VOLUME 4, ISSUE 4 - Spring 2008

For several years, hackers taking advantage of security holes in the information system of TJX Companies, Inc. stole sensitive credit and debit card information belonging to at least 45.7 million customers. The TJX breach is one of the largest thefts of consumer information in history and is illustrative of the recent wave of security breaches. Private lawsuits against companies that fail to protect consumer information have typically failed. However, the Federal Trade Commission has taken enforcement action against companies that fail to implement reasonable security measures to protect customers’ personal information. These complaints have resulted in settlement agreements requiring the businesses to implement comprehensive security programs, complete with third-party auditing, for up to 20 years. This Article analyzes the various types of legal violations alleged by the FTC in security breach cases, the factors cited as contributing to the violations, and the remedies typically agreed upon when the complaints are settled. This Article also distinguishes different violations that may result depending on the type of information stolen through a security breach.

No Harm No Foul: Limits on Damages Awards for Individuals Subject to a Data Breach

By Derek A. Bishop
4 Shidler J. L. Com. & Tech. 12 (2008)
Litigation
5/23/2008

Recently, TJX, Inc. announced that computer hackers breached several of TJX’s databases containing the driver’s license and credit card numbers of over 47 million customers. Within a month, a class action lawsuit attempting to hold TJX responsible for losing control of this information was filed. In the past, class action lawsuits based on the release of consumers’ personal data have failed because the plaintiffs have not alleged sufficient harms. This article examines legal claims relating to the release of personal data by companies during security breaches. To date, courts have refused to find individuals harmed by the negligent release of information without proof that the information has been misused by a third party. In addition, courts have not found a substantial enough causal link between the release and the fraudulent use. This article also examines several doctrines that may in the future be used to limit potential defendant liability from class action claims stemming from the release of personal information.

To Mine or Not to Mine: Recent Developments in the Legal Ethics Debate Regarding Metadata

By Boris Reznikov
4 Shidler J. L. Com. & Tech. 13 (2008)
Commercial and Corporate
5/23/2008

The American Bar Association recently decided that attorneys are not violating the Model Rules of Professional Conduct by reviewing opposing parties’ electronic documents for metadata. The stance taken by the American Bar Association contradicts views from ethics committees in other jurisdictions that have determined that lawyers who examine metadata are acting unethically. This Article summarizes the American Bar Association’s decision, as well as the other opinions on metadata, to help practicing attorneys understand the proper ethical considerations they must make when determining whether to look into an electronic document’s metadata.
