Slashdot Mirror


Judge Slams Anthem, Rules That Breach Constitutes Harm To Customers (digitalguardian.com)

chicksdaddy writes: You would think that the "damages" caused by massive online thefts, like those leveled against Target, Home Depot and Anthem Healthcare, are self-evident. But companies are arguing hard that they can't be sued for damages resulting from data breaches, because the "victims" can't show that they were harmed by the theft. That was the case back in June, when lawyers for Home Depot filed a motion to have a case linked to the compromise at that company dropped. The case was brought by customers whose data was stolen in the attack, but Home Depot's attorneys argued that those customers couldn't prove that they were harmed by the theft of their credit card information. Now a judge in San Francisco has dealt a blow to would-be defendants in a case against Anthem. In an opinion released on Sunday, U.S. District Judge Lucy Koh found that the loss of personal information in the breach of Anthem constitutes harm under New York's General Business Law. The ruling rejected arguments from Anthem and its lawyers that no direct harm resulted from the breach, which was first disclosed in February 2015. In her decision in the Anthem case, Koh reasoned that the theft of personal identification information is harm to consumers in itself, regardless of whether any subsequent misuse of it can be proven. Allegations of a "concrete and imminent threat of future harm" are enough to establish an injury and standing in the early stages of a breach suit, she said.

  1. Koh for Supreme Court by Anonymous Coward · · Score: 5, Insightful

    She has a decent clue about technology and law unlike 99% of all other judges/lawyers.

    1. Re:Koh for Supreme Court by whoever57 · · Score: 4, Informative

      The issue is not about whether breach of personal info would harm individuals whose info belong to, it is how much DAMAGE it is.

      I think that you are 100% wrong here. In order to proceed with a lawsuit, you have to show that you have standing. Without harm (any amount of damages), you don't have standing to sue. So this ruling is NOT about how much, instead it is about if ANY harm occurred.

      --
      The real "Libtards" are the Libertarians!
    2. Re:Koh for Supreme Court by ShanghaiBill · · Score: 4, Insightful

      The issue is not about whether breach of personal info would harm individuals whose info belong to, it is how much DAMAGE it is.

      Another issue is culpability. Sure, these companies should be held responsible. But some of the responsibility should also go onto the financial institutions that created the system where mere knowledge of a CC number or SSN allows a criminal to access accounts. It should be illegal to use SSNs to authenticate identity, and CCs should all have passwords/PINs so the numbers on the card are not sufficient to make a charge. We should fix the underlying problem, rather than just punishing the inevitable breaches. Harsh penalties for breaches encourage more companies to attempt a coverup.

    3. Re: Koh for Supreme Court by BlckAdder · · Score: 4, Informative

      Judge Koh is already in line for a nomination to the Ninth Circuit Court of Appeals, which will probably happen this month. Not to say that couldn't be pulled in favor of a Supreme Court nomination, but it's pretty unlikely.

    4. Re:Koh for Supreme Court by Impy the Impiuos Imp · · Score: 4, Interesting

      The Supreme Court just granted standing to states and companies to put a hold on enforcement of a new EPA regulation, a massive one about power plant emissions.

      There was the same argument -- no standing because you don't have to spend money yet. Except that in a previous similar case, companies spent tens of billions preparing for a new regulation that ultimately got overturned. Worse, the EPA bragged, "Haha made you spend money and implement the regulation anyway!" on its web site.

      Supreme Court: Well, if you're gonna be assholes about it...

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  2. Doh! Preventative measure COST. by redelm · · Score: 4, Insightful

    For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.

  3. This is a great ruling by surfdaddy · · Score: 5, Insightful

    ...although I'm sure it will be contested. I was in the Home Depot breach, the Target breach, and the TMobile/Experian breach. My wife was in the Bebe breach. You have to figure your info is out there already for most people who don't live under a rock. These companies aren't going to take security seriously until they pay some consequences.

  4. Home Depot by PvtVoid · · Score: 5, Interesting

    I quit shopping at Home Depot after the time I ran into a cashier who insisted that I could not buy what was in my cart unless I supplied my zip code as part of the credit card transaction, despite having it explained to her that it is a violation of their merchant agreement, and in many states is also illegal. I left my shit in the shopping cart and left.

    I was utterly unsurprised to see that Home Depot got breached. I hope they have to pay out big.

  5. Re:Doh! Preventative measure COST. by Fallen Kell · · Score: 5, Insightful

    For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.

    But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures are now directly resulting in these affected people investing hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replacing their cards, changing passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sue the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  6. Re:Jurisdiction? by Fallen Kell · · Score: 4, Informative

    New York General Business Law may be an applicable controlling law in the case if one of the parties harmed lives there or if the contract agreement stated New York laws governed contract disputes.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"