Judge Tosses Class Action Over Michaels Data Breach Citing Lack of Damages (digitalguardian.com)
chicksdaddy writes: Data breaches have become so common that they've taken on a kind of formality. One of the phrases that often accompany such incidents goes something like this: "[Company X] has no evidence that any of the stolen information has been used inappropriately." Or you might read that "there is no evidence of fraud linked to the stolen data." Such assurances are generally interpreted as wishful thinking. But when courts are asked to weigh in on the question of damages resulting from cyber incidents in civil suits, the question of what harm resulted from the incident is very different – and very real. To put it simply: if nobody can prove harm resulting from a cyber incident, a company can't be held liable for those damages.
That fact was underscored again late last month, when a federal judge in U.S. District Court for the Eastern District of New York dismissed a class action suit against arts and crafts giant Michaels Stores that was filed in the wake of that company's widely-reported data breach. As part of her ruling, the judge, Joanna Seybert, cited a legal precedent set by the recent Supreme Court ruling in "Clapper v. Amnesty International," concluding that the plaintiffs hadn't proven that any harm resulted from the Michaels breach. "Simply put, Whalen has not asserted any injuries that are 'certainly impending' or based on a 'substantial risk that the harm will occur,'" Seybert wrote in her decision, referring to Mary Jane Whalen, the Michaels customer in whose name the class action suit was filed. "Thus, Whalen's claims are DISMISSED WITHOUT PREJUDICE for lack of subject matter jurisdiction," Seybert concluded.
This isn't to say that Whalen or other Michaels stores customers were not the target of fraudsters. In fact, Whalen's attorneys presented evidence that her stolen credit card (or a clone of it) was presented for payment fraudulently in Ecuador: at a local gym and at a venue that sold concert tickets. But regulations in the U.S. exempt consumers from paying the cost of credit card fraud, and Whalen wasn't asked to pay any unreimbursed charges as a result of the fraudulent use, the court noted. Whalen's other attempts to establish "costs" associated with the breach were also disregarded. They included the cost of credit monitoring services and the cost (in time and effort) to obtain replacement cards, the intrinsic value of her credit card information and the risk of future fraud tied to the theft of her credit card data.
The court was right in my opinion. The breach is bad, but showing concrete material damages (outside of copyright infringement suits) is a usual requirement. If the plaintiffs couldn't show they were harmed, Michael's doesn't need to make them whole.
There is still potential for various other types of lawsuits to succeed; PCI compliance, or criminal negligence, etc.
Twelve hours? How many vendors and services do you deal with? Except for the minor inconvenience of being without a credit card for a few days, there's not much work involved. You update the obvious ones and the ones you forgot about will come running when their payment gets declined.
If someone broke into a bank vault but you couldn't prove they took anything would they get away with it?
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
Sure, and the last time this happened to me, and I forgot to update my satellite provider, a promotion was taken away from me because a payment became late. Again, it doesn't matter if it takes 30 seconds to deal with this. Any amount of time spent greater than 0 is an inconvenience and this should not go unpunished. I think the logic is pretty clear...
Vonal Declosion
Twelve hours? How many vendors and services do you deal with? Except for the minor inconvenience of being without a credit card for a few days, there's not much work involved
It's easy for you, if you've already gone through it, and know what to do. If you have to research it, then it's going to take longer.
"First they came for the slanderers and i said nothing."
I just called you a WAAAAAAAAAAAAMBULANCE. Should be arriving shortly.
If you want news from today, you have to come back tomorrow.
chip and signature. Get a different bank.
That's one of the purposes of class actions. If a large number of people were each hurt a little, that's a lot of hurt.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
Then make a case. I could file a lawsuit against you for being ignorant, but that doesn't mean it has merit.
Likewise, either test your legal acumen in the arena, or stop having brilliantly stupid ideas on the internet.
I spent time typing this, you owe me money. I'll settle for $100 BTC.
How much research do you need to do? This is all common sense. Credit card gets stolen. Number is not good anymore. Service providers need new number.
At this point merchants are starting to give me the stink-eye for not having a C&P card as they now have to pick up the tab for fraudulent transactions.
They don't have to pick it up......if the bank hasn't sent you a C&P card, but the merchant has a C&P card reader, then it's up to the bank to pay for fraud.
"First they came for the slanderers and i said nothing."
Wait, wait, this is about a case in reality. Not one about sex, drugs or copyright.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I was doxxed about eight years ago (before it had a name, really). I've kept the 'do not issue credit' flag enabled at the reporting bureaus ever since. It's pretty good protection but a pain in the ass if I did want credit for something - and I do actually have a few credit cards for the benefits they give me but it's a hassle to get the information, make the calls, specify the lender, and enable them to run a check. Usually, I just use a debit card on a separate account and push money into that separate account as needed.
However, I had my mail sent down to me over the holidays and inside was a fairly nondescript envelope (the standard tear open at the perforations type) that informed me that my data was, indeed, part of the OPM hack. (Thanks to another Slashdotter who was kind enough to clue me in on what to look for, it was eventually found though it looked like one of those fake things that tells you that you might win a car - sans fake key in the envelope.) Now, my credit is locked down and all so credit monitoring is of absolutely no benefit to me and I've no other way to ensure my information isn't being misused somewhere else.
Give me a couple of hours and I can figure out GIMP well enough to make a birth certificate and SSN. How the hell do I know that I'm not out somewhere getting speeding tickets in areas I've never even visited? In many areas they don't even do credit checks to hook up utilities. There are still lending agencies who will ignore the credit ratings/do not issue flags and give you a credit card - it might be prepaid at first but they'll go ahead and increase it after a while.
That doesn't even remotely cover some of the worst things a creative person could think of now that they've got all that information compiled. I am less than impressed. I'm also fairly helpless and have little/no recourse. For all I know, I'm smuggling drugs across the border into AZ right now or poteen out of Canada! Worse, I could be in Vermont and getting ready for sap season and planning on smuggling VT maple syrup into Canada to mix in with the local syrup as part of the VT Maple Syrup Cartel! You can go to prison for that sort of stuff!
Do you have any idea what they do to people who tamper with maple syrup in Canada? They'd probably make me root for the Edmonton Oilers and go curling! Worse, I don't even speak French and I prefer Maine's maple syrup! I'd be caught up in the web of deceit known as the Golden Syrup Triangle and not even have managed to get any pancakes out of the deal. They might even force me to use that "pancake syrup" that comes in a bottle shaped like an old woman. No, I don't think I could live like that - and all because OPM failed to keep my data secure or, you know, delete it because they didn't need it some 15 years later.
I don't even really like hockey.
"So long and thanks for all the fish."
Hint: It doesn't always have to be monetary.
What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them? Freedom of association also includes the right to choose not to associate with someone.
Have gnu, will travel.
I've had my credit card number stolen. Research was 5-10 minutes. Filling out the forms was another 5-10. When I got the new card, updating places that used the card for payments was yet another 5-10.
So that's 30 minutes of lost time for you (genius that you are, you do it quickly)........multiply 30 minutes of lost time by several million people and you have the kind of damages that class action lawsuits were created for.
"First they came for the slanderers and i said nothing."
The act was criminal, but this isn't about a criminal case. It's a civil case where the users whose information was breached were suing Michael's. The plaintiffs were unable to prove any damages, however, so they can't sue Michael's.
Ok, if this has no harm to the end user, i.e. nothing physical stolen, then why would copying music or movies be damaging?
There are laws that specifically address the topic of copyright infringement, setting penalties regardless of whether damage was inflicted. In some cases, punitive penalties can be applied beyond the damage actually caused.
In the case of user data being lost, there is no particular law that applies, so the lawyers need to find existing laws and use them to sue, showing why they apply in this situation. In this situation, the lawyers sued under laws that allow people to recover damage, but they didn't demonstrate that there was damage. So to continue, they can either find a way to show that there was damage, or find a different set of laws to sue under.
(ianal ymmv never trust me for anything important, etc).
"First they came for the slanderers and i said nothing."
Whalen also argues that she has standing because she lost time and money associated with credit monitoring and other mitigation expenses. (Pl.’s Opp. Br. at 8.) But the Supreme Court has dismissed this type of argument, explaining that plaintiffs “cannot manufacture standing” through credit monitoring. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1151, 185 L. Ed. 2d 264 (2013). “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Id.
That conclusion rings especially true here where Whalen cancelled her affected credit card. See Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-CV-4787, 2014 WL 7005097, at *3 (N.D. Ill. Dec. 10, 2014) (“[T]here is no reason to believe that identity theft protection was necessary after [the plaintiff] cancelled the affected debit card.”). Thus, these allegations are insufficient to confer standing.
The judge's argument here seems weak to me. In Clapper v Amnesty, the credit monitoring was somewhat speculative. In this case, when you know your personal information has been stolen, it is best practices. Also, the judge completely ignored the time wasted cancelling the credit card. You can read it yourself.
As someone else mentioned, I'd think the fact that the credit card number was demonstrably given to a criminal is already prima facie evidence of harm. If I stole your credit card, handed it to the nearest homeless person and told him, "have fun with this," that would be some clear harm, even if the CC company reimbursed me.
"First they came for the slanderers and i said nothing."
Near as I can tell, the judge was bought.
More likely, she is ignorant of technology, and the plaintiff's lawyers did a lousy job explaining the issue. The judge noticed a (incorrect) similarity to another case, and thought she should rule in a similar way.
Remember judges are elected, and sometimes they can be really, really dumb.
"First they came for the slanderers and i said nothing."
.......multiply 30 minutes of lost time by several million people and you have the kind of damages that class action lawsuits were created for.
I smell a class action lawsuit against Big Brother and other reality TV shows on the horizon.
But time is not a tangible loss unless you can show that it directly impacted your earnings. I.e. were you forced to do it during work hours and you receive monetary compensation by the hour with no alternative form of recourse (such as billing to a blanket overhead account).
Seriously, if I could sue for every time my time was wasted there would be no companies, no government road maintenance, infrastructure would fall apart, but on the up side one would hope there'd be a lot less shit on TV and the radio as a result.
It's a real pain in the ass when a data breach allows credit card fraud to occur. Anyone who's had it happen to them knows that. So the credit card company doesn't make you pay (oh, they don't eat it, ever, they don't pay the vendor), that's great. But you still have to catch the fraudulent charges (in time), call, make a claim, change your account number, remember all the subscribed accounts that use that number (netflix etc...), wait & see, worry.
But the company that can't keep their shit secure has no liability.
SLOWER TRAFFIC KEEP RIGHT
They can show actual damages from the breach. Then again, they might be insured against losses from fraud, so it would have to be the insurance company that sues. Does it stop there? I don't know.
The justice system can't exist without them. Otherwise, we'd just have lawyers yelling over each other at a jury.
At this point merchants are starting to give me the stink-eye for not having a C&P card as they now have to pick up the tab for fraudulent transactions.
They don't have to pick it up......if the bank hasn't sent you a C&P card, but the merchant has a C&P card reader, then it's up to the bank to pay for fraud.
A little more detail might be good: This is what's known as the "liability shift rule". It was enacted by all of the major credit card associations and individual issuers in the US last year. What it means is that when a transaction is found to be fraudulent, the chain of participants in the transaction is examined, and the first one in the chain that doesn't support the chip technology is liable for the fraud. The chain includes: The bank who issued the card, the merchant who accepted the card, the acquiring bank who processed the transaction, the clearinghouse who routed the transaction and the bank who processed the payment (almost always the same as the card issuer, though it's worth calling out twice because a bank could issue chip cards but not implement the backend system changes needed to process and validate them correctly).
So what you're saying is you're an ass-hole - got it.
Open mouth insert foot.
Actually there are laws that apply in this situation. At issue is harm. The judge decided that since the plaintiff was not out any money - the credit card company did not pass on the fraudulent charges - no harm was done. The problem with this decision is that a crime was committed. At issue is whether or not Michael's is protecting their customers' credit card information. As has been stated, without any pressure, merchants have no motivation to improve their systems. Merchants need to be held responsible.
The cost of a credit protection service enrolled in as a precaution is damage enough. This is a foreseeable injury regardless of actual fraud. The class representatives could have subscribed to some service and pled the class as consisting of all persons that incurred this expense. The result is the negligent company is held accountable and other companies are on notice that they will be held accountable. If there was actual fraud for some persons, it would destroy the commonality requirement for class certification; the persons suffering fraud would all have had different levels and types of damages.
Why have 1 person driving a backhoe when you could employ 20 with shovels?
It sounds like the judge did the right thing by dismissing without prejudice. That will allow it to come back when or if they get enough information to prove the case. Will we base the outcome of cases like this on how the data was used by the folks who stole it? How long do we have to wait to determine the cost? What about the impact of ambiguity resulting from multiple large breaches, how do we attribute loss? ... I would be concerned about the second aspect; if a company avoids doing the right thing because they choose to lawyer up and aggressively go after claims from customers, customers may lose confidence in that company and will move their business elsewhere since they feel they were treated inappropriately and "the company got away with it." This could be more damaging in the long run - especially in light of the supposed "no proven losses."
What if the same had to be proven by companies who get people for piracy? Isn't this basically the same thing? We are talking about stolen information that has value in slightly different ways but causes harm to the "victim" in similar ways. Reasonable fines should be paid by anyone who commits piracy and the same rules should apply to companies who can't keep their customers' private information secure.
I know this is technically how the law is supposed to work but the likely consequence of this is that companies will put more effort into covering up the damages than they put into securing their data. It's a lot more expensive to develop a system that is difficult to penetrate than it is to roll the dice and hope that you don't get hacked and if you do, cover up the evidence.
I'm annoyed by people like you who do not (carefully) read TFA but rather make a comment from summary. Even worse, these people pick and choose only a section of the whole to make a dubious comment on.
Whalen essentially alleges five different types of injuries:
(1) actual damages including monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charged to their accounts, (Compl. 49);
(2) the loss of time and money associated with credit monitoring and obtaining replacement cards, (Compl. 54);
(3) overpayment of Michaels' services because Whalen would not have shopped at Michaels had she known that Michaels did not properly safeguard her personal identified information (PII), (Compl. 24, 70-71);
(4) the lost value of Whalen's credit card information, (Compl. 35-37) and
(5) a statutory violation of GBL 349, (Compl. 74-98)
By law, you cannot assume damage before there are real damages. If laws permitted doing so, there would be tons of lawsuits attempting to get money before a real issue happens! Also if you actually READ the PDF file from Bloomsburg Law site, you will see how the judge counters her claims and should be able to understand exactly why.
Anyway, this does not mean she cannot sue Michael again. The case is dismissed without prejudice which means she can take Michael to court again IF there is real damage later on.
PS: Where in the court ruling is it said that she "paid" for credit monitoring? On the other hand "Michaels offered free credit monitoring for twelve months." You need to look at #2 above and read on what the judge commented on the item...
Remember judges are elected, and sometimes they can be really, really dumb.
Federal District Court judges are not elected, they are nominated by the President and confirmed by the Senate. Judge Joanna Seybert was nominated by Clinton in 1993.
good point
"First they came for the slanderers and i said nothing."
Thanks for the detailed breakdown of liability chain... very interesting.
Still don't know why more C&P hasn't been adopted yet from a retailer standpoint... if they're liable and the hardware exists - why do I still see swipe machines everywhere with no chip readers alongside?
Make sure everyone's vote counts: Verified Voting
What I find odd is that they've issued the chips, but as far as I can tell aren't demanding PINs. I have a couple of chipped cards, and I see no feature allowing me to establish a PIN even if I want to.
I guess that makes it harder to counterfeit the cards, which is nice, but it's still easy for the cards themselves to be stolen, and the numbers alone are still cheerfully accepted by most online merchants (along with the ultra-weak 3-digit code).
Any idea why they're not rolling out PINs at the same time as the chips? Are they planning to?
She's still an idiot. I can only assume that she has never had to deal with the hassle of having your CC info stolen. Especially if you are traveling at the time.
Failing to protect customer information is not a crime in the US. There was obviously a crime committed in getting the data, but it's going to be hard to trace down the perpetrators and bring them to justice. The store has civil liability.
Probably the proper way for legislative bodies to address this is statutory damages, which presume that some sort of harm has been done that's hard to quantify. If each person whose information was leaked was awarded $50, merchants would get REALLY careful about data security.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
In the copyright cases we hear about, the damages are defined by statute so the plaintiff doesn't have to show actual harm. I believe they are set way too high. If Congress passed a law saying that damages of $X were to be awarded in cases of data breach, there would be no need to show actual harm.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
That's cute. Stupid, but cute. I'm an "ultraconservative?" Tell me now, how did you reach that conclusion?
"So long and thanks for all the fish."