Suing Our Way to Better Security?

Thursday, June 21, 2012

Jayson Wylie


It is always tragic when news about data breaches and public dumps of said data affect tremendous numbers of victims.

The prevalence of these occurrences devalues each victim's identity to the point where, I am sure, if asked, the victim would gladly pay the trivial sums the criminal networks trade in to be spared the far greater troubles that come with identity theft.

It does not seem like the top leaders at organizations are as concerned with other people's information as they are with the bottom line.

What is the incentive? SOX or PCI compliance for stock options, or for the ability to use credit cards in the revenue stream?

We hear about massive compromises, but we do not hear much about the repercussions of the breaches or about the lack of concern for the security of customers' sensitive information.

If regulations do not influence business and security leaders, maybe the fear of being the subject of a class action lawsuit will make plain the massive cost risk that security complacency builds into the business model.

LinkedIn.com had about 6.4 million passwords dumped onto a Russian web site in hashed form, available to be cracked by anyone interested.

A few humorous articles showing the weaknesses of some of the passwords came about as a result, but I don't believe the user names of the victims were published, which leaves this legal filing a little weak.

The punitive damages don't add up either, and I imagine the biggest winners in a situation like this are the litigators involved and the named plaintiff who filed.

However, it may open some eyes, because money is going to have to be paid to lawyers to defend against this, even if the filing has no solid legal basis and shows no ability to identify the class of plaintiffs or the true damages caused.

Whether I agree with this case or not, something has to be done to generate true concern about the state of today's security and the treasures held on public, Internet-facing nodes.

If organizations do not respond to fear of embarrassment for failing at security, should we start taking them to court to formulate better consumer protections? 

Comments:

Mark Hennon (June 22, 2012): The finance guys will pay for food security when the lawsuits threaten their jobs.

Mark Hennon (June 22, 2012): that sb "good" instead of "foof," er. . . "fod," I mean, "food."

Marc Quibell (June 23, 2012): Nice write-up. You're right, I don't believe this case has a leg to stand on. Passwords alone do not equate to PII and the plaintiff clearly relies upon PII being the main course in this case. It is not.

The real crux is your question about how to make big data-handling companies care more about our data. The problem is that that is all relative. There was no PII in this case, so what is the damage to the user in the case with LinkedIn? I would also submit that LinkedIn played it smart by not associating usernames with passwords in the database...

Marc Quibell (June 25, 2012): Are you suggesting, Terry, that LinkedIn is lying about storing the passwords with the userID?

Terry Perkins (June 25, 2012): I do believe that LinkedIn stored the email with the passwords. I had an embarrassing incident occur that proves this theory.

Marc Quibell (June 25, 2012): Oh... the comments were deleted... nvm.

Terry Perkins (June 25, 2012): Yes. Sorry Marc. :)
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
