Slashdot Mirror


Judge Tosses Class Action Over Michaels Data Breach Citing Lack of Damages (digitalguardian.com)

chicksdaddy writes: Data breaches have become so common that they've taken on a kind of formality. One of the phrases that often accompany such incidents goes something like this: "[Company X] has no evidence that any of the stolen information has been used inappropriately." Or you might read that "there is no evidence of fraud linked to the stolen data." Such assurances are generally interpreted as wishful thinking. But when courts are asked to weigh in on the question of damages resulting from cyber incidents in civil suits, the question of what harm resulted from the incident is very different – and very real. To put it simply: if nobody can prove harm resulting from a cyber incident, a company can't be held liable for those damages.

That fact was underscored again late last month, when a federal judge in U.S. District Court for the Eastern District of New York dismissed a class action suit against arts and crafts giant Michaels Stores that was filed in the wake of that company's widely-reported data breach. As part of her ruling, the judge, Joanna Seybert, cited a legal precedent set by the recent Supreme Court ruling in "Clapper v. Amnesty International," concluding that the plaintiffs hadn't proven that any harm resulted from the Michaels breach. "Simply put, Whalen has not asserted any injuries that are 'certainly impending' or based on a 'substantial risk that the harm will occur,'" Seybert wrote in her decision, referring to Mary Jane Whalen, the Michaels customer in whose name the class action suit was filed. "Thus, Whalen's claims are DISMISSED WITHOUT PREJUDICE for lack of subject matter jurisdiction," Seybert concluded.

This isn't to say that Whalen or other Michaels stores customers were not the target of fraudsters. In fact, Whalen's attorneys presented evidence that her stolen credit card (or a clone of it) was presented for payment fraudulently in Ecuador: at a local gym and at a venue that sold concert tickets. But regulations in the U.S. exempt consumers from paying the cost of credit card fraud, and Whalen wasn't asked to pay any unreimbursed charges as a result of the fraudulent use, the court noted. Whalen's other attempts to establish "costs" associated with the breach were also disregarded. They included the cost of credit monitoring services and the cost (in time and effort) to obtain replacement cards, the intrinsic value of her credit card information and the risk of future fraud tied to the theft of her credit card data.

138 comments

  1. Court was right by vux984 · · Score: 4, Insightful

    The court was right in my opinion. The breach is bad, but showing concrete material damages (outside of copyright infringement suits) is a usual requirement. If the plaintiffs couldn't show they were harmed, Michael's doesn't need to make them whole.

    There is still potential for various other types of lawsuits to succeed; PCI compliance, or criminal negligence, etc.

    1. Re:Court was right by vux984 · · Score: 2

      Sorry to reply to my own post, but for example the credit card companies CAN show direct harm, and could potentially sue Michael's for damages (or just fine them through the existing contractual agreements) for any losses they incurred as a result. (And that goes back to my earlier comment about PCI compliance penalties, etc).

    2. Re:Court was right by fsckinhippies · · Score: 1

      That is outside of this suit. You are correct in both of your postings however and we can hope that the processors roll the shit downhill

    3. Re:Court was right by Wootery · · Score: 4, Interesting

      The broader question is whether this is how it should be.

      With the law as it stands, companies aren't well motivated to prevent breaches. They lose a bit of face, but that seems to be all.

    4. Re:Court was right by Anonymous Coward · · Score: 0

      I think it is fair, but I see it as a given instead that credit card companies or their insurers have standing to sue in place of individuals. People might decide to not support Discover cards in their store out of spite from being sued, but I don't think anyone would stand in the way of Visa if they took them to court.

    5. Re:Court was right by KGIII · · Score: 2

      Hmm... Has anyone tried asserting that the loss of personally identifiable data (or even financial data) are, in fact, enough to be harmful in and of themselves? Add to that the loss of financial information - even if no direct financial harm has come, is both stressful and a loss of privacy as well as requiring one to take action - and, it seems to me, there's a good, viable, justification for standing.

      The demonstrable harm would be, in those cases, the concern, the loss of data, and the need to take action as well as remain vigilant. They are actual, viable, impacts and are certainly not absolved away by saying that there is no standing. Yet, strangely, in all the cases that I've looked at - nobody seems to have really argued this. Those are truly demonstrable harm. If they had to change one password, cancel one credit card, or even worry in the slightest then they have been harmed.

      I'd also like to think the credit issuers would have cause. Even better, it's a civil matter so the burden of proof is much lower (things like jurisprudence and preponderance of evidence) so I'd think that harm could be shown and a finding for the plaintiff fairly easy to come by. Yet, strangely, I have read a few (not this particular case) and nobody has seemed to argue this. Even just the slightest of action, just one extra step, just one worry - is harm...

      Two things...

      I'm not normally sue-happy and think many civil cases end up being just plain silly but this matter has been going on for a while and there haven't been many meaningful repercussions handed down. Setting precedent might be nice - I'm not suggesting that the defendants should owe hundreds of millions of dollars because someone had to lock their credit down.

      I am not, by any means, a lawyer but I have spent some time in court, read a bunch of findings, briefings, etc, and try to spend some time just going to the courts and observing them because I feel that such is my duty. The courts are our easiest to access branch of the government if we want to make changes. I observe the courts, as I feel it is my duty, and if I find a problem then I use my freedom of speech/press to make others aware of this problem (perhaps like this post) and firmly believe that this is a part of the social contract that we citizens have failed to uphold.

      As Wootery says below my post - is this how it *should* be? As near as I can tell, there was harm. It may be minimal harm but that's for a jury to decide. They should have standing and they should be allowed their day in court. I think this can be appealed (the finding of no demonstrable harm) and a higher court might decide they have demonstrated harm and thus have standing and chuck it back down for them to actually put it in front of a jury.

      Someone has to set precedent so that when really bad things do happen there is recourse for the victims. I have a notice that says my data was, indeed, in the OPM hack. I have a lawyer on retainer. I should have him look into it - it might be kind of fun, I could even present it myself with, of course, counsel to assist. Unfortunately, I've a very busy year coming up. Still... Someone's gotta try making a reasonable argument to the judges and, from what I've seen, they're not really giving the judge reason to believe there's harm. I'd argue that differently or, more accurately, ask a lawyer and see if it's a viable option to argue it differently.

      Thoughts? There are a couple of lawdogs here. raymoris perhaps?

      --
      "So long and thanks for all the fish."
    6. Re: Court was right by Anonymous Coward · · Score: 0

      Quite to the contrary, the vendors processing costs go up significantly if they have a breach.

    7. Re:Court was right by tsotha · · Score: 1

      I'm not a lawyer, but I believe "dismissed without prejudice" means they can re-file later. Presumably after being able to document harm.

    8. Re:Court was right by Bing+Tsher+E · · Score: 1

      I would like credit issuers to have a due diligence responsibility. A SSN and a few other personal identifying pieces of info is not a 'confidential key' that they should be using to grant credit. It shouldn't be possible for identity thieves to attain such value from such information.

      The SSNs of all citizens should be a matter of public record.

    9. Re:Court was right by phantomfive · · Score: 1

      "dismissed without prejudice" means they can re-file later.

      Yes (though it might be a ~$250 court filing fee)

      --
      "First they came for the slanderers and i said nothing."
    10. Re:Court was right by KGIII · · Score: 1

      The more I think about it, the more I think they don't want to. As I understand it, they are able to push most fraudulent charges onto the merchant. I also understand that the SSN was never, ever, meant to be something confidential or used as something confidential. I'm not sure how it ended up that way? Perhaps someone has some insight...

      So, I'm inclined to agree with you based on the things that I believe to be true. It might add some cost to them but, frankly, there should be a better way. Heh, later in this thread - I mention some of the things that can happen if you steal my ID. It's not exactly hard to fake a social security card and a birth certificate. Back home, I have an official seal and gold foil to use with the seal. I think it cost me about $50 for the kit. (I'm a Notary Public - it's a long story but some friends wanted me to marry them and I wanted to make sure everything was done properly.)

      It didn't take one shard of evidence to get the official stamp. You can EASILY get a birth certificate to copy. Social Security cards haven't changed in years. I don't even know how to use GIMP worth a damn and I bet I can bang that out in a couple of hours. I've even got appropriate paper qualities to print on.

      So, yes. I concur... There really should be some method of authentication and, for once, that damned method should be kept safe. Err... I feel a rant coming on so I'm gonna stop now. Yes, I'm going to stop while I'm ahead and just go bug the missus for a while. Well, after I check one more post. :/

      --
      "So long and thanks for all the fish."
    11. Re:Court was right by mwvdlee · · Score: 1

      Credit card companies pass on most of the cost to the shops and stores where the stolen credit cards were used.
      They take back the money and keep the processing fees.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    12. Re:Court was right by mwvdlee · · Score: 1

      Just take the judges' credit card and personal information, use it to buy loads of expensive stuff, narcotics and subscriptions to perverse sex sites, then after the judge is done dealing with the credit card company to get the situation corrected just say "no harm done".

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    13. Re:Court was right by Anonymous Coward · · Score: 1

      The court was right in my opinion. The breach is bad, but showing concrete material damages (outside of copyright infringement suits) is a usual requirement. If the plaintiffs couldn't show they were harmed, Michael's doesn't need to make them whole.

      There is still potential for various other types of lawsuits to succeed; PCI compliance, or criminal negligence, etc.

      I disagree with you. Let me give you an example on a different topic, which I think illustrates the problem well.

      When the lung issues associated with asbestos started to become apparent, many people in the building industry who were affected tried to sue their employers for the damage caused to their bodies while doing their jobs.

      But most of them found that they could not get anywhere with this because they had had multiple employers over their careers, and legally even though the damage was obvious, it was impossible to determine which employer had caused it. In fact, all the employers were liable because the effects of asbestosis are cumulative, but there wasn't a legal way for them to share the blame. It took a number of years for the law to change to allow these cases to be heard, by which time a lot of those affected had died.

      How does this relate to data leaks? Well I hope it's obvious, but in case it isn't: We are seeing so many data leaks happening these days that even where there is clear and obvious damage (eg card fraud, etc), it can often be virtually impossible to show exactly which data leak it was caused by.

      So yes, the judge has a point that there is no damage that can be attributed to this case. But that shouldn't be the point; the hackers may not even have got any card details from this hack. But if they got other details that help them make further attacks then ultimately the original hacked site should share some blame for the cumulative effect.

    14. Re:Court was right by shawn2772 · · Score: 1

      The broader question is whether this is how it should be.

      With the law as it stands, companies aren't well motivated to prevent breaches.

      Maybe, but it makes sense that the party who is actually harmed is the party who has standing to sue. Who was harmed? The issuers of the credit cards (which is banks, mostly) and the merchants who accepted payments made with the stolen cards. Mostly the latter.

      So, really, it should be all of the merchants who got ripped off who should band together and sue Michaels. But they won't because not only are lawsuits a pain, but if they did they'd establish a precedent which might someday place them in the crosshairs of such a suit.

      The real solution, though, is not to find ways to motivate merchants to properly secure their databases of credit card numbers, but to get rid of theft-prone credit card numbers entirely. Technology provides many better options for conducting credit transactions. Using them requires work on the part of both banks and other credit card issuers and merchants.

    15. Re:Court was right by Ash-Fox · · Score: 1

      Just take the judges' credit card and personal information, use it to buy loads of expensive stuff, narcotics and subscriptions to perverse sex sites, then after the judge is done dealing with the credit card company to get the situation corrected just say "no harm done".

      It's an annoyance, but getting transactions reversed, new card issued etc. isn't exactly going to take more than maybe a 15 minute phone call. Outside of that, I don't really see the judge going further than that. So, what is your point exactly?

      --
      Change is certain; progress is not obligatory.
    16. Re:Court was right by oh_my_080980980 · · Score: 1

      She did. Her credit card was used in two instances. The fact that the credit company would eat those charges - changes nothing. The card was fraudulently used. But I love how we have other laws and legal actions that corporations can claim damages they might occur - but haven't - and judges award them damages.

    17. Re:Court was right by oh_my_080980980 · · Score: 1

      Really? Kind of depends where you use the credit card and how many systems you have to update, not to mention you need to worry what other things they are doing, like identity theft.

    18. Re:Court was right by Anonymous Coward · · Score: 0

      > (or just fine them through the existing contractual agreements)

      Citizens cannot fine fellow citizens, even by contract, and such a clause in a contract is unenforceable. Stop spreading ill-informed disinformation. http://www.adamsdrafting.com/a...

    19. Re:Court was right by Ash-Fox · · Score: 1

      Really? Kind of depends where you use the credit card

      Such as?

      how many systems you have to update

      I am a big credit card user (I pay for 'expensive' hotels, taxis, flights, trains etc on a weekly basis) and I have 6 things I pay with my credit card a month through automated means (subscription or billing systems). Anecdotally, I've lost my wallet twice in my life-time and both times, it was relatively painless to get it sorted quickly. I'm just not seeing the issue?

      not to mention you need to worry what other things they are doing, like identity theft.

      Why wouldn't you be worrying before? That's an absurd approach in today's world. I have credit report alerts set up, identity theft notification etc. despite the fact I have /never/ had a breach.

      --
      Change is certain; progress is not obligatory.
    20. Re:Court was right by hey! · · Score: 2

      Yes, showing concrete damages is the usual requirement, so the judge is technically correct which he has to be. But that doesn't mean that the plaintiffs haven't been harmed. People don't steal private information to do harmless things, and exposure and the uncertainty that comes with it inflicts harm as well -- we just can't precisely quantify that harm.

      The legal system in effect sets a conventional amount to the value of harm it knows happened but can't quantify, and that value is $0. And that's arguably the right general convention to use; it keeps the courts from being clogged with speculative lawsuits. But it doesn't mean that it's the right conventional amount in these kinds of situations. In effect Michaels gets off with simply having to do what it ought to have been doing all along; it shifts the risk of its practices onto its customers, and we know from economics that risk has real monetary value. This is to say nothing of the distress and time the uncertainty over exposure costs the customers.

      So $0 in this case is quite demonstrably unjust, even if we can't put a precise dollar figure on that injustice. Fortunately there's a solution to this: the legislature can set a conventional amount of damages for a particular kind of situation that is greater than $0; this is called "statutory damages". This amount should be set, not necessarily to cover all the potential damages suffered by victims, but at least to force companies to bear some of the financial risks of their sloppy practices. Let's say we set the amount of statutory damages at $20; not much from the victim's standpoint I know. Multiply that by three million customers, and we're talking sixty million dollars. That's a lot of money, well worth hiring some security experts to audit your system to avoid, but according to Michael's most recent 10Q they have over a billion dollars in current assets that could be liquidated to cover that sixty million; in fact fifty million of that is in cash.

      So clearly it is possible to set statutory damages at a level which will strongly incentivize companies to act more responsibly without destroying them financially over speculative damages.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    21. Re:Court was right by phorm · · Score: 1

      Define harm.
      I've been part of a few class actions where vendors colluded on the cost of hardware (monitors, RAM, etc) to inflate the price, and received a cash settlement.

    22. Re:Court was right by flink · · Score: 1

      The court was right in my opinion. The breach is bad, but showing concrete material damages (outside of copyright infringement suits) is a usual requirement. If the plaintiffs couldn't show they were harmed, Michael's doesn't need to make them whole.

      There is still potential for various other types of lawsuits to succeed; PCI compliance, or criminal negligence, etc.

      This is why we need statutory punitive damages to make companies liable for these kinds of breaches. Otherwise they have no incentive to protect your data. The harm done by all these leaks just becomes an externality. The only way we are going to get corporations to protect the data they are entrusted with is if they have a financial interest in doing so.

    23. Re:Court was right by Anonymous Coward · · Score: 0

      Hmm... Has anyone tried asserting that the loss of personally identifiable data (or even financial data) are, in fact, enough to be harmful in and of themselves? Add to that the loss of financial information - even if no direct financial harm has come, is both stressful and a loss of privacy as well as requiring one to take action - and, it seems to me, there's a good, viable, justification for standing.

      Exactly. You have ambulance-chasers claiming "stresses/depression from being part of a road accident" despite not being physically hurt. They sometimes win damages against whoever caused the accident. This is similar: "someone has my credit card number, name, SSN, ..., I must continuously look out for identity theft, it is depressing, I get headaches, I have problem working, ..."

    24. Re:Court was right by Anonymous Coward · · Score: 0

      It's an annoyance, but getting transactions reversed, new card issued etc. isn't exactly going to take more than maybe a 15 minute phone call. Outside of that, I don't really see the judge going further than that. So, what is your point exactly?

      Having just done this I can say, "Bullshit!" The 15 minute phone call was just a start. And 15 minutes of my time wasted is a cost. Then they sent me a three page form. Why three pages? Well, they wanted my address. Yes, the address they mailed the form to.

    25. Re:Court was right by vux984 · · Score: 1

      My card has been compromised twice in the past two years. The first time the bank caught it, before the transactions even showed up on my online banking, they called me and couriered me a new card.

      Second time, I noticed the charges, called them, they made a list of the fraudulent items, reversed them, and I had a new card in 24 hours.

      I had to update my saved card information with a few subscription services like netflix. Am I really going to sue someone because I had to do THAT?

      use it to buy loads of expensive stuff, narcotics and subscriptions to perverse sex sites

      If that ACTUALLY happened, then sure HE had been harmed for some quantifiable amount, but he still has to connect it to the Michaels leak... who knows maybe his card was stolen from somewhere else too.

      And it's just him, not a class action.

      Not unless everyone who had their cards stolen in the Michaels breach all were subscribed to perverse sex sites and purchased narcotics and had to deal with all of that. But that didn't happen.

    26. Re:Court was right by dunkindave · · Score: 1

      "dismissed without prejudice" means they can re-file later.

      Yes (though it might be a ~$250 court filing fee)

      What district are you in? In mine, the filing fee is $400. (I know, I have filed suits in federal court - and won)

    27. Re:Court was right by Anonymous Coward · · Score: 0

      Then there is a market for stores to buy data theft insurance, or the stores are already paying for it, but the issue is subsequent purchases, like those out of nation. Does a company like Visa do the same in all other countries?

      Honestly, with that response, I'm thinking that the system setup already might be the best possible. Could get better if they had something like an SMS or app check at time of purchase for odd purchasing behavior, but my imagination is apparently lacking if stores are already punished financially for their screw ups in an automated manner.

    28. Re:Court was right by Ash-Fox · · Score: 1

      Having just done this I can say, "Bullshit!" The 15 minute phone call was just a start. And 15 minutes of my time wasted is a cost. Then they sent me a three page form. Why three pages? Well, they wanted my address. Yes, the address they mailed the form to.

      Why has that never happened to me when I cancelled cards, nor when I reversed transactions?

      --
      Change is certain; progress is not obligatory.
    29. Re:Court was right by rsborg · · Score: 1

      Exactly.

      And in the case of breaches, when the company (in my case Tmobile) automatically signs you up for credit protection for X months, then the credit monitoring agency (Experian) decides to start billing you for $40/month because your "freebie" is over - when I'd never have needed the monitoring (or even wanted it), it just feels like I'm being made a victim because I was previously victimized.

      Is that damages enough?

      --
      Make sure everyone's vote counts: Verified Voting
    30. Re:Court was right by Anonymous Coward · · Score: 0

      Of course it might be years before individuals can prove that their identities were stolen or their identities might not be stolen for years based on data released in the wild by Michael's data breach. Once again the courts proving they don't understand how things work in the real world.

    31. Re:Court was right by Anonymous Coward · · Score: 0

      My father used to tell me the story that when SSN's were issued his boss told him that it was an ID number that only his boss and the federal government would have, so he could be sure that his retirement was safely there for him when he got ready for it.
      He told me at the time he knew it was BS. Social Security was just a legal Ponzi scheme, and the federal government couldn't keep nuclear design secrets from the Soviets, so how could they keep hundreds of millions of numbers available to tens of millions of employers and thousands of government workers secret?

    32. Re:Court was right by Anonymous Coward · · Score: 0

      This is a common myth. When a person gets reimbursed for a fraudulent charge, as long as the store follows their merchant agreement and the transaction is approved, the store gets paid for the transaction. Stores are not required to check identification or the signature, in fact the merchant agreement prevents this. The only other way a merchant would not get paid for a purchase would be if they were involved with the fraud. This means the card issuer is the one that assumes the direct cost of the fraud.

    33. Re:Court was right by macs4all · · Score: 1

      Hmm... Has anyone tried asserting that the loss of personally identifiable data (or even financial data) are, in fact, enough to be harmful in and of themselves? Add to that the loss of financial information - even if no direct financial harm has come, is both stressful and a loss of privacy as well as requiring one to take action - and, it seems to me, there's a good, viable, justification for standing.

      Standing, maybe; damages, not so much.

      It's just like the cruel facts in a Wrongful Death suit: Unless you are a breadwinner with minor children to support, your heirs have next to zero chance winning damages because "Life isn't in itself, worth anything".

      Now there is an argument for "loss of consortium"; but that is kind of a tough row to hoe, unless the deceased is your spouse. Even then, it isn't so much of a cash-register-ringer, either.

    34. Re:Court was right by macs4all · · Score: 1

      I would like credit issuers to have a due diligence responsibility. A SSN and a few other personal identifying pieces of info is not a 'confidential key' that they should be using to grant credit. It shouldn't be possible for identity thieves to attain such value from such information.

      The SSNs of all citizens should be a matter of public record.

      WRONG!

      The SSNs should STOP BEING USED FOR IDENTIFICATION. They really aren't SUPPOSED to be; but every single damned database seems to think it MUST store an SSN, and every single Utility, Credit Card co, etc, seems to think that it is the best thing since the invention of the birthdate for IDENTIFICATION.

      In fact, my original SS Card said in big, bold red letters at the bottom: "For Social Security and Income Tax Purposes Only - Not For Identification". See Question 21 in this FAQ. What's curious is that they apparently didn't bother to actually change the SS CODE, so SSNs are still NOT supposed to be used for Identification, period!

      Yet Here. We. Are.

    35. Re:Court was right by vux984 · · Score: 1

      So what is this then, exactly?

      Noncompliance Fines- The consequences of not being PCI compliant range from $5,000 to $500,000, which is levied by banks and credit card institutions. Banks may fine based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines. The following table is an example of a time-cost schedule which Visa uses. [...]

      http://www.focusonpci.com/site...

    36. Re:Court was right by KGIII · · Score: 1

      Yeah, as mentioned - I don't imagine it will amount to much per individual but, in aggregate, it may mean something. Then, with standing, we can get precedent. If we can get precedent then we can work on things like class actions. It still doesn't mean a whole hell of a lot for the individual but it *might* mean more appropriate levels of accountability for those who failed to keep the data secure.

      It is not, by any means, ideal. However, it's a possibility. The damages may be small and that's okay as they add up if enough people are harmed. We just need to get them to accept that the damages might be minimal (but so aren't things like emotional harm) but that they truly exist. Then we just need to get it in front of a jury and have a pretty girl cry about how it ruined her life. A few days of testimony like that and we might get a precedent. Might... :(

      --
      "So long and thanks for all the fish."
    37. Re:Court was right by macs4all · · Score: 1

      If we can get precedent then we can work on things like class actions. It still doesn't mean a whole hell of a lot for the individual but it *might* mean more appropriate levels of accountability for those who failed to keep the data secure.

      Class-Actions only do 2 things:

      1. First and foremost, they enrich both sides' legal teams

      2. They cause the Offender to increase the cost to the Consumer to pay for the Damage-Award

      Nothing more. The actual Aggrieved Party (hereinafter, "Individual") is lucky to get a coupon for a free medium fries. But usually what happens is that EVERY Individual ends up paying the Damage Award.

      Case in point (no pun) : The Tobacco Industry Settlement. A pack of name-brand Cigarettes in my State (Indiana) before the Tobacco Class-Action was in the neighborhood of $2. IMMEDIATELY after the Settlement, Cigarette prices SOARED to $5 to $7.

      So, were the Tobacco Companies PUNISHED by the Class-Action; or was it simply the Individuals?

    38. Re:Court was right by david_thornley · · Score: 1

      You seem to believe in the "pass the costs on to the customer" nonsense. In fact, if the companies could raise their prices to make more money, they would. The main reason they don't is that they'd lose sales volume, and that would be enough to reduce profits. It could be that the tobacco companies had decided they'd make more money jacking up the rates, and used the settlement as an excuse.

      Fines and settlements and stuff lower the value of a company without allowing the company to make any more money than it could have earlier, so they hit the stockholders and investors.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    39. Re:Court was right by david_thornley · · Score: 1

      If you're filing a class-action suit, the filing fee is peanuts compared to what you will pay the lawyers.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    40. Re:Court was right by david_thornley · · Score: 1

      Was this done to any of the people in the class action suit? Do drug pushers even take credit cards? If it's just expensive stuff and subscriptions, I can challenge the transactions and get a new card number in less than a week. I find it very annoying to change cards, but I couldn't total up enough damages to warrant filing in small claims court.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    41. Re:Court was right by KGIII · · Score: 1

      They also seem to think that the raising of prices of an *addictive* substance is somehow similar to others. I'd also be surprised if a good amount of that increase was not actually for taxes. I don't smoke cigarettes but I do smoke cigars. They had signs up in the shops that had the actual text of the tax increases that were being applied to tobacco products when this happened, I remember this quite clearly.

      Ah well, he's a Mac fan - 'snot like you can trust him to be rational. ;-)

      Oddly enough, my cigars had very little change in pricing - and this is the important part - even though they were also included in the lawsuits. The taxes weren't raised on cigars or pipe tobacco. I sometimes enjoy a pipe but not very often and usually only when I drank did I smoke a pipe. The two go hand-in-hand for me and I don't drink any more (as a general rule - I sometimes allow myself to have two, but no more than two) so I don't really smoke a pipe much any more. I kind of miss it but it just feels awkward to not be sipping a whiskey or rum with an ice cube while smoking a pipe.

      At any rate, the taxes did not go up, where I was, at that time. Cigarette prices had the giant increase. I think the taxes on cigars went up a nickel while the first tax increase on cigarettes (I was in NC at the time so it was pretty low compared to elsewhere) was $1.25/pack. The taxes on cigarettes is something like 75% of the price IIRC? I imagine I could look it up and it will vary by State but I'm just going off memory from what someone repeated in the tobacco store.

      Meh, a quick Google indicates that the Federal tax is a little over $1 and the NY State tax is another $4.35 but Google indicates that's the highest. I think it's something like an additional $3.50 in Maine but I'm not a cigarette smoker so I don't really pay attention and I have done all the research I'm gonna do on this topic.

      Ah well, hopefully he sees this reply. I'm kinda lazy tonight.

      --
      "So long and thanks for all the fish."
    42. Re:Court was right by cemulli · · Score: 1

      I would be more inclined to say that the court is right with the law as it is now if the dismissal had been based on standing and a lack of injury. That's well established. With this reasoning for dismissing based on SMJ, only provable identity theft would ever be actionable from the perspective of the consumer whose information was lost. For anything short of that, class actions are utterly useless. A breached company will only have to answer to credit card companies and banks instead of to each person that had their information stolen. And I really don't like this outcome because it takes all of the harm and injury from information insecurity that courts don't yet recognize, and jettisons those ideas in favor of making data breach litigation into a battle between deep pockets. The rich get richer, the rich's lawyers get richer, and consumers get left out of every major decision pertaining to how their personal and financial information will be treated if they want to stay plugged in to modern society.

    43. Re:Court was right by david_thornley · · Score: 1

      Vendors of various sorts like to show tax increases or whatever when they raise prices, because there is often some resentment, and they want to defuse that.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  2. Judges by Anonymous Coward · · Score: 0

    I think we should toss judges due to lack of usefulness

    1. Re:Judges by sabbede · · Score: 1

      The justice system can't exist without them. Otherwise, we'd just have lawyers yelling over each other at a jury.

  3. Took up half my screen, by Anonymous Coward · · Score: 0

    Longest summary ever.

  4. Time is Money by CptChipJew · · Score: 0

    What about all the time the credit card owners have to waste getting a new card and updating all of their vendors, services, etc. If the business is responsible for the credit card data being stolen, and I lose 12 hours of my time dealing with that, then that's "damage", and I deserve to be reimbursed for my time.

    --
    Vonal Declosion
    1. Re:Time is Money by despe666 · · Score: 1

      Twelve hours? How many vendors and services do you deal with? Except for the minor inconvenience of being with a credit card for a few days, there's not much work involved. You update the obvious ones and the ones you forgot about will come running when their payment gets declined.

    2. Re:Time is Money by Anonymous Coward · · Score: 0

      Lawyers would not even take on a case for small damages like that

    3. Re:Time is Money by CptChipJew · · Score: 1

      Sure, and the last time this happened to me, and I forgot to update my satellite provider, a promotion was taken away from me because a payment became late. Again, it doesn't matter if it takes 30 seconds to deal with this. Any amount of time spent greater than 0 is an inconvenience and this should not go unpunished. I think the logic is pretty clear...

      --
      Vonal Declosion
    4. Re:Time is Money by phantomfive · · Score: 1

      Twelve hours? How many vendors and services do you deal with? Except for the minor inconvenience of being with a credit card for a few days, there's not much work involved

      It's easy for you, if you've already gone through it, and know what to do. If you have to research it, then it's going to take longer.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Time is Money by Frosty+Piss · · Score: 1

      I just called you a WAAAAAAAAAAAAMBULANCE. Should be arriving shortly.

      --
      If you want news from today, you have to come back tomorrow.
    6. Re:Time is Money by Pseudonym · · Score: 1

      That's one of the purposes of class actions. If a large number of people were each hurt a little, that's a lot of hurt.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    7. Re:Time is Money by Bite+The+Pillow · · Score: 1

      Then make a case. I could file a lawsuit against you for being ignorant, but that doesn't mean it has merit.

      Likewise, either test your legal acumen in the arena, or stop having brilliantly stupid ideas in the internet.

      I spent time typing this, you owe me money. I'll settle for $100 BTC.

    8. Re:Time is Money by despe666 · · Score: 1

      How much research do you need to do? This is all common sense. Credit card gets stolen. Number is not good anymore. Service providers need new number.

    9. Re:Time is Money by KGIII · · Score: 1

      I was doxxed about eight years ago (before it had a name, really). I've kept the 'do not issue credit' flag enabled at the reporting bureaus ever since. It's pretty good protection but a pain in the ass if I did want credit for something - and I do actually have a few credit cards for the benefits they give me but it's a hassle to get the information, make the calls, specify the lender, and enable them to run a check. Usually, I just use a debit card on a separate account and push money into that separate account as needed.

      However, I'd my mail sent down to me over the holidays and inside was a fairly nondescript envelope (the standard tear open at the perforations type) that informed me that my data was, indeed, part of the OPM hack. (Thanks to another Slashdotter who was kind enough to clue me in on what to look for, it was eventually found though it looked like one of those fake things that tells you that you might win a car - sans fake key in the envelope.) Now, my credit is locked down and all so credit monitoring is of absolutely no benefit to me and I've no other way to ensure my information isn't being misused somewhere else.

      Give me a couple of hours and I can figure out GIMP well enough to make a birth certificate and SSN. How the hell do I know that I'm not out somewhere getting speeding tickets in areas I've never even visited? In many areas they don't even do credit checks to hook up utilities. There are still lending agencies who will ignore the credit ratings/do not issue flags and give you a credit card - it might be prepaid at first but they'll go ahead and increase it after a while.

      That doesn't even remotely cover some of the worst things a creative person could think of now that they've got all that information compiled. I am less than impressed. I'm also fairly helpless and have little/no recourse. For all I know, I'm smuggling drugs across the border into AZ right now or poteen out of Canada! Worse, I could be in Vermont and getting ready for sap season and planning on smuggling VT maple syrup into Canada to mix in with the local syrup as part of the VT Maple Syrup Cartel! You can go to prison for that sort of stuff!

      Do you have any idea what they do to people who tamper with maple syrup in Canada? They'd probably make me root for the Edmonton Oilers and go curling! Worse, I don't even speak French and I prefer Maine's maple syrup! I'd be caught up in the web of deceit known as the Golden Syrup Triangle and not even have managed to get any pancakes out of the deal. They might even force me to use that "pancake syrup" that comes in a bottle shaped like an old woman. No, I don't think I could live like that - and all because OPM failed to keep my data secure or, you know, delete it because they didn't need it some 15 years later.

      I don't even really like hockey.

      --
      "So long and thanks for all the fish."
    10. Re:Time is Money by Anonymous Coward · · Score: 0

      So what you're saying is you're incompetent and don't know your own finances... Got it.

    11. Re:Time is Money by Anonymous Coward · · Score: 0

      I've had my credit card number stolen. Research was 5-10 minutes. Filling out the forms was another 5-10. When I got the new card, updating places that used the card for payments was yet another 5-10. If it takes you more than 10 minutes to figure out what to do, you are either a moron and shouldn't be buying things online, or you have a shitty bank/credit union that makes it difficult to find the information.

    12. Re:Time is Money by phantomfive · · Score: 4, Insightful

      I've had my credit card number stolen. Research was 5-10 minutes. Filling out the forms was another 5-10. When I got the new card, updating places that used the card for payments was yet another 5-10.

      So that's 30 minutes of lost time for you (genius that you are, you do it quickly)........multiply 30 minutes of lost time by several million people and you have the kind of damages that class action lawsuits were created for.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:Time is Money by Anonymous Coward · · Score: 0

      It's a lot like cancer where it's 30 minutes of your time if you catch it early but the longer it goes the more pain and suffering you will incur.

    14. Re:Time is Money by Anonymous Coward · · Score: 0

      What's your major malfunction?

    15. Re:Time is Money by Anonymous Coward · · Score: 0

      Yeah, cause everybody is a moron except you, Asshole.

    16. Re:Time is Money by phantomfive · · Score: 1

      The plaintiff tried that argument. Here is what the judge said in response:

      Whalen also argues that she has standing because she lost time and money associated with credit monitoring and other mitigation expenses. (Pl.’s Opp. Br. at 8.) But the Supreme Court has dismissed this type of argument, explaining that plaintiffs “cannot manufacture standing” through credit monitoring. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1151, 185 L. Ed. 2d 264 (2013). “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Id.

      That conclusion rings especially true here where Whalen cancelled her affected credit card. See Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-CV-4787, 2014 WL 7005097, at *3 (N.D. Ill. Dec. 10, 2014) (“[T]here is no reason to believe that identity theft protection was necessary after [the plaintiff] cancelled the affected debit card.”). Thus, these allegations are insufficient to confer standing.

      The judge's argument here seems weak to me. In Clapper v Amnesty, the credit monitoring was somewhat speculative. In this case, when you know your personal information has been stolen, it is best practices. Also, the judge completely ignored the time wasted cancelling the credit card. You can read it yourself.

      As someone else mentioned, I'd think the fact that the credit card number was demonstrably given to a criminal is already prima facie evidence of harm. If I stole your credit card, handed it to the nearest homeless person and told him, "have fun with this," that would be some clear harm, even if the CC company reimbursed me.

      --
      "First they came for the slanderers and i said nothing."
    17. Re:Time is Money by thegarbz · · Score: 1

      .......multiply 30 minutes of lost time by several million people and you have the kind of damages that class action lawsuits were created for.

      I smell a class action lawsuit against Big Brother and other reality TV shows on the horizon.

      But time is not a tangible loss unless you can show that it directly impacted your earnings. I.e. were you forced to do it during work hours and you receive monetary compensation by the hour with no alternative form of recourse (such as billing to a blanket overhead account).

      Seriously if I could sue for every time my time was wasted there would be no companies, no government road maintenance, infrastructure would fall apart, but on the up side one would hope there'd be a lot less shit on TV and the radio as a result.

    18. Re:Time is Money by Anonymous Coward · · Score: 0

      Again, it doesn't matter if it takes 30 seconds to deal with this. Any amount of time spent greater than 0 is an inconvenience and this should not go unpunished. I think the logic is pretty clear...

      Your post has cost me more of that, but I didn't have to respond.
      No-one is forcing you to spend the time to get a new credit card. You can decide to not have a credit card if you want to.
      Sure, it would be nice to be able to bill someone for time spent on getting something you don't need, but why should anyone?

    19. Re:Time is Money by Anonymous Coward · · Score: 0

      And i just called you a WHAM!BULANCE. The cleaner should arrive shortly after to sanitize the scene. Either that or George Michael is gonna serenade you...

    20. Re:Time is Money by oh_my_080980980 · · Score: 1

      So what you're saying is you're an ass-hole - got it.

    21. Re:Time is Money by oh_my_080980980 · · Score: 1

      Open mouth insert foot.

    22. Re:Time is Money by Anonymous Coward · · Score: 0

      No offense intended, but you don't know what you're talking about. I've been through identity theft -- soup to nuts it took about 9 months to get cleared up. Actual hours were probably around 70-80. There's letter writing to each creditor, the police report, and researching the items on your credit bureau to see who the _real_ vendor is. Mine was a relatively simple one at that, none of the charges had gone to collections and there were no false judgments or bench warrants against me. Hiring an attorney who is versed in multiple state laws is extremely expensive (a stolen id can be used to obtain a DL in another state; say a ticket is issued against such license, and the failure to appear results in an extraditable arrest warrant - you can see what I mean). Judges in other states do not accept a simple phone call from the victim saying "It wasn't me, your Honour." You have to appear and prove it wasn't you. Yeah, nuts like you (again, don't be offended) are part of the problem - do some proper research before blowing off someone's misfortune as a 5-minute ordeal.

      The judge was wrong.

      CAP === 'peephole'

    23. Re:Time is Money by Anonymous Coward · · Score: 0

      What about all the time the credit card owners have to waste getting a new card and updating all of their vendors, services, etc. If the business is responsible for the credit card data being stolen, and I lose 12 hours of my time dealing with that, then that's "damage", and I deserve to be reimbursed for my time.

      This is entirely correct.

      More formally, the right to not have a portion of one's life stolen (through negligence on the part of a business, or by other causes) is part of the right to pursuit of happiness, which must be considered as a fundamental right in any free country.

      Kidnapping, after all, is primarily a matter of stealing a portion of somebody's life: if we're going to consider holding somebody at gunpoint for 10 minutes kidnapping, then we also must consider other forms of stealing 10 minutes of somebody's life wrongful conduct.

      In the USA, such rights are protected under the 9th Amendment (unspecified rights retained by the people), and the 10th Amendment (unspecified rights reserved to the people). The assertion of such rights is not limited to government alone, but also to private entities, whether or not those entities are acting as agents of the government.

      In short, your position is correct, under the highest law of the land.

      However, it is not in the interests of the legal profession to acknowledge this. Legal professionals serve as intermediaries in many situations where people don't want their own time wasted. This is a major source of income for the profession. In ethics terms, this creates what is known as a "conflict of interest": the profession has a vested interest in not protecting people's time, since that means they are more likely to be hired to do that kind of thing.

      Worse, the right to ethical practice of law also arises under the 9th Amendment, and not just with respect to the actions of individual lawyers, but also with respect to ethics issues concerning the legal profession as a class or group in society. It's definitely not in the interest of lawyers to acknowledge this, since large portions of US law violate this right, creating a substantial artificial demand for the services of legal professionals.

      As the legal profession is able to manipulate the selection of judges (through a variety of mechanisms, such as campaign contributions on the part of "associations" of lawyers), they ensure that people don't get selected for these positions that will rock the ethics boat. Hence, the legal profession is able to get away with ignoring the obligations posed by the highest law in the land.

      You can remind yourself of just how successful the US legal profession has been at avoiding its legal and ethical responsibilities (with respect to the issue of wasted time) every time you get your mail. While the 1st Amendment prevents direct action by Congress contrary to freedom of the press, it does not prevent the direct assertion of fundamental rights, which could and should be used to prevent the receipt of junk mail (including all offers that you didn't opt-in to receive). Dealing with junk mail steals a portion of your life, and also requires the expenditure of funds to dispose of the garbage (which also carries an environmental cost to society). It is clearly a violation of fundamental rights, but the ethical conflict of interest the legal profession has with respect to protecting your time has caused them to ignore this issue, and ensures that you get a steady stream of junk mail. Worse, the US Post Office, a government agency, is complicit in this violation of fundamental rights, as it actually has special rates for bulk mailings!

      This legal ethics problem is one of the major reasons why we have problems with companies not acting in a responsible manner. It has been known since Adam Smith's time that capitalism requires a reasonable level of regulation for it to work to the benefit of society, and this legal ethics problem is preventing regulation through the courts from being effective.

      The

    24. Re:Time is Money by Anonymous Coward · · Score: 0

      Due to the kind of ultraconservative social asshole and generally unpleasant person you are, I say you deserved it and any other repercussions heading your way. Karma is a bitch.

    25. Re:Time is Money by KGIII · · Score: 1

      That's cute. Stupid, but cute. I'm an "ultraconservative?" Tell me now, how did you reach that conclusion?

      --
      "So long and thanks for all the fish."
  5. The breach IS a harm by Shadow+of+Eternity · · Score: 1

    If someone broke into a bank vault but you couldn't prove they took anything would they get away with it?

    --
    A bullet may have your name on it but splash damage is addressed "To whom it may concern."
    1. Re:The breach IS a harm by DogDude · · Score: 1

      In a civil case, yes. In a criminal case, no.

      --
      I don't respond to AC's.
    2. Re:The breach IS a harm by The+MAZZTer · · Score: 1

      You are confusing civil and criminal court.

    3. Re: The breach IS a harm by Anonymous Coward · · Score: 0

      Then a law is needed for civil penalties, possibly including involving those impacted.

    4. Re:The breach IS a harm by Tony+Isaac · · Score: 1

      Fine. But do you then sue the bank for not having a strong enough vault?

      So if they catch the people who breached Michaels, prosecute them. Michaels is not the criminal here!

    5. Re:The breach IS a harm by Anonymous Coward · · Score: 0

      The legal term is "due care". Michaels had a legal obligation to provide due care over keeping their customers' data secure.

      If a bank vault was robbed and found to have never been locked, the bank could be sued as not providing due care. Now apparently you must prove, with concrete evidence, that your money was, in fact, stolen as a direct result of a singular action instead of continuous negligence.

      Or another example: If a doctor knew that not giving your sickly wife a specific drug would likely kill her then chose to not administer the treatment and then she dies, according to this ruling's argument you would have to prove that she died from no other cause except that lack of due care to prove the doctor was even slightly at fault.

    6. Re:The breach IS a harm by KGIII · · Score: 1

      Well, did they damage the vault in the process of breaking in? Not that it has one iota of bearing on the case at hand (necessarily) but they could be found liable in a civil court. It'd be a bit interesting if they didn't have enough to prove, beyond reasonable doubt, that the person had committed the offense but were able to prove that the defendant had, more likely than not, committed the offense and thus be liable for civil damages. Something akin to the OJ event.

      But, and this is related, if they'd broken into the vault and the bank had needed to close or lost business because of that action then they might be liable. That, kinda sorta, is related but it's really a horrible analogy on their part. So, if the bank could show harm (closing, loss of business, needing to replace the security system) even though no physical harm might have been done - they may, in fact, be able to demonstrate that they have standing. Harm doesn't always need to be something physically tangible - see cases of libel for examples where tangible evidence of harm doesn't always need to be presented. There are also things like mental anguish affirmative findings, so - it seems that it needn't always be tangible.

      In fact, that's kind of why I am surprised that these cases keep turning out this way. Then again, from what I've read, nobody has presented it quite like that. I touched on that in a prior post - in this thread, and it doesn't seem like it should be all that difficult to argue that they have standing, that there was harm (even if it is minor), and that they deserve to have an opportunity to put their case in front of a jury.

      This doesn't mean that I think a victim should be awarded huge sums of money or anything like that. I just think it'd be good to get it in front of a jury and, hopefully, set a precedent. If the victim had to make even one phone call that they'd not normally make - there is harm. It's trivial, minimal, and not worth a whole lot but it is still harm. Setting precedent may make companies that wish to retain data think twice about it or, if they must, protect it better.

      To try to put this back into the analogy, just the bank needing to run an ad campaign, put a sign in the window, spend more time reassuring clients, or things of that nature - they're actually harm. Probably not worth a significant amount but they're still harm. As such, they should be allowed to put their case in front of a jury of their peers.

      --
      "So long and thanks for all the fish."
    7. Re:The breach IS a harm by phantomfive · · Score: 1

      In fact, that's kind of why I am surprised that these cases keep turning out this way. Then again, from what I've read, nobody has presented it quite like that. I touched on that in a prior post - in this thread, and it doesn't seem like it should be all that difficult to argue that they have standing, that there was harm (even if it is minor), and that they deserve to have an opportunity to put their case in front of a jury.

      Given the huge amounts of money at stake, and the fact that it keeps happening over and over, I'd kind of expect that sooner or later, a lawyer is going to find a legal theory that makes it stick.....

      --
      "First they came for the slanderers and i said nothing."
    8. Re:The breach IS a harm by KGIII · · Score: 1

      That makes sense to me. I've never seen (and I've read a few and paid attention to a few - but it's not like I'm an expert, scholar, or lawyer) anyone actually argue it like I present it in the thread. It seems so simple to me - especially considering the many other things, things I might consider frivolous where they conclude that the plaintiff was harmed. Hell, they've found for damages with things like libel and slander. Are the judges aware what can be done with information? Especially information in aggregate....

      I know, I know... I'm preaching to the choir. ;-)

      Still, it's damned frustrating. I kinda vented about the OPM hack in this thread already so I'm too frustrated to get into it again.

      --
      "So long and thanks for all the fish."
    9. Re:The breach IS a harm by Shadow+of+Eternity · · Score: 1

      If michaels' idea of a vault was a cardboard box out back then yes.

      --
      A bullet may have your name on it but splash damage is addressed "To whom it may concern."
  6. US banks deserve a spoonful of their own medicine by Anonymous Coward · · Score: 0

    My bank was supposed to issue Chip and Pin enabled credit and debit cards by the end of 2015 and they still haven't done it. At this point merchants are starting to give me the stink-eye for not having a C&P card as they now have to pick up the tab for fraudulent transactions. It sucks being stuck in the middle of all this b*llsh*t.

  7. Re:US banks deserve a spoonful of their own medici by 110010001000 · · Score: 1

    chip and signature. Get a different bank.

  8. Dox Joanna Seybert by Anonymous Coward · · Score: 0

    Dox Joanna Seybert and see how she feels about her ruling...

    https://en.wikipedia.org/wiki/Joanna_Seybert

  9. Re:US banks deserve a spoonful of their own medici by phantomfive · · Score: 3, Informative

    At this point merchants are starting to give me the stink-eye for not having a C&P card as they now have to pick up the tab for fraudulent transactions.

    They don't have to pick it up......if the bank hasn't sent you a C&P card, but the merchant has a C&P card reader, then it's up to the bank to pay for fraud.

    --
    "First they came for the slanderers and i said nothing."
  10. Music and Movies? by WindBourne · · Score: 0

    Ok, if this has no harm to the end user, i.e. nothing physical stolen, then why would copying music or movies be damaging? That has all of the same IP, as my information about myself that michaels and others would just have given up.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Music and Movies? by Opportunist · · Score: 1

      Wait, wait, this is about a case in reality. Not one about sex, drugs or copyright.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Music and Movies? by phantomfive · · Score: 1

      Ok, if this has no harm to the end user, i.e. nothing physical stolen, then why would copying music or movies be damaging?

      There are laws that specifically address the topic of copyright infringement, setting penalties regardless of whether damage was inflicted. In some cases, punitive penalties can be applied beyond the damage actually caused.

      In the case of user data being lost, there is no particular law that applies, so the lawyers need to find existing laws and use them to sue, showing why they apply in this situation. In this situation, the lawyers sued under laws that allow people to recover damage, but they didn't demonstrate that there was damage. So to continue, they can either find a way to show that there was damage, or find a different set of laws to sue under
      (ianal ymmv never trust me for anything important, etc).

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Music and Movies? by oh_my_080980980 · · Score: 1

      Actually there are laws that apply in this situation. At issue is harm. The judge decided that since the plaintiff was not out any money - the credit card company did not pass on the fraudulent charges - no harm was done. The problem with this decision is that a crime was committed. At issue is whether or not Michaels is protecting their customers' credit card information. As has been stated, without any pressure, merchants have no motivation to improve their systems. Merchants need to be held responsible.

    4. Re:Music and Movies? by david_thornley · · Score: 1

      Failing to protect customer information is not a crime in the US. There was obviously a crime committed in getting the data, but it's going to be hard to trace down the perpetrators and bring them to justice. The store has civil liability.

      Probably the proper way for legislative bodies to address this is statutory damages, which presume that some sort of harm has been done that's hard to quantify. If each person whose information was leaked was awarded $50, merchants would get REALLY careful about data security.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  11. Define 'Damage' by PPH · · Score: 2

    Hint: It doesn't always have to be monetary.

    What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them? Freedom of association also includes the right to choose not to associate with someone.

    --
    Have gnu, will travel.
    1. Re:Define 'Damage' by OzPeter · · Score: 1

      Hint: It doesn't always have to be monetary.

      What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them? Freedom of association also includes the right to choose not to associate with someone.

      Well if your damages are non-monetary, then how would a monetary payment make you whole again?

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Define 'Damage' by swb · · Score: 1

      Was your "psychological harm" so great that you could demonstrate financial damage from it?

      Did you lose wages from work, have to obtain counseling or incur any other monetary costs associated with this?

      If not, I don't think anyone would buy into your psychological harm because you really can't demonstrate any actual consequences from it. I don't think transitory emotional states without any demonstrable consequences count as psychological damage.

    3. Re:Define 'Damage' by Anonymous Coward · · Score: 0

      Well, what do you propose? Psychological assistance? And if the damage done can't be undone? Forget about it all and call it a day?

      Also, the monetary payment isn't just compensation. It's also punishment.

    4. Re:Define 'Damage' by Anonymous Coward · · Score: 0

      You don't need monetary costs to justify a monetary punishment.

      Are you implying that business can do any shit they want with your information and as long it doesn't cost you anything it is alright?

    5. Re:Define 'Damage' by thegarbz · · Score: 1

      What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them?

      You get psychologically damaged by having your details maybe or maybe not fall into the hands of someone you don't know and are unlikely to ever meet? For that you shouldn't get monetary compensation but rather psychiatric care.

      I actually think that a lot of lawsuits should end like that. Instead of money, actually fix the problem. "Oh I'm traumatised", "Well here's a 6 month subscription to a psychiatrist and the court will ensure you go once a week, that'll fix you."

      The only psychological damage that exists in many of these cases is that some lawyer convinced some client that they could get some hard cash for doing nothing.

    6. Re:Define 'Damage' by oh_my_080980980 · · Score: 1

      Ever hear of pain and suffering....monetary awards for psychological damages happen all the time. Moron.

    7. Re:Define 'Damage' by Anonymous Coward · · Score: 0

      What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them?

      You get psychologically damaged by having your details maybe or maybe not fall into the hands of someone you don't know and are unlikely to ever meet? For that you shouldn't get monetary compensation but rather psychiatric care.

      I actually think that a lot of lawsuits should end like that. Instead of money, actually fix the problem. "Oh I'm traumatised", "Well here's a 6 month subscription to a psychiatrist and the court will ensure you go once a week, that'll fix you."

      The only psychological damage that exists in many of these cases is that some lawyer convinced some client that they could get some hard cash for doing nothing.

      A 6 month subscription might be entirely too short, the psychiatrist might be a poor match (which is a significant factor in the effectiveness of treatment), and that possibly should be sometimes accompanied by a requirement that the other side both cover the necessary psychiatric treatment and practice due diligence.

    8. Re:Define 'Damage' by david_thornley · · Score: 1

      First, most people would go through a lot of things for the right price, so a monetary payment would usually count as making someone whole. Obviously this isn't going to help a dead person, and won't solve major medical problems, but, second, what is the court supposed to do? About all a judge can do is award monetary damages. Judges have no mystical powers to reverse the effects of negligence.

      Yes, this really sucks if you're blinded in an accident you have 0% responsibility for, but I don't know a better way.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  12. So B&E is legal now, right? by Anonymous Coward · · Score: 0

    I'm SURE the judge wouldn't mind if someone broke into his house and looked around. And he certainly wouldn't hold his security company at fault, even though their alarms didn't.

    1. Re:So B&E is legal now, right? by jonnythan · · Score: 1

      The act was criminal, but this isn't about a criminal case. It's a civil case where the users whose information was breached were suing Michael's. The plaintiffs were unable to prove any damages, however, so they can't sue Michael's.

    2. Re:So B&E is legal now, right? by Anonymous Coward · · Score: 0

      What a terrible analogy, some people's path of reasoning looks like MC Escher's 'Stairs'.

      If someone broke into the judge's friend's house and stole a form the judge had left there with his personal information, the judge suing his friend would be closer to hypocrisy.

  13. Re:Court was right; NOT SO by dltaylor · · Score: 0

    She showed a cost for credit monitoring, and her time to fix the problems THEY created by willful negligence should be reimbursed.

    Near as I can tell, the judge was bought.

  14. Data Breach is the new the War on Drugs by Anonymous Coward · · Score: 0

    As Drugs become legalized the feds are turning to fleecing companies over their data breaches with little to no benefit for the little person because the feds WANT this to continue so they have a new cash cow.

  15. good decision by Jazoray · · Score: 0

    now can we please use the same logic for copyright lawsuits?

    1. Re:good decision by david_thornley · · Score: 1

      In the copyright cases we hear about, the damages are defined by statute so the plaintiff doesn't have to show actual harm. I believe they are set way too high. If Congress passed a law saying that damages of $X were to be awarded in cases of data breach, there would be no need to show actual harm.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  16. Re:Court was right; NOT SO by phantomfive · · Score: 1

    Near as I can tell, the judge was bought.

    More likely, she is ignorant of technology, and the plaintiff's lawyers did a lousy job explaining the issue. The judge noticed an (incorrect) similarity to another case, and thought she should rule in a similar way.

    Remember judges are elected, and sometimes they can be really, really dumb.

    --
    "First they came for the slanderers and i said nothing."
  17. There are damages... by Anonymous Coward · · Score: 0

    If your data is exposed into the wild, you will need to take insurance for identity theft. That is a measurable damage.

    Also, if you are hit, your credit rate is in the sewer (but the insurance normally will cover that - hopefully).

  18. It's a real pain in the ass by Bruinwar · · Score: 2

    It's a real pain in the ass when a data breach allows credit card fraud to occur. Anyone who's had it happen to them knows that. So the credit card company doesn't make you pay (oh, they don't eat it, ever, they don't pay the vendor), that's great. But you still have to catch the fraudulent charges (in time), call, make a claim, change your account number, remember all the subscribed accounts that use that number (Netflix etc...), wait & see, worry.

    But the company that can't keep their shit secure has no liability.

    --
    SLOWER TRAFFIC KEEP RIGHT
    1. Re:It's a real pain in the ass by Anonymous Coward · · Score: 0

      and this is exactly why I don't pay for subscriptions using my credit card. I use one of the prepaid type that has a straight balance. Once that's gone, the subscription ends and I don't have to worry about it being compromised.

      For everything else, there's checks as I'm now taking advantage of my bank's option to "Pay Online" where they send an E-Check. Works fine and I don't have to fucking worry about them screwing things up plus it doesn't cost me any money to do it this way.

    2. Re:It's a real pain in the ass by Anonymous Coward · · Score: 0

      oh, they don't eat it, ever, they don't pay the vendor

      This is a myth that needs to die. The card issuer always assumes the cost for the fraud unless the merchant is involved in the fraud or violated their merchant agreement.

    3. Re:It's a real pain in the ass by david_thornley · · Score: 1

      Been there, done that. It wasn't a problem. I had to write a few letters giving the police report number.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  19. So, the credit card company needs to sue? by sabbede · · Score: 1

    They can show actual damages from the breach. Then again, they might be insured against losses from fraud, so it would have to be the insurance company that sues. Does it stop there? I don't know.

    1. Re:So, the credit card company needs to sue? by oh_my_080980980 · · Score: 1

      And they are unlikely to sue. So nothing changes. This is why the judge is an ass-hat.

    2. Re:So, the credit card company needs to sue? by jonnythan · · Score: 1

      They might be able to sue, but maybe not. The credit card company is going to have a pretty thorough contract with the retailer that accepts payments via that credit network. It probably covers this type of situation with specified recourse, whether it's a fine, arbitration, liability, etc.

    3. Re:So, the credit card company needs to sue? by sabbede · · Score: 1

      Ah, good point. In the end then, addressing the core issue is a job for a different branch of government. Either Congress must pass a new law or the Administration must implement new regulations on data security (via the FTC I would think).

  20. Re:US banks deserve a spoonful of their own medici by shawn2772 · · Score: 1

    At this point merchants are starting to give me the stink-eye for not having a C&P card as they now have to pick up the tab for fraudulent transactions.

    They don't have to pick it up......if the bank hasn't sent you a C&P card, but the merchant has a C&P card reader, then it's up to the bank to pay for fraud.

    A little more detail might be good: This is what's known as the "liability shift rule". It was enacted by all of the major credit card associations and individual issuers in the US last year. What it means is that when a transaction is found to be fraudulent, the chain of participants in the transaction is examined, and the first one in the chain that doesn't support the chip technology is liable for the fraud. The chain includes: The bank who issued the card, the merchant who accepted the card, the acquiring bank who processed the transaction, the clearinghouse who routed the transaction and the bank who processed the payment (almost always the same as the card issuer, though it's worth calling out twice because a bank could issue chip cards but not implement the backend system changes needed to process and validate them correctly).

  21. Bullshit by Anonymous Coward · · Score: 0

    What a stupid comment. A long long time ago some stuffed shirts with dandy wigs sniffed the air and declared that they will only award damages if the exact amount can be proven and so precedent was set. That doesn't mean that damage has not been done and for identity theft that damage can be considerable and haunt a victim for life. Unfortunately fraudsters do not present the victims with a schedule of planned fraud over the next 15 years. Making this even more stupid is that for libel judges award damages without any idea of concrete damages. They could have done it here. They didn't. The courts just make up shit as they go.

    And criminal negligence? Do you have any idea what you're talking about? And did you realize that question is rhetorical?

  22. Attorney goof? by theophilosophilus · · Score: 2

    The cost of a credit protection service enrolled in as a precaution is damage enough. This is a foreseeable injury regardless of actual fraud. The class representatives could have subscribed to some service and pled the class as existing of all persons that incurred this expense. The result is the negligent company is held accountable and other companies are on notice that they will be held accountable. If there was actual fraud for some persons, it would destroy the commonality requirement for class certification; the persons suffering fraud would all have had different levels and types of damages.

    --
    Why have 1 person driving a backhoe when you could employ 20 with shovels?
  23. Is this a company going after it's customers? by wb7dpf · · Score: 1

    It sounds like the judge did the right thing by dismissing without prejudice. That will allow it to come back when or if they get enough information to prove the case. Will we base the outcome of cases like this on how the data was used by the folks who stole it? How long do we have to wait to determine the cost? What about the impact of ambiguity resulting from multiple large breaches, how do we attribute loss? ... I would be concerned about the second aspect; if a company avoids doing the right thing because they choose to lawyer up and aggressively go after claims from customers, customers may lose confidence in that company and will move their business elsewhere since they feel they were treated inappropriately and "the company got away with it." This could be more damaging in the long run - especially in light of the supposed "no proven losses."

    1. Re:Is this a company going after it's customers? by david_thornley · · Score: 1

      Yes, the outcome will depend on what use the criminals make of the data. If I'm walking on the sidewalk and a car goes out of control and hits a wall next to me, no damages and no grounds for a lawsuit. If I'm walking on the sidewalk and the out-of-control car hits me, there will be harm and I will seek damages. The two cases are absolutely identical except that I was two meters farther along the sidewalk in the second example, the amount of negligence and responsibility being exactly the same.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:Is this a company going after it's customers? by wb7dpf · · Score: 1

      I think the mistake here is that it assumes that this is one event, but it is two; the negligent actions of a company to appropriately protect their data and then the impact of the release of that data. While the release hasn't yet been an issue, the initial case has opened up customers to identity theft. For the analogy, I think there is an element of intent and ownership that is missing. So I would modify it to be that you park your car on a lot and the lot owner holds the keys. When the car is stolen and crashes (data loss), you have loss. There is further loss as the use of that car results hurting more people/property.

  24. What about piracy? by MarkusTenghamn · · Score: 1

    What if the same had to be proven by companies who get people for piracy? Isn't this basically the same thing? We are talking about stolen information that has value in slightly different ways but causes harm to the "victim" in similar ways. Reasonable fines should be paid by anyone who commits piracy and the same rules should apply to companies who can't keep their customers' private information secure.

    1. Re:What about piracy? by Anonymous Coward · · Score: 0

      "Fines" is exactly right: "fines" paid to the government, as opposed to bogus "damages" paid to a plaintiff or, in practice, lawyers. "Punitive damages" are a stupid concept. Fortunately, they are mostly restricted to the USA.

  25. Proper Ruling With Improper Consequences by organgtool · · Score: 1

    I know this is technically how the law is supposed to work but the likely consequence of this is that companies will put more effort into covering up the damages than they put into securing their data. It's a lot more expensive to develop a system that is difficult to penetrate than it is to roll the dice and hope that you don't get hacked and if you do, cover up the evidence.

  26. Re:Court was right; NOT SO by parkinglot777 · · Score: 1

    I'm annoyed by people like you who do not (carefully) read TFA but rather make a comment from summary. Even worse, these people pick and choose only a section of the whole to make a dubious comment on.

    Whalen essentially alleges five different types of injuries:
    (1) actual damages including monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charged to their accounts, (Compl. 49);
    (2) the loss of time and money associated with credit monitoring and obtaining replacement cards, (Compl. 54);
    (3) overpayment of Michaels' services because Whalen would not have shopped at Michaels had she known that Michaels did not properly safeguard her personal identified information (PII), (Compl. 24, 70-71);
    (4) the lost value of Whalen's credit card information, (Compl. 35-37) and
    (5) a statutory violation of GBL 349, (Compl. 74-98)

    By law, you cannot assume damage before there are real damages. If laws permitted doing so, there would be tons of lawsuits attempting to get money before a real issue happens! Also if you actually READ the PDF file from Bloomsburg Law site, you will see how the judge counters her claims and should be able to understand exactly why.

    Anyway, this does not mean she cannot sue Michael again. The case is dismissed without prejudice which means she can take Michael to court again IF there is real damage later on.

    PS: Where in the court ruling is it said that she "paid" for credit monitoring? On the other hand "Michaels offered free credit monitoring for twelve months." You need to look at #2 above and read on what the judge commented on the item...

  27. Re:Court was right; NOT SO by dunkindave · · Score: 1

    Remember judges are elected, and sometimes they can be really, really dumb.

    Federal District Court judges are not elected, they are nominated by the President and confirmed by the Senate. Judge Joanna Seybert was nominated by Clinton in 1993.

  28. Re:Court was right; NOT SO by phantomfive · · Score: 1

    good point

    --
    "First they came for the slanderers and i said nothing."
  29. Re:US banks deserve a spoonful of their own medici by rsborg · · Score: 1

    Thanks for the detailed breakdown of liability chain... very interesting.

    Still don't know why more C&P hasn't been adopted yet from a retailer standpoint... if they're liable and the hardware exists - why do I still see swipe machines everywhere with no chip readers alongside?

    --
    Make sure everyone's vote counts: Verified Voting
  30. Re:US banks deserve a spoonful of their own medici by jfengel · · Score: 1

    What I find odd is that they've issued the chips, but as far as I can tell aren't demanding PINs. I have a couple of chipped cards, and I see no feature allowing me to establish a PIN even if I want to.

    I guess that makes it harder to counterfeit the cards, which is nice, but it's still easy for the cards themselves to be stolen, and the numbers alone are still cheerfully accepted by most online merchants (along with the ultra-weak 3-digit code).

    Any idea why they're not rolling out PINs at the same time as the chips? Are they planning to?

  31. the plaintiffs must not have tried very hard... by Anonymous Coward · · Score: 0

    to show harm. I've had my credit card info stolen a couple of times, I consider the hours needed to straighten things out, get new cards, redo all of the automatic charges, and general hassle to be significant enough.

  32. Re:Court was right; NOT SO by publiclurker · · Score: 1

    She's still an idiot. I can only assume that she has never had to deal with the hassle of having your CC info stolen. Especially if you are traveling at the time.

  33. Re:Court was right; NOT SO by Anonymous Coward · · Score: 0

    She's still an idiot. I can only assume that she has never had to deal with the hassle of having your CC info stolen. Especially if you are traveling at the time.

    Why do so many people feel a need to call people idiots just because they have different opinions? Why do they believe their opinion is the only correct and true one? Makes me wonder who the idiot is!

  34. easy, she is by Anonymous Coward · · Score: 0

    saying that there was no evidence of any form of concrete damages when anyone that has had this info stolen knows that there is is quite stupid, hence she is an idiot.