Approximately one year ago, retail behemoth Target experienced one of the largest data breaches in history. The saga still continues; recently, a federal judge rejected the company’s request to dismiss a lawsuit filed by banks. The implication, should the banks win, would be that companies can be sued for security failures. For example, perhaps the theft or loss of computers that weren’t protected with laptop encryption software could be seen as a legally actionable event.
Target Played Key Role in Hack
To view Target as anything other than a victim is kind of odd. They didn’t invite the hacking. They didn’t boast about their data security (as far as I know). They aren’t the target of activist actions, unlike another ginormous retailer. They were hacked, essentially, for being successful without being too controversial. Willie Sutton said he robbed banks because that’s where the money is, and hackers targeted Target because it had data that could be monetized.
Banks are not viewed as some kind of crime antagonist, only as a victim, if they’re at the center of a robbery. (Of course, there are parts of society that think of banks as a different sort of thief, but that’s neither here nor there). And, yet, when it comes to the Target hack of 2013, I get the feeling that people place as much blame on the company as they do on the hackers.
I can understand the feeling coming from the general public, but in court?
“[The banks] have plausibly alleged that Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began… Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered.” (reuters.com)
Basically, the judge said that the banks’ case won’t be summarily dismissed. Why is this interesting? Because similar arguments have been made in many instances in the past and haven’t seen the light of day in court. For example, if a hospital laptop with patient information is stolen, a federal regulation known as HIPAA requires that the affected people be notified of it. That is, unless strong medical encryption is used to protect it.
Understandably, the notified people file lawsuits. These are thrown out of court despite the fact that the lack of encryption represents, to paraphrase, a disabling of security features and a failure to heed plenty of warnings that laptops are lost or stolen.
So what’s different here?
Show Me the Money (You were Cheated Out Of)
No, it’s not a conspiracy to “stick it to the small guys.” It’s not the courts only listening to corporations. What you’ve got here is an instance where the plaintiffs have been demonstrably harmed.
The banks had to pay out a lot of money due to Target being hacked. With the medical information I offered as an example above, individual citizens can also get their day in court if they can show that they were harmed directly by the loss of the laptop. This is not always easy to do, if it can be done at all. Hence the low success rate for people like you and me. But, in the banks’ case, they have incontrovertible proof, since payments were made as a result of the Target hack.
How will this play out? Your guess is as good as mine. However, there’s a good chance that the banks may win this one. In the rare instances where individuals were able to prove a link between a data breach and a financial loss…well, I think the cases were all settled.