Mark Rasch, 2006-02-20
A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new light on what "reasonable" protections a company must make to secure its customer data - and what customers need to prove in order to sue for damages.
Strict liability for data breaches?
2006-02-21
Adam (1 replies)
Re: Strict liability for data breaches?
2006-02-22
Mark D. Rasch (1 replies)
To complete the analogy, and completely mix the metaphor, it should be "an ounce of prevention is worth a meter of cure..." or something like that....
Strict liability for data breaches?
2006-02-21
Jim (Sydney, Australia) (1 replies)
Damn. We're currently going through Sarbanes-Oxley - I wish WE were allowed to say "Yes, it's documented that we have nothing in place." and get away with it....
Re: Strict liability for data breaches?
2006-02-22
Anonymous
Lovely - I work at a credit card processing company (not CardSystems!). We have annual training for all employees on PCI - Payment Card Industry security regs. Our IT department is required to conduct periodic security tests. All card numbers (PAN - Personal Account Number) on non-production syste...
Strict liability for data breaches?
2006-02-21
Ron Jennings (2 replies)
There is no excuse for the person in charge of the laptop. With that kind of data it should have been with him at all times. He could have locked it up in the trunk of his car or had it locked in a safe at home. A safe that holds a laptop is very cheap compared to the cost of damage control.
...
Re: Strict liability for data breaches?
2006-02-23
Anonymous
Ron,
while it is commendable that you have taken that step, and it is certainly better than nothing, you should be aware that "safes" in the <$400 range are mainly to stop casual pilferage or a kid doing a "snatch and grab". Any actual burglary will only be slightly slowed; even a novice burglar wi...
Re: Strict liability for data breaches?
2006-02-23
Doug
I'm not defending Brazos on this one but your comment is a little unreasonable. How many people do you know that lock their laptops up in a safe at the end of the day? The more appropriate control would be desktop encryption or not having that data on a laptop in the first place. But anyone who w...
Strict liability for data breaches?
2006-02-21
Stephen T (1 replies)
Sadly the court is wrong here. The precautions taken were inadequate: the theft was reasonably foreseeable, the precautions well publicized and known to anyone conversant with the proper computer security and relatively inexpensive, and the precautions could only be taken by the defendant not the ...
Re: Strict liability for data breaches?
2006-02-22
Anonymous (1 replies)
I think you are forgetting that $50 worth of encryption wouldn't solve the problem of the means of decryption lying around on the laptop, with the user most likely having the password in a file somewhere on the laptop.
The real solution is to not allow employees and contractors to have a copy of...
Re: Re: Strict liability for data breaches?
2006-02-26
Stonewall
I am surprised by the finding. Disk encryption certainly isn't perfect, but it is another easy-to-implement barrier which I thought would pass the "reasonable man" test in the case of portable computers. I also agree that this amount of data shouldn't normally be left lying around....
Strict liability for data breaches?
2006-02-21
Anonymous
well since the government oversees these 'standards' the lobbyists are whispering to old dubya 'put a cap on it' I think the regular guy will never hold these large corporate thieves liable, it makes too much sense, after all companies have all the protection, regular consumers do not nor will the...
Strict liability for data breaches?
2006-02-21
WB
Well said. It's a sad state when even the court doesn't consider reasonable care a requirement. Perhaps the judge that made this decision will some day face this dilemma herself and then have a new perspective on what is reasonable.
Was it reasonable for this contractor to have Account Numbers, S...
Strict liability for data breaches?
2006-02-22
Frank, Hsv, AL
Until the courts et al. learn about computers and what it takes to secure the computer and the data on it, we will have these uninformed decisions by the courts. Did the plaintiff's lawyer understand the many layers of "Stuff" you have to go through to make an informed decision on something like thi...
Strict liability for data breaches?
2006-02-22
Anonymous
About encryption:
If it's encrypted and stored on a laptop, isn't it likely that the decryption mechanism is also on the laptop?
The key and data must be separated for encryption to be useful. Ideally this would be the case, but I see requirements all the time to encrypt data stored in databases...
Strict liability for data breaches?
2006-02-23
Anonymous (2 replies)
If people don't want activist judges, don't expect judges to make up laws that don't exist.
Plaintiff chose whom to sue and what theories to use. Plaintiff chose to sue the company, not the guy with the laptop who could have encrypted. And plaintiff chose to use two chief theories: (1) that Bra...
Re: Strict liability for data breaches?
2006-02-23
Mark D. Rasch
A few observations
First, plaintiff did not sue the individual who lost the data because the individual had neither a contractual relationship with the plaintiff, nor any duty of due care to the plaintiff.. nor, for that matter any money. Plaintiff sued the entity they entrusted with their data ...
Re: Strict liability for data breaches?
2006-02-23
Anonymous (1 replies)
By asking the question "What the court failed to do however is to ask the question: should it be? Can we reasonably do better?" You are asking the court to legislate which is exactly what they are not supposed to do. If the laws are not good enough then the lawmakers need to change them.
...
Judge Made Law
2006-02-24
Mark D. Rasch (1 replies)
Virtually all of tort law is judge made. There are almost no statutes on the books proscribing what constitutes "negligence" or "reasonable care." Indeed, the entire CONCEPT of negligence exists only in the common law (judge made.)
Indeed, the LAW doesn't need to be changed -- it's relatively s...
Re: Judge Made Law
2006-03-05
Anonymous (1 replies)
With regard to the small amount of damage concern, I was surprised that the case wasn't sounded in the context of a class action.
(Aside: The plaintiff's attorney is a well-known outfit here in the Twin Cities, known primarily for bringing fair credit collection actions against banks and other le...
Re: Re: Judge Made Law
2006-03-15
Anonymous
That is a good observation. In particular, while the plaintiff's attorneys apparently never made the argument, there is in fact a very real and provable damage which would occur to every one of the people who elected to use the 'free credit monitoring' service which Brazos offered. Each of the nece...
Strict liability for data breaches?
2006-11-09
california
Wal-Mart computer has been stolen and it has all the new hire information on it and they sent a letter telling me to contact all the credit bureaus for identity theft possibilities and the credit companies don't charge for the once a year credit checks but if you have to check every four months who pa...