'No Harm No Foul' Becoming The Norm In Data Breach Lawsuits

from the no-blood-no-foul dept

Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it. This seemed like poor reasoning; Wells Fargo had no control over whether anyone would use the data in a criminal manner, but it did have control over how it stored the data. In that case, data was lost because it was stored in an unencrypted format on a laptop. Certainly some could argue that that was negligent. But it looks like this line of reasoning is becoming standard. A recent suit brought against data broker Acxiom for letting customer data slip out was dismissed since the plaintiffs couldn't prove that anything bad had been done with it. Again, either the company was negligent in letting personal data out, or it wasn't; that should be the measure upon which these cases are decided, not what was done later with the data. There is a flipside, which is that if plaintiffs started winning these cases, data breach lawsuits could easily become the latest class action charade (we can see the commercials now: "Has your personal data been leaked? Call the law offices of..."). But companies can't keep getting let off the hook just because harm can't be proven, or they'll have little incentive to protect the data.


Reader Comments

  1.  
    Stu, Oct 19th, 2006 @ 11:34am

    it's about damages

    In law, the word damages means money lost. A lawsuit can't be won if there are no proven "damages".

    I believe that when someone loses money because of a breach like this, they will prevail in court. (I hope)

    Don't knock class action lawsuits. You may need one some day, as your only hope for justice.

    Knock the bad lawyers who misuse them - not the tool.

     


  2.  
    Anonymous Coward, Oct 19th, 2006 @ 12:23pm

    This is an interesting debate. I think the lawyers may be wording the suits incorrectly. How about suing for unauthorized disclosure? If the companies didn't violate a law then it must have been a lawful disclosure so therefore they violated their own privacy guidelines and due process rights of its customers.

    For example.. If the data had been encrypted and locked in a vault and someone used force to enter the vault and steal the data then the company used due diligence to protect the data even if it was unencrypted.

    In this case the data was simply printed on paper and left on the sidewalk for anyone willing to put forth the effort to pick up the paper. This kind of disclosure, even if the person shouldn't have picked up the paper, would be a violation of the company's own privacy policies, probably a couple of laws but most certainly the customer's due process rights.

    Now.. the grey area here is to argue that unencrypted data on an unsecured laptop is akin to printing out the information and leaving it on the sidewalk. It's a tough argument but not an impossible argument.. just needs to be argued by a good attorney who can think on its toes.

     


  3.  
    Matt Bennett, Oct 19th, 2006 @ 12:25pm

    It's true. You could criminalize an action, or being negligent to various degrees, but for a civil suit there has to be harm done or there's no case. It really is "No harm, No foul" and it's stupid to complain about that.

     


  4.  
    Anonymous Coward, Oct 19th, 2006 @ 12:31pm

    > Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it.

    Then Kevin Mitnick should never have been in JAIL! And he should receive a billion dollars in compensation for the years he spent there without trial!!!

    Judges are all crooked and should be castrated.

     


  5.  
    Anonymous Coward, Oct 19th, 2006 @ 12:41pm

    Re:

    The "harm" is unlawful disclosure of my personal information. The question unanswered by the courts is how much is my personal information worth? Even if it's $1 and the damage was done by negligence then the company should be required to pay $1 per account. If it's $10 then.. again.. $10 per account.

    It's the same thing as your neighbor borrowing your lawnmower then selling it. Even if the lawnmower was never used and was later returned undamaged does not mean your neighbor isn't liable for "unlawful deprivation of property".

    In this case I may have opened an account, provided my personal information and expected the company to either return or destroy that information when it was finished. To simply "leave the door open" so anyone can take my "borrowed" stuff is, at best, an ethics violation. At worst, in my eyes, it's criminal deprivation of property.

    Of course another issue for the courts to address is whether you actually own your personal information and therefore have any right to it. If we, as a society, succeed our identities for the highest bidder (or most clever hacker) then we have nobody else to blame but ourselves.

     


  6.  
    Rational Beaver, Oct 19th, 2006 @ 12:58pm

    So if Wells Fargo loses $500,000 that's okay as long as whoever ends up with the money doesn't do anything evil with the cash?

     


  7.  
    sean, Oct 19th, 2006 @ 1:03pm

    "plaintiffs couldn't prove that anything bad had been done with it"

    Can it be proved that anything bad has not been done with it? Or that a copy has not been made and stored for use in a few months or a year?

    I feel having a laptop that is unsecured and the data unencrypted sitting on the sidewalk is worse than papers sitting there with the same info. Reason being how quickly can you copy a document that is electronic and distribute it compared to paper.

     


  8.  
    Sanguine Dream, Oct 19th, 2006 @ 2:02pm

    Well then...

    Based on that, does that mean the **AAs would have to prove how much damage a file sharer has done in order to successfully sue them?

    If I hack a bank's files and "generate new money" to put in my account without affecting the accounts of other customers (I work in IT for a bank and I know this is possible) does that mean the bank can't sue me and I will only face charges for the hack since no actual money was lost?

    Here's what scares me. What if a precedent is set that forces victims of identity theft to prove the thief actually did something in their name? Now imagine if a statute of limitations were placed (if there isn't already) on identity theft crimes. That combination could tie a victim up in court for years...

     


  9.  
    Judge Wapner, Oct 20th, 2006 @ 5:57am

    It's about damages

    I think the legal principle here is that generally people who are claiming recompensatory damages in a suit must themselves prove that they were initially damaged. Because the point of the lawsuit is to recoup those initial damages. If there is no initial damage, what's to recoup?

    Take the example of two cars on the off-ramp on an interstate, at the stop at the end, waiting to turn right. Both drivers are checking for traffic coming from the left, across the overpass. How many times have you been the car behind, and the car in front of you acts like he's gonna go, and so you check to the left to check traffic, see it's clear, and then turn your head to start up and go, only to find out that the idiot in front of you for whatever reason has inexplicably stopped and isn't REALLY going? Often where fender-benders occur at this point it's because the driver behind THOUGHT the first driver was going and clearing out of the way, and then the driver behind neglected to make that confirmation check of "where the heck is the guy in front of me" AFTER checking the traffic to the left but BEFORE actually putting pedal to the metal.... the result being that the driver behind negligently bumps the fender of the guy in front of him.

    Now no issue here that the guy behind is at fault, despite the fact that the guy in front is a wussy idiot for not going when it was completely clear.

    Issue being.... when the guy in front goes to court to sue the guy behind, he must prove that he had DAMAGES. Meaning, a court isn't going to say to the guy in the rear car, hey Mister, you COULD HAVE totalled this man's car if you'd been going 50 mph rather than 5 mph. He isn't going to say, hey Mister, you COULD HAVE put this guy in the hospital and caused thousands of dollars in medical bills and this guy deserves thousands more because he COULD HAVE had all this pain and suffering.

    Nope, the guy in front must prove that his car was even damaged. Must prove that he was hurt. Bring in his estimates and bills from his auto shop and his doctor. Why?

    Because in the United F***ing States of America, no one is supposed to be deprived of life liberty pursuit of happiness and all that without DUE PROCESS.

    The burden of proof is on the plaintiff -- as it should be.

    Wake the f*** up and quit being such a whiner boy.

     


  10.  
    Judge Wapner, Oct 20th, 2006 @ 6:01am

    Re: It's about damages

    Oh and, to clarify what I mean about "whiner boy", I'm referring to the impulse to immediately quit reading the story for any headline which is immediately followed by "Contributed by Joe"

     


  11.  
    J Pribe, Oct 20th, 2006 @ 7:18am

    WTF??!?!?!

    So, if I steal the judge's car for a few days and return it without wrecking it will I be excused?

     


  12.  
    Adrian Lamo, Oct 21st, 2006 @ 5:03pm

    illusion of privacy

    Personally identifying information is so widespread on the net and elsewhere, I can't possibly imagine a world where its mere existence in someone's hands creates liability.

    Let me save you some trouble. ALL your information is vulnerable, every last one of you. Every damn person everywhere has their identity in the hands of someone else.

    Now that we've established that nobody is safe, can we stop with the periodic "23 million identities stolen," and accept that it's around 300 million, and get over it?

    Life is pain, highness. Anyone who tells you otherwise is selling something.

    EOT

     


