Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Liability for Data Breaches are Minimal 184

vandon submitted a Security Focus bit about liability and identity theft. The article talks about a contractor's laptop containing a half a million records of private student loan information being stolen. The court ruled that since "Reasonable" precautions had been taken, the loan company need not be held strictly liable for their customers damages.
This discussion has been archived. No new comments can be posted.

Liability for Data Breaches are Minimal

Comments Filter:
  • by geekoid ( 135745 ) <dadinportland&yahoo,com> on Wednesday February 22, 2006 @09:12PM (#14781305) Homepage Journal
    is a failure to follow policy.

    Now the person suing the company needs to acuse the company of not following policy, and provide some sort of proof. Then the company cabn attempt to defend itself.
  • by zegebbers ( 751020 ) on Wednesday February 22, 2006 @09:13PM (#14781312) Homepage
    these sorts of problems will only continue. Without any sort of accountability, why should companies care?
    • I think this qualifies as a "fundamental breakdown of the law." Not only do we have to get tougher on the companies when it comes to laws, we have to get tougher on the lawmakers. Maybe, just maybe, we should have a system that regulates lobbyists, since these types of companyes seem to have really good ones.
    • Start fining companies a thousand dollars a head, and watch all those "policy violations" start getting noticed.
      • >Start fining companies a thousand dollars a head, and watch all those "policy violations" start getting noticed.

        Yeah, and also watch everyone pull online access to your account as too big a security risk. Let's all go back to the 1970s where you had to talk to a banker to know your balance. Let's just throw the whole information society out the window while we are at it.
    • It will continue until a congressman or senator becomes a victim. Until then, it's "everyone else's" problem.
  • Liability ... are? I know the editors are not quite Mensa geniuses but this is a new low.
  • by Anonymous Coward on Wednesday February 22, 2006 @09:16PM (#14781320)
    And, yet, if the person who cracked/hacked/illegally accessed the same data were caught and brought to trail the company would say that it suffered millions or billions in damages. Hmmm. Minor disconnect there.
  • Well (Score:1, Insightful)

    by Anonymous Coward
    If someone breaks into my house and steals one of my guns am I liable for what they do with it? No. A locked house is reasonable protection. If that absolves me of someone's death, then surely it absolves someone of having their computer stolen.
    • I agree totally. There are plenty of organisations out there harvesting and selling our information without going after the ones that tried to keep it confidential!
    • Well sorta,

      I will agree that the consultant should not be held liable, as the article said the house was locked.

      The bigger question is still "Did the consultant need all that data at his home on his laptop?"

      I believe the answer should be a resonding NO. He could have accessed the data remotely, simple telnet would have provided better security. Another soultion might have been to provide the data to the consultant in small groups, maybe 25 or 50 thousand names. This would have reduced to number of people op
    • If a consultant had private data on the company... perhaps confidential shareholder information, personal information about management, etc... would the company then sue the consultant if he left his/her laptop unsecured and it was stolen?

      I have a laptop for work, and I leave the damn thing in the office. Then, at least, I can't be held responsible for company property if my house were broken into. If I had strongly confidential data on the thing (other than a few encryption keys, which can be changed eas
    • It all depends... Every situation seems to be different. Take, for example, the fact that at least in the U.S., a bartender and/or drinking establishment can be held liable if they allow a customer to get drunk, drive away, and end up in a car accident, injuring or killing another person. The premise seems to be the idea that the establishment and bartender is responsible for cutting people off before they can get to a stage where they can cause the incident.

      So if you view corporate laptops in *that* lig
    • Re:Well (Score:3, Interesting)

      by 1u3hr ( 530656 )
      A locked house is reasonable protection. If that absolves me of someone's death, then surely it absolves someone of having their computer stolen.

      TFA discusses this point: what is "reasonable" protection. The data could easily have been encrypted; but it wasn't. Or was it "reasonable" for a consultant to have copies of 550,000 customer files on his laptop at his home at all? If you're allowed to have a gun at all for personal protection, you have to be able to keep it in your home, but the same doesn't go

      • I think you're right, but then where do we draw the line between reasonable and unreasonable? The company I work for started using encryption to cover all the private customer files on our laptops. The laptops are used to collect information in areas that don't have wired or wireless internet coverage.

        But unless we disable booting from floppy/CD, it won't prevent someone from popping in a CD, starting up the machine in another operating system, and installing a keystroke logger. Then put the laptop ba
        • I think you're right, but then where do we draw the line between reasonable and unreasonable?

          That's what he case was about, and the court was apparently comfortable with large amounts of confidential data unencrypted on a laptop kept in a home. So the bar is very low.

          In your case; well can't it be set in BIOS to only boot from the hard disk? Though there must be a way to defeat that with a screwdriver. Maybe just a paper or foil seal over the drive bays that would reveal any unauthorised physical meddli

          • I'm more concerned with the ethical bar, not the legal one. If very private medical or financial data about me was going to be carted around in a laptop, I would want the security to be ironclad.

            It's exceptionally difficult to do that, and I don't see much of a way around it.
  • Nice. (Score:1, Informative)

    by Anonymous Coward
    "Liability for Data Breaches are Minimal"

    Grammar for Article Submitters are Minimal?
  • by Dukeofshadows ( 607689 ) on Wednesday February 22, 2006 @09:17PM (#14781331) Journal
    I've got six digits in loans thanks to med school and they're growing by the day. I'd like to see *any* judge with kids in college or grad school take a look at this case: any company that releases data like this should be fined $100+ for *every* person affected. Also, there needs to be state or federal laws for violations of privacy on this scale whether by the company themselves or their contractors.
    • I'm sure for any ones you propose, the folks here can point out all sorts of corner cases in which they would not work / make sense.

      Where do you draw the line? If I lose my laptop that has 18,000 valid email addresses stored in it, and somebody gets that data, should I be liable? How about the person who has a database of, oh, a couple hundred addresses?

      What about addresses and phone numbers? My contacts database has about 2000 of those.

      • Yes. Someone who loses a laptop with personal data should be liable, but only for "private" data (ie, something, that when stolen can directly lead to real possibility of either identity theft or tangible loss... ie, name, SSN, address, CC#s, medical information).

        A laptop should never contain full customer profiles non-encrypted, without serious security policies in place. The idea is that loss of that data should be as important to the holder of that data as it is to the customer/person that data reference
      • The trend seems to be quite simple to follow. The first (and likely only) question we need to ask is, "Does this laptop belong to a corporation?"

        If the answer is "Yes", then the owner of the laptop is not liable.

        If the answer is "No", then the owner of the laptop is liable.

      • If I lose my laptop that has 18,000 valid email addresses stored in it, and somebody gets that data, should I be liable?


        Do you have any other stupid questions?

        • Yes.

          Do you have any other stupid questions?

          I was thinking about, "Did your mother have any children that lived", but I'll settle for:

          What if somebody steals my laptop? Am I still liable? OK, what if they break into my home and steal my desktop computer?
    • There are no laws against violation of your privacy. In fact, you don't have a right to privacy. There are large companies out there that collect all sorts of information about you (SSN, demographics, profile, etc.) and sell it to anyone who is willing to pay. The law in question only covers financial institutions and only requires them to have a policy for protecting data.

      Anyway, I don't see your point. The real problem with identity theft is that banks are not performing due diligence when extending c
  • by MrNaz ( 730548 ) on Wednesday February 22, 2006 @09:19PM (#14781336) Homepage
    This actually makes sense, as the tort of negligence is a civil matter and where a defendant's (in this case the loan company) actions are being assessed, the law requires the standards of "the reasonable man" to be used..

    Generally in cases such as this, the court will use the reasonable man test in a formulation which would likely sound like this: "would a reasonable man, in the position of the defendant with the same information and experience that the defendant can reasonably be expected to possess, have behaved in the same way".

    It then comes down to the court hearing evidence from members of industry and other witnesses or even amici curi (meaning "friend of the court", which is a person who offers evidence but is not called officially by the plaintiff or defendant, and excuse me but my latin spelling is not that good). The judge then decides if the defendant acted the way a reasonable man should.

    P.S., Yes i know the formulation of "reasonable man" is sexist, but hey, it's the law :P
    • I'd like to second the parent and encourage mods to mark it informative. The summary is talking about an extremely basic principle of tort law. One may question the sensibility of applying tort law literally hundreds of years old to modern scenarios, but unquestionably the court in this case is acting as it should, by applying established legal principles to the facts at hand.
      • When carrying sensitive data on a laptop, wouldn't a reasonable man in the profession ensure that if he looses the data, it can not be abused? Like by using strong encryption, readily and easy available. I would think this is a diligence that can be expected from anyone working in such position.
        • The honest truth is I don't know. It's partly philosophical (should it be the practice of a "reasonable man") but also partly empirical (is it the practice of "reasonable men"). But because it's a difficult question with no easy answers, it's exactly the sort of question courts (often, juries) have to wrestle with.
    • I agree. Much like how creationists draw the wrong meaning from "theory" in "theory of evolution", the article is drawing incorrect conclusion by asserting that "reasonable" is not a reasonable standard.

      Our laws are full of these subjective terms:
      "Reasonable doubt" -- The standard for determination of guilt in a criminal trial.

      "Probable cause" -- The standard for search and arrest warrants. (With exceptions of "plain view" and "open fields", which are also phrases with specific legal requirements.)

  • by core plexus ( 599119 ) on Wednesday February 22, 2006 @09:24PM (#14781364) Homepage
    Just as you can't always rely upon the police to protect you (they come after the crime/whatever has happened), or the fire department, etc., so too must each person be diligent in making sure that their not being victimized. This case is a perfect example of why.

    In fact, this case is but one example of many that we have been hearing about, and by the time the company admits it, the damage may be done. The criminals are always coming up with new ideas, scams, and tricks, such as the "You've won the lottery! Deposit this check and we'll send you your lottery winnings [suvalleynews.com]"

    Punishment, no matter how severe or financially crippling, will not stop this.

    • "they are" contracts to "they're", not "their".

      This is really starting to get to me. If you think you're smart enough to have an opnion, then learn to talk gooder before you bludgeon me with it.
    • must each person be diligent in making sure that their not being victimized.

      Oh? And what's your solution to this? Should I call all the banks, jobs, and universities I've ever dealt with and beg them to tell me whether they're keeping my information safe for me? Ask them to promise, pinky swear, to destroy all the copies of my records so they can't fall into the wrong hands?

      On the consumer side, there is no proactive solution to the kind of identity theft that happened in this case. All you can do is keep
    • That is a ridiculous argument. Punishing a company for being negligent is exactly what stops other companies being negligent (whether the punishment is handed down by the state or from consumers). How do you suggest this guy who had a loan should have been diligent?
    • This misses the entire point of policing and prosecution. They are not there to protect, they are there to deter, to raise the stakes of diverging from community standards.

      Yes, you're right. Punishment will not stop *ANYTHING*. Barring totalitarian fascism, "punishment" is not intended to eradicate undesirable behavior. It is merely intended to reduce its frequency. To that end, there is nothing anyone can do to reduce that frequency to zero. At a certain point you just have to accept that, basically, shit
  • by Clockwork Apple ( 64497 ) on Wednesday February 22, 2006 @09:24PM (#14781366) Homepage
    "Apparently the mere existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data."

    It's as if a million Lawyers cried out and then were suddenly silenced.

  • by CyricZ ( 887944 ) on Wednesday February 22, 2006 @09:26PM (#14781382)
    Since the courts have failed in this matter, what we might end up seeing eventually is something along the lines of the "organic" branding of food that is common in some nations. Food which is prepared without the use of chemicals, or genetic modification, and some such, use such a label such as "organic" to differentiate themselves from other growers and manufacturers.

    The obvious computing equivalent would perhaps be "Served by OpenBSD" or "Data Stored on Solaris" labels on websites which collect and store personal data. The same could even go for other firms that collect data. Banks, for instance, could advertise that they store their data on IBM systems.

    While it doesn't really prevent attacks or theft outright, it does indicate to consumers that the company has their IT department in order. I, for one, would feel far more comfortable dealing with businesses who openly profess their use of OpenBSD, Solaris, or Linux. Likewise, I would do my best to avoid those who built their networks around other, potentially more vulnerable systems.

    One of the questions that consumers might ask when dealing with a business that collects much personal information could become, "Do you run your database servers on HP-UX, OpenBSD, or Solaris?"

    • The only problem with this is that you are then giving the hacker information that they can use to attack the system. I would be more frightened if I saw a page that had that on it than one that did not.
      • But systems like Solaris, OpenBSD, and even Linux are often secure enough that it's okay to let people know that you're using them. It's just the old security through obscurity deal, where it's not a good idea to rely on obscurity to protect your systems.

        And besides, using Netcraft or nmap one can already often tell what operating system an Internet-accessible system is running.

        Even then, a good network will be designed such that the web servers run OpenBSD, and the databases are run on a mix of Solaris and
    • One of the questions that consumers might ask when dealing with a business that collects much personal information could become, "Do you run your database servers on HP-UX, OpenBSD, or Solaris?"

      Why should this make anyone feel secure? It doesn't matter if it's a company policy or a piece of software, if it's neglected it will be abused.

      You can't automate correct functioning.

  • So does this mean someone can just place a sticker on the laptop (or computer) stating, "Do not steal this equipment or the sensitive data contiained within!" -- and then be protected from any liability?


  • ....has taken a closer look at a case in which a person sued their student loan company after their information -- along with 550,000 other people's -- was leaked when a contractor's laptop was stolen.

    What possible reason could there be to have that much, or for that matter any, confidential data on a portable machine?!?!

    Maybe the company policy allowed for this kind of thing, but the question should then be 'is this a reasonable policy'. My first thought is that if the employee works remotely and ne
    • Depending on the physical security of the actual server rooms of a particular business, it could be quite easy for somebody to actually steal a server. Any able-bodied individual could easily carry out two or three rackmount systems. A system in a desktop case wouldn't be difficult to take, either.

      Even some of the larger systems from Sun or SGI could be taken. If the entire system isn't taken, then at least any storage systems could be taken with relative ease.

      Unless you're dealing with vintage Big Iron, mo
      • Um, I'm not so sure. If it's in the company building, the chances are that the security is such that only people employed by the company would be able to access the room, and it'd likely have some form of security camera.

        All the server rooms I've seen that have important, confidential data restrict access based on two of:
        - something you have
        - something you know
        - something you are

        And then, only a few people in the company are even allowed in.

        Not only that, with a laptop, you can misplace it by leaving it on
        • Not only that, with a laptop, you can misplace it by leaving it on a park bench or something, just totally open for someone completely to take it without any CCTV footage.

          Not if the park bench happens to be near Speaker's Corner in Hyde Park, London.

      • I'll grant that a motivated thief can steal pretty much anything, but for the purposes of liability I'd say it should be a test of what's reasonable. If, for instance, GenericBank was keeping it's servers in an unlocked closet that it shares with a StarBucks franchise, I'd say they were playing pretty damn fast and loose with security, and they could have reasonably predicted that their server could be stolen. If on the other hand, GenericBank was keeping it's server in a secure location, locked, access c
    • ...it should all be stored on a secure server, and he/she should be working on the files without ever saving any of the data to this laptop's drive, making the company liable in this case.

      Let's say you use the laptop to log on to the secure server- in order to work on these files, they have to be transferred in some form to the laptop. The sensitive data will be located in Laptop's RAM, and it can be paged to a swap file on the hard disk, which an attacker can later recover if they steal the laptop or it

    • While I generally agree with your sentiment, I would like to see the background behind how this data got onto the laptop. In some cases I've seen, the IT department has decided that it would more secure to put sensitive information on one or two laptops rather than serve it up on the web -- while you might be able to do the latter securely, it is a tempting target and much larger compared to two personal laptops. I can see many situations where the company might conclude that it's safer to put the informa
  • subjectivity (Score:5, Insightful)

    by commodoresloat ( 172735 ) * on Wednesday February 22, 2006 @09:29PM (#14781399)
    It's a totally subjective standard that's superficially imposed.

    Unlike the slashdot summary of the decision.

  • Really, what were the damages? What was the monetary value of the "damage" done? Did someone lose their job? Have their identity stolen? Without real damages you don't have a suit, IMO. (Real damages don't qualify as your friends laughing at you for borrowing so much money for an art history degree.) I have a hard time imagining any real damages that would be likely or did occur from this (unless someones identity was stolen then you could sue to recover expenses and damage to your credit). Although this co
  • In Spain the affair described in the story would have translated in a fine of 600,000 EUR (US $714,000) in application of the Organic Law on Protection of Personal Data [www.agpd.es] and the judge blaming the company for not taking enough care of data.
  • Here in the land of the kangaroo, we do all the hard work for the thieves and just let bank and credit statements fall off the back of a truck. [news.com.au]
  • This is not an uncommon situation by any stretch of the imagination. NY state just enacted its Breach Notification act stating that any company that loses customer data must disclose this loss to its customers... with the HUGE loophole that if the data is encrypted (not mentioned what form of encryption), no disclosure needs to take place. HIPAA also states something to the same effect with our patient privacy rights... paraphrase: Any open band communication must be encrypted, any data that travels on inse
    • with the HUGE loophole that if the data is encrypted (not mentioned what form of encryption), no disclosure needs to take place.

      I LOVE this! From now on, all my bookkeeping is going to be done in ROT-13. Take that, future plaintiffs!!
    • But Your Honor, it was encrypted, three times! First, we converted all the letters to numbers using ASCII, then we encrypted that using ROT 13 encryption, and just to be safe we re-encrypted using ROT 13 again!

      And the sad thing is, many judges would accept that.
  • Reasonable steps, are the exact opposite of subjective. The test is what a reasonable person would view as the proper level of security for the data. Ughhh.
  • I am so sorry (Score:1, Redundant)

    by ellem ( 147712 ) *
    1) Collect Data
    2) Lose Data
    3) ???
    4) Profit!
  • But the answer to all this corporate corruption, idiocy, and malfeasance isn't to run the pawns of our corporate feudal lords, but violence.

    Seriously, the business elite has simply lost the fear of God, and someone needs to instill it back in them. If the token jail sentences, loony leftist activism, and fear of reputation lost has failed to keep them in check, than stronger measures are needed.

    I am not talking about randomly going postal, ala many a mail carrier, but a campaign of precise, systematic, leth

    • For those opposed to violence, can you think of a better solution?

      Yeah, the rule of law really sucks. You should come and live in Somalia [wikipedia.org]. It freakin' rocks here! No lawyers. No taxes. *Everyone* has the fear of God in them. Oh, and the best thing of all: No bullshit personal data losses by stupid big businesses, because there are no big businesses. It's all nice and small and simple and manageable.

      Come on out, and I'll set you up in a sweet little shack in the outskirts of Mogadishu. The occasional g

  • I wonder if this is a situation where a USB drive would come in handy? Easy enough to take the thing and toss it in a secure place (vault, etc), and you could also use a secure filesystem on it, even if the OS filesystem were left open.
  • IANAL, so I don't know if there are legislated standards for data handling practices, but I assume there aren't in this case.

    I'm not sure that a legislated security standard is a good idea. Take a look at how the US handles homeland security. With an incompetent standard, people don't even have to keep above the "well, at least you took some reasonable measures" bar. They just implement the standard, and look the other way when it's shown that it's not doing any good.

    Then again, if not the fed, who SHOUL
  • Absurd (Score:5, Insightful)

    by blueforce ( 192332 ) <clannagael@gmaiPARISl.com minus city> on Wednesday February 22, 2006 @10:02PM (#14781547) Homepage Journal
    existence of some type of policy -- regardless of what that policy actually is -- is now enough for companies to eschew any liability for leaking consumers' data.

    That's a ridiculous statement. I'm an applications manager and the company(ies) I work for are in the HR/accounting/BPO industries. I manage a team of software developers, designers, graphic artists, etc. to create BPO software. Our software processes, and we are custodians of, a lot of sensitive personal information. Nearly everything we make, implement, buy, or use affects the security of the data and applications. I spend a substantial amount of time discussing security and IP issues with our inhouse counsel. The one question he *always* asks with regard to security is "What would be reasonable for us to do to protect the data? In other words, what would a company be required to do, within reason, to protect the data that we are housing?" There is no "correct" answer to that as it's highly subjective. What he always stresses to us is "Would I be able to convince a judge or a jury that the precautions we took were inline with accepted practices, and were they reasonable enough to protect the data?". In most cases, he relies on our (my) judgement to determine whether it's enough or too little. Security is such a subjective topic - there is such thing as too much when people who need to can't access information, and of course there is such thing as not enough.

    The real issues arises when determining what is reasonable. What's reasonable to a person whose HIPAA information is being stored might be absurd. Likewise, "reasonable" to a company might equate to "whatever we can afford" which may be far too little. It becomes a balancing act to reconcile the concerns of both sides to take what measures would be considered "reasonable" to protect the information in question. What's reasonble to protect a list of credit card numbers is far different than what's reasonable to protect a list of song titles. It's highly subjective and open to interpretation. The minute someone tries to legislate it and define "reasonable" is the minute someone else will find loopholes and ways around it. But to say "regardless of what that policy actually is" is just plain absurd.
    • >What's reasonble to protect a list of credit card numbers is far different than what's reasonable to protect a list of song titles. It's highly subjective and open to interpretation.

      Good point, but bad example.

      Visa and Mastercard realized they were losing money to credit card fraud. They now have contractual requirements ("PCI DSS") that tell you how to secure credit card information if you accept it. The standards are detailed, down to the level of network architecture and firewall policies. The contra
  • What I would like to know is why all this super-sensitive information is riding around in everyone's laptops. Now, I'm sure it's a great convenience for Mr. HR rep who for some reason needs to be able to look up any employee's SS# on the fly, but I think the privacy rights of the thousands of customers/employees on that laptop are much more important than the convenience of one employee. I have had my identity stolen twice in the past 12 months. One from UC Berkely's laptop theft, and another from Georgia T
  • Follow the Money (Score:3, Insightful)

    by Doc Ruby ( 173196 ) on Wednesday February 22, 2006 @10:09PM (#14781580) Homepage Journal
    As Bruce Schneier always says, if the people responsible for exposing others to security risks don't lose more than the costs of applying the security, then they never will. And of course the people exposed will always lose.
  • GLB (Score:2, Informative)

    by cyriustek ( 851451 )
    The problem here lies with the application of Gramm-Leach-Bliley. The regulation merely requires financial institutions to apply reasonable protections to the customers information. Unfortunately for most consumers, this bar lis lower than one would hope. The application of GLB, and most other federal regulations does not adequately protect the individual. This is why people should ensure they communication with the congressional representatives to get privacy laws with teeth in place.

    Tragically, the privac
    • Tragically, the privacy laws that are currently being evaluated at the federal level water down the requirements of many state laws. For example, California's SB-1386 requires a company to report to you that you information may have been inappropriately disclosed. However, the proposed federal legislation requires companies to only disclose this to you if they believe you are at risk from this exposure.

      Won't change a thing here in California. You'll still have to fulfill the state requirement, even thoug

  • by Expert Determination ( 950523 ) on Wednesday February 22, 2006 @10:21PM (#14781619)
    All a company has to do is follow a minimal set of guidelines and then they can convince a judge that they carried it out, how can it be their fault?

    I was involved with an IP lawyer a couple of years back. He told me to encrypt my mails to him so at a future date we could prove, if needed, that we'd made a reasonable effort to keep our R&D secret. He gave me some Norton tool with a horribly hobbled form of encryption. I was able to crack it in minutes by downloading an app from the .ru domain :-) I told the lawyer. But his response was that all we needed was to be able to prove "due diligence", not actually be secure. After all, what does some judge know about crack software downloaded off the web. The box containing the software used words like "SECURE".

    And this is how the world works. Companies don't really try to make themselves secure - they just make them secure enough to convince other people that they are. I've been complicit in such things myself. One of our clients demanded we make our software development secure. We made loads of groups so we could control exactly who in the company had access to what source code. But this was braindead - people all through the company needed access to software all over the place. We couldn't partition things up in this way without hindering development. So I made all the groups and put everyone who asked in whatever groups they asked for. We could now report to the client that we had made the groups and denied permission to people outside these groups. We omitted to mention who was actually contained in each group and just said that people were in whatever groups they needed.

  • IANAL but the reasonable [wikipedia.org] standard isn't something the judge simply made up on the spot as the OP seem to imply. It is actually a crucial part of our law and quite commonly used, especially in ngeligence cases.
  • When protecting the records of millions of customers, taking reasonable precautions means it simply doesn't get stolen, ever. Anything less is negligence.
  • by Infonaut ( 96956 ) <infonaut@gmail.com> on Thursday February 23, 2006 @12:00AM (#14782127) Homepage Journal

    This was a US District Court case, at the lowest level of the federal judicial structure, and there are likely other decisions in other districts that may have come out differently.

    Furthermore, the facts in this case don't look terribly good for the plaintiff. As others have pointed out, in a torts case you need to prove a harm. From the decision:

    Brazos points out that the evidentiary record is completely devoid of any disputed facts indicating that Guin's personal information was actually on Wright's laptop at the time it was stolen, or that Guin's personal information is now in the possession of the burglar.

    The rationale for summary judgment in this case is clear, because the plaintiff can't provide any evidence of harm.

    The author of the SecurityFocus piece further muddies the waters by giving it the title "Strict liability for data breaches?" Strict liability is imposed in torts cases for activities that are abnormally dangerous. The case in question was purely about negligence.

    Most court cases are very fact-specific, and in this one the facts were such that the law of torts gunned down the plaintiff. It wasn't the specifics of statute, but the plaintiff's inability to prove he'd been harmed that doomed the case. Imagine if in order to win a torts case, you didn't have to prove that you had been harmed. Even emotional harm cases require some actual evidence of damage to the plaintiff. What if you were a sysad and someone in the office where you work claimed you had illicitly entered their computer and taken their private information, but they had no proof. Would you want your accuser to prevail?

  • Everybody here is bitching about what to do when it happens, simple for me:

    I go to my bank, and I ask for a credit card. I have to sign for the thing. Together with that they state that you've read the agreement statements and other legal mumbo jumbo. I ask for those things, the bank representative gets me a copy out of which I scrap all the statements I do not agree with and rewrite them according to what I think of it. I ask for a signature of the bank representative (usually I deal with their manager by
  • They ruled according to the law, as written. Don't blame the judge, it's the law that's bad. And the law is bad because it overlooks the damage caused by the loss of personal information. I'm not surprised -- the issue was probably framed in the wrong terms. Look at the medical industry -- they have HIPAA [loc.gov]. Private medical information gets insane protections. In this capitalist society, it's high time financial information got the same protection. Granted, that's the supposed purpose of Chapter 94 [cornell.edu] of Title 1
  • A reverence for the written word, regardless of its practical application or not, seems to be one of the most remarkable characteristics of American culture. It is evidently found comforting and enormously important to have things on paper, even if they are not actually applied and it makes very little practical difference.

    The origins of this national trait would be worth someone's time to investigate. I suspect that it was a combination of protestantism, with the high importance this religion attaches to

  • Makes you wonder, just how many of these "incidents" occur without any knowledge of the public. It would not surprise me to find out that my personal information is leaked or lost by one of the (hundreds? thousands?) of people collecting it on a "once every 24 months" basis. The only time you really see these things publicised is when someone gets caught trying to cover it up or when someone does some whistle blowing. (are there any laws in place that require disclosure when personal collected informatio
  • In the gigantic aerospace company I work for, "policy" is routinely ignored by one and all whenever possible. Top-level management spends all their time generating policies to cover their collective ass, but the reams of paper are so volumnious that no one has time to read, much less follow, the actual liability-avoidance policies.
  • Understanding of subject/verb agreement are also minimal, it would seem.

Kill Ugly Processor Architectures - Karl Lehenbauer