Consumers look to have their say over data breaches

Major corporate entities will often, after failing to adequately protect countless records of personal information, seek to exonerate themselves as much as possible.  While it’s natural to want to avoid penalties, it is nice when their feet are ultimately held to the fire.

That’s exactly what US District Judge Lucy Koh did last Friday.  Verizon, which had moved to dismiss the claims of a lawsuit brought against its recent acquisition Yahoo over the compromise of 3 billion users, saw that motion denied.  From 2013 to 2016, if you recall, Yahoo experienced three massive data breaches, which ultimately put all of its users at risk of identity theft and other types of fraud.  This risk was aggravated by Yahoo’s slothful disclosure, leading Judge Koh to rule that “Plaintiffs’ allegations are sufficient to show that they would have behaved differently had defendants disclosed the security weaknesses of the Yahoo Mail System.”

Coupled with the “liability limits” in Yahoo’s Terms of Service, this failure was especially egregious.  If Yahoo was aware of its security shortcomings and failed to do anything about them (and, clearly, nothing was done about them), there are no excuses.

Anyway, it’s only one step in the overall process, but it’s still a good bit of news whenever consumers are permitted to redress their grievances.  This will remain an issue, however, as long as there is no national standard for data breach notification.  Even with proposals having been advanced in recent years, the state-by-state patchwork of notification laws continues to result in confusion and poor communication.

And this doesn’t even address banks, which are not legally required to publicly disclose data breaches.  Banks and other financial institutions operate under the Gramm-Leach-Bliley Act of 1999, which came into effect before the modern prevalence of breaches and so could not have accounted for them.  Ambiguous language added to the law in 2005 tries to encourage disclosure, but it is not remotely mandatory.

That might be a topic for another day, but it seems that changes continue to be made across the board.  Slowly but surely.


By: Jonathan Weicher, post on March 14, 2018
Originally published at: http://www.netlibsecurity.com
Copyright: NetLib Security