Sadly the court is wrong here. The precautions taken were inadequate: the theft was reasonabley forseeable, the precautions well publicized and known to anyone conversant with the proper computer security and relatively inexpensive, and the precautions could only be taken by the defendant not the plantiff. If defendant had asked its customers "Should we keep your personal information encrypted on disks in our employee's homes or just leave it lying around in the clear? This option will cost $50" they would have been able to transfer the risk, thoyugh I am sure they would have suffered enough bad publicity to choose to protect things. And clearly the court should have at least heard some testimony about the assessments and how the they were being addressed. I am sure a later case where there are actual damages will reopen these issues.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/387/33161#33161