Slashdot Mirror


Liability for Data Breaches are Minimal

vandon submitted a Security Focus bit about liability and identity theft. The article talks about a contractor's laptop containing half a million records of private student loan information being stolen. The court ruled that since "reasonable" precautions had been taken, the loan company need not be held strictly liable for its customers' damages.

9 of 184 comments

  1. The number one reason companies lose lawsuits by geekoid · Score: 3, Informative

    is a failure to follow policy.

    Now the person suing the company needs to accuse the company of not following policy, and provide some sort of proof. Then the company can attempt to defend itself.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  2. With decisions like this, by zegebbers · Score: 3, Insightful

    these sorts of problems will only continue. Without any sort of accountability, why should companies care?

  3. Billions in damages by Anonymous Coward · Score: 3, Insightful

    And, yet, if the person who cracked/hacked/illegally accessed the same data were caught and brought to trial, the company would say that it suffered millions or billions in damages. Hmmm. Minor disconnect there.

  4. A reasonable man walked into a bar... by MrNaz · Score: 3, Informative

    This actually makes sense, as the tort of negligence is a civil matter and where a defendant's (in this case the loan company) actions are being assessed, the law requires the standards of "the reasonable man" to be used.

    Generally in cases such as this, the court will use the reasonable man test in a formulation which would likely sound like this: "would a reasonable man, in the position of the defendant with the same information and experience that the defendant can reasonably be expected to possess, have behaved in the same way".

    It then comes down to the court hearing evidence from members of industry and other witnesses or even amici curi (meaning "friend of the court", which is a person who offers evidence but is not called officially by the plaintiff or defendant, and excuse me but my latin spelling is not that good). The judge then decides if the defendant acted the way a reasonable man should.

    P.S., Yes I know the formulation of "reasonable man" is sexist, but hey, it's the law :P

    --
    I hate printers.
  5. Star Wars reference ahead...CAUTION.... by Clockwork+Apple · Score: 4, Funny

    "Apparently the mere existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data."

    It's as if a million Lawyers cried out and then were suddenly silenced.

    C.

    --
    "Doctor, it's not the voices I hear in MY head, but the voices I hear in YOUR head that really frighten me."
  6. subjectivity by commodoresloat · Score: 4, Insightful

    It's a totally subjective standard that's superficially imposed.

    Unlike the slashdot summary of the decision.

  7. Re:Too hard to make "iron-clad" rules by LordNimon · Score: 3, Interesting

    If I lose my laptop that has 18,000 valid email addresses stored in it, and somebody gets that data, should I be liable?

    Yes.

    Do you have any other stupid questions?

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  8. Absurd by blueforce · Score: 4, Insightful

    existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data.

    That's a ridiculous statement. I'm an applications manager and the company(ies) I work for are in the HR/accounting/BPO industries. I manage a team of software developers, designers, graphic artists, etc. to create BPO software. Our software processes, and we are custodians of, a lot of sensitive personal information. Nearly everything we make, implement, buy, or use affects the security of the data and applications. I spend a substantial amount of time discussing security and IP issues with our in-house counsel. The one question he *always* asks with regard to security is "What would be reasonable for us to do to protect the data? In other words, what would a company be required to do, within reason, to protect the data that we are housing?" There is no "correct" answer to that as it's highly subjective. What he always stresses to us is "Would I be able to convince a judge or a jury that the precautions we took were in line with accepted practices, and were they reasonable enough to protect the data?". In most cases, he relies on our (my) judgement to determine whether it's enough or too little. Security is such a subjective topic - there is such a thing as too much when people who need to can't access information, and of course there is such a thing as not enough.

    The real issue arises when determining what is reasonable. What's reasonable to a person whose HIPAA information is being stored might be absurd. Likewise, "reasonable" to a company might equate to "whatever we can afford," which may be far too little. It becomes a balancing act to reconcile the concerns of both sides to take what measures would be considered "reasonable" to protect the information in question. What's reasonable to protect a list of credit card numbers is far different than what's reasonable to protect a list of song titles. It's highly subjective and open to interpretation. The minute someone tries to legislate it and define "reasonable" is the minute someone else will find loopholes and ways around it. But to say "regardless of what that policy actually is" is just plain absurd.

    --
    If you do what you always did, you get what you always got.
  9. One decision does not the end of the world make by Infonaut · Score: 4, Insightful

    This was a US District Court case, at the lowest level of the federal judicial structure, and there are likely other decisions in other districts that may have come out differently.

    Furthermore, the facts in this case don't look terribly good for the plaintiff. As others have pointed out, in a torts case you need to prove a harm. From the decision:

    Brazos points out that the evidentiary record is completely devoid of any disputed facts indicating that Guin's personal information was actually on Wright's laptop at the time it was stolen, or that Guin's personal information is now in the possession of the burglar.

    The rationale for summary judgment in this case is clear, because the plaintiff can't provide any evidence of harm.

    The author of the SecurityFocus piece further muddies the waters by giving it the title "Strict liability for data breaches?" Strict liability is imposed in torts cases for activities that are abnormally dangerous. The case in question was purely about negligence.

    Most court cases are very fact-specific, and in this one the facts were such that the law of torts gunned down the plaintiff. It wasn't the specifics of statute, but the plaintiff's inability to prove he'd been harmed that doomed the case. Imagine if in order to win a torts case, you didn't have to prove that you had been harmed. Even emotional harm cases require some actual evidence of damage to the plaintiff. What if you were a sysad and someone in the office where you work claimed you had illicitly entered their computer and taken their private information, but they had no proof. Would you want your accuser to prevail?

    --
    Read the EFF's Fair Use FAQ