Judge Slams Anthem, Rules That Breach Constitutes Harm To Customers (digitalguardian.com)
chicksdaddy writes: You would think that the "damages" caused by massive online thefts, like those leveled against Target, Home Depot and Anthem Healthcare are self evident. But companies are arguing hard that they can't be sued for damages resulting from data breaches, because the "victims" can't show that they were harmed by the theft. That was the case back in June, when lawyers for Home Depot filed a motion to have a case linked to the compromise at that company dropped. The case was brought by customers whose data was stolen in the attack, but Home Depot's attorneys argued that those customers couldn't prove that they were harmed by the theft of their credit card information. Now a judge in San Francisco has dealt a blow to would-be defendants in a case against Anthem. In an opinion released on Sunday, U.S. District Judge Lucy Koh found that the loss of personal information in the breach of Anthem constitutes harm under New York's General Business Law. The ruling rejected arguments from Anthem and its lawyers that no direct harm resulted from the breach, which was first disclosed in February 2015. In her decision in the Anthem case, Koh reasoned that the theft of personal identification information is harm to consumers in itself, regardless of whether any subsequent misuse of it can be proven. Allegations of a "concrete and imminent threat of future harm" are enough to establish an injury and standing in the early stages of a breach suit, she said.
She has a decent clue about technology and law unlike 99% of all other judges/lawyers.
Now when someone cracks the government-mandated backdoor for iPhones I'll be able to sue the US federal government.
For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.
About damn time
...although I'm sure it will be contested. I was in the Home Depot breach, the Target breach, and the TMobile/Experian breach. My wife was in the Bebe breach. You have to figure your info is out there already for most people who don't live under a rock. These companies aren't going to take security seriously until they pay some consequences.
I quit shopping at Home Depot after the time I ran into a cashier who insisted that I could not buy what was in my cart unless I supplied my zip code as part of the credit card transaction, despite having it explained to her that it is a violation of their merchant agreement, and in many states is also illegal. I left my shit in the shopping cart and left.
I was utterly unsurprised to see that Home Depot got breached. I hope they have to pay out big.
Now all I have to do is subscribe everywhere online, wait for the eventual breaches, sit back and watch the money roll in. Time to retire early.
...from risk "acceptance" to risk mitigation and avoidance. Too long companies haven't been going that extra mile because, hey, it's cheaper to pay out for the 2--3 years of credit monitoring and letting customers spend hundreds of hours and potential legal/attorney/specialist fees to clean up the mess. When risk "acceptance" is saying "eh...3 million stolen IDs is cheaper than it would be to put serious effort into making it very hard to get those IDs from us" then we will NEVER be clear of this. I hope Anthem gets hit with billions in lawsuits and gets crippled. It'll serve as a nice warning to every other major company in the US that it's time to start taking security seriously or your businesses will start getting sunk.
You would think that the "damages" caused by illegal spying, like those leveled against the NSA and GCHQ are self evident. But governments are arguing hard that they can't be sued for damages resulting from spying, because the "victims" can't show that they were harmed by it.
Crappy "coders" are going to have trouble getting paid.
You write shit code, you'll get fired in such an environment.
Seeing Anthem is the main health care provider for Gov Officials up to and I believe including Congress, no wonder. Like many people believe, if a breach does not impact the "ruling class" nothing real is done about the issue. Will be interesting to watch.
Or not, the fact that the corporate IT network/databases were hacked/breached should have caused the insurers to stiffly raise their rates. Double entendre intended.
Heads and bowling balls for whoever was in charge (i.e. whoever said 'we can't afford/don't need a full security upgrade').
The lawyers defending said corporations should also raise their rates, since the corporation has extra money now...
Never will upper management take classes in security.
So the only possible educational tool for them is the school of hard knocks...
I don't think people are interpreting it like that. People think this ruling means they can sue for millions if their coffee-shop profile is hacked and "stolen." This ruling will just send companies back into the shadows of reporting breaches. They should give amnesty to breaches reported within a reasonable window of them happening to encourage fast reporting and complete transparency. We might need an NTSB equivalent in IT to help determine how breaches occur and begin creating security standards as a nation.
For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.
But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures are now directly resulting in these affected people investing hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replacing their cards, changing passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sue the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
After having been an unlucky player in the Anthem and Home Depot breaches it's ironic the feds aren't more critical of their own shortcomings wrt the data protection failures at the Office of Personnel Management (OPM) and the IRS. Losses in those incidents affected individuals and extended family. Possibly for years to come.
Look, I dislike Ayn Rand as much as the next liberal my age, but I would hardly consider her novel, Anthem to be "harmful" to people who read it...
Can somebody explain to me why a U.S. District Judge for the Northern District of California is making a ruling based on New York's General Business Law?
Don't get me wrong, I'm very pleased by this ruling. I'm just curious as to her authority to make it.
So does Judge Lucy Koh just troll the legal system by siding against companies in what is typically an opinion that differs from many other judges?
Because if she's not doing this for the lulz I suggest we nominate her for a cloning program.
You make a good point. I work in IT security and I see a lot of sloppy stuff, mostly people just don't know any better. I can certainly understand why some people would like to see high amounts of damages awarded in law suits, to encourage companies to be more careful in the future.
However, you're absolutely right that encourages companies to just keep quiet, try to hide the breach. Financial damages from law suits plus damage to their reputation can certainly mean executives would rather keep any breaches secret. It's a problem.
One potential solution, or partial solution, would be similar to some other laws already on the books in other areas. A law could specify that IF the company has their systems audited and gets an appropriate security certification, AND they timely report the incident, AND they follow the specified procedures to notify and assist affected customers, then they are presumed prima facie to be not-negligent and therefore not liable, though a plaintiff suing could still prevail if they proved that the defendant was reckless or highly negligent. (I forgot the legal term for "highly negligent".) That would encourage companies to get audited and secured ahead of time, and encourage them to report any breach in order to avoid liability, while not excusing reckless behavior.
Seems like she just isn't afraid to call "Bullshit" when pushed.
"The ferrets, they're every where I tell you!"
Maybe because nothing was stolen in the first place.
"I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
I think the consensus is that if some other company leaks your personal data, THEY should pay for credit monitoring services, not you. In fact, since T-Mobile leaked my personal info, they are paying for credit monitoring for me as we speak.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
I think the word you are looking for is derelict (highly negligent). IDK though as IANAL.
It was "gross negligence" that slipped my mind. Law refers to slight, ordinary, gross, and reckless negligence, with different standards applying in different situations. If you leave your phone on the table at a restaurant, they only owe you "slight care" in getting it returned to you, so they become liable only if they are reckless. On the other hand, if you HIRE a security guard to protect your stuff, or someone borrows it from you, a higher standard of care is required.
Justice Rugg described the difference between negligence, gross negligence, and recklessness as someone being "a fool, a damn fool, and a God-damned fool". :)
Well if that's the case then you won't mind defense counsel and all C-level officers of the company submitting an inventory of their full bank account and credit card information? Sure, such a submission would be on the public record... but you can't prove that any harm will come from it.
The real costs are significantly higher. My identity thief, who obtained SSN's from a major hospital's db, didn't make a single purchase. The SSN's had been sold to illegal (I said it) immigrants such as she. Two years after the theft, I was audited by the IRS, who had decided she was the REAL me, a lien slapped on all my property and accounts, and left homeless, living in a tent.
Months and months later, I was told "Oops. Sorry."
All the password-changing and credit-freezing in the world won't protect you from this growing use of stolen identities.
A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused.
A "reasonable person" perhaps, but hundreds of people in our government have been trying to pass many laws this week to make protecting said data a crime, and also making it a crime to not provide a way for hackers to obtain that data trivially.
So to the powers that be, of course no harm was done, these "breaches" are a good thing.
But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures are now directly resulting in these affected people investing hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replacing their cards, changing passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sue the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).
Exactly. The value of a person's time is the issue here, and that's something our society often doesn't handle well.
It seems like the legal profession has in the past followed a double standard.
The time of lawyers is valuable, therefore they must get paid lots of money for (almost) everything they do.
However, the time of the public is not, since if the law is structured in such a way as to be able to steal that time, then people will tend to hire lawyers to protect them from their own legal system.
In short, this is a legal ethics issue. When they argue that there is no standing on matters like this, the lawyers representing the companies that have failed in their responsibilities, and any judges ruling in their favor, are engaging in unethical practice of law.
This contempt for the value of people's time is - in part - why we still have such obscene practices as junk mail, unsolicited sales or political calls, door-to-door solicitation, and so forth. The lawyers have little incentive to recognize the value of other people's time, so they do little to effectively protect that time.
Worse, it's been known since the 1950's that stress has negative physiological consequences. Expose mice to long term stress, and they develop plaques in the arteries, and have higher rates of heart attack! That means that wasting people's time is not just a matter of time and money, but also likely a matter of doing physical harm.
Certainly identity theft (and most other things that involve stealing a portion of a person's life) can be a lengthy and stressful experience (especially when dealing with incompetent bank officials who insist one owes a huge amount of money for a bogus account, almost certainly one created as a result of the bank's own negligence).
We can view kidnapping as stealing a portion of somebody else's life. Resolving an identity theft can take months (and essentially requires spending money on credit monitoring for the rest of one's life!), and the long term stress involved could lead to health issues such as a heart attack or stroke.
If one is wrong, the other must be as well.
In the USA, it follows that stealing a portion of somebody's life is a violation of fundamental rights "retained by the people" under the 9th Amendment, and "reserved to the people" under the 10th. It doesn't matter what type of negligence or misconduct resulted in the theft of that time.
As such, practices like sending junk mail, and the other items mentioned above, are violations of the highest law in the land. The same can be said for other things that waste time, such as excessive bureaucracy, whether on the part of private businesses or government. This includes a lot of the hassles that go on in the medical domain, such as the hoops one has to go through to deal with errors in bills.
Similarly, one has a right to expect reasonable competence on the part of businesses holding private data.
In my case an H/D employee went into the POS system 6 months later and hacked my C/C. Yes, people need to sue; your info can get hacked later on. I spent years in WI. Fed court. This happened to me in 2005 and ended in 2013. Go to www.hdpos.blog.com; after you read my blog, email me at www.crivitzlogcabin.com and tell me what you think, or what you would have done.