'No Harm No Foul' Becoming The Norm In Data Breach Lawsuits

from the no-blood-no-foul dept

Back in April, a judge ruled that Wells Fargo should not be penalized for a data breach because there was no evidence that those who acquired the data had done anything criminal with it. This seemed like poor reasoning; Wells Fargo had no control over whether anyone would use the data in a criminal manner, but it did have control over how it stored the data. In that case, data was lost because it was stored in an unencrypted format on a laptop. Certainly some could argue that that was negligent. But it looks like this line of reasoning is becoming standard. A recent suit brought against data broker Acxiom for letting customer data slip out was dismissed since the plaintiffs couldn't prove that anything bad had been done with it. Again, either the company was negligent in letting personal data out, or it wasn't; that should be the measure upon which these cases are decided, not what was done later with the data. There is a flipside, which is that if plaintiffs started winning these cases, data breach lawsuits could easily become the latest class action charade (we can see the commercials now: "Has your personal data been leaked? Call the law offices of..."). But companies can't keep getting let off the hook just because harm can't be proven, or they'll have little incentive to protect the data.

Reader Comments


  1. Anonymous Coward, 19 Oct 2006 @ 12:23pm

    This is an interesting debate. I think the lawyers may be wording the suits incorrectly. How about suing for unauthorized disclosure? If the companies didn't violate a law then it must have been a lawful disclosure so therefore they violated their own privacy guidelines and due process rights of its customers.

    For example.. If the data had been encrypted and locked in a vault and someone used force to enter the vault and steal the data then the company used due diligence to protect the data even if it was unencrypted.

    In this case the data was simply printed on paper and left on the sidewalk for anyone willing to put forth the effort to pick up the paper. This kind of disclosure, even if the person shouldn't have picked up the paper, would be a violation of the company's own privacy policies, probably a couple of laws but most certainly the customer's due process rights.

    Now.. the grey area here is to argue that unencrypted data on an unsecured laptop is akin to printing out the information and leaving it on the sidewalk. It's a tough argument but not an impossible argument.. just needs to be argued by a good attorney who can think on its toes.
