Legal Issues

by Carlo Longino




Judge Says Don't Sweat The Data Leaks

from the thanks-for-looking-out dept

A judge in Minnesota ruled last month that Wells Fargo wasn't negligent in a recent data leak when a contractor's laptop was stolen -- not because they took adequate precautions to prevent the leak, but rather because the thieves never used any of the data. The bank was sued by two customers, whose claim for damages was rejected because they couldn't show they'd actually been harmed, which, on one level, makes sense. But to say that Wells Fargo or its contractor wasn't negligent in storing customer data unencrypted on a laptop is a stretch. A court ruled in a similar case earlier in the year (also in US District Court in Minnesota) that a company wasn't liable because it had taken "reasonable" precautions to protect data, which, in that case, included storing unencrypted information on a laptop. So with that standard, and this new ruling that says companies are negligent not when unencrypted information is stolen, but only if it's used, do legal consequences give companies much motivation to actually bother to protect customer information in a meaningful way? Of course not. So basically, if customer information gets stolen by a thief who just wants to hawk the laptop, companies have nothing to worry about -- but why should their negligence be defined by the actions of the thief, and not by the actual theft itself?

Reader Comments

  1. Apr 14th, 2006 @ 2:36pm
    by mercifuljes

    It doesn't matter if the data was used against customers or not, that type of data should not have been stored on a laptop to begin with.
    Wells Fargo is obviously negligent.

  2. Apr 14th, 2006 @ 2:54pm

    Hmmm

    by Jezsik

    I have to admit that I can see the judge's point (although I disagree with him). Imagine you build a bridge with no guard rails (there's no law stating you must have guard rails). Someone falls off the bridge but doesn't get hurt. Are you negligent? What if there was a law but it didn't indicate how big and strong the rails had to be? You put up a bit of rail but someone still falls off, but doesn't get hurt. How can you be negligent? Of course if someone DOES get hurt ... well, that's a different case, isn't it?

  3. Apr 14th, 2006 @ 3:50pm
    by Jazz

    I think in Jezsik's analogy it's more accurate to say "what if someone sues the bridge builder for mental anguish from fear of falling off the bridge".
    Wells Fargo are definitely negligent, but I don't think that people that have not been harmed by such mitigating factors should benefit financially when they haven't actually been affected by it.

  4. Apr 14th, 2006 @ 3:51pm
    by andy slimelicker

    I have to agree with the first poster, you just don't put unencrypted data ANYWHERE, especially data of this nature.
    Poster #2's bridge rail analogy just doesn't make any sense to me.

  5. Apr 14th, 2006 @ 3:52pm
    by mercifuljes

    "I don't think that people that have not been harmed by such mitigating factors should benefit financially when they haven't actually been affected by it."

    Quoted for truth.

  6. Apr 14th, 2006 @ 4:03pm
    by Fred

    The judge didn't rule that Wells Fargo wasn't negligent. He ruled there were no damages, so there were no grounds to bring an action. Do you really want to give our out of control trial attorneys the ability to sue for potential damage?

  7. Apr 14th, 2006 @ 4:51pm

    There is such a thing as punitive damages -- the jury handing back a number that will make it too expensive for the given party, in this case Wells Fargo, to continue its negligent behavior.

  8. Apr 14th, 2006 @ 6:17pm
    by Levent

    They haven't been harmed so far. But what if the data was actually circulated and will cause harm in the future? How can the future damage be guaranteed by this decision? Do the plaintiffs have recourse to come back to court again? And why should they have to bear the burden of linking such possible future damage to the actions of WF?

  9. Apr 14th, 2006 @ 7:42pm

    The word Negligence has two meanings in court

    by donald Robertson

    In court the word negligence means two things. Negligence the claim (what you get sued for) requires that your negligence (screwing something up) caused the plaintiff damage. Wells Fargo certainly seems like they acted negligently, but in order to get sued for that their negligence would have actually had to cause damages.

  10. Apr 15th, 2006 @ 1:11am
    by Late Bum

    Donald has the right of it. Even though the company acted in an inappropriate manner by storing sensitive data in an insecure environment, it DOES matter if the customers were harmed or not. You can't just assume an arbitrary amount of harm given the worst-case scenario. To what extent does the harm go?

    Unfortunately, being stupid isn't against the law... although it probably should be.

    I think another suit in the future could be brought if harm is shown.

  11. Apr 15th, 2006 @ 8:16am

    He doesn't bank at Wells Fargo

    by PenguinPete

    There are several obvious points to make here. The first is that the judge doesn't have even a basic understanding of technology and how simple it is to encrypt data. The resolution to this situation would be to contact your state representatives and lobby for laws on how personal and financial data is handled.

    The second point is that the judge is not a Wells Fargo customer, if he was he would have to recuse himself, but also he has never had any of his financial data lost by a financial institution, otherwise he would have been a little more concerned.

    My wife was one of the people whose data was on the laptop. She was contacted by Wells Fargo and they gave her free credit checks for two years. There haven't been any problems with her account (I believe the theft actually happened several years ago), but if there are, how do we prove the thieves got the information from the laptop? Pretty much impossible, I guess that is the problem that the plaintiffs had.

  12. Apr 15th, 2006 @ 12:30pm
    by Adam

    How difficult is it to read data when you have access to the computer, encrypted or not? If the guy who owned the laptop could get at the data, then it's likely not overly hard for anyone who stole the laptop. Biggest risk is biometric encryption, which would put the kibosh on thieves stealing the data. Anything else could be broken with a password cracker.

  13. Apr 15th, 2006 @ 1:02pm

    Re:

    by aixkami

    I would agree that they were negligent, but data like that *can* be stored on a laptop, provided the drive is encrypted - we use Pointsec which encrypts the entire contents of a drive as you work, so that if the laptop is lost or stolen, you don't have to worry what was stored on it. Given the relative low cost of encryption software, compared with the value of the data contained on the laptop, I think this just exacerbates their irresponsibility and negligence. Another example of consumers being screwed at the hand of big business. The consumer data may not have been used, but it is probably only a matter of time. Many identity thefts don't occur right away.

  14. Apr 15th, 2006 @ 7:58pm

    Re: Hmmm

    by Metal Guy

    Actually, there is a building code in place in most localities that states that any pedestrian walkway where there is more than a 30-inch drop-off requires a guardrail that is 42" high and won't allow a 4-inch sphere to pass through it at any point. They also specify that these rails must resist a 200-pound point load and a 50-pound-per-foot distributed load. Although failure to adhere to these codes is not a criminal act, it does not absolve a fabricator of these rails from responsibility in the event of an accident. So you don't go to jail when a kid falls through a hole in the rail, but you DO lose the lawsuit for $XX million.

  15. Apr 16th, 2006 @ 2:23am

    Wells Fargo is Negligent and will not acknowledge

    Yeah I think it is pure negligence. The bridge analogy isn't so compatible because he or she was not paying for the bridge service, and the agreement was not made that it would safely carry the user across the river. At Wells Fargo or any other financial institution, your privacy is paramount and an agreement is made. Having personal unencrypted data outside of the premise is straight negligence to the customer's privacy. Bottom line, the customer has placed trust in ensuring the bank manages personal finance data and information and regardless of what happens the bank should be liable. Really, what kind of bank would go, "Sorry dude, some thief just swiped your money from your account." We cannot do anything about it. That's just simply bad service and untrustworthy.

    I am not exactly sure what the appropriate conclusion would be though. After all, I doubt some common thief used the personal data for his or her gain. But I would think that more appropriate and necessary measures should be taken to gain back the trust of their clients. I think the judge should have awarded some kind of penalty for a violation in the customer's privacy contract. Really that is the only way for the company to learn and where you really want the law to extend to at its maximum. It is also sad that the company didn't settle at all under some halfway point to express their apologies. However, laws should not be in place to forcefully tell the bank to encrypt their data, but they should have ruled for a violation of a contract.


    I am glad it ended up here at techdirt though, because I will not use Wells Fargo after this story.

  16. Apr 16th, 2006 @ 5:49am

    The Judge wouldn't

    by Rich

    be thinking that if his information was on that laptop. As a security professional there are a lot of risks to that. I don't agree with the judge's decision on this considering mobile computing (laptops) should not be the medium for transporting customer data. There are laws governing transport/security (Sarbanes/Oxley) and FISMA regs that should have been followed here.

  17. Apr 16th, 2006 @ 6:11am

    By the Judge's Logic

    by giafly

    ...it's OK for Wells Fargo execs to take a dump out of their office windows, so long as the people walking below are lucky enough that the shit misses them.

  18. Apr 16th, 2006 @ 7:33am

    Re: Hmmm

    Great analogy!

  19. Apr 17th, 2006 @ 12:43am

    I guess the judge has a point, technically. Despite that, one should take note that companies should protect data given to them by customers because failure to do so would result in neglect and negligence. It's good news that no harm has been done to the stolen data but one could not predict the course of things in the years to come.

  20. Apr 17th, 2006 @ 6:43am

    Harumph

    by The Serenity

    Well, I would like to know what they are defining as customer data. Are they talking about a customer upload IP, are they talking about a spreadsheet of networks available in Wells, WAN interfaces, things of that nature? Or are we talking about real customer information such as SSN, DOB, CC# and so on? I would think that the type of information that is defined combined with how it was used after the fact would determine this.

    That being said.... Worst case if they get Bob's info is that Bob may suffer identity theft. Now if they have a network computer (probably with VPN) and use something like an LSA cracker or some other canned toy.... well now that would be something to kick someone in the ****s for...
    Most companies do not encrypt laptops though most companies usually keep mapped drives on the network for the purpose of storing that kind of data in a place less easy to access.

  21. Apr 17th, 2006 @ 11:22am

    breathe a sigh of relief

    by ex Wells Fargo employee

    I worked for 1 1/2 years at WF (until last fall) and in late 2004 IIRC they started putting Pointsec on every machine.

  22. Sep 6th, 2006 @ 8:18am

    August 28 Notification of another employee data le

    by Dan

    Wells Fargo performed an audit of employee benefits that concluded by allowing the auditor to lose the employee data for thousands of employees via the UNENCRYPTED laptop and disks of the auditor.

    The letter I have received detailed the loss and offered 1 year of credit reporting paid for by Wells Fargo. HOWEVER........

    Since my children's SSN and other information was available I think they should provide many more years due to the risk and their complete stupidity.
