
Judge Tosses Class Action Over Michaels Data Breach Citing Lack of Damages (digitalguardian.com) 138

chicksdaddy writes: Data breaches have become so common that they've taken on a kind of formality. One of the phrases that often accompany such incidents goes something like this: "[Company X] has no evidence that any of the stolen information has been used inappropriately." Or you might read that "there is no evidence of fraud linked to the stolen data." Such assurances are generally interpreted as wishful thinking. But when courts are asked to weigh in on the question of damages resulting from cyber incidents in civil suits, the question of what harm resulted from the incident is very different – and very real. To put it simply: if nobody can prove harm resulting from a cyber incident, a company can't be held liable for those damages.

That fact was underscored again late last month, when a federal judge in U.S. District Court for the Eastern District of New York dismissed a class action suit against arts and crafts giant Michaels Stores that was filed in the wake of that company's widely-reported data breach. As part of her ruling, the judge, Joanna Seybert, cited a legal precedent set by the recent Supreme Court ruling in "Clapper v. Amnesty International," concluding that the plaintiffs hadn't proven that any harm resulted from the Michaels breach. "Simply put, Whalen has not asserted any injuries that are 'certainly impending' or based on a 'substantial risk that the harm will occur,'" Seybert wrote in her decision, referring to Mary Jane Whalen, the Michaels customer in whose name the class action suit was filed. "Thus, Whalen's claims are DISMISSED WITHOUT PREJUDICE for lack of subject matter jurisdiction," Seybert concluded.

This isn't to say that Whalen or other Michaels stores customers were not the target of fraudsters. In fact, Whalen's attorneys presented evidence that her stolen credit card (or a clone of it) was presented for payment fraudulently in Ecuador: at a local gym and at a venue that sold concert tickets. But regulations in the U.S. exempt consumers from paying the cost of credit card fraud, and Whalen wasn't asked to pay any unreimbursed charges as a result of the fraudulent use, the court noted. Whalen's other attempts to establish "costs" associated with the breach were also disregarded. They included the cost of credit monitoring services and the cost (in time and effort) to obtain replacement cards, the intrinsic value of her credit card information and the risk of future fraud tied to the theft of her credit card data.

  • Court was right (Score:5, Insightful)

    by vux984 ( 928602 ) on Thursday January 07, 2016 @11:07PM (#51259867)

    The court was right in my opinion. The breach is bad, but showing concrete material damages (outside of copyright infringement suits) is a usual requirement. If the plaintiffs couldn't show they were harmed, Michael's doesn't need to make them whole.

    There is still potential for various other types of lawsuits to succeed; PCI compliance, or criminal negligence, etc.

    • by vux984 ( 928602 )

      Sorry to reply to my own post, but for example the credit card companies CAN show direct harm, and could potentially sue Michael's for damages (or just fine them through the existing contractual agreements) for any losses they incurred as a result. (And that goes back to my earlier comment about PCI compliance penalties, etc).

      • That is outside of this suit. You are correct in both of your postings however and we can hope that the processors roll the shit downhill
        • by KGIII ( 973947 )

          Hmm... Has anyone tried asserting that the loss of personally identifiable data (or even financial data) are, in fact, enough to be harmful in and of themselves? Add to that the loss of financial information - even if no direct financial harm has come, is both stressful and a loss of privacy as well as requiring one to take action - and, it seems to me, there's a good, viable, justification for standing.

          The demonstrable harm would be, in those cases, the concern, the loss of data, and the need to take action

          • I would like credit issuers to have a due diligence responsibility. A SSN and a few other personal identifying pieces of info is not a 'confidential key' that they should be using to grant credit. It shouldn't be possible for identity thieves to attain such value from such information.

            The SSNs of all citizens should be a matter of public record.

            • by KGIII ( 973947 )

              The more I think about it, the more I think they don't want to. As I understand it, they are able to push most fraudulent charges onto the merchant. I also understand that the SSN was never, ever, meant to be something confidential or used as something confidential. I'm not sure how it ended up that way? Perhaps someone has some insight...

              So, I'm inclined to agree with you based on the things that I believe to be true. It might add some cost to them but, frankly, there should be a better way. Heh, later in

            • I would like credit issuers to have a due diligence responsibility. A SSN and a few other personal identifying pieces of info is not a 'confidential key' that they should be using to grant credit. It shouldn't be possible for identity thieves to attain such value from such information.

              The SSNs of all citizens should be a matter of public record.

              WRONG!

              The SSNs should STOP BEING USED FOR IDENTIFICATION. They really aren't SUPPOSED to be; but every single damned database seems to think it MUST store an SSN, and every single Utility, Credit Card co, etc, seems to think that it is the best thing since the invention of the birthdate for IDENTIFICATION.

              In fact, my original SS Card said in big, bold red letters at the bottom: "For Social Security and Income Tax Purposes Only - Not For Identification". See Question 21 in this FAQ [ssa.gov]. What's curious is that

          • Hmm... Has anyone tried asserting that the loss of personally identifiable data (or even financial data) are, in fact, enough to be harmful in and of themselves? Add to that the loss of financial information - even if no direct financial harm has come, is both stressful and a loss of privacy as well as requiring one to take action - and, it seems to me, there's a good, viable, justification for standing.

            Standing, maybe; damages, not so much.

            It's just like the cruel facts in a Wrongful Death suit: Unless you are a breadwinner with minor children to support, your heirs have next to zero chance winning damages because "Life isn't in itself, worth anything".

            Now there is an argument for "loss of consortium"; but that is kind of a tough row to hoe, unless the deceased is your spouse. Even then, it isn't so much of a cash-register-ringer, either.

            • by KGIII ( 973947 )

              Yeah, as mentioned - I don't imagine it will amount to much per individual but, in aggregate, it may mean something. Then, with standing, we can get precedent. If we can get precedent then we can work on things like class actions. It still doesn't mean a whole hell of a lot for the individual but it *might* mean more appropriate levels of accountability for those who failed to keep the data secure.

              It is not, by any means, ideal. However, it's a possibility. The damages may be small and that's okay as they a

              • If we can get precedent then we can work on things like class actions. It still doesn't mean a whole hell of a lot for the individual but it *might* mean more appropriate levels of accountability for those who failed to keep the data secure.

                Class-Actions only do 2 things:

                1. First and foremost, they enrich both sides' legal teams

                2. They cause the Offender to increase the cost to the Consumer to pay for the Damage-Award

                Nothing more. The actual Aggrieved Party (hereinafter, "Individual") is lucky to get a coupon for a free medium fries. But usually what happens is that EVERY Individual ends up paying the Damage Award.

                Case in point (no pun) : The Tobacco Industry Settlement. A pack of name-brand Cigarettes in my State (Indiana) before the To

                • You seem to believe in the "pass the costs on to the customer" nonsense. In fact, if the companies could raise their prices to make more money, they would. The main reason they don't is that they'd lose sales volume, and that would be enough to reduce profits. It could be that the tobacco companies had decided they'd make more money jacking up the rates, and used the settlement as an excuse.

                  Fines and settlements and stuff lower the value of a company without allowing the company to make any more money

                  • by KGIII ( 973947 )

                    They also seem to think that the raising of prices of an *addictive* substance is somehow similar to others. I'd also be surprised if a good amount of that increase was not actually for taxes. I don't smoke cigarettes but I do smoke cigars. They had signs up in the shops that had the actual text of the tax increases that were being applied to tobacco products when this happened, I remember this quite clearly.

                    Ah well, he's a Mac fan - 'snot like you can trust him to be rational. ;-)

                    Oddly enough, my cigars ha

                    • Vendors of various sorts like to show tax increases or whatever when they raise prices, because there is often some resentment, and they want to diffuse that.

    • Re:Court was right (Score:5, Interesting)

      by Wootery ( 1087023 ) on Thursday January 07, 2016 @11:34PM (#51259965)

      The broader question is whether this is how it should be.

      With the law as it stands, companies aren't well motivated to prevent breaches. They lose a bit of face, but that seems to be all.

      • The broader question is whether this is how it should be.

        With the law as it stands, companies aren't well motivated to prevent breaches.

        Maybe, but it makes sense that the party who is actually harmed is the party who has standing to sue. Who was harmed? The issuers of the credit cards (which is banks, mostly) and the merchants who accepted payments made with the stolen cards. Mostly the latter.

        So, really, it should be all of the merchants who got ripped off who should band together and sue Michaels. But they won't because not only are lawsuits a pain, but if they did they'd establish a precedent which might someday place them in the cross

    • She showed a cost for credit monitoring, and her time to fix the problems THEY created by willful negligence should be reimbursed.

      Near as I can tell, the judge was bought.

      • Near as I can tell, the judge was bought.

        More likely, she is ignorant of technology, and the plaintiff's lawyers did a lousy job explaining the issue. The judge noticed a (incorrect) similarity to another case [wikipedia.org], and thought she should rule in a similar way.

        Remember judges are elected, and sometimes they can be really, really dumb.

        • Remember judges are elected, and sometimes they can be really, really dumb.

          Federal District Court judges are not elected, they are nominated by the President and confirmed by the Senate. Judge Joanna Seybert was nominated by Clinton in 1993.

      • I'm annoyed by people like you who do not (carefully) read TFA but rather make a comment from summary. Even worse, these people pick and choose only a section of the whole to make a dubious comment on.

        Whalen essentially alleges five different types of injuries:
        (1) actual damages including monetary losses arising from unauthorized bank account withdrawals, fraudulent card payments, and/or related bank fees charged to their accounts, (Compl. 49);
        (2) the loss of time and money associated with credit monitoring and obtaining replacement cards, (Compl. 54);
        (3) overpayment of Michaels' services because Whalen would not have shopped at Michaels had she known that Michaels did not properly safeguard her personal identified information (PII), (Compl. 24, 70-71);
        (4) the lost value of Whalen's credit card information, (Compl. 35-37) and
        (5) a statutory violation of GBL 349, (Compl. 74-98)

        By laws, you cannot assume damage before there are real damages. If laws permit to do so, there will be tons of lawsuits attempting to get money before a real issue happens! Also if you actually READ the PDF file from Bloomberg Law site, you will see how the judge counters her claims and should be able to un

    • by tsotha ( 720379 )
      I'm not a lawyer, but I believe "dismissed without prejudice" means they can re-file later. Presumably after being able to document harm.
      • "dismissed without prejudice" means they can re-file later.

        Yes (though it might be a ~$250 court filing fee)

        • "dismissed without prejudice" means they can re-file later.

          Yes (though it might be a ~$250 court filing fee)

          What district are you in? In mine, the filing fee is $400. (I know, I have filed suits in federal court - and won)

    • by mwvdlee ( 775178 )

      Just take the judges' credit card and personal information, use it to buy loads of expensive stuff, narcotics and subscriptions to perverse sex sites, then after the judge is done dealing with the credit card company to get the situation corrected just say "no harm done".

      • by Ash-Fox ( 726320 )

        Just take the judges' credit card and personal information, use it to buy loads of expensive stuff, narcotics and subscriptions to perverse sex sites, then after the judge is done dealing with the credit card company to get the situation corrected just say "no harm done".

        It's an annoyance, but getting transactions reversed, new card issued etc. isn't exactly going to take more than maybe a 15 minute phone call. Outside of that, I don't really see the judge going further than that. So, what is your point exa

        • Really? Kind of depends where you use the credit card and how many systems you have to update, not to mention you need to worry what other things they are doing, like identity theft.
          • by Ash-Fox ( 726320 )

            Really? Kind of depends where you use the credit card

            Such as?

            how many systems you have to update

            I am a big credit card user (I pay for 'expensive' hotels, taxis, flights, trains etc on a weekly basis) and I have 6 things I pay with my credit card a month through automated means (subscription or billing systems). Anecdotally, I've lost my wallet twice in my lifetime and both times, it was relatively painless to get it sorted quickly. I'm just not seeing the issue?

            not to mention you need to worry what othe

      • by vux984 ( 928602 )

        My card has been compromised twice in the past two years. The first time the bank caught it, before the transactions even showed up on my online banking, they called me and couriered me a new card.

        Second time, I noticed the charges, called them, they made a list of the fraudulent items, reversed them, and I had a new card in 24 hours.

        I had to update my saved card information with a few subscription services like netflix. Am I really going to sue someone because I had to do THAT?

        use it to buy loads of expensive stuff, narcotics and subscriptions to perverse sex sites

        If that ACTUALLY happened, then

      • Was this done to any of the people in the class action suit? Do drug pushers even take credit cards? If it's just expensive stuff and subscriptions, I can challenge the transactions and get a new card number in less than a week. I find it very annoying to change cards, but I couldn't total up enough damages to warrant filing in small claims court.

    • by Anonymous Coward

      The court was right in my opinion. The breach is bad, but showing concrete material damages (outside of copyright infringement suits) is a usual requirement. If the plaintiffs couldn't show they were harmed, Michael's doesn't need to make them whole.

      There is still potential for various other types of lawsuits to succeed; PCI compliance, or criminal negligence, etc.

      I disagree with you. Let me give you an example on a different topic, which I think illustrates the problem well.

      When the lung issues associated with asbestos started to become apparent, many people in the building industry who were affected tried to sue their employers for the damage caused to their bodies while doing their jobs.

      But most of them found that they could not get anywhere with this because they had had multiple employers over their careers, and legally even though the damage was obvious, it was

    • She did. Her credit card was used in two instances. The fact that the credit company would eat those charges - changes nothing. The card was fraudulently used. But I love how we have other laws and legal actions that corporations can claim damages they might occur - but haven't - and judges award them damages.
    • by hey! ( 33014 )

      Yes, showing concrete damages is the usual requirement, so the judge is technically correct which he has to be. But that doesn't mean that the plaintiffs haven't been harmed. People don't steal private information to do harmless things, and exposure and the uncertainty that comes with it inflicts harm as well -- we just can't precisely quantify that harm.

      The legal system in effect sets a conventional amount to the value of harm it knows happened but can't quantify, and that value is $0. And that's arguab

      • by rsborg ( 111459 )

        Exactly.

        And in the case of breaches, when the company (in my case Tmobile) automatically signs you up for credit protection for X months, then the credit monitoring agency (Experian) decides to start billing you for $40/month because your "freebie" is over - when I'd never have needed the monitoring (or even wanted it), it just feels like I'm being made a victim because I was previously victimized.

        Is that damages enough?

    • by phorm ( 591458 )

      Define harm.
      I've been part of a few class actions where vendors colluded on the cost of hardware (monitors, RAM, etc) to inflate the price, and received a cash settlement.

    • by flink ( 18449 )

      The court was right in my opinion. The breach is bad, but showing concrete material damages (outside of copyright infringement suits) is a usual requirement. If the plaintiffs couldn't show they were harmed, Michael's doesn't need to make them whole.

      There is still potential for various other types of lawsuits to succeed; PCI compliance, or criminal negligence, etc.

      This is why we need statutory punitive damages to make companies liable for these kinds of breaches. Otherwise they have no incentive to protect your data. The harm done by all these leaks just becomes an externality. The only way we are going to get corporations to protect the data they are entrusted with is if they have a financial interest in doing so.

    • I would be more inclined to say that the court is right with the law as it is now if the dismissal had been based on standing and a lack of injury. That's well established. With this reasoning for dismissing based on SMJ, only provable identity theft would ever be actionable from the perspective of the consumer whose information was lost. For anything short of that, class actions are utterly useless. A breached company will only have to answer to credit card companies and banks instead of to each person tha
  • What about all the time the credit card owners have to waste getting a new card and updating all of their vendors, services, etc. If the business is responsible for the credit card data being stolen, and I lose 12 hours of my time dealing with that, then that's "damage", and I deserve to be reimbursed for my time.
    • Twelve hours? How many vendors and services do you deal with? Except for the minor inconvenience of being with a credit card for a few days, there's not much work involved. You update the obvious ones and the ones you forgot about will come running when their payment gets declined.
      • Sure, and the last time this happened to me, and I forgot to update my satellite provider, a promotion was taken away from me because a payment became late. Again, it doesn't matter if it takes 30 seconds to deal with this. Any amount of time spent greater than 0 is an inconvenience and this should not go unpunished. I think the logic is pretty clear...
      • Twelve hours? How many vendors and services do you deal with? Except for the minor inconvenience of being with a credit card for a few days, there's not much work involved

        It's easy for you, if you've already gone through it, and know what to do. If you have to research it, then it's going to take longer.

        • How much research do you need to do? This is all common sense. Credit card gets stolen. Number is not good anymore. Service providers need new number.
        • by KGIII ( 973947 )

          I was doxxed about eight years ago (before it had a name, really). I've kept the 'do not issue credit' flag enabled at the reporting bureaus ever since. It's pretty good protection but a pain in the ass if I did want credit for something - and I do actually have a few credit cards for the benefits they give me but it's a hassle to get the information, make the calls, specify the lender, and enable them to run a check. Usually, I just use a debit card on a separate account and push money into that separate a

      • Then make a case. I could file a lawsuit against you for being ignorant, but that doesn't mean it has merit.

        Likewise, either test your legal acumen in the arena, or stop having brilliantly stupid ideas in the internet.

        I spent time typing this, you owe me money. I'll settle for $100 BTC.

    • The plaintiff tried that argument. Here is what the judge said in response:

      Whalen also argues that she has standing because she lost time and money associated with credit monitoring and other mitigation expenses. (Pl.’s Opp. Br. at 8.) But the Supreme Court has dismissed this type of argument, explaining that plaintiffs “cannot manufacture standing” through credit monitoring. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1151, 185 L. Ed. 2d 264 (2013). “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Id.

      That conclusion rings especially true here where Whalen cancelled her affected credit card. See Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-CV-4787, 2014 WL 7005097, at *3 (N.D. Ill. Dec. 10, 2014) (“[T]here is no reason to believe that identity theft protection was necessary after [the plaintiff] cancelled the affected debit card.”). Thus, these allegations are insufficient to confer standing.

      The judge's argument here seems weak to me. In Clapper v Amnesty, the credit monitoring was somewhat speculative. In this case, when you know your personal information has been stolen, it is best practices. Also, the judge completely ignored the time wasted cancelling the credit card. You can read it yourself [bloomberglaw.com].

      As someone else mentioned, I'd think the fact that the credit card number was demonstrably given to a criminal is already pr

  • If someone broke into a bank vault but you couldn't prove they took anything would they get away with it?

    • by DogDude ( 805747 )
      In a civil case, yes. In a criminal case, no.
      • by KGIII ( 973947 )

        Well, did they damage the vault in the process of breaking in? Not that has one iota of bearing on the case at hand (necessarily) but they could be found liable in a civil court. It'd be a bit interesting if they didn't have enough to prove, beyond reasonable doubt, that the person had committed the offense but were able to prove that the defendant had, more likely than not, committed the offense and thus be liable for civil damages. Something akin to the OJ event.

        But, and this is related, if they'd broken

        • In fact, that's kind of why I am surprised that these cases keep turning out this way. Then again, from what I've read, nobody has presented it quite like that. I touched on that in a prior post - in this thread, and it doesn't seem like it should be all that difficult to argue that they have standing, that there was harm (even if it is minor), and that they deserve to have an opportunity to put their case in front of a jury.

          Given the huge amounts of money at stake, and the fact that it keeps happening over and over, I'd kind of expect that sooner or later, a lawyer is going to find a legal theory that makes it stick.....

          • by KGIII ( 973947 )

            That makes sense to me. I've never seen (and I've read a few and paid attention to a few - but it's not like I'm an expert, scholar, or lawyer) anyone actually argue it like I present it in the thread. It seems so simple to me - especially considering the many other things, things I might consider frivolous where they conclude that the plaintiff was harmed. Hell, they've found for damages with things like libel and slander. Are the judges aware what can be done with information? Especially information in ag

    • You are confusing civil and criminal court.
    • Fine. But do you then sue the bank for not having a strong enough vault?

      So if they catch the people who breached Michaels, prosecute them. Michaels is not the criminal here!

  • Ok, if this has no harm to the end user, i.e. nothing physical stolen, then why would copying music or movies be damaging? That has all of the same IP, as my information about myself that michaels and others would just have given up.
    • Wait, wait, this is about a case in reality. Not one about sex, drugs or copyright.

    • Ok, if this has no harm to the end user, i.e. nothing physical stolen, then why would copying music or movies be damaging?

      There are laws that specifically address the topic of copyright infringement, setting penalties regardless of whether damage was inflicted. In some cases, punitive penalties can be applied beyond the damage actually caused.

      In the case of user data being lost, there is no particular law that applies, so the lawyers need to find existing laws and use them to sue, showing why they apply in this situation. In this situation, the lawyers sued under laws that allow people to recover damage, but they didn't demo

      • Actually there are laws that apply in this situation. At issue is harm. The judge decided that since the plaintiff was not out any money - the credit card company did not pass on the fraudulent charges - no harm was done. The problem with this decision is that a crime was committed. At issue is whether or not Michael's is protecting their customers' credit card information. As has been stated, without any pressure, merchants have no motivation to improve their systems. Merchants need to be held respons
        • Failing to protect customer information is not a crime in the US. There was obviously a crime committed in getting the data, but it's going to be hard to trace down the perpetrators and bring them to justice. The store has civil liability.

          Probably the proper way for legislative bodies to address this is statutory damages, which presume that some sort of harm has been done that's hard to quantify. If each person whose information was leaked was awarded $50, merchants would get REALLY careful about data

  • by PPH ( 736903 ) on Friday January 08, 2016 @12:44AM (#51260155)

    Hint: It doesn't always have to be monetary.

    What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them? Freedom of association also includes the right to choose not to associate with someone.

    • by OzPeter ( 195038 )

      Hint: It doesn't always have to be monetary.

      What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them? Freedom of association also includes the right to choose not to associate with someone.

      Well if your damages are non-monetary, then how would a monetary payment make you whole again?

      • Ever hear of pain and suffering....monetary awards for psychological damages happen all the time. Moron.
      • First, most people would go through a lot of things for the right price, so a monetary payment would usually count as making someone whole. Obviously this isn't going to help a dead person, and won't solve major medical problems, but, second, what is the court supposed to do? About all a judge can do is award monetary damages. Judges have no mystical powers to reverse the effects of negligence.

        Yes, this really sucks if you're blinded in an accident you have 0% responsibility for, but I don't know a be

    • by swb ( 14022 )

      Was your "psychological harm" so great that you could demonstrate financial damage from it?

      Did you lose wages from work, have to obtain counseling or incur any other monetary costs associated with this?

      If not, I don't think anyone would buy into your psychological harm because you really can't demonstrate any actual consequences from it. I don't think transitory emotional states without any demonstrable consequences count as psychological damage.

    • What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them?

      You get psychologically damaged by having your details maybe or maybe not fall into the hands of someone you don't know and are unlikely to ever meet? For that you shouldn't get monetary compensation but rather psychiatric care.

      I actually think that a lot of lawsuits should end like that. Instead of money, actually fix the problem. "Oh I'm traumatised", "Well here's a 6 month subscription to a psychiatrist and the court will ensure you go once a week, that'll fix you."

      The only psychological damage that exist

  • by Bruinwar ( 1034968 ) <bruinwar @ h o t mail.com> on Friday January 08, 2016 @08:49AM (#51261061)

    It's a real pain in the ass when a data breach allows credit card fraud to occur. Anyone who's had it happen to them knows that. So the credit card company doesn't make you pay (oh, they don't eat it, ever, they don't pay the vendor), that's great. But you still have to catch the fraudulent charges (in time), call, make a claim, change your account number, remember all the subscribed accounts that use that number (netflix etc...), wait & see, worry.

    But the company that can't keep their shit secure has no liability.

  • They can show actual damages from the breach. Then again, they might be insured against losses from fraud, so it would have to be the insurance company that sues. Does it stop there? I don't know.
    • And they are unlikely to sue. So nothing changes. This is why the judge is an ass-hat.
    • They might be able to sue, but maybe not. The credit card company is going to have a pretty thorough contract with the retailer that accepts payments via that credit network. It probably covers this type of situation with specified recourse, whether it's a fine, arbitration, liability, etc.

      • Ah, good point. In the end then, addressing the core issue is a job for a different branch of government. Either Congress must pass a new law or the Administration must implement new regulations on data security (via the FTC I would think).
  • by theophilosophilus ( 606876 ) on Friday January 08, 2016 @10:22AM (#51261551) Homepage Journal
    The cost of a credit protection service enrolled in as a precaution is damage enough. This is a foreseeable injury regardless of actual fraud. The class representatives could have subscribed to some service and pled the class as existing of all persons that incurred this expense. The result is the negligent company is held accountable and other companies are on notice that they will be held accountable. If there was actual fraud for some persons, it would destroy the commonality requirement for class certification; the persons suffering fraud would all have had different levels and types of damages.
  • It sounds like the judge did the right thing by dismissing without prejudice. That will allow it to come back when or if they get enough information to prove the case. Will we base the outcome of cases like this on how the data was used by the folks who stole it? How long do we have to wait to determine the cost? What about the impact of ambiguity resulting from multiple large breaches, how do we attribute loss? ... I would be concerned about the second aspect; if a company avoids doing the right thin
    • Yes, the outcome will depend on what use the criminals make of the data. If I'm walking on the sidewalk and a car goes out of control and hits a wall next to me, no damages and no grounds for a lawsuit. If I'm walking on the sidewalk and the out-of-control car hits me, there will be harm and I will seek damages. The two cases are absolutely identical except that I was two meters farther along the sidewalk in the second example, the amount of negligence and responsibility being exactly the same.

      • by wb7dpf ( 2944853 )
        I think the mistake here is that it assumes that this is one event, but it is two; the negligent actions of a company to appropriately protect their data and then the impact of the release of that data. While the release hasn't yet been an issue, the initial case has opened up customers to identity theft. For the analogy, I think there is an element of intent and ownership that is missing. So I would modify it to be that you park your car on a lot and the lot owner holds the keys. When the car is stolen a
  • What if the same had to be proven by companies who get people for piracy? Isn't this basically the same thing? We are talking about stolen information that has value in slightly different ways but causes harm to the "victim" in similar ways. Reasonable fines should be paid by anyone who commits piracy and the same rules should apply to companies who can't keep their customers' private information secure.
  • I know this is technically how the law is supposed to work but the likely consequence of this is that companies will put more effort into covering up the damages than they put into securing their data. It's a lot more expensive to develop a system that is difficult to penetrate than it is to roll the dice and hope that you don't get hacked and if you do, cover up the evidence.
