, it should all be stored on a secure server, and he/she should be working on the files without ever saving any of the data to this laptop's drive, making the company liable in this case. I'll grant there may be a good reason that I'm not aware of that explains why the data was on the laptop, but for the life of me I can't think of what it would be.

    --
    Some bring out the best in others, some the worst. Some bring out far more.

  6. subjectivity by commodoresloat · Score: 4, Insightful

    It's a totally subjective standard that's superficially imposed.

    Unlike the slashdot summary of the decision.

  7. Re:The number one reason companies lose lawsuits by msbsod · Score: 2, Insightful

    We are already victims of identity theft, because we have to constantly check if someone is misusing our information. I am talking about my time. It is just fair to punish those who leak the information. This is no different than a libel suit. Someone spreads lies about you which might harm you and you sue, and win.

  8. Re:YOU are the first line of defense by Qzukk · Score: 2, Insightful

    must each person be diligent in making sure that they're not being victimized.

    Oh? And what's your solution to this? Should I call all the banks, jobs, and universities I've ever dealt with and beg them to tell me whether they're keeping my information safe for me? Ask them to promise, pinky swear, to destroy all the copies of my records so they can't fall into the wrong hands?

    On the consumer side, there is no proactive solution to the kind of identity theft that happened in this case. All you can do is keep getting your credit reports and checking for outstanding traffic tickets issued on a phony license in your name, while hoping that nothing horrible shows up.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.

  9. Absurd by blueforce · Score: 4, Insightful

    existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data.

    That's a ridiculous statement. I'm an applications manager and the company(ies) I work for are in the HR/accounting/BPO industries. I manage a team of software developers, designers, graphic artists, etc. to create BPO software. Our software processes, and we are custodians of, a lot of sensitive personal information. Nearly everything we make, implement, buy, or use affects the security of the data and applications. I spend a substantial amount of time discussing security and IP issues with our in-house counsel. The one question he *always* asks with regard to security is "What would be reasonable for us to do to protect the data? In other words, what would a company be required to do, within reason, to protect the data that we are housing?" There is no "correct" answer to that as it's highly subjective. What he always stresses to us is "Would I be able to convince a judge or a jury that the precautions we took were in line with accepted practices, and were they reasonable enough to protect the data?". In most cases, he relies on our (my) judgement to determine whether it's enough or too little. Security is such a subjective topic - there is such a thing as too much when people who need to can't access information, and of course there is such a thing as not enough.

    The real issue arises when determining what is reasonable. What's reasonable to a person whose HIPAA information is being stored might be absurd. Likewise, "reasonable" to a company might equate to "whatever we can afford" which may be far too little. It becomes a balancing act to reconcile the concerns of both sides to take what measures would be considered "reasonable" to protect the information in question. What's reasonable to protect a list of credit card numbers is far different than what's reasonable to protect a list of song titles. It's highly subjective and open to interpretation. The minute someone tries to legislate it and define "reasonable" is the minute someone else will find loopholes and ways around it. But to say "regardless of what that policy actually is" is just plain absurd.

    --
    If you do what you always did, you get what you always got.

  10. Follow the Money by Doc Ruby · Score: 2, Insightful

    As Bruce Schneier always says, if the people responsible for exposing others to security risks don't lose more than the costs of applying the security, then they never will. And of course the people exposed will always lose.

    --
    make install -not war

  11. It's called "due diligence" by Expert Determination · Score: 2, Insightful

    All a company has to do is follow a minimal set of guidelines, and then they can convince a judge that they carried it out; how can it be their fault?

    I was involved with an IP lawyer a couple of years back. He told me to encrypt my mails to him so at a future date we could prove, if needed, that we'd made a reasonable effort to keep our R&D secret. He gave me some Norton tool with a horribly hobbled form of encryption. I was able to crack it in minutes by downloading an app from the .ru domain :-) I told the lawyer. But his response was that all we needed was to be able to prove "due diligence", not actually be secure. After all, what does some judge know about crack software downloaded off the web. The box containing the software used words like "SECURE".

    And this is how the world works. Companies don't really try to make themselves secure - they just make them secure enough to convince other people that they are. I've been complicit in such things myself. One of our clients demanded we make our software development secure. We made loads of groups so we could control exactly who in the company had access to what source code. But this was braindead - people all through the company needed access to software all over the place. We couldn't partition things up in this way without hindering development. So I made all the groups and put everyone who asked in whatever groups they asked for. We could now report to the client that we had made the groups and denied permission to people outside these groups. We omitted to mention who was actually contained in each group and just said that people were in whatever groups they needed.

    --
    "The White House is not an intelligence-gathering agency," -- Scott McClellan, White House spokesman.

  12. One decision does not the end of the world make by Infonaut · Score: 4, Insightful

    This was a US District Court case, at the lowest level of the federal judicial structure, and there are likely other decisions in other districts that may have come out differently.

    Furthermore, the facts in this case don't look terribly good for the plaintiff. As others have pointed out, in a torts case you need to prove a harm. From the decision:

    Brazos points out that the evidentiary record is completely devoid of any disputed facts indicating that Guin's personal information was actually on Wright's laptop at the time it was stolen, or that Guin's personal information is now in the possession of the burglar.

    The rationale for summary judgment in this case is clear, because the plaintiff can't provide any evidence of harm.

    The author of the SecurityFocus piece further muddies the waters by giving it the title "Strict liability for data breaches?" Strict liability is imposed in torts cases for activities that are abnormally dangerous. The case in question was purely about negligence.

    Most court cases are very fact-specific, and in this one the facts were such that the law of torts gunned down the plaintiff. It wasn't the specifics of statute, but the plaintiff's inability to prove he'd been harmed that doomed the case. Imagine if in order to win a torts case, you didn't have to prove that you had been harmed. Even emotional harm cases require some actual evidence of damage to the plaintiff. What if you were a sysad and someone in the office where you work claimed you had illicitly entered their computer and taken their private information, but they had no proof. Would you want your accuser to prevail?

    --
    Read the EFF's Fair Use FAQ