Federal Court Rules that Breach Victims Not Entitled to Restitution
If you have been a victim of a data breach and your bank account was drained by bad guys, you are not entitled to sue for damages if the losses were already reimbursed — according to a recent ruling by a federal judge. This case stems from the 2007-2008 breach of the Hannaford Bros. supermarket chain, in which 4.2 million credit and debit card numbers were exposed to hackers. According to Wired Threat Level, of those account numbers that were stolen, about 1,800 are known to have been used for fraudulent purchases.
What do you all think about this ruling? On one side, for people whose accounts were fully reimbursed, we understand that their lives have been restored, and in the eyes of the judge in this case, all is good again. On the flip side, what about the emotional toll and damages that occur between the time one realizes that their accounts have been raided and the time they are reimbursed? Having one's bank account drained by a crook is certainly a stressful thing – without a doubt. Again, we welcome your thoughts on this.
When the bank reimburses the consumer, I wish the bank would go after the thieves instead of writing it off as a business loss. As long as it is a business loss and thieves get away with this crime, it will keep happening. As to going after Hannaford, people don’t always realize this, but they are a victim too in this mess.
From Linked-In:
Why was a federal judge deciding a case involving a Maine law? It also sounds like a poorly written law. If you negligently cause damage to me, either through direct action or indirectly, you should be liable. Victims of fraud are not responsible for the bad charges but should also be compensated for any indirect damage to things like credit ratings. It appears that the Maine law for this case did not take that into account.
From Linked-In:
Only Money Damages should be entitled restitution.
From Linked-In:
I believe prosecution is key to reducing this crime.
From Linked-In:
I think you have to look at this on a breach-by-breach basis. What I mean is, if the breach only involved credit card info and no SSN was leaked, and the account was closed, a new one opened and the money taken restored, then there shouldn't be any lawsuits. Now, if the stolen NPPI included SSNs, just restoring the money isn't good enough in my book. There should be some civil course of action to deal with the anguish of knowing that your info is still out there and someone can use it at any time.
From Linked-In:
I have no real problem with the decision for a number of reasons: (even though I have never read the case).
1) As you said, because the injury has been restored, the point is moot. No injury, no claim. Justice don’t like it when you get two bites of the apple.
2) So why not pain and suffering damage? First, who’s directly responsible for the stress? That is, who are the bad guys? The hackers. Who are the potentially negligent, but not so bad guys? Hannaford Bros. Who is being sued? Not the bad guys, but the negligent guys because the negligent guys got the $hing. Of these two, it seems to me, the hackers are responsible (mostly) for the stress damage so punishing Hannaford for more than the direct injury seems excessive, and in a class action crushing. Expenses for data breach recovery with no fraud for a business can be devastating.
3) How stressful is a data breach injury, really? When it happened to me, it was more hassle stress versus say the fearful stress one would experience from a physical robbery or breaking and entering, which I also experienced and can attest, was very stressful on a whole different level.
Also how long till plaintiffs were made whole or at least assured they would be? A week, a month, years? Ten years ago businesses had no effective operational policy in place to deal with ID theft. Recovery process was brutal and people fought for years to straighten things out. Now businesses have processes in place to deal with the aftermath of data breaches better than before. I’m not saying they are great, just better, and it will likely get better as time goes on.
Which leads me to think that as data breaches and identity theft become a life event that everyone goes through at sometime, (like the measles) then it seems the more common the injury becomes and the faster businesses can restore the injured, the less stress will be experienced, the less likely pain and suffering would even be considered.
But for a judge managing a heavy docket, dismissal for lack of standing is an easy out.
From Linked-In:
This was the right ruling. There is no restitution required in a case like this, and I am glad that this decision was made the way it was. This society has become way too sue-happy, and frankly, it’s disturbing.
And the Hannaford case was NOT about ID Theft anyway. No IDs were stolen – only credit card numbers. Not to mention that Hannaford was compliant with the mandates with which they needed to be compliant.
So the lesson here is that security does not end at compliance – it starts at compliance.
From Linked-In:
The individual(s) who committed the crime should be held responsible. If they are caught, all seized assets should be immediately frozen and put in a trust account until their guilt is determined. The seized assets should be solely for the use of any potential restitution/compensation for stress etc. They should not even have access to these funds for legal fees. If they are found innocent they get the funds back with interest. Let the guilty bear the burden. I recognize the recovery percentage will be small but it will send a message as well. If you start suing, who ultimately pays? The taxpayer? The merchant? The consumer, due to higher costs? Do you get reimbursed as well for the emotional toll caused by the lawsuit? Once again it seems the lawyers come out on top. (No worries, I have three in my immediate family.) Our society is overly litigious.
From Linked-In:
From a principled point of view (and this seems to be backed up by the California State Privacy Officer, when I asked her about this very issue last week), it’s EXTREMELY difficult to find a true correlation between a data theft and subsequent victimization. As these large scale thefts start happening, there’s a high likelihood that anybody can be a victim from more than 1 incident… and that’s assuming that one of those incidents was the source to begin with.
The simple answer is that it will be INCREDIBLY difficult to assign with absolute proof a causation from one data breach to a subsequent loss (however that’s defined – monetarily, reputation, etc)
A smart lawyer would cross-examine a victim and ask them if they've ever received breach notifications, then ask how many, and then turn to a jury and ask if it's possible the wrong defendant is being charged with negligence.
From Linked-In:
Actually, victims are responsible for fraudulent losses after 60 days according to legislation. This is not 60 days after they find out about it, but 60 days after it occurs.
Also, they consolidated the case in Maine, so likely it would be subject to that state’s laws. It almost seems that because they were financially compensated that should cover everything else such as the stress associated with being a victim.
My question is, much use of the stolen data occurs months after a breach takes place, because the data isn’t necessarily used immediately. So the “no harm, no foul” they’ve been reimbursed really should be looked at in these situations, just because they can’t trace any direct activity back to the breach and the victims essentially have their money back.
People in positions to make decisions in these types of cases need to be educated as to the real situation of these victims. They’re not just out to get money because they spilled hot coffee on themselves and they’re looking for a quick buck, their lives may have literally been turned upside down.
From Linked-In:
I am not a big fan of lawsuits and supposed emotional damage. Aside from that, most banks have procedures in place to spot unusual activity on an account and to flag that account to create a stop loss situation.
From Linked-In:
Additionally the question of what the plaintiff is alleging is critical. If a person is claiming financial loss due to identity theft from a specific incident then the judge is right to not reward damages in my opinion. Financial loss or penury loss needs to be linked to a “crime” for there to be an award. When the plaintiff or class is alleging a “failure to adequately protect” such as in the TJX, or VA Administration and other such cases, this does not have the additional burden of proof of identity theft but only the failure of the aggregator to safeguard the data they hold. The award then can be claimed stemming from suffering and even out of pocket expenses related to personal efforts to protect an individual who feels they are more vulnerable to identity theft as the result of the breach.
I’m not familiar with this particular case. Julie is absolutely right about the 60 day thing with one exception. When a bank statement is mailed the account holder has specific requirements to report errors to the bank in writing within 60 days of the statement mailing. After that point then the bank is normally not responsible for the error. Banks do however, on occasion work with depositors to correct error and reimburse monies drained from accounts but they are not responsible to do that.
From Linked-In:
I think companies in general, not even necessarily banks could be doing more yes. I remember hearing a comedy sketch and while not even trying to do anything besides be funny, he hit a good point. “Why can’t we verify the companies we talk to on the phone?”
If you think about it, some random person calls you up and says they are from your bank, and you have to take it at face value. Granted, I'm not saying a Rolodex for every customer, but why can't banks have a passphrase or something similar that the company has to give the *customer* before they can discuss the account with you, while you have to verify yourself to the company?
Many customers may not even notice it, but for a few seconds more on a call to customer support, I'm sure the ones that do will really come to appreciate it after seeing that it is meant to build trust.
From Linked-In:
I believe that whether a person deserves more compensation or not should be based on how well the company that had the breach was protecting their data. There is a possibility that the company where the breach occurred had good systems in place and had done their very best to secure data but either had a bad employee or there was some intricate manner that allowed the intrusion. On the reverse side of that, if the business that was breached had not done their due diligence in implementing the latest technologies to protect their customers, then they should be held accountable and made to pay for their negligence. I talk to countless businesses today who are having their I.T. budgets cut and they are afraid to either spend any money or even suggest to the CEO that they should spend money to protect their data, even when they know that they are exposed to data loss or compromise.
From Linked-In:
I think that the circumstances of the breach need to be taken into consideration. I strongly believe that how the breach occurred is probably the most important factor in determining whether victims could claim damages. Hacking into a network to gain sensitive information is different than if the breach was caused by employee error, an employee stealing, or broken business processes. I would say that the courts should determine liability as the first step – asking, could this breach have been prevented?
From ITAC Linked-In Feed:
I think it is unfortunate that this became the focus. There are plenty of cases of real damage done (time served in jail, incorrect treatments due to medical identity theft, jobs lost) that could be successfully prosecuted in other identity theft cases. Now, however, there is another reason for victims to feel that there is no sympathetic ear to their plight. I understand the ruling, and it is consistent with other cases, but I feel the media coverage will further discourage potential customers who already mistrust the e-commerce environment.