2006-02-20
A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new light on what "reasonable" protections a company must make to secure its customer data - and what customers need to prove in order to sue for damages.
Strict liability for data breaches?
2006-02-21
Adam (1 replies)
Strict liability for data breaches?
2006-02-21
Stephen T (1 replies)

Plaintiff chose whom to sue and what theories to use. Plaintiff chose to sue the company, not the guy with the laptop who could have encrypted. And plaintiff chose to use two chief theories: (1) that Brazos violated the GLBA by not insisting that its contractors encrypt or work only on premises, and (2) that Brazos violated its own internal policy by not insisting that its contractors encrypt or work only on premises. Too bad for plaintiff, the GLBA doesn't require encryption or on-site-only rules. And Brazos's internal policy didn't either. That's not the court's failure; it's just bad facts getting in the way of plaintiff's chosen theory. The judge has no obligation to try to find plaintiff a better theory than the plaintiff has chosen.
And if plaintiff doesn't submit any actual *evidence* to support a theory not based on the GLBA or the internal policy, then plaintiff deserves to lose.
By the way, it's not a conflict of interest if an expert witness is hired by a party. Experts aren't expected to be neutrals. It would be a conflict only if the expert were hired by *two* opposite parties. Being hired by one, the expert knows exactly where his bread is buttered, and has no conflict at all.