Judge Slams Anthem, Rules That Breach Constitutes Harm To Customers (digitalguardian.com)
chicksdaddy writes: You would think that the "damages" caused by massive online thefts, like those leveled against Target, Home Depot and Anthem Healthcare are self evident. But companies are arguing hard that they can't be sued for damages resulting from data breaches, because the "victims" can't show that they were harmed by the theft. That was the case back in June, when lawyers for Home Depot filed a motion to have a case linked to the compromise at that company dropped. The case was brought by customers whose data was stolen in the attack, but Home Depot's attorneys argued that those customers couldn't prove that they were harmed by the theft of their credit card information. Now a judge in San Francisco has dealt a blow to would-be defendants in a case against Anthem. In an opinion released on Sunday, U.S. District Judge Lucy Koh found that the loss of personal information in the breach of Anthem constitutes harm under New York's General Business Law. The ruling rejected arguments from Anthem and its lawyers that no direct harm resulted from the breach, which was first disclosed in February 2015. In her decision in the Anthem case, Koh reasoned that the theft of personal identification information is harm to consumers in itself, regardless of whether any subsequent misuse of it can be proven. Allegations of a "concrete and imminent threat of future harm" are enough to establish an injury and standing in the early stages of a breach suit, she said.
Koh for Supreme Court (Score:5, Insightful)
She has a decent clue about technology and law unlike 99% of all other judges/lawyers.
Re: (Score:1)
She's only been a judge since 2008 (https://en.wikipedia.org/wiki/Lucy_H._Koh), she needs more experience. Give her another decade or 2.
Re: (Score:3, Informative)
She's only been a judge since 2008
So what? According to that bio she has a lot of related experience. Apparently GP isn't the only one to think so. I don't think she needs any more "experience" any more than Scalia did when he was nominated at 49.
Re: (Score:2)
He was being facetious.
Re: (Score:2)
The issue is not about whether a breach of personal info would harm the individuals the info belongs to, it is how much DAMAGE it is. The judge is correct in the sense that the breach could harm individuals in the future. Yes, a lawsuit should be approved to move on. However, no one (and I believe by law) can simply place a damage value on this kind of harm. Thus, if no damage occurred (someone used the info for something that caused monetary damage) before or during the lawsuit, it is unlikely t
Re:Koh for Supreme Court (Score:5, Informative)
I think that you are 100% wrong here. In order to proceed with a lawsuit, you have to show that you have standing. Without harm (any amount of damages), you don't have standing to sue. So this ruling is NOT about how much, instead it is about if ANY harm occurred.
Re:Koh for Supreme Court (Score:4, Interesting)
The Supreme Court just granted standing to states and companies to put a hold on enforcement of a new EPA regulation, a massive one about power plant emissions.
There was the same argument -- no standing because you don't have to spend money yet. Except that in a previous similar case, companies spent tens of billions preparing for a new regulation that ultimately got overturned. Worse, the EPA bragged, "Haha made you spend money and implement the regulation anyway!" on its web site.
Supreme Court: Well, if you're gonna be assholes about it...
Re: (Score:2)
In order to proceed with a lawsuit, you have to show that you have standing. Without harm (any amount of damages), you don't have standing to sue. So this ruling is NOT about how much, instead it is about if ANY harm occurred.
You are correct. Courts generally require the demonstration of harm to prove standing, so if you can't demonstrate that harm has occurred, then you can't proceed. Theoretical possible future harm is normally not enough, as the defendants here tried to argue was the case, though the judge decided differently (hence why it is news). This problem comes up a lot in lawsuits.
One example I dealt with recently is with a wrongful foreclosure in a non-judicial state. The company foreclosing couldn't show they we
Re: (Score:2)
How is it possible to sue for a declarative judgement? Or is this another case where wealthy companies are treated better by the courts than ordinary citizens?
I read of too many cases where judges appear to be highly biased in their judgements. The case you describe is yet another example. I speculate that in this case, the mortgage was in arrears, so the judge felt that foreclosure was proper, so he wasn't going to let small details like who was entitled to foreclose get in the way of kicking them out of t
Re:Koh for Supreme Court (Score:5, Insightful)
The issue is not about whether a breach of personal info would harm the individuals the info belongs to, it is how much DAMAGE it is.
Another issue is culpability. Sure, these companies should be held responsible. But some of the responsibility should also go onto the financial institutions that created the system where mere knowledge of a CC number or SSN allows a criminal to access accounts. It should be illegal to use SSNs to authenticate identity, and CCs should all have passwords/PINs so the numbers on the card are not sufficient to make a charge. We should fix the underlying problem, rather than just punishing the inevitable breaches. Harsh penalties for breaches encourage more companies to attempt a coverup.
Re: (Score:2)
However, no one (and I believe by law) can simply place a damage value on this kind of harm.
Nonsense. It's done all the time.
Sometimes, especially when a wrong is fairly egregious, but the actual damages are difficult or impossible to calculate, a Judge will award a "nominal damage" [thefreedictionary.com] amount to the claimant. Usually, the sum is somewhere between $1 and $1,000.
I like this precedent (Score:1)
Now when someone cracks the government-mandated backdoor for iPhones I'll be able to sue the US federal government.
Re: (Score:2)
Simple fix, Apple and Google can add a feature to their phone OSs where the user can turn on a security feature where if they don't enter their password every "xx" (set by user) days, the phone also auto-wipes....
Re: (Score:2)
It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)
Re: (Score:2)
Pretty simple, though potential for bad user experience for people who suffer from CRS...
Device shouldn't boot to a ramdisk unless passcode is provided. Passcode check is executed in the secure element from mask ROM on the secure element that can't be updated and always increments the fail count then wipes if necessary.
Recovery scenario for lost passcode would basically be a 10-failed wipe. The secure element wipes its key storage (thus erasing the NAND for all intents & purposes) then falling to
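The two mechanisms discussed in this thread (a passcode-gated key that auto-wipes after too many failures, and a dead man's switch that wipes if the passcode has not been entered within a user-set number of days) both come down to the same trick: the flash is never erased, only the key that can decrypt it. The model below is an added example, not code from any commenter, Apple or Google; it assumes a device-unique secret that never leaves the secure element, a wrapped data-encryption key (DEK) as the only thing the element stores, and a caller that supplies the clock. The fail counter is incremented before the passcode comparison, mirroring the "always increments the fail count" ordering described above. The stream cipher standing in for the flash controller is a toy.

```python
"""Crypto-erase model of a passcode-gated key store with a dead man's switch.

Illustrative example only. Assumptions (not from the thread): the secure
element holds a device-unique secret fused at manufacture, stores only a
wrapped copy of the data-encryption key, and is ticked by the device clock.
"""
import hashlib
import hmac
import secrets

MAX_FAILURES = 10        # consecutive wrong passcodes that trigger a wipe
DAY = 86400              # seconds
KDF_ITERATIONS = 50_000  # kept low so the example runs quickly; raise in practice


def _kdf(passcode: str, salt: bytes, device_secret: bytes) -> tuple:
    """Derive a 32-byte wrapping key and a 32-byte MAC key from the passcode.

    Mixing in the device secret means the derivation can only happen inside
    this secure element, so a dump of the flash cannot be attacked offline.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", passcode.encode(), salt + device_secret, KDF_ITERATIONS, 64
    )
    return material[:32], material[32:]


class SecureElementModel:
    """Stores the DEK only in wrapped form; releases it on a correct passcode."""

    def __init__(self, passcode: str, checkin_days: int, now: float):
        self.device_secret = secrets.token_bytes(32)  # never exported
        self.salt = secrets.token_bytes(16)
        self.checkin_seconds = checkin_days * DAY     # dead man's deadline
        self.last_unlock = now
        self.failures = 0
        dek = secrets.token_bytes(32)                 # key the flash is encrypted under
        wrap_key, mac_key = _kdf(passcode, self.salt, self.device_secret)
        # One-time-pad wrap: the 32-byte wrap key is used exactly once.
        self.wrapped_dek = bytes(a ^ b for a, b in zip(dek, wrap_key))
        self.tag = hmac.new(mac_key, self.wrapped_dek, "sha256").digest()

    @property
    def wiped(self) -> bool:
        return self.wrapped_dek is None

    def wipe(self) -> None:
        """Destroy the wrapped key; every byte of flash is now unrecoverable."""
        self.wrapped_dek = None
        self.tag = None

    def tick(self, now: float) -> None:
        """Dead man's switch, called periodically by the device."""
        if not self.wiped and now - self.last_unlock > self.checkin_seconds:
            self.wipe()

    def unlock(self, passcode: str, now: float):
        """Return the DEK on success, None on a wrong passcode or after a wipe."""
        self.tick(now)
        if self.wiped:
            return None
        wrap_key, mac_key = _kdf(passcode, self.salt, self.device_secret)
        expected = hmac.new(mac_key, self.wrapped_dek, "sha256").digest()
        # Count the attempt before comparing, so cutting power mid-check
        # cannot be used to get a free retry.
        self.failures += 1
        if not hmac.compare_digest(expected, self.tag):
            if self.failures >= MAX_FAILURES:
                self.wipe()
            return None
        self.failures = 0
        self.last_unlock = now
        return bytes(a ^ b for a, b in zip(self.wrapped_dek, wrap_key))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher standing in for the flash
    controller's AES; symmetric, so the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


if __name__ == "__main__":
    se = SecureElementModel("4921", checkin_days=7, now=0.0)
    flash = keystream_xor(se.unlock("4921", now=0.0), b"patient records")
    for _ in range(MAX_FAILURES):
        se.unlock("0000", now=1.0)
    print("wiped:", se.wiped, "| unlock after wipe:", se.unlock("4921", now=2.0))
    print("flash still holds ciphertext:", flash.hex())
```

Two design points are worth noting. The deadline is checked inside `unlock` as well as in `tick`, so a device that was powered off past its check-in window wipes on the next attempt rather than accepting a valid passcode late. And because only the 32-byte wrapped key is destroyed, the wipe is instantaneous regardless of how much data is on the device, which is the property the comment above is relying on when it says wiping the key storage erases the NAND "for all intents and purposes".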
Re: (Score:2)
It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)
Already done. Where does it say that Apple can force-update an iOS (or any) of their devices?
Re: (Score:2)
It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)
Already done. Where does it say that Apple can force-update an iOS (or any) of their devices?
Quiet! Some people actually think that Apple uses Microsoft tactics. I've never had an OSX update that I didn't approve. On Windows 10? I never had a choice.
Re: (Score:2)
It is actually more simple than that. All they need to do is require the PIN to apply updates to the OS, rather than allowing automatic updates being pushed by Apple (or whomever)
You don't have an Apple device do you?
Re: (Score:2)
A software dead man's switch.
I keep wondering why you never see software dead man's switches implemented.
I've never seen any implementations for smart phones, and implementations for computers are few and far between.
Re: (Score:2)
Probably because almost nobody is paranoid enough to care ... and the paranoid people who do care probably don't have smartphones.
I'm so paranoid about my data I'm going to have a dead-man's switch ... oooh, Facebook updates.
Then again, who the hell knows what silly things people do.
Re: (Score:2)
Features take time to write, QA, and roll out. Apple probably feels that it has provided sufficient capability with their existing options.
They may also assume someone will write an app for that. After all, having a developer ecosystem does free them from having to think of everything themselves.
Re: (Score:2)
Standard apps don't have access to files outside of their own folder for the most part, let alone system files. It's possible on a jailbroken phone, but if you're paranoid about the security of your data, you probably don't want to jailbreak your phone and open an attack vector for unsigned apps to be unwittingly installed.
Besides, most phones will go dead after enough time has passed before the filesystem could be wiped, and who wants to risk losing all of their data if something other than theft or death
Re: (Score:2)
And exactly the direction people who give two craps are going to go if the scumbags at the FBI get their way.
Re: (Score:2)
Simple fix, Apple and Google can add a feature to their phone OSs where the user can turn on a security feature where if they don't enter their password every "xx" (set by user) days, the phone also auto-wipes....
They do a somewhat similar thing on the iOS devices that have a touch-sensor.
If you don't log into such a device at least once every 48 hours (or after a power-cycle), you HAVE to use the Passcode (not the biometric sensor) to unlock the device.
That is VERY significant, in that the Supreme Court has ruled that, while you CAN be forced to use your finger to unlock a device, you CANNOT be ordered to divulge (nor enter) a Passcode.
Doh! Preventative measure COST. (Score:5, Insightful)
That IS a problem. Better to hide it than report? (Score:2)
You make a good point. I work in IT security and I see a lot of sloppy stuff, mostly people just don't know any better. I can certainly understand why some people would like to see high amounts of damages awarded in law suits, to encourage companies to be more careful in the future.
However, you're absolutely right that encourages companies to just keep quiet, try to hide the breach. Financial damages from law suits plus damage to their reputation can certainly mean executives would rather keep any breache
Gross negligence. Slight, ordinary, gross, reckless (Score:2)
It was "gross negligence" that slipped my mind. Law refers to slight, ordinary, gross, and reckless negligence, with different standards applying in different situations. If you leave your phone on the table at a restaurant, they only owe you "slight care" in getting it returned to you, so they become liable only if they are reckless. On the other hand, if you HIRE a security guard to protect your stuff, or someone borrows it from you, a higher standard of care is required.
Justice Rugg described the difference b
Re:Doh! Preventative measure COST. (Score:5, Insightful)
For once, some sense from the bench. A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused. Things like subscribing to a monitoring service, replacing cards, increased statement monitoring. Admittedly, these are not that much cost, say US$100, but that is NOT zero.
But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures are now directly resulting in these affected people investing hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replacing their cards, changing passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sue the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).
Re: (Score:1)
But that is only a small fraction of the cost. The REAL cost is in the TIME it takes to deal with all those things. Time is money in corporate speak, and their lax security measures are now directly resulting in these affected people investing hours of their time setting up new credit monitoring, reviewing all recent credit reports (and future ones), replacing their cards, changing passwords, etc. If they were like a corporation, they would even hire consultants and remediation teams and charge their costs as part of the cost to be made whole when they (the corporation) sue the people responsible (look at what the City of San Francisco included in the charges/lawsuit against Terry Childs).
Exactly. The value of a person's time is the issue here, and that's something our society often doesn't handle well.
It seems like the legal profession has in the past followed a double standard.
The time of lawyers is valuable, therefore they must get paid lots of money for (almost) everything they do.
However, the time of the public is not, since if the law is structured in such a way as to be able to steal that time, then people will tend to hire lawyers to protect them from their own legal system.
In s
Re: (Score:2)
A "reasonable person" upon learning their data had been stolen from someone who was supposed to keep it safe would then prudently take measures to detect and limit the damage if the data were misused.
A "reasonable person" perhaps, but hundreds of people in our government have been trying to pass many laws this week to make protecting said data a crime, and also making it a crime to not provide a way for hackers to obtain that data trivially.
So to the powers that be, of course no harm was done; these "breaches" are a good thing.
Wow... (Score:2)
About damn time
This is a great ruling (Score:5, Insightful)
...although I'm sure it will be contested. I was in the Home Depot breach, the Target breach, and the TMobile/Experian breach. My wife was in the Bebe breach. You have to figure your info is out there already for most people who don't live under a rock. These companies aren't going to take security seriously until they pay some consequences.
Home Depot (Score:5, Interesting)
I quit shopping at Home Depot after the time I ran into a cashier who insisted that I could not buy what was in my cart unless I supplied my zip code as part of the credit card transaction, despite having it explained to her that it is a violation of their merchant agreement, and in many states is also illegal [time.com]. I left my shit in the shopping cart and left.
I was utterly unsurprised to see that Home Depot got breached. I hope they have to pay out big.
Re: (Score:1)
They do from time to time try to convince me it is for my protection though.
It drives me nuts when they say it is for my protection, because either I'm the legit cardholder, so I'm in no danger or I'm a scammer and I'm still in no danger. It's for protection of the store, period. It's certainly not for the protection of the person standing there.
Re: (Score:2, Funny)
It's a cry for help. The cashier is making a blatantly illogical statement in the hopes that you will call them on it and break them out of the delusional worldview that their corporate HQ has imposed.
Re: (Score:2)
"Every now and again they say they want to see my driver ID when I pay by card. I just refuse, they have never declined to sell me stuff. They do from time to time try to convince me it is for my protection though. "
Thanks for letting me know you and the stores you shop at are easy marks for credit fraud. At bare minimum they should be checking that the name on the license matches the name on the card.
Re: (Score:1)
Just speak with a Minnesotan accent and say "55555", which is Young America, MN. Easy to remember, easy to ignore.
Bad data is worse than no data. Companies will find this out sooner or later.
Re: (Score:3)
I congratulate you for having successfully avoided '90s pop culture and therefore remaining ignorant of the zip code for Beverly Hills.
Re: (Score:1)
If they ask for my phone number, I say (area code) 867-5309.
Re: (Score:1)
If they are doing it for billing verification like gas stations, yes it has to match.
If they are doing it for marketing, no it doesn't have to match.
The way you can tell is to put in a wrong zip code: if it declines the transaction, it was billing, not marketing.
Some places that were doing it for both purposes at once got in trouble.
Re: (Score:2)
This doesn't apply to retail stores, but FYI banks are making exceptions for zip codes at gas stations because the fraud levels are so high. :-(
http://www.forbes.com/sites/ad... [forbes.com]
Sorry for the Forbes link.
Re:Home Depot (Score:4)
So the banks rejected secret PINs to go along with the chip, but accept PINs that are publicly available.
Re: (Score:2)
Convenience versus safety. A PIN would be better, but as often as people forget them it wouldn't be convenient. A ZIP code isn't nearly as secure, but it prevents trivial fraud, and that's good enough.
Re: (Score:3)
Sorry to waste your time
Maybe It's Time to Evolve... (Score:3)
Changing a few words from the summary... (Score:1)
You would think that the "damages" caused by illegal spying, like those leveled against the NSA and GCHQ are self evident. But governments are arguing hard that they can't be sued for damages resulting from spying, because the "victims" can't show that they were harmed by it.
Re: (Score:2)
In this case, quantifying the harm is much harder. The harm is to their rights and constitutional liberties, but the actual day-to-day harm is a lot less simple to quantify than if the data was stolen by people who might steal their money. Unless the governments are using this information to make purchases on Amazon, it would be hard to show that this data is having a monetary cost to the users. So, you have less information to use to set damages. You either set them too low and people think they are po
finally but no surprise (Score:1)
Seeing as Anthem is the main health care provider for government officials up to and, I believe, including Congress, no wonder. Like many people believe, if a breach does not impact the "ruling class", nothing real is done about the issue. Will be interesting to watch.
OPM/IRS breach: pot meet kettle (Score:2)
Judge Slams Anthem (Score:3, Funny)
Jurisdiction? (Score:2)
Can somebody explain to me why a U.S. District Judge for the Northern District of California is making a ruling based on New York's General Business Law?
Don't get me wrong, I'm very pleased by this ruling. I'm just curious as to her authority to make it.
Re:Jurisdiction? (Score:5, Informative)
Lucy Koh the Troll (Score:2)
So does Judge Lucy Koh just troll the legal system by siding against companies in what is typically an opinion that differs from many other judges?
Because if she's not doing this for the lulz I suggest we nominate her for a cloning program.
Re: (Score:2)
Ha, good one. If you follow the 9th Circuit (or the 9th circus, as it is commonly called among attorneys) you could be forgiven if you thought that trolling the legal system is a litmus test for getting *any* judgeship in the 9th circuit.
If you look at the history, though, you will see that Lucy Koh has over the years had many high-profile technology cases in her court. She is probably one of the most technologically clue-full judges serving anywhere. This ruling is the result of having a case heard by s
Inexperienced??? (Score:2)
Seems like she just isn't afraid to call "Bullshit" when pushed.
"Theft" (Score:3)
Maybe because nothing was stolen in the first place.
I love these kinds of arguments (Score:3)
Well if that's the case then you won't mind defense counsel and all C-level officers of the company submitting an inventory of their full bank account and credit card information? Sure, such a submission would be on the public record... but you can't prove that any harm will come from it.