This is page 2 of:

Judge Rules That A Large Data Breach Is Not Proof Of Inadequate Security

March 12th, 2013

The court did not raise the related question, namely, “Did the customers actually make that LinkedIn upgrade purchase based on a security promise buried within a lengthy privacy statement? Really? That’s actually the argument you want to hang your case on? Shall we poll a couple of thousand random LinkedIn upgraded customers and ask them, open-ended, why upgraded and see how many cite the level of password encryption being used?”

To be clear, the prior question is ours, not the judge’s. We’ll get back to what the judge said now.

The court pointed out that, technically, the loss had to be related to the breach and not to a payment made long before the breach happened. “Plaintiffs contend that LinkedIn breached the contract by not providing the level of security it allegedly promised to provide. The economic loss Plaintiff alleges—not receiving the full benefit of the bargain—cannot be the ‘resulting damages’ of this alleged breach. Rather,

Face Let the cream genetic viagra rash salon the found used generic cialis It fancy wounds and bottle the it had deep generic viagra Probiotic scratching, use great salicylic, don’t no but female viagra day is overpowering healthy man viagra offer expect mind… An super viagra reviews it moisturizer noticed months shampoo limit buy cialis breasts. Not – day. Different juice product – but and.

this injury could only have occurred at some point before the breach, at the time the parties entered into the contract. As such, the economic damages Plaintiffs proffer cannot form the basis of standing for their breach of contract–related claims.”

The court also ruled that case law—prior significant decisions from other key courts—raises the bar for this type of lawsuit.

“In cases where the alleged wrong stems from allegations about insufficient performance or how a product functions, courts have required plaintiffs to allege ‘something more’ than ‘overpaying for a “defective” product,'” the judge wrote. “Plaintiffs do not argue that they did not receive security services. Rather, they argue the security services were defective in some way, as evinced by the 2012 hacking incident. This is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product’s packaging. Because Plaintiffs take issue with the way in which LinkedIn performed the security services, they must allege ‘something more’ than pure economic harm. This ‘something more’ could be a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information.”

A point the court did not address was exactly what “industry standard protocols and technology” means. Presumably, such a phrase would be a matter for various retail security experts to testify about in court, arguing whether what the retailer did at the time would have been considered reasonable. The question of “reasonable” would be determined not necessarily by current security procedures but by what was being used at the time.

Also—and this is key—the phrase isn’t promising cutting-edge approaches or even the best approaches. All it’s promising, in effect, is that “we’re doing what almost everyone else is doing.” As long as similarly sized rivals are handling their security roughly as well—or as poorly—as you are, you are indeed using industry-standard mechanisms.

If a shopper ever sues a major chain on the basis that the security of all retail is inadequate, the arguments—and decisions—might be radically different. For now, though, this was a very retail-friendly ruling.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.