Slashdot Mirror


Liability for Data Breaches are Minimal

vandon submitted a Security Focus bit about liability and identity theft. The article talks about a contractor's laptop containing a half a million records of private student loan information being stolen. The court ruled that since "Reasonable" precautions had been taken, the loan company need not be held strictly liable for their customers damages.

27 of 184 comments

  1. The number one reason companies loose lawsuits by geekoid · · Score: 3, Informative

    is a failure to follow policy.

    Now the person suing the company needs to accuse the company of not following policy, and provide some sort of proof. Then the company can attempt to defend itself.

    --
    The Kruger-Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:The number one reason companies loose lawsuits by winkydink · · Score: 2, Interesting

      Actually, I believe the person bringing suit has to show they were harmed in some way, but IANAL. So, if they lost your data and somebody used that to steal money from you via identity theft, then you've been harmed. If they merely lost the data and nothing bad has happened to you? I dunno. If I were sitting on a jury, I'd have a hard time finding in your favor.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    2. Re:The number one reason companies loose lawsuits by msbsod · · Score: 2, Insightful

      We are already victims of identity theft, because we have to constantly check if someone is misusing our information. I am talking about my time. It is just fair to punish those who leak the information. This is no different than a libel suit. Someone spreads lies about you which might harm you and you sue, and win.

    3. Re:The number one reason companies loose lawsuits by StikyPad · · Score: 2, Funny

      is a failure to follow policy.

      I would've guessed the number one reason companies loosed lawsuits was to win them. I'd venture that some companies' policy, indeed the basis of their existence, is centered around loosing lawsuits.

    4. Re:The number one reason companies loose lawsuits by tacocat · · Score: 2, Interesting

      You have an excellent point, but I would label it being a Victim. I think this is just prudent. You don't walk down a dark alley without some expectation that you are entering a situation with a higher than normal probability of becoming a victim of something.

      I live in Detroit. In Detroit we have two areas known as Cass Avenue and Woodward and Eight Mile. These places are where all the freaky shit goes on at night. Transvestites park, hookers, dealers, bangers are all pretty well represented in these two locations. Everybody who lives in or near Detroit knows that these are places you stay away from unless you are looking for one of these activities. You might consider these to be "bad places" to go. From my house, it's at least 10 miles as the crow flies to get there.

      Over a decade ago companies started promoting the sale of software designed to limit where you could go on the internet. The idea was to protect your unmonitored children from these "bad places" just like you wouldn't want your children to go to Eight Mile and Woodward.

      The difference is that the distance of 10 miles is harder to cover than a mouse click and 10 seconds. But the social experience is the same in either case. You can arrive at a "bad place" and without some street smarts (or e-street smarts) you end up a victim of something "bad".

      We check our credit cards and other stuff not for internet transaction fraud, we check it for any fraud. So we have an expectation that any type of transaction/business has the potential of resulting in fraud. But this isn't being a victim of anything. It's a realistic street smart awareness of what happens in the world.

      On the flip side of the argument: how could you conduct any business if any resulting theft could result in millions? As a company, you couldn't manage the litigation costs of selling t-shirts over the internet. So, it's acceptable to consider that reasonable efforts and practices exist within a company to at least try. If you can't allow this, then you only hand over money to the lawyers. I have to pay overhead to insurance companies and legal retainers to accommodate risk litigation expenses, real or imagined. I have to port all those costs over to you the consumer.

      So how much are you willing to pay for a t-shirt if I also have to sell you a guarantee that nothing bad will ever happen to your credit card information? What if I can sell it to you for 30% of that cost and ask you to check your credit card for transactions? Even with that guarantee, you will end up buying the product at 30% my price because it's cheaper and you still have some expectation that my credit information won't be posted on a website within the hour.

  2. With decisions like this, by zegebbers · · Score: 3, Insightful

    these sorts of problems will only continue. Without any sort of accountability, why should companies care?

    1. Re:With decisions like this, by rob_squared · · Score: 2, Interesting

      I think this qualifies as a "fundamental breakdown of the law." Not only do we have to get tougher on the companies when it comes to laws, we have to get tougher on the lawmakers. Maybe, just maybe, we should have a system that regulates lobbyists, since these types of companies seem to have really good ones.

      --
      I don't get it.
  3. Billions in damages by Anonymous Coward · · Score: 3, Insightful

    And, yet, if the person who cracked/hacked/illegally accessed the same data were caught and brought to trial, the company would say that it suffered millions or billions in damages. Hmmm. Minor disconnect there.

  4. This is unacceptable by Dukeofshadows · · Score: 2, Insightful

    I've got six digits in loans thanks to med school and they're growing by the day. I'd like to see *any* judge with kids in college or grad school take a look at this case: any company that releases data like this should be fined $100+ for *every* person affected. Also, there needs to be state or federal laws for violations of privacy on this scale whether by the company themselves or their contractors.

    --
    As long as there is a Second Amendment, there will always be a First Amendment.
  5. A reasonable man walked into a bar... by MrNaz · · Score: 3, Informative

    This actually makes sense, as the tort of negligence is a civil matter and where a defendant's (in this case the loan company) actions are being assessed, the law requires the standards of "the reasonable man" to be used..

    Generally in cases such as this, the court will use the reasonable man test in a formulation which would likely sound like this: "would a reasonable man, in the position of the defendant with the same information and experience that the defendant can reasonably be expected to possess, have behaved in the same way".

    It then comes down to the court hearing evidence from members of industry and other witnesses or even amici curiae (meaning "friend of the court", which is a person who offers evidence but is not called officially by the plaintiff or defendant, and excuse me but my Latin spelling is not that good). The judge then decides if the defendant acted the way a reasonable man should.

    P.S., Yes, I know the formulation of "reasonable man" is sexist, but hey, it's the law :P

    --
    I hate printers.
  6. YOU are the first line of defense by core+plexus · · Score: 2, Interesting

    Just as you can't always rely upon the police to protect you (they come after the crime/whatever has happened), or the fire department, etc., so too must each person be diligent in making sure that they're not being victimized. This case is a perfect example of why.

    In fact, this case is but one example of many that we have been hearing about, and by the time the company admits it, the damage may be done. The criminals are always coming up with new ideas, scams, and tricks, such as the "You've won the lottery! Deposit this check and we'll send you your lottery winnings".

    Punishment, no matter how severe or financially crippling, will not stop this.

    1. Re:YOU are the first line of defense by Qzukk · · Score: 2, Insightful

      must each person be diligent in making sure that they're not being victimized.

      Oh? And what's your solution to this? Should I call all the banks, jobs, and universities I've ever dealt with and beg them to tell me whether they're keeping my information safe for me? Ask them to promise, pinky swear, to destroy all the copies of my records so they can't fall into the wrong hands?

      On the consumer side, there is no proactive solution to the kind of identity theft that happened in this case. All you can do is keep getting your credit reports and checking for outstanding traffic tickets issued on a phony license in your name, while hoping that nothing horrible shows up.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:YOU are the first line of defense by welcher · · Score: 2, Interesting

      That is a ridiculous argument. Punishing a company for being negligent is exactly what stops other companies being negligent (whether the punishment is handed down by the state or from consumers). How do you suggest this guy who had a loan should have been diligent?

  7. Star Wars reference ahead...CAUTION.... by Clockwork+Apple · · Score: 4, Funny

    "Apparently the mere existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data."

    It's as if a million Lawyers cried out and then were suddenly silenced.

    C.

    --
    "Doctor, it's not the voices I hear in MY head, but the voices I hear in YOUR head that really frighten me."
  8. Maybe an "organic"-style branding is needed. by CyricZ · · Score: 2, Interesting

    Since the courts have failed in this matter, what we might end up seeing eventually is something along the lines of the "organic" branding of food that is common in some nations. Food which is prepared without the use of chemicals, or genetic modification, and so on, uses a label such as "organic" to differentiate itself from other growers and manufacturers.

    The obvious computing equivalent would perhaps be "Served by OpenBSD" or "Data Stored on Solaris" labels on websites which collect and store personal data. The same could even go for other firms that collect data. Banks, for instance, could advertise that they store their data on IBM systems.

    While it doesn't really prevent attacks or theft outright, it does indicate to consumers that the company has their IT department in order. I, for one, would feel far more comfortable dealing with businesses who openly profess their use of OpenBSD, Solaris, or Linux. Likewise, I would do my best to avoid those who built their networks around other, potentially more vulnerable systems.

    One of the questions that consumers might ask when dealing with a business that collects much personal information could become, "Do you run your database servers on HP-UX, OpenBSD, or Solaris?"

    --
    Cyric Zndovzny at your service.
  9. Sensitive data on a laptop? by NiteShaed · · Score: 2, Insightful

    ....has taken a closer look at a case in which a person sued their student loan company after their information -- along with 550,000 other people's -- was leaked when a contractor's laptop was stolen.

    What possible reason could there be to have that much, or for that matter any, confidential data on a portable machine?!?!

    Maybe the company policy allowed for this kind of thing, but the question should then be 'is this a reasonable policy?'. My first thought is that if the employee works remotely and needs this data, it should all be stored on a secure server, and he/she should be working on the files without ever saving any of the data to this laptop's drive, making the company liable in this case. I'll grant there may be a good reason that I'm not aware of that explains why the data was on the laptop, but for the life of me I can't think of what it would be.

    --
    Some bring out the best in others, some the worst. Some bring out far more.
  10. subjectivity by commodoresloat · · Score: 4, Insightful

    It's a totally subjective standard that's superficially imposed.

    Unlike the slashdot summary of the decision.

  11. What were the damages? by rahvin112 · · Score: 2, Interesting

    Really, what were the damages? What was the monetary value of the "damage" done? Did someone lose their job? Have their identity stolen? Without real damages you don't have a suit, IMO. (Real damages don't qualify as your friends laughing at you for borrowing so much money for an art history degree.) I have a hard time imagining any real damages that would be likely or did occur from this (unless someone's identity was stolen, then you could sue to recover expenses and damage to your credit). Although this country is lawsuit happy, thinking you can sue someone for sneering at you, I just don't think you should have a case, in a situation like this, unless you have real and _measurable_ damages.

  12. Mod Me Troll- But It's Time to Go Postal by RedHatLinux · · Score: 2, Interesting

    But the answer to all this corporate corruption, idiocy, and malfeasance isn't to run the pawns of our corporate feudal lords, but violence.

    Seriously, the business elite has simply lost the fear of God, and someone needs to instill it back in them. If the token jail sentences, loony leftist activism, and fear of reputation lost have failed to keep them in check, then stronger measures are needed.

    I am not talking about randomly going postal, à la many a mail carrier, but a campaign of precise, systematic, lethal punishment of the most blatant offenders. Outsource American jobs to India to boost your stock a 1/4 point, well then look out. Does anyone think Ken Lay would have tanked Enron had he a reasonable fear of death? Of course not, nor will any other CEO jack around like that, if swift severe punishment were certain.

    For those opposed to violence, can you think of a better solution?

  13. Re:Too hard to make "iron-clad" rules by LordNimon · · Score: 3, Interesting

    If I lose my laptop that has 18,000 valid email addresses stored in it, and somebody gets that data, should I be liable?

    Yes.

    Do you have any other stupid questions?

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  14. Absurd by blueforce · · Score: 4, Insightful

    existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data.

    That's a ridiculous statement. I'm an applications manager and the company(ies) I work for are in the HR/accounting/BPO industries. I manage a team of software developers, designers, graphic artists, etc. to create BPO software. Our software processes, and we are custodians of, a lot of sensitive personal information. Nearly everything we make, implement, buy, or use affects the security of the data and applications. I spend a substantial amount of time discussing security and IP issues with our in-house counsel. The one question he *always* asks with regard to security is "What would be reasonable for us to do to protect the data? In other words, what would a company be required to do, within reason, to protect the data that we are housing?" There is no "correct" answer to that as it's highly subjective. What he always stresses to us is "Would I be able to convince a judge or a jury that the precautions we took were in line with accepted practices, and were they reasonable enough to protect the data?". In most cases, he relies on our (my) judgement to determine whether it's enough or too little. Security is such a subjective topic - there is such a thing as too much when people who need to can't access information, and of course there is such a thing as not enough.

    The real issue arises when determining what is reasonable. What's reasonable to a person whose HIPAA information is being stored might be absurd. Likewise, "reasonable" to a company might equate to "whatever we can afford" which may be far too little. It becomes a balancing act to reconcile the concerns of both sides to take what measures would be considered "reasonable" to protect the information in question. What's reasonable to protect a list of credit card numbers is far different than what's reasonable to protect a list of song titles. It's highly subjective and open to interpretation. The minute someone tries to legislate it and define "reasonable" is the minute someone else will find loopholes and ways around it. But to say "regardless of what that policy actually is" is just plain absurd.

    --
    If you do what you always did, you get what you always got.
  15. Follow the Money by Doc+Ruby · · Score: 2, Insightful

    As Bruce Schneier always says, if the people responsible for exposing others to security risks don't lose more than the costs of applying the security, then they never will. And of course the people exposed will always lose.

    --
    make install -not war

  16. GLB by cyriustek · · Score: 2, Informative

    The problem here lies with the application of Gramm-Leach-Bliley. The regulation merely requires financial institutions to apply reasonable protections to the customers' information. Unfortunately for most consumers, this bar is lower than one would hope. The application of GLB, and most other federal regulations, does not adequately protect the individual. This is why people should ensure they communicate with their congressional representatives to get privacy laws with teeth in place.

    Tragically, the privacy laws that are currently being evaluated at the federal level water down the requirements of many state laws. For example, California's SB-1386 requires a company to report to you that your information may have been inappropriately disclosed. However, the proposed federal legislation requires companies to only disclose this to you if they believe you are at risk from this exposure. It is easy for a company to say they do not think a disclosure of your information would harm you. If you do experience ID theft, you wouldn't know what company was the source, so you would not have the ability to require the offending company to disclose the information exposure.

    The upshot is... You MUST get involved in this. There are very high-paid lobbyists who want this lower level of protection for your private information. Ensure your congressional representative knows you want a law with real teeth. You can find out who your rep is at: http://www.congress.org/congressorg/home/

  17. It's called "due diligence" by Expert+Determination · · Score: 2, Insightful

    All a company has to do is follow a minimal set of guidelines, and then they can convince a judge that they carried it out; how can it be their fault?

    I was involved with an IP lawyer a couple of years back. He told me to encrypt my mails to him so at a future date we could prove, if needed, that we'd made a reasonable effort to keep our R&D secret. He gave me some Norton tool with a horribly hobbled form of encryption. I was able to crack it in minutes by downloading an app from the .ru domain :-) I told the lawyer. But his response was that all we needed was to be able to prove "due diligence", not actually be secure. After all, what does some judge know about crack software downloaded off the web. The box containing the software used words like "SECURE".

    And this is how the world works. Companies don't really try to make themselves secure - they just make themselves secure enough to convince other people that they are. I've been complicit in such things myself. One of our clients demanded we make our software development secure. We made loads of groups so we could control exactly who in the company had access to what source code. But this was braindead - people all through the company needed access to software all over the place. We couldn't partition things up in this way without hindering development. So I made all the groups and put everyone who asked in whatever groups they asked for. We could now report to the client that we had made the groups and denied permission to people outside these groups. We omitted to mention who was actually contained in each group and just said that people were in whatever groups they needed.

    --
    "The White House is not an intelligence-gathering agency," -- Scott McClellan, Whitehouse spokesman.
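The "groups on paper" situation described in the post above (groups exist, but everyone who asks is added, so the control restricts nobody) is something an auditor can detect mechanically. The script below is an added example written for this page, not code from the thread or from any of the companies mentioned; the user population, group names and membership lists are constructed sample data, and the 80% coverage threshold is an assumed tuning value. It reports which groups cover so much of the population that they no longer partition access, which users sit in every group, and which groups still do real work.

```python
"""Audit whether access-control groups actually partition access.

Added example for this page (not from the thread). All data below is
constructed: a six-person company and three source-code groups. The point
is to detect the failure mode where groups exist but membership is so broad
that they restrict nobody.
"""
from typing import Dict, List, Set

# Constructed sample population and group memberships.
ALL_USERS: Set[str] = {"alice", "bob", "carol", "dave", "erin", "frank"}
GROUPS: Dict[str, Set[str]] = {
    # every user was added on request: the group is hollow
    "src-payments": {"alice", "bob", "carol", "dave", "erin", "frank"},
    # five of six users: still restricts almost nobody
    "src-frontend": {"alice", "bob", "carol", "dave", "erin"},
    # two of six users: this one actually limits access
    "src-hr": {"carol", "dave"},
}

# Assumed threshold: a group covering at least this fraction of the
# population is treated as not restricting anything meaningful.
HOLLOW_THRESHOLD = 0.8


def group_coverage(members: Set[str], population: Set[str]) -> float:
    """Fraction of the population that is a member of the group."""
    if not population:
        return 0.0
    return len(members & population) / len(population)


def coverage_table(groups: Dict[str, Set[str]],
                   population: Set[str]) -> Dict[str, float]:
    """Coverage fraction for every group, rounded for reporting."""
    return {name: round(group_coverage(m, population), 3)
            for name, m in groups.items()}


def hollow_groups(groups: Dict[str, Set[str]], population: Set[str],
                  threshold: float = HOLLOW_THRESHOLD) -> List[str]:
    """Groups whose membership covers >= threshold of the population."""
    return sorted(name for name, m in groups.items()
                  if group_coverage(m, population) >= threshold)


def users_in_every_group(groups: Dict[str, Set[str]],
                         population: Set[str]) -> Set[str]:
    """Users who are members of every group: no partition applies to them."""
    if not groups:
        return set()
    return {u for u in population if all(u in m for m in groups.values())}


def audit_report(groups: Dict[str, Set[str]], population: Set[str],
                 threshold: float = HOLLOW_THRESHOLD) -> dict:
    """Summarise whether the group scheme restricts anything."""
    hollow = hollow_groups(groups, population, threshold)
    return {
        "coverage": coverage_table(groups, population),
        "hollow": hollow,
        "everywhere": sorted(users_in_every_group(groups, population)),
        "meaningful": sorted(set(groups) - set(hollow)),
    }


if __name__ == "__main__":
    report = audit_report(GROUPS, ALL_USERS)
    for group, cov in report["coverage"].items():
        print(f"{group:<14} coverage={cov:.1%}")
    print("hollow groups   :", report["hollow"])
    print("in every group  :", report["everywhere"])
    print("meaningful      :", report["meaningful"])
```

Run against a real directory export, the same two numbers are the ones a client would want in the report the post describes: how much of the company each group covers, and how many people are in every group. A scheme where both are near 100% has created groups without creating access control.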
  18. Re:Well by 1u3hr · · Score: 2, Interesting

    A locked house is reasonable protection. If that absolves me of someone's death, then surely it absolves someone of having their computer stolen.

    TFA discusses this point: what is "reasonable" protection. The data could easily have been encrypted; but it wasn't. Or was it "reasonable" for a consultant to have copies of 550,000 customer files on his laptop at his home at all? If you're allowed to have a gun at all for personal protection, you have to be able to keep it in your home, but the same doesn't go for data.

  19. One decision does not the end of the world make by Infonaut · · Score: 4, Insightful

    This was a US District Court case, at the lowest level of the federal judicial structure, and there are likely other decisions in other districts that may have come out differently.

    Furthermore, the facts in this case don't look terribly good for the plaintiff. As others have pointed out, in a torts case you need to prove a harm. From the decision:

    Brazos points out that the evidentiary record is completely devoid of any disputed facts indicating that Guin's personal information was actually on Wright's laptop at the time it was stolen, or that Guin's personal information is now in the possession of the burglar.

    The rationale for summary judgment in this case is clear, because the plaintiff can't provide any evidence of harm.

    The author of the SecurityFocus piece further muddies the waters by giving it the title "Strict liability for data breaches?" Strict liability is imposed in torts cases for activities that are abnormally dangerous. The case in question was purely about negligence.

    Most court cases are very fact-specific, and in this one the facts were such that the law of torts gunned down the plaintiff. It wasn't the specifics of statute, but the plaintiff's inability to prove he'd been harmed that doomed the case. Imagine if in order to win a torts case, you didn't have to prove that you had been harmed. Even emotional harm cases require some actual evidence of damage to the plaintiff. What if you were a sysad and someone in the office where you work claimed you had illicitly entered their computer and taken their private information, but they had no proof. Would you want your accuser to prevail?

    --
    Read the EFF's Fair Use FAQ
  20. What can we do about it you ask: by guruevi · · Score: 2, Interesting

    Everybody here is bitching about what to do when it happens, simple for me:

    I go to my bank, and I ask for a credit card. I have to sign for the thing. Together with that they state that you've read the agreement statements and other legal mumbo jumbo. I ask for those things, the bank representative gets me a copy out of which I scrap all the statements I do not agree with and rewrite them according to what I think of it. I ask for a signature of the bank representative (usually I deal with their manager by then) and a signed copy of that document.

    If the bank director/manager/clerk agrees with it, he places his signature and I am free from crap like this. If they don't agree, I don't get their service (credit card) because I do not want it from them with those rules imposed on it. But usually (if, like me, you only change the privacy statements) they agree and sign (they don't understand anyway).

    Recently I did an overdraft of a certain checking account and they charged me $32 for it and some interest. I asked where I agreed with that; the bank clerk said all accounts have that. I asked again for the document I signed agreeing to that. They got the bank director who remembered that I did not agree and got out the documents with the statement that I agreed to it only if all my accounts were overdrafted or to such an amount that the bank was actually losing money on me as a customer (over all my accounts), and they agreed with that since I deposited quite a sum in a special savings account (saving up for a fully upgraded Quad G5) and my family and I have some international funds making me their special customer.

    If they don't agree, then ask why. If it is just an answer along the lines of it being company regulations or whatever, I threaten to change my services to other companies. Usually they do agree when they are going to lose a good customer.

    Really, in the USA companies do a LOT to keep their customers and give them all kinds of traits (because then you do not spread bad publicity). Of course if you order a credit card online or through mail, then you're usually screwed (although online could be debatable if you reviewed the correct information).

    --
    Custom electronics and digital signage for your business: www.evcircuits.com