Can You Sue When Personal Data is Disclosed in a Breach?

Two alumni of Ohio University didn't get far suing the school over a data breach that leaked their personal information. The victims weren't happy, but the case draws a useful distinction between what might happen with the stolen information and what actually happens. From the Athens News:

"It's frustrating," said attorney Marc D. Mezibov. In cases where hackers break into a computer network and access personal information, he said, "courts are reluctant to grant the proposition that when personal data is lost... there is harm," unless those whose data was accessed can clearly link the hacking to a later instance of identity theft.

This makes sense: my data was exposed in a bank breach a couple of years ago and it hasn't caused me any damage. I'm no lawyer, but I don't think I can sue others over something I worry about that doesn't materialize. (Now, if there were violations of regulations, then that's a different story and the government would have a case.)

The article goes on to note the same logic applies in the OU case:

The judge essentially agreed with OU's main argument, that while Kulpa and Neben might be afraid their personal data will be used to rob them, they haven't shown any specific damages they've suffered because of the computer hacking.

The alumni do make a good point that this breach will lead them to purchase some kind of credit monitoring service:


What this approach misses, the attorney argued, is that to avoid or minimize such theft typically involves a cost, to monitor one's credit.

"People have to spend money," he said.

He noted that the hacking of personal data from large computer networks seems to have become a common occurrence these days, and that courts may be hesitant to set the precedent that the owner of a network is responsible to pay for the impacts of a security breach.

This should be covered in legislation for this particular type of damage. We can't provide blanket coverage for every fear someone has in this society. If I'm afraid I'll get brain cancer from standing in front of my microwave, I don't expect Sears to cover the cost of medical tests. If Sears makes a defective product, I have laws to fall back on to protect my interests. The same should hold for victims of cybercrimes. These issues should be debated in legislatures and frameworks established so consumers and businesses have clearer ground rules.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net