An interesting development in the judicial world should have companies pondering whether they need to use data encryption software like AlertBoot to secure their client data that doesn’t appear to be sensitive.
A lawsuit against RockYou has been green-lighted, which is something of a surprise. I had made note of the lawsuit over a year ago. The cursory details are: 32 million usernames, passwords, and email addresses belonging to RockYou customers were breached in an on-line hacking incident. RockYou was subsequently sued because they had stored the information in unencrypted format (aka, plaintext).
My own observation was that the lawsuit wouldn’t go anywhere: there have been many other similar cases, such as with Hannaford, the grocery chain, where a lawsuit was tossed because the plaintiffs could not prove that they had been harmed.
Indeed, theregister.co.uk had this observation:
The finding that the loss of PII [personally identifiable information] is sufficient grounds for a lawsuit is in stark contrast to rulings in other cases that have held that the exposure of social security numbers and other sensitive data gives rise to valid legal claims only when it results in actual damage to its owner, such as identity theft.
These “actual damages” are known as legally cognizable harm.
If Not Valuable, Why are You Offering Services in Exchange for PII?
The position taken by the plaintiff is that something of value was taken during the breach: the names, passwords, and e-mail addresses that are traditionally viewed as being not-so-sensitive data. Otherwise why would RockYou be offering their services in exchange for these? RockYou would be only do so because they were of value, after all.
Emphasizing the fact that I’m not a lawyer, I have to admit that it’s an interesting position to take. The courts certainly thought so. On the other hand, they too realize that the argument stands on shaky ground:
For that reason, and although the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact. If it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage. [infolawgroup.com]
If I’m understanding this correctly, the plaintiff must identify a cognizable harm. Whether a criminal third party having a name, password, and email address can be classified as such will probably be what the lawsuit is about.
A potential precedent-setting legal case is started because encryption software is not used on what most people would agree doesn’t require encryption. Ain’t that a kick in the head.
Related Articles and Sites: