Slashdot Mirror


Judge Slams Anthem, Rules That Breach Constitutes Harm To Customers (digitalguardian.com)

chicksdaddy writes: You would think that the "damages" caused by massive online thefts, like those leveled against Target, Home Depot and Anthem Healthcare, are self-evident. But companies are arguing hard that they can't be sued for damages resulting from data breaches, because the "victims" can't show that they were harmed by the theft. That was the case back in June, when lawyers for Home Depot filed a motion to have a case linked to the compromise at that company dropped. The case was brought by customers whose data was stolen in the attack, but Home Depot's attorneys argued that those customers couldn't prove that they were harmed by the theft of their credit card information. Now a judge in San Francisco has dealt a blow to would-be defendants in a case against Anthem. In an opinion released on Sunday, U.S. District Judge Lucy Koh found that the loss of personal information in the breach of Anthem constitutes harm under New York's General Business Law. The ruling rejected arguments from Anthem and its lawyers that no direct harm resulted from the breach, which was first disclosed in February 2015. In her decision in the Anthem case, Koh reasoned that the theft of personal identification information is harm to consumers in itself, regardless of whether any subsequent misuse of it can be proven. Allegations of a "concrete and imminent threat of future harm" are enough to establish an injury and standing in the early stages of a breach suit, she said.

5 of 92 comments

  1. Koh for Supreme Court by Anonymous Coward · · Score: 5, Insightful

    She has a decent clue about technology and law unlike 99% of all other judges/lawyers.

    1. Re:Koh for Supreme Court by ShanghaiBill · · Score: 4, Insightful

      The issue is not about whether a breach of personal info would harm the individuals to whom the info belongs; it is how much DAMAGE it is.

      Another issue is culpability. Sure, these companies should be held responsible. But some of the responsibility should also go onto the financial institutions that created the system where mere knowledge of a CC number or SSN allows a criminal to access accounts. It should be illegal to use SSNs to authenticate identity, and CCs should all have passwords/PINs so the numbers on the card are not sufficient to make a charge. We should fix the underlying problem, rather than just punishing the inevitable breaches. Harsh penalties for breaches encourage more companies to attempt a coverup.

  2. Doh! Preventative measure COST. by redelm · · Score: 4, Insightful

    For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.

  3. This is a great ruling by surfdaddy · · Score: 5, Insightful

    ...although I'm sure it will be contested. I was in the Home Depot breach, the Target breach, and the TMobile/Experian breach. My wife was in the Bebe breach. You have to figure your info is out there already for most people who don't live under a rock. These companies aren't going to take security seriously until they pay some consequences.

  4. Re:Doh! Preventative measure COST. by Fallen Kell · · Score: 5, Insightful

    For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.

    But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures are now directly resulting in these affected people having to invest hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replacing their cards, changing passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sue the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"