<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Federal Court Rules that Breach Victims Not Entitled to Restitution</title>
	<atom:link href="http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/feed" rel="self" type="application/rss+xml" />
	<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution</link>
	<description></description>
	<lastBuildDate>Wed, 18 Aug 2010 01:52:36 -0400</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-1075</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Thu, 21 May 2009 20:07:49 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-1075</guid>
		<description>From ITAC Linked-In Feed:

I think it is unfortunate that this became the focus. There are plenty of cases of real damage done (time served in jail, incorrect treatments due to medical identity theft, jobs lost) that could be successfully prosecuted in other identity theft cases. Now, however, there is another reason for victims to feel that there is no sympathetic ear to their plight. I understand the ruling, and it is consistent with other cases, but I feel the media coverage will further discourage potential customers who already mistrust the e-commerce environment.</description>
		<content:encoded><![CDATA[<p>From ITAC Linked-In Feed:</p>
<p>I think it is unfortunate that this became the focus. There are plenty of cases of real damage done (time served in jail, incorrect treatments due to medical identity theft, jobs lost) that could be successfully prosecuted in other identity theft cases. Now, however, there is another reason for victims to feel that there is no sympathetic ear to their plight. I understand the ruling, and it is consistent with other cases, but I feel the media coverage will further discourage potential customers who already mistrust the e-commerce environment.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-974</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Mon, 18 May 2009 18:40:56 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-974</guid>
		<description>From Linked-In:

I think that the circumstances of the breach need to be taken into consideration. I strongly believe that how the breach occurred is probably the most important factor in determining whether victims could claim damages. Hacking into a network to gain sensitive information is different than if the breach was caused by employee error, employee stealing, or broken business processes. I would say that the courts should determine liability as the first step--asking could have this breach been prevented?</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>I think that the circumstances of the breach need to be taken into consideration. I strongly believe that how the breach occurred is probably the most important factor in determining whether victims could claim damages. Hacking into a network to gain sensitive information is different than if the breach was caused by employee error, employee stealing, or broken business processes. I would say that the courts should determine liability as the first step&#8211;asking could have this breach been prevented?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-973</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Mon, 18 May 2009 18:27:59 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-973</guid>
		<description>From Linked-In:

I believe that if a person deserves more compensation or not should be based on how well the company that had the breach was protecting their data. There is a possibility that the company where the breach occurred had good systems in place and had done their very best to secure data but either had a bad employee or there was some intricate manner that allowed the intrusion. On the reverse side of that, if the business that was breached had not done their due diligence in implementing the latest technologies to protect their customers then they should be held accountable and made to pay for their negligence. I talk to countless businesses today who are having their I.T. budgets cut and they are afraid to either spend any money or even suggest to the CEO that they should spend money to protect their data even when they know that they are exposed to data loss or compromise.</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>I believe that if a person deserves more compensation or not should be based on how well the company that had the breach was protecting their data. There is a possibility that the company where the breach occurred had good systems in place and had done their very best to secure data but either had a bad employee or there was some intricate manner that allowed the intrusion. On the reverse side of that, if the business that was breached had not done their due diligence in implementing the latest technologies to protect their customers then they should be held accountable and made to pay for their negligence. I talk to countless businesses today who are having their I.T. budgets cut and they are afraid to either spend any money or even suggest to the CEO that they should spend money to protect their data even when they know that they are exposed to data loss or compromise.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-857</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Fri, 15 May 2009 17:48:18 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-857</guid>
		<description>From Linked-In:

I think companies in general, not even necessarily banks could be doing more yes. I remember hearing a comedy sketch and while not even trying to do anything besides be funny, he hit a good point. &quot;Why can&#039;t we verify the companies we talk to on the phone?&quot;

If you think about it, some random person calls you up and says they are from your bank, you have to take it at face value. Granted, I&#039;m not saying a Rolodex available for every customer, but why can&#039;t banks have a passphrase or something similar that the company has to give the *customer* before they can discuss the account with you while you have to verify yourself to the company?

Many customers may not even notice it but for a few seconds more on a call to customer support, I&#039;m sure the ones that do will really come to appreciate it as it after seeing the fact that it is meant to build trust.</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>I think companies in general, not even necessarily banks could be doing more yes. I remember hearing a comedy sketch and while not even trying to do anything besides be funny, he hit a good point. &#8220;Why can&#8217;t we verify the companies we talk to on the phone?&#8221;</p>
<p>If you think about it, some random person calls you up and says they are from your bank, you have to take it at face value. Granted, I&#8217;m not saying a Rolodex available for every customer, but why can&#8217;t banks have a passphrase or something similar that the company has to give the *customer* before they can discuss the account with you while you have to verify yourself to the company?</p>
<p>Many customers may not even notice it but for a few seconds more on a call to customer support, I&#8217;m sure the ones that do will really come to appreciate it as it after seeing the fact that it is meant to build trust.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-850</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Fri, 15 May 2009 15:07:03 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-850</guid>
		<description>From Linked-In:

Additionally the question of what the plaintiff is alleging is critical. If a person is claiming financial loss due to identity theft from a specific incident then the judge is right to not reward damages in my opinion. Financial loss or penury loss needs to be linked to a &quot;crime&quot; for there to be an award. When the plaintiff or class is alleging a &quot;failure to adequately protect&quot; such as in the TJX, or VA Administration and other such cases, this does not have the additional burden of proof of identity theft but only the failure of the aggregator to safeguard the data they hold. The award then can be claimed stemming from suffering and even out of pocket expenses related to personal efforts to protect an individual who feels they are more vulnerable to identity theft as the result of the breach.

I&#039;m not familiar with this particular case. Julie is absolutely right about the 60 day thing with one exception. When a bank statement is mailed the account holder has specific requirements to report errors to the bank in writing within 60 days of the statement mailing. After that point then the bank is normally not responsible for the error. Banks do however, on occasion work with depositors to correct error and reimburse monies drained from accounts but they are not responsible to do that.</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>Additionally the question of what the plaintiff is alleging is critical. If a person is claiming financial loss due to identity theft from a specific incident then the judge is right to not reward damages in my opinion. Financial loss or penury loss needs to be linked to a &#8220;crime&#8221; for there to be an award. When the plaintiff or class is alleging a &#8220;failure to adequately protect&#8221; such as in the TJX, or VA Administration and other such cases, this does not have the additional burden of proof of identity theft but only the failure of the aggregator to safeguard the data they hold. The award then can be claimed stemming from suffering and even out of pocket expenses related to personal efforts to protect an individual who feels they are more vulnerable to identity theft as the result of the breach.</p>
<p>I&#8217;m not familiar with this particular case. Julie is absolutely right about the 60 day thing with one exception. When a bank statement is mailed the account holder has specific requirements to report errors to the bank in writing within 60 days of the statement mailing. After that point then the bank is normally not responsible for the error. Banks do however, on occasion work with depositors to correct error and reimburse monies drained from accounts but they are not responsible to do that.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-841</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Fri, 15 May 2009 11:50:07 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-841</guid>
		<description>From Linked-In:

I am not a big fan of lawsuits and supposed emotional damage. Aside from that, most banks have procedures in place to spot unusual activity on an account and to flag that account to create a stop loss situation.</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>I am not a big fan of lawsuits and supposed emotional damage. Aside from that, most banks have procedures in place to spot unusual activity on an account and to flag that account to create a stop loss situation.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-840</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Fri, 15 May 2009 11:49:44 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-840</guid>
		<description>From Linked-In:

Actually, victims are responsible for fraudulent losses after 60 days according to legislation. This is not 60 days after they find out about it, but 60 days after it occurs.

Also, they consolidated the case in Maine, so likely it would be subject to that state&#039;s laws. It almost seems that because they were financially compensated that should cover everything else such as the stress associated with being a victim.

My question is, much use of the stolen data occurs months after a breach takes place, because the data isn&#039;t necessarily used immediately. So the &quot;no harm, no foul&quot; they&#039;ve been reimbursed really should be looked at in these situations, just because they can&#039;t trace any direct activity back to the breach and the victims essentially have their money back.

People in positions to make decisions in these types of cases need to be educated as to the real situation of these victims. They&#039;re not just out to get money because they spilled hot coffee on themselves and they&#039;re looking for a quick buck, their lives may have literally been turned upside down.</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>Actually, victims are responsible for fraudulent losses after 60 days according to legislation. This is not 60 days after they find out about it, but 60 days after it occurs.</p>
<p>Also, they consolidated the case in Maine, so likely it would be subject to that state&#8217;s laws. It almost seems that because they were financially compensated that should cover everything else such as the stress associated with being a victim.</p>
<p>My question is, much use of the stolen data occurs months after a breach takes place, because the data isn&#8217;t necessarily used immediately. So the &#8220;no harm, no foul&#8221; they&#8217;ve been reimbursed really should be looked at in these situations, just because they can&#8217;t trace any direct activity back to the breach and the victims essentially have their money back.</p>
<p>People in positions to make decisions in these types of cases need to be educated as to the real situation of these victims. They&#8217;re not just out to get money because they spilled hot coffee on themselves and they&#8217;re looking for a quick buck, their lives may have literally been turned upside down.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-839</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Fri, 15 May 2009 11:49:01 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-839</guid>
		<description>From Linked-In:

From a principled point of view (and this seems to be backed up by the California State Privacy Officer, when I asked her about this very issue last week), it&#039;s EXTREMELY difficult to find a true correlation between a data theft and subsequent victimization. As these large scale thefts start happening, there&#039;s a high likelihood that anybody can be a victim from more than 1 incident... and that&#039;s assuming that one of those incidents was the source to begin with.

The simple answer is that it will be INCREDIBLY difficult to assign with absolute proof a causation from one data breach to a subsequent loss (however that&#039;s defined - monetarily, reputation, etc)

A smart lawyer would cross examine a victim and ask them if they&#039;ve ever received breach notifications, then ask how many and then turn to a jury and ask if it&#039;s possible the wrong defendant is being charged with negligence.</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>From a principled point of view (and this seems to be backed up by the California State Privacy Officer, when I asked her about this very issue last week), it&#8217;s EXTREMELY difficult to find a true correlation between a data theft and subsequent victimization. As these large scale thefts start happening, there&#8217;s a high likelihood that anybody can be a victim from more than 1 incident&#8230; and that&#8217;s assuming that one of those incidents was the source to begin with.</p>
<p>The simple answer is that it will be INCREDIBLY difficult to assign with absolute proof a causation from one data breach to a subsequent loss (however that&#8217;s defined &#8211; monetarily, reputation, etc)</p>
<p>A smart lawyer would cross examine a victim and ask them if they&#8217;ve ever received breach notifications, then ask how many and then turn to a jury and ask if it&#8217;s possible the wrong defendant is being charged with negligence.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-816</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Thu, 14 May 2009 21:02:28 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-816</guid>
		<description>From Linked-In:

The individual(s) who committed the crime should be held responsible. If they are caught, all seized assets should be immediately frozen and put in a trust account until their guilt is determined. The seized assets should be solely for the use of any potential restitution/compensation for stress etc. They should not even have access for legal fees to these funds. If they are found innocent they get the funds back with interest. Let the guilty bear the burden. I recognize the recovery percentage will be small but it will send a message as well. If you start suing who ultimately pays? The taxpayer? The merchant? The consumer due to higher costs? Do you get reimbursed as well for the emotional toll caused by the lawsuit? Once again it seems the lawyers come out on top. (No worries, I have three in my immediate family.) Our society is overly litigious.</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>The individual(s) who committed the crime should be held responsible. If they are caught, all seized assets should be immediately frozen and put in a trust account until their guilt is determined. The seized assets should be solely for the use of any potential restitution/compensation for stress etc. They should not even have access for legal fees to these funds. If they are found innocent they get the funds back with interest. Let the guilty bear the burden. I recognize the recovery percentage will be small but it will send a message as well. If you start suing who ultimately pays? The taxpayer? The merchant? The consumer due to higher costs? Do you get reimbursed as well for the emotional toll caused by the lawsuit? Once again it seems the lawyers come out on top. (No worries, I have three in my immediate family.) Our society is overly litigious.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ITACadmin</title>
		<link>http://itacidentityblog.com/federal-court-rules-that-breach-victims-not-entitled-to-restitution/comment-page-1#comment-815</link>
		<dc:creator>ITACadmin</dc:creator>
		<pubDate>Thu, 14 May 2009 21:02:02 +0000</pubDate>
		<guid isPermaLink="false">http://itacidentityblog.com/?p=359#comment-815</guid>
		<description>From Linked-In:

This was the right ruling. There is no restitution required in a case like this, and I am glad that this decision was made the way it was. This society has become way too sue-happy, and frankly, it&#039;s disturbing.

And the Hannaford case was NOT about ID Theft anyway. No IDs were stolen - only credit card numbers. Not to mention that Hannaford was compliant with the mandates with which they needed to be compliant.

So the lesson here is that security does not end at compliance - it starts at compliance.</description>
		<content:encoded><![CDATA[<p>From Linked-In:</p>
<p>This was the right ruling. There is no restitution required in a case like this, and I am glad that this decision was made the way it was. This society has become way too sue-happy, and frankly, it&#8217;s disturbing.</p>
<p>And the Hannaford case was NOT about ID Theft anyway. No IDs were stolen &#8211; only credit card numbers. Not to mention that Hannaford was compliant with the mandates with which they needed to be compliant.</p>
<p>So the lesson here is that security does not end at compliance &#8211; it starts at compliance.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

