Slashdot Mirror


Judge Slams Anthem, Rules That Breach Constitutes Harm To Customers (digitalguardian.com)

chicksdaddy writes: You would think that the "damages" caused by massive online thefts, like those leveled against Target, Home Depot and Anthem Healthcare, are self-evident. But companies are arguing hard that they can't be sued for damages resulting from data breaches, because the "victims" can't show that they were harmed by the theft. That was the case back in June, when lawyers for Home Depot filed a motion to have a case linked to the compromise at that company dropped. The case was brought by customers whose data was stolen in the attack, but Home Depot's attorneys argued that those customers couldn't prove that they were harmed by the theft of their credit card information. Now a judge in San Francisco has dealt a blow to would-be defendants in a case against Anthem. In an opinion released on Sunday, U.S. District Judge Lucy Koh found that the loss of personal information in the breach of Anthem constitutes harm under New York's General Business Law. The ruling rejected arguments from Anthem and its lawyers that no direct harm resulted from the breach, which was first disclosed in February 2015. In her decision in the Anthem case, Koh reasoned that the theft of personal identification information is harm to consumers in itself, regardless of whether any subsequent misuse of it can be proven. Allegations of a "concrete and imminent threat of future harm" are enough to establish an injury and standing in the early stages of a breach suit, she said.

  1. Koh for Supreme Court by Anonymous Coward · · Score: 5, Insightful

    She has a decent clue about technology and law unlike 99% of all other judges/lawyers.

    1. Re:Koh for Supreme Court by Gr8Apes · · Score: 3, Informative

      She's only been a judge since 2008

      So what? According to that bio she has a lot of related experience. Apparently GP isn't the only one to think so. I don't think she needs any more "experience" any more than Scalia did when he was nominated at 49.

      --
      The cesspool just got a check and balance.
    2. Re:Koh for Supreme Court by whoever57 · · Score: 4, Informative

      The issue is not about whether breach of personal info would harm individuals whose info belong to, it is how much DAMAGE it is.

      I think that you are 100% wrong here. In order to proceed with a lawsuit, you have to show that you have standing. Without harm (any amount of damages), you don't have standing to sue. So this ruling is NOT about how much, instead it is about if ANY harm occurred.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Koh for Supreme Court by ShanghaiBill · · Score: 4, Insightful

      The issue is not about whether breach of personal info would harm individuals whose info belong to, it is how much DAMAGE it is.

      Another issue is culpability. Sure, these companies should be held responsible. But some of the responsibility should also go onto the financial institutions that created the system where mere knowledge of a CC number or SSN allows a criminal to access accounts. It should be illegal to use SSNs to authenticate identity, and CCs should all have passwords/PINs so the numbers on the card are not sufficient to make a charge. We should fix the underlying problem, rather than just punishing the inevitable breaches. Harsh penalties for breaches encourage more companies to attempt a coverup.

    4. Re: Koh for Supreme Court by BlckAdder · · Score: 4, Informative

      Judge Koh is already in line for a nomination to the Ninth Circuit Court of Appeals, which will probably happen this month. Not to say that couldn't be pulled in favor of a Supreme Court nomination, but it's pretty unlikely.

    5. Re:Koh for Supreme Court by Impy the Impiuos Imp · · Score: 4, Interesting

      The Supreme Court just granted standing to states and companies to put a hold on enforcement of a new EPA regulation, a massive one about power plant emissions.

      There was the same argument -- no standing because you don't have to spend money yet. Except that in a previous similar case, companies spent tens of billions preparing for a new regulation that ultimately got overturned. Worse, the EPA bragged, "Haha made you spend money and implement the regulation anyway!" on its web site.

      Supreme Court: Well, if you're gonna be assholes about it...

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    6. Re:Koh for Supreme Court by macs4all · · Score: 2

      However, no one (and I believe by laws) can simply place a damage value on to this kind of harm.

      Nonsense. It's done all the time.

      Sometimes, especially when a wrong is fairly egregious, but the actual damages are difficult or impossible to calculate, a Judge will award a "nominal damage" amount to the claimant. Usually, the sum is somewhere between $1 and $1,000.

    7. Re:Koh for Supreme Court by Locke2005 · · Score: 2

      The banks have a worse problem than that. Do you realize that _anybody_ that knows your checking account number (i.e. anybody you've ever written a check to) can do an electronic funds transfer out of your account, no questions asked? I've had this done to me, and when I complained, my bank's response was, "You need to close your account."

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  2. Doh! Preventative measure COST. by redelm · · Score: 4, Insightful

    For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.

  3. This is a great ruling by surfdaddy · · Score: 5, Insightful

    ...although I'm sure it will be contested. I was in the Home Depot breach, the Target breach, and the TMobile/Experian breach. My wife was in the Bebe breach. You have to figure your info is out there already for most people who don't live under a rock. These companies aren't going to take security seriously until they pay some consequences.

  4. Home Depot by PvtVoid · · Score: 5, Interesting

    I quit shopping at Home Depot after the time I ran into a cashier who insisted that I could not buy what was in my cart unless I supplied my zip code as part of the credit card transaction, despite having it explained to her that it is a violation of their merchant agreement, and in many states is also illegal. I left my shit in the shopping cart and left.

    I was utterly unsurprised to see that Home Depot got breached. I hope they have to pay out big.

    1. Re:Home Depot by Anonymous Coward · · Score: 2, Funny

      It's a cry for help. The cashier is making a blatantly illogical statement in the hopes that you will call them on it and break them out of the delusional worldview that their corporate HQ has imposed.

    2. Re:Home Depot by mrchaotica · · Score: 2

      I congratulate you for having successfully avoided '90s pop culture and therefore remaining ignorant of the zip code for Beverly Hills.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:Home Depot by radarskiy · · Score: 3

      So the banks rejected secret PINs to go along with the chip, but accept PINs that are publicly available.

    4. Re:Home Depot by s1d3track3D · · Score: 2

      Doh! Now that I've actually read TFA I will reply to myself -

      Are there any exceptions? If you swipe a card at a gas pump, you might get a prompt asking you for your ZIP code. This kind of transaction is generally exempt from laws about personal information, as are purchases that require delivery or installation, since the company needs to know where to send the package or technician.

      Sorry to waste your time

  5. Maybe It's Time to Evolve... by mlw4428 · · Score: 2

    ...from risk "acceptance" to risk mitigation and avoidance. Too long companies haven't been going that extra mile because, hey, it's cheaper to pay out for the 2-3 years of credit monitoring and letting customers spend hundreds of hours and potential legal/attorney/specialist fees to clean up the mess. When risk "acceptance" is saying "eh...3 million stolen IDs is cheaper than it would be to put serious effort into making it very hard to get those IDs from us" then we will NEVER be clear of this. I hope Anthem gets hit with billions in lawsuits and gets crippled. It'll serve as a nice warning to every other major company in the US that it's time to start taking security seriously or your businesses will start getting sunk.

  6. Re:Doh! Preventative measure COST. by Fallen Kell · · Score: 5, Insightful

    For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.

    But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures are now directly resulting in these affected people having to invest hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replacing their cards, changing passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sue the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  7. Judge Slams Anthem by Verdatum · · Score: 2, Funny

    Look, I dislike Ayn Rand as much as the next liberal my age, but I would hardly consider her novel, Anthem to be "harmful" to people who read it...

  8. Re:Jurisdiction? by Fallen Kell · · Score: 4, Informative

    New York General Business Law may be an applicable controlling law in the case if one of the parties harmed lives there or if the contract agreement stated New York laws governed contract disputes.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  9. Re:I like this prescident by macs4all · · Score: 2

    Simple fix, Apple and Google can add a feature to their phone OSs where the user can turn on a security feature where if they don't enter their password every "xx" (set by user) days, the phone also auto-wipes....

    They do a somewhat similar thing on the iOS devices that have a touch-sensor.

    If you don't log-into such a device at least once every 48 hours (or after a power-cycle), you HAVE to use the Passcode (not the biometric sensor) to unlock the device.

    That is VERY significant, in that the Supreme Court has ruled that, while you CAN be forced to use your finger to unlock a device, you CANNOT be ordered to divulge (nor enter) a Passcode.

  10. Re:I like this prescident by macs4all · · Score: 2

    It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)

    Already done. Where does it say that Apple can force-update an iOS (or any) of their devices?

  11. "Theft" by Caesar Tjalbo · · Score: 2

    But companies are arguing hard that they can't be sued for damages resulting from data breaches, because the "victims" can't show that they were harmed by the theft.

    Maybe because nothing was stolen in the first place.

    --
    "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
  12. I love these kinds of arguments by scdeimos · · Score: 2

    ...but Home Depot's attorneys argued that those customers couldn't prove that they were harmed by the theft of their credit card information.

    Well if that's the case then you won't mind defense counsel and all C-level officers of the company submitting an inventory of their full bank account and credit card information? Sure, such a submission would be on the public record... but you can't prove that any harm will come from it.