Strict liability for data breaches?
Mark Rasch, 2006-02-20

A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new light on what "reasonable" protections a company must take to secure its customer data - and what customers need to prove in order to sue for damages.

Strict liability for data breaches? (2006-02-21), by Adam (1 replies)
Re: Strict liability for data breaches? (2006-02-22), by Mark D. Rasch (1 replies)
Strict liability for data breaches? (2006-02-21), by Jim (Sydney, Australia) (1 replies)
Strict liability for data breaches? (2006-02-21), by Stephen T (1 replies)
Re: Strict liability for data breaches? (2006-02-22), by Anonymous (1 replies)
Shameful ruling (2006-02-22), by Torquemada
Strict liability for data breaches? (2006-02-22), by Frank, Hsv, AL
Strict liability for data breaches? (2006-02-23), by Anonymous (2 replies)
Re: Strict liability for data breaches? (2006-02-23), by Mark D. Rasch
A few observations

First, plaintiff did not sue the individual who lost the data because the individual had neither a contractual relationship with the plaintiff, nor any duty of due care to the plaintiff, nor, for that matter, any money. Plaintiff sued the entity they entrusted with their data -- the lender, the one under the legal obligation to protect their data.

Second, Plaintiff did not sue for EITHER violation of GLBA OR for violation of internal policies. Plaintiff sued for breach of contract and negligence. It used GLBA and the internal policies as examples of standards of care, but not as the exclusive ones. GLBA says you must have policies reasonably calculated to protect data. Plaintiff alleged that the company failed to have such policies - and that encryption of stored sensitive data could have and should have been done - NOT that the terms of GLBA dictated it.

Finally, there is no problem with an expert testifying that what the defendant did was reasonable -- the problem is the court crediting that as fact without a trial or without any opportunity for the plaintiff to examine the expert. Sure, plaintiff could have -- and should have -- had their own expert submit an affidavit that failure to encrypt was not reasonable, but this does not mean that the court must accept as fact the conclusions of the defense expert who clearly DOES have a conflict of interest -- and is not a mere disinterested witness. It makes the expert's testimony suspect, but not necessarily inaccurate.

As I noted, the objection in this case is NOT to the ultimate conclusion - reasonable minds can disagree about whether file level encryption on laptops is reasonable or not. It is to the fact that the plaintiff was denied a trial on this issue.

Finally, there is a lot of confusion here and on slashdot between the issue of damages and the issue of liability. As I noted, the damages to the plaintiff are probably slight, if any actual damages existed at all. Nevertheless, the lack of damages SHOULD not extend to the issue of LIABILITY. The court ruled that what the lender did was REASONABLE -- irrespective of whether it damaged anyone. The same result theoretically would obtain if there had been actual and catastrophic ID theft or worse - if a borrower was stalked and killed as a result of the release of the information -- the court found the release of the information to be unforeseeable, and therefore found no duty to prevent it.


Link to this comment: http://www.securityfocus.com/comments/columns/387/33176#33176
Re: Strict liability for data breaches? (2006-02-23), by Anonymous (1 replies)
Judge Made Law (2006-02-24), by Mark D. Rasch (1 replies)
Re: Judge Made Law (2006-03-05), by Anonymous (1 replies)
Re: Re: Judge Made Law (2006-03-15), by Anonymous
Copyright 2009, SecurityFocus