Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Businesses Security Government United States

Judge Slams Anthem, Rules That Breach Constitutes Harm To Customers (digitalguardian.com) 92

chicksdaddy writes: You would think that the "damages" caused by massive online thefts, like those leveled against Target, Home Depot and Anthem Healthcare are self evident. But companies are arguing hard that they can't be sued for damages resulting from data breaches, because the "victims" can't show that they were harmed by the theft. That was the case back in June, when lawyers for Home Depot filed a motion to have a case linked to the compromise at that company dropped. The case was brought by customers whose data was stolen in the attack, but Home Depot's attorneys argued that those customers couldn't prove that they were harmed by the theft of their credit card information. Now a judge in San Francisco has dealt a blow to would-be defendants in a case against Anthem. In an opinion released on Sunday, U.S. District Judge Lucy Koh found that the loss of personal information in the breach of Anthem constitutes harm under New York's General Business Law. The ruling rejected arguments from Anthem and its lawyers that no direct harm resulted from the breach, which was first disclosed in February 2015. In her decision in the Anthem case, Koh reasoned that the theft of personal identification information is harm to consumers in itself, regardless of whether any subsequent misuse of it can be proven. Allegations of a "concrete and imminent threat of future harm" are enough to establish an injury and standing in the early stages of a breach suit, she said.
This discussion has been archived. No new comments can be posted.

Judge Slams Anthem, Rules That Breach Constitutes Harm To Customers

Comments Filter:
  • by Anonymous Coward on Friday February 19, 2016 @03:09PM (#51543803)

    She has a decent clue about technology and law unlike 99% of all other judges/lawyers.

    • She's only been a judge since 2008 (https://en.wikipedia.org/wiki/Lucy_H._Koh), she needs more experience. Give her another decade or 2.

      • Re: (Score:3, Informative)

        by Gr8Apes ( 679165 )

        She's only been a judge since 2008

        So what? According to that bio she has a lot of related experience. Apparently GP isn't the only one to think so. I don't think she needs any more "experience" any more than Scalia did when he was nominated at 49.

        • by tnk1 ( 899206 )

          He was being facetious.

          • by Gr8Apes ( 679165 )
            Well darn, the link got swallowed. Need to preview better. As for being facetious, you could read that either way, as text is such a poor carrier of tone.
    • If this was Case against say Apple for massive breach of credit card details, she would found in favor of crApple. She is their judge not home depot's
    • The issue is not about whether breach of personal info would harm individuals whose info belong to, it is how much DAMAGE it is. The judge is correct in the sense that the breach could harm individuals in the future. Yes, a alw suite should be approved to move on. However, no one (and I believe by laws) can simply place a damage value on to this kind of harm. Thus, if there is no damage occurred (someone used the info for something that cause monetary damage) before or during the law suite, it is unlikely t

      • by whoever57 ( 658626 ) on Friday February 19, 2016 @03:31PM (#51543985) Journal

        The issue is not about whether breach of personal info would harm individuals whose info belong to, it is how much DAMAGE it is.

        I think that you are 100% wrong here. In order to proceed with a lawsuit, you have to show that you have standing. Without harm (any amount of damages), you don't have standing to sue. So this ruling is NOT about how much, instead it is about if ANY harm occurred.

        • by Impy the Impiuos Imp ( 442658 ) on Friday February 19, 2016 @03:47PM (#51544101) Journal

          The Supreme Court just granted standing to states and companies to put a hold on enforcement of a new EPA regulation, a massive one about power plant emissions.

          There was the same argument -- no standing because you don't have to spend money yet. Except that in a previous similar case, companies spent tens of billions preparing for a new regulation that ultimately got overturned. Worse, the EPA bragged, "Haha made you spend money and implement the regulation anyway!" on its web site.

          Supreme Court: Well, if you're gonna be assholes about it...

        • In order to proceed with a lawsuit, you have to show that you have standing. Without harm (any amount of damages), you don't have standing to sue. So this ruling is NOT about how much, instead it is about if ANY harm occurred.

          You are correct. Courts generally require the demonstration of harm to prove standing, so if you can't demonstrate that harm has occurred, then you can't proceed. Theoretical possible future harm is normally not enough, as the defendants here tried to argue was the case, though the judge decided differently (hence why it is news). This problem comes up a lot in lawsuits.

          One example I dealt with recently is with a wrongful foreclosure in a non-judicial state. The company foreclosing couldn't show they we

          • How is it possible to sue for a declarative judgement? Or is this another case where wealthy companies are treated better by the courts than ordinary citizens?

            I read of too many cases where judges appear to be highly biased in their judgements. The case you describe is yet another example. I speculate that in this case, the mortgage was in arrears, so the judge felt that foreclosure was proper, so he wasn't going to let small details like who was entitled to foreclose get in the way of kicking them out of t

      • by ShanghaiBill ( 739463 ) on Friday February 19, 2016 @03:34PM (#51544009)

        The issue is not about whether breach of personal info would harm individuals whose info belong to, it is how much DAMAGE it is.

        Another issue is culpability. Sure, these companies should be held responsible. But some of the responsibility should also go onto the financial institutions that created the system where mere knowledge of a CC number or SSN allows a criminal to access accounts. It should be illegal to use SSNs to authenticate identity, and CCs should all have passwords/PINs so the numbers on the card are not sufficient to make a charge. We should fix the underlying problem, rather than just punishing the inevitable breaches. Harsh penalties for breaches encourage more companies to attempt a coverup.

        • The banks have a worse problem than that. Do you realize that _anybody_ that knows your checking account number (i.e. anybody you've ever written a check to) can do an electronic funds transfer out of your account, no questions asked? I've had this done to me, and when I complained, my bank's response was, "You need to close your account."
      • However, no one (and I believe by laws) can simply place a damage value on to this kind of harm.

        Nonsense. It's done all the time.

        Sometimes, especially when a wrong is fairly egregious, but the actual damages are difficult or impossible to calculate, a Judge will award a "nominal damage" [thefreedictionary.com] amount to the claimant. Usually, the sum is somewhere between $1 and $1,000.

    • by BlckAdder ( 18469 ) on Friday February 19, 2016 @03:35PM (#51544011)
      Judge Koh is already in line for a nomination to the Ninth Circuit Court of Appeals, which will probably happen this month. Not to say that couldn't be pulled in favor of a Supreme Court nomination, but it's pretty unlikely.
  • by Anonymous Coward

    Now when someone cracks the government-mandated backdoor for iPhones I'll be able to sue the US federal government.

    ...right?

    • Simple fix, Apple and Google can add a feature to their phone OSs where the user can turn on a security feature where if they don't enter their password every "xx" (set by user) days, the phone also auto-wipes....

      • It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)

        • by Aaden42 ( 198257 )

          Pretty simple, though potential for bad user experience for people who suffer from CRS...

          Device shouldn't boot to a ramdisk unless passcode is provided. Passcode check is executed in the secure element from mask ROM on the secure element that can't be updated and always increments the fail count then wipes if necessary.

          Recovery scenario for lost passcode would basically be a 10-failed wipe. The secure element wipes its key storage (thus erasing the NAND for all intents & purposes) then falling to

        • It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)

          Already done. Where does it say that Apple can force-update an iOS (or any) of their devices?

          • It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)

            Already done. Where does it say that Apple can force-update an iOS (or any) of their devices?

            Quiet! Some people actually think that Apple uses Microsoft tactics. I've never had an OSX update that I didn't approve. On Windows 10? I never had a choice.

        • It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)

          You don't have an Apple device do you?

      • by sims 2 ( 994794 )

        A software dead man's switch.

        I keep wondering why you never see sdmss implemented.

        I've never seen any implementations for smart phones and implementations for computers are far and few between.

        • I keep wondering why you never see sdmss implemented.

          Probably because almost nobody is paranoid enough to care ... and the paranoid people who do care probably don't have smartphones.

          I'm so paranoid about my data I'm going to have a dead-man's switch ... oooh, Facebook updates.

          Then again, who the hell knows what silly things people do.

        • by tnk1 ( 899206 )

          Features take time to write, QA, and roll out. Apple probably feels that it has provided sufficient capability with their existing options.

          They may also assume someone will write an app for that. After all, having a developer ecosystem does free them from having to think of everything themselves.

          • Standard apps don't have access to files outside of their own folder for the most part, let alone system files. It's possible on a jailbroken phone, but if you're paranoid about the security of your data, you probably don't want to jailbreak your phone and open an attack vector for unsigned apps to be unwittingly installed.

            Besides, most phones will go dead after enough time has passed before the filesystem could be wiped, and who wants to risk losing all of their data if something other than theft or death

            • ANd exactly the direction people who give two craps are going to go if the scumbags at the FBI get their way

      • Simple fix, Apple and Google can add a feature to their phone OSs where the user can turn on a security feature where if they don't enter their password every "xx" (set by user) days, the phone also auto-wipes....

        They do a somewhat similar thing on the iOS devices that have a touch-sensor.

        If you don't log-into such a device at least once every 48 hours (or after a power-cycle), you HAVE to use the Passcode (not the biometric sensor) to unlock the device.

        That is VERY significant, in that the Supreme Court has ruled that, while you CAN be forced to use your finger to unlock a device, you CANNOT be ordered to divulge (nor enter) a Passcode.

  • by redelm ( 54142 ) on Friday February 19, 2016 @03:12PM (#51543831) Homepage
    For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.
    • by Fallen Kell ( 165468 ) on Friday February 19, 2016 @03:35PM (#51544013)

      For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.

      But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures is now directly resulting in these affected people to invest hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replace their cards, change passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sues the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).

      • But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures is now directly resulting in these affected people to invest hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replace their cards, change passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sues the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).

        Exactly. The value of a person's time is the issue here, and that's something our society often doesn't handle well.

        It seems like the legal profession has in the past followed a double standard.

        The time of lawyers is valuable, therefore they must get paid lots of money for (almost) everything they do.

        However, the time of the public is not, since if the law is structured in such a way as to be able to steal that time, then people will tend to hire lawyers to protect them from the their own legal system.

        In s

    • I think the consensus is that if some other company leaks your personal data, THEY should pay for credit monitoring services, not you. In fact, since T-Mobile leaked my personal info, they are paying for credit monitoring for me as we speak.
    • by dissy ( 172727 )

      A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused.

      A "reasonable person" perhaps, but hundreds of people in our government have been trying to pass many laws this week to make protecting said data a crime, and also making it a crime to not provide a way for hackers to obtain that data trivially.

      So to the powers at be, of course no harm was done, these "breaches" are a good thing.

  • About damn time

  • by surfdaddy ( 930829 ) on Friday February 19, 2016 @03:15PM (#51543847)

    ...although I'm sure it iwll be contested. I was in the Home Depot breach, the Target breach, and the TMobile/Experian breach. My wife was in the Bebe breach. You have to figure your info is out there already for most people who don't live under a rock. These companies aren't going to take security seriously until they pay some consequences.

  • Home Depot (Score:5, Interesting)

    by PvtVoid ( 1252388 ) on Friday February 19, 2016 @03:18PM (#51543857)

    I quit shopping at Home Depot after the time I ran into a cashier who insisted that I could not buy what was in my cart unless I supplied my zip code as part of the credit card transaction, despite having it explained to her that it is a violation of their merchant agreement, and in many states is also illegal [time.com]. I left my shit in the shopping cart and left.

    I was utterly unsurprised to see that Home Depot got breached. I hope they have to pay out big.

    • Every now and again they say they want to see my driver ID when I pay by card. I just refuse, they have never declined to sell me stuff. They do from time to time try to convince me it is for my protection though. It's as if they want to try to make the next security breech as damaging as possible by collecting even more data.
      • by Anonymous Coward

        They do from time to time try to convince me it is for my protection though.

        It drives me nuts when they say it is for my protection, because either I'm the legit cardholder, so I'm in no danger or I'm a scammer and I'm still in no danger. It's for protection of the store, period. It's certainly not for the protection of the person standing there.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        It's a cry for help. The cashier is making a blatantly illogical statement in the hopes that you will call them on it and break them out of the delusional worldview that their corporate HQ has imposed.

      • by Khyber ( 864651 )

        "Every now and again they say they want to see my driver ID when I pay by card. I just refuse, they have never declined to sell me stuff. They do from time to time try to convince me it is for my protection though. "

        Thanks for letting me know you and the stores you shop at are easy marks for credit fraud. At bare minimum they should be checking that the name on the license matches the name on the card.

        • by mishehu ( 712452 )
          A very old trick is to take a card that has all of your information on it and clone somebody else's card information onto the magstripe. Presto-bango, you pass the ID check. Very few places enter the checksum digits shown on the face of the card to verify the face and the magstripe match. Face it, the ID check only stops a pickpocket or a lazy and stupid thief.
      • by mishehu ( 712452 )
        The Children's Place at my local mall HAS refused to sell me $16 of boys jeans for my son because i refused to show them government ID. The photograph for my warehouse club membership on the back of the card was deemed insufficient.
        • by Holi ( 250190 )
          That's a joke right? I mean I shouldn't have to ask, but you never know nowadays.
      • My card says "See Picture ID" on the signature line, so I really can't complain when they ask to see my ID... let's just say I've had people steal my debit card out of my mailbox and go Christmas shopping with it, and it didn't make me happy. (Mail box was a quarter mile from my house, so hard to monitor. I did replace it with a locking mailbox after that.)
    • by Anonymous Coward

      Just speak with a Minnesotan accent and say "55555", which is Young America, MN. Easy to remember, easy to ignore.

      Bad data is worse than no data. Companies will find this out sooner or later.

      • I just give them my work zip code since it is the only other one than my home one that I know.
        • I congratulate you for having successfully avoided '90s pop culture and therefore remaining ignorant of the zip code for Beverly Hills.

      • by Anonymous Coward

        If they ask for my phone number, I say (area code) 867-5309.

      • I _think_ the zip code has to match the zip code of the billing address for the card, so random zip codes shouldn't work...
        • by Anonymous Coward

          If they are doing it for billing verification like gas stations, yes it has to match.
          If they are doing it for marketing, no it doesn't have to match.

          The way you can tell, is you put in a wrong zip code, and if it declines transaction, it was billing, not marketing.

          Some places that were doing it for both purposes at once got in trouble.

    • by MobyDisk ( 75490 )

      This doesn't apply to retail stores, but FYI banks are making exceptions for zip codes at gas stations because the fraud levels are so high.
      http://www.forbes.com/sites/ad... [forbes.com]
      Sorry for the Forbes link. :-(

    • I am always prompted for my zip code when I try to buy gas with a credit card, if i enter the wrong zip (or none) I can not continue. Are you saying that this is illegal practice?
      • Doh! now that i've actually read TFA I will reply to myself -

        Are there any exceptions? If you swipe a card at a gas pump, you might get a prompt asking you for your ZIP code. This kind of transaction is generally exempt from laws about personal information, as are purchases that require delivery or installation, since the company needs to know where to send the package or technician.

        Sorry to waste your time

    • Schenectady, NY is the location for a lot of my purchases when they ask for my zip code.
  • by mlw4428 ( 1029576 ) on Friday February 19, 2016 @03:21PM (#51543887)
    ...from risk "acceptance" to risk mitigation and avoidance. Too long companies haven't been going that extra mile because, hey, it's cheaper to pay out for the 2--3 years of credit monitoring and letting customers spend hundreds of hours and potential legal/attorney/specialist fees to clean up the mess. When risk "acceptance" is saying "eh...3 million stolen IDs is cheaper than it would be to put serious effort into making it very hard to get those IDs from us" then we will NEVER be clear of this. I hope Anthem gets hit with billions in lawsuits and gets crippled. It'll serve as a nice warning to every other major company in the US that it's time to start taking security seriously or your businesses will start getting sunk.
  • by Anonymous Coward

    You would think that the "damages" caused by illegal spying, like those leveled against the NSA and GCHQ are self evident. But governments are arguing hard that they can't be sued for damages resulting from spying, because the "victims" can't show that they were harmed by it.

    • by tnk1 ( 899206 )

      In this case, quantifying the harm is much harder. The harm is to their rights and constitutional liberties, but the actual day-to-day harm is a lot less simple to quantify than if the data was stolen by people who might steal their money. Unless the governments are using this information to make purchases on Amazon, it would be hard to show that this data is having a monetary cost to the users. So, you have less information to use to set damages. You either set them too low and people think they are po

  • Seeing Anthem is the main health care provider for Gov Officials up to and I believe including Congress, no wonder. Like many people believe, if a breach does not impact the "ruling class" nothing is real is done about the issue. Will be interesting to watch.

  • After having been an unlucky player in the Anthem and Home Depot breaches it's ironic the feds aren't more critical of their own shortcomings wrt to the data protection failures at the Office of Personnel Management (OPM) and the IRS. Losses in those incidents affected individuals and extended family. Possibly for years to come.
  • by Verdatum ( 1257828 ) on Friday February 19, 2016 @03:36PM (#51544023)
    Look, I dislike Ayn Rand as much as the next liberal my age, but I would hardly consider her novel, Anthem to be "harmful" to people who read it...
  • Cane somebody explain to me why a U. S. District Judge for the Northern District of California is making a ruling based on New York's General Business Law?

    Don't get me wrong, I'm very pleased by this ruling. I'm just curious as to her authority to make it.

  • So does Judge Lucy Koh just troll the legal system by siding against companies in what is typically an opinion that differs from many other judges?
    Because if she's not doing this for the lulz I suggest we nominate her for a cloning program.

    • by dbc ( 135354 )

      Ha, good one. If you follow the 9th Circuit (or the 9th circus, as it is commonly called among attorneys) you could be forgiven if you thought that trolling the legal system is a litmus test for getting *any* judgeship in the 9th circuit.

      If you look at the history, though, you will see that Lucy Koh has over the years had many high-profile technology cases in her court. She is probably one of the most technologically clue-full judges serving anywhere. This ruling is the result of having a case heard by s

  • Anyone who says that Judge Lucy Koh lacks experience needs to read up about a case called "Apple vs. Samsung". You may have heard of it. She's not afraid to put even the heavy hitters into their place.

    "Come on," Koh told Bill Lee, one of Apple's lawyers. "You want me to do an order on 75 pages? Unless you're smoking crack, you know these witnesses aren't going to be called."

    Seems like she just isn't afraid to call "Bullshit" when pushed.

  • by Caesar Tjalbo ( 1010523 ) on Friday February 19, 2016 @04:52PM (#51544509)

    But companies are arguing hard that they can't be sued for damages resulting from data breaches, because the "victims" can't show that they were harmed by the theft.

    Maybe because nothing was stolen in the first place.

  • by scdeimos ( 632778 ) on Friday February 19, 2016 @08:35PM (#51546043)

    ...but Home Depot's attorneys argued that those customers couldn't prove that they were harmed by the theft of their credit card information.

    Well if that's the case then you won't mind defense counsel and all C-level officers of the company submitting an inventory of their full bank account and credit card information? Sure, such a submission would be on the public record... but you can't prove that any harm will come from it.

Somebody's terminal is dropping bits. I found a pile of them over in the corner.

Working...