'No Harm No Foul' Becoming The Norm In Data Breach Lawsuits

from the no-blood-no-foul dept

Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it. This seemed like poor reasoning; Wells Fargo had no control whether anyone would use the data in a criminal manner, but it did have control over how it stored the data. In that case, data was lost because it was stored in an unencrypted format on a laptop. Certainly some could argue that that was negligent. But it looks like this line of reasoning is becoming standard. A recent suit brought against data broker Axciom for letting customer data slip out was dismissed since the plaintiffs couldn’t prove that anything bad had been done with it. Again, either the company was negligent in letting personal data out, or it wasn’t; that should be the measure upon which these cases are decided, not what was done later with the data. There is a flipside, which is that if plaintiffs started winning these cases, data breach lawsuits could easily become the latest class action charade (We can see the commercials now, “Has your personal data been leaked? Call the law offices of…“). But companies can’t keep getting let off the hook just because harm can’t be proven, or they’ll have little incentive to protect the data.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “'No Harm No Foul' Becoming The Norm In Data Breach Lawsuits”

Subscribe: RSS Leave a comment
Stu says:

it's about damages

In law, the word damages means money lost. A lawsuit can’t be won if there are no proven “damages”.

I believe that when someone loses money because of a breach like this, they will prevail in court. (I hope)

Don’t knock class action lawsuits. You may need one some day, as your only hope for justice.

Knock the bad lawyers who misuse them – not the tool.

Anonymous Coward says:

This is an interesting debate. I think the lawyers may be wording the suits incorrectly. How about suing for unauthorized disclosure? If the companies didn’t violate a law then it must have been a lawful disclosure so therefore they violated their own privacy guidelines and due process rights of its customers.

For example.. If the data had been encrypted and locked in a vault and someone used force to enter the vault and steal the data then the company used due diligence to protect the data even if it was unencrypted.

In this case the data was simply printed on paper and left on the sidewalk for anyone willing to put forth the effort to pickup the paper. This kind of disclosure, even if the person shouldn’t have picked up the paper, would be a violation of the companies own privacy policies, probably a couple of laws but most certainly the customer’s due process rights.

Now.. the grey area here is to argue that unencrypted data on an unsecured laptop is akin to printing out the information and leaving it on the sidewalk. Its a tough argument but not an impossible argument.. just needs to be argued by a good attorney who can think on its toes.

Anonymous Coward says:

Re: Re:

The “harm” is unlawful disclosure of my personal information. The question unanswered by the courts is how much is my personal information worth? Even if its $1 and the damage was done by negligence then the company should be required to pay $1 per account. If its $10 then.. again.. $10 per account.

Its the same thing as your neighbor borrowing your lawnmower then selling it. Even if the lawnmower was never used and was later returned undamaged does not mean your neighbor isn’t liable for “unlawful deprivation of property”.

In this case I may have opened an account, provided my personal information and expected the company to either return or destroy that information when it was finished. To simply “leave the door open” so anyone can take my “borrowed” stuff is, at best, an ethics violation. At worst, in my eyes, its criminal deprivation of property.

Of course another issue for the courts to address is weather you actually own your personal information and therefore have any right to it. If we, as a society, succeed our identities for the highest bidder (or most clever hacker) then we have nobody else to blame but ourselves.

Anonymous Coward says:

> Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it.

Then Kevin Mitnick should never have been in JAIL! And he should receive a billion dollars in compensation for the years he spent there without trial!!!

Judges are all crooked and should be castrated.

sean says:

“plaintiffs couldn’t prove that anything bad had been done with it”

Can it be proved that anything bad has not been done with it? Or that a copy has not been made and stored for use in a few months or a year.

I feel having a laptop that is unsecured and the data unencrypted sitting on the side walk being worse that papers sitting there with the same info. Reason being how quickly can you copy a document that is electronic and distribute it compared to paper.

Sanguine Dream says:

Well then...

based on that does that mean the **AAs would have to prove how much damage a file sharer has done in order to successfully sue them?

If I hack a banks files and “generate new money” to put in my account without affecting the accounts of other customers (i work in IT for a bank and I know this is possible) does mean the bank can’t sue me and I will only face charges for the hack since not actual money was lost?

Here’s what scares me. What if a precedent is set that forces victims of identity theft to prove the thief actually did something in their name? Now imagine if a statute if limitations were placed (if there isn’t already) on identity theft crimes. That combination could tie a victim up in court for years…

Judge Wapner says:

It's about damages

I think the legal principle here is that generally people who are claiming recompensatory damages in a suit must themselves prove that they were initially damaged. Because the point of the lawsuit is to recoup those iniital damages. If there is no initial damage, what’s to recoup?

Take the example of two cars on the off-ramp on an interstate, at the stop at the end, waiting to turn right. Both drivers are checking for traffic coming from the left, across the overpass. How many times have you been the car behind, and the car in front of you acts like he’s gonna go, and so you check to the left to check traffic, see it’s clear, and then turn your head to start up and go, only to find out that the idiot in front of you for whatever reason has inexplicably stopped and isn’t REALLY going? Often where fender-benders occur at this point it’s because the driver behind THOUGHT the first driver was going and clearing out of the way, and then the driver behind neglected to make that confirmation check of “where the heck is the guy in front of me” AFTER checking the traffic to the left but BEFORE actually putting pedal to the metal…. the result being that the driver behind negligently bumps the fender of the guy in front of him.

Now no issue here that the guy behind is at fault, despite the fact that the guy in front is a wussy idiot for not going when it was completely clear.

Issue being…. when the guy in front goes to court to sue the guy behind, he must prove that he had DAMAGES. Meaning, a court isn’t going to say to the guy in the rear car, hey Mister, you COULD HAVE totalled this man’s car if you’d been going 50 mph rather than 5 mph. He isn’t going to say, hey Mister, you COULD HAVE put this guy in the hospital and caused thousands of dollars in medical bills and this guy deserves thousands more because he COULD HAVE had all this pain and suffering.

Nope, the guy in front must prove that his car was even damaged. Must prove that he was hurt. Bring in his estimates and bills from his auto shop and his doctor. Why?

Because in the United F***ing States of America, no one is supposed to be deprived of life liberty pursuit of happiness and all that without DUE PROCESS.

The burden of proof is on the plaintiff — as it should be.

Wake the f*** up and quit being such a whiner boy.

Adrian Lamo (user link) says:

illusion of privacy

Personally identifying information is so widespread on the net and elsewhere, I can’t possibly imagine a world where its mere existence in someones hands creates liability.

Let me save you some trouble. ALL your information is vulnerable, every last one of you. Every damn person everywhere has their identity in the hands of someone else.

Now that we’ve established that nobody is safe, can we stop with the periodic “23 million identities stolen,” and accept that it’s around 300 million, and get over it?

Life is pain, highness. Anyone who tells you otherwise is selling something.


Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...