Shorts: Neiman Marcus, UCLA Healthcare, OPM, USPS Breach, National Breach Law
The Seventh Circuit Appeals Court, normally pro-business, has reversed a lower court ruling and said that the class action lawsuit against Neiman Marcus can go forward. Often, these suits are dismissed on the grounds that plaintiffs haven’t experienced any harm since fraudulent credit card charges have been removed. This decision means that businesses’ hope that class action suits will be dismissed as long as they reverse customers’ fraudulent charges is an argument that is holding less weight. One interesting point that came out was that even though Neiman Marcus discovered the breach during the Christmas shopping season, they waited until after New Year’s to disclose it so as to not hurt Christmas sales. The court did not rule on the merits of the case, so stay tuned.
Source: IAPP
A UCLA Healthcare patient has filed a class action lawsuit against the hospital system in light of its recently announced breach. While the suit itself is not a surprise, the patient is suing under the concept of breach of contract. Part of the reasoning is that medical ID theft, unlike credit card theft, cannot be resolved by issuing a new piece of plastic, but instead can last for decades. On the black market, a credit card might sell for $5, while, based on that reasoning, a medical file might sell for $60+.
Under California law, patients could be awarded up to $1,000 in statutory damages and $3,000 in punitive damages for each violation. If each record is a violation, 4.5 million records could generate a large invoice.
Source: Consumer Affairs
The Senate appropriations committee voted to fund at least 10 years of credit monitoring plus a $5 million fund for reparations for the 22 million victims of the OPM breach, but no funding of OPM itself.
This ensures that the lax security and antiquated software will continue to run the country’s largest personnel department, leaving it vulnerable to the next group of hackers. I have no question that Congress was and continues to be responsible for the OPM breach.
Source: Rollcall
The Postal Service Inspector General released a report blaming the USPS breach last year on poor training (their fault), lack of accountability for risk acceptance decisions (shared fault) and continued use of antiquated, unsupported systems (Congress’ fault).
The IG said that the Postal Service cannot attract qualified cyber security personnel because it offers salaries of about HALF of what industry offers. The blame for this lies with Congress, who sets government salaries.
For this and other reasons, the IG says that the Postal Service was unable to prevent, detect or respond to threats.
Until Congress decides that cyber security is important government wide and passes laws that force agencies to treat cyber security seriously, we will continue to see more government breaches. Given that Federal, state and local governments are not treating cyber security with any urgency, they are likely to be a popular target for years.
Source: Fierce Government IT
Just in case you have any doubt that I totally blame Congress for this cyber security mess….
It appears that hopes for any kind of national cyber breach bill are pretty dim after Republicans watered down the bills in committee to the point of meaninglessness in an attempt to get something passed, which the Democrats rebelled against.
Passing a useless bill would allow politicians to say “see how wonderful we are” while not requiring big campaign donors to do anything meaningful. Credit card fraud is no longer the big problem, as the banks, for the most part, are doing a much better job of catching it. Unlike Congress, the banks are worried about losing their own money. Below is an example of a text that I got from the bank the other day:
Source: Rollcall