Feeds

Appeals court absolves firm that exposed man's SSN

No harm, no foul

Designing a Defense for Mobile Applications

A man whose social security number and other personal data were exposed by a company that processed his job application has no legal claims because no actual damage resulted from the privacy breach, a federal appeals court has ruled.

The decision, issued late last week by the Ninth US Circuit Court of Appeals, is likely to make life more difficult for people suing Facebook and other companies in California for not adequately protecting user information. It upheld a lower court ruling that said the mere possibility of damage and the cost of monitoring credit reports didn't count as the harm needed to bring a lawsuit under laws in the state.

The case arose from the theft of one or more laptops from Vangent, a company that processed job applications for clothing retailer The Gap. We're guessing it's the same mega breach The Gap reported in late 2007 warning that sensitive information for more than 800,000 individuals was exposed when laptops with unencrypted contents were stolen.

Applicant Joel Ruiz sued the two companies for a raft of violations, including negligence, breach of contract, unfair competition and invasion of privacy. But the federal judge hearing the case rejected each cause of action on the grounds the plaintiff failed to state actual damages that resulted from the breach.

“No one can doubt that those individuals whose private information was potentially exposed by the theft of the laptop have reason to be aggrieved and concerned,” the three-judge panel for the appeals court wrote in its decision. “However, the sole question for us is whether the district court properly analyzed the legal claims raised by Ruiz. We conclude that it did.”

The ruling largely echoes decisions by other courts, including a case against online prescription drug processor Express Scripts, which leaked highly sensitive subscriber information. Under the statutes invoked in the cases, plaintiffs were required to show actual damage arising from the breaches, rather than the speculation, however well founded, that they are more susceptible to harm, the courts have in essence ruled.

Last week's decision is evidence that appeals courts are inclined to agree with that reasoning. And according to The Technology & Marketing Law Blog that isn't likely to fare well for two separate lawsuits pending against Facebook for sharing users' personal information with advertisers despite assurances such information would never be shared without explicit permission.

“Both of these lawsuits allege that Facebook improperly disclosed the user name and other information of Facebook users who accessed content on the web,” blogger Venkat Balasubramani wrote. “Claims in both lawsuits are premised around Facebook's violation of its privacy policy. As this case makes clear, the plaintiffs in these cases are unlikely to be able to show actual damages, and their breach of contract, negligence, and unfair competition claims are likely dead on arrival.”

The virtual immunity companies have when they lose your data is worth remembering the next time one of them makes solemn promises that your data is safe with them. They may sound assuring, but when push comes to shove, they don't mean very much. Just ask Joel Ruiz. ®

Application security programs and practises

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.