BreachExchange mailing list archives
Re: VISA / 1ST BANK
From: "Marjorie Simmons" <lawyer () carpereslegalis com>
Date: Fri, 20 Oct 2006 20:25:34 -0700
re show of hands: both. Actually, I had my identity stolen the first time about 30 years ago when a former 'friend' decided to impersonate me (don't know how) and social engineer a bank into giving her a loan, which she then promptly defaulted on. I was in the military at the time and this person was hundreds of miles away. I got a call from my family telling me a bank was looking for me ....

---------------------------------------------------------------------------

A solution that the courts will find comfortable requires (1) following the money; and (2) showing how victims are damaged. All interested researchers should do this, i.e., match up the data losses with the derivative losses to the victims in order to show a pattern of risk that legislators will find helpful, and to show where damages lie and in what amount so victims can find recompense.

Keeping the relationships straight between the parties to the compromised transactions as discussed in this instance is important to a good understanding of the limitations of available remedies. For example, data compromise scenarios can include, among others:

M = Merchants
CP = Card Processors
PB = Presenting Banks of Card Companies
RB = Receiving Banks of Victims
VI = Victim Individuals

M - often don't keep more than transaction numbers
CP - keep account & transaction numbers, sometimes more
PB - present to RB a transaction on an account
RB - get notified by PB of upstream data losses

So, to put these players into a scenario, we have a VI who, upon shopping with M, enters into a transaction. The M then uses the CP to process the transaction, the CP then submits the transaction to the PB, the PB then presents the transaction to the RB for payment. At some point along the way, data is compromised.

Determining where in the stream of this transaction the compromise takes place is crucial to an ultimate assignment of fault, thus it is axiomatic that parties in the stream who are not at fault in the loss would decline to spread information about the loss since they will be investigated as part of the discovery of what took place. Divulging information about the loss before investigations are completed likely both impairs the investigation and results in further losses, exposing them to criminal liability. Most don't need their lawyers to explain this since it is self-evident to them, if not to the general public.

Generally, if a merchant or CP compromises your data, your bank will instruct you to contact the card issuer to find out who compromised your data. If it is known to them, the card issuer may or may not reveal the source of the breach, but should. Card agreements often try to preempt this type of disclosure, and this is where legislation should be targeted.

====

Here is some legal background on what is needed:

In order to bring a viable lawsuit, a plaintiff must be able to show they've suffered damages. One must show:

Duty ---> Breach ---> Causation ---> Damages

The judiciary concerns itself with things that have a current or past impact, and if one tries to bring a suit for something that might happen in the future, the courts will generally not entertain the suit because it is not *ripe* for judicial consideration. Ripeness is an essential factor in a lawsuit. Ultimately this can mean your credit has to be hosed before you can sue.

The courts generally:

(1) do NOT recognize data losses per se as damages (as to the individual victims of data loss) unless the loss results in actual injury, e.g., the thief uses the data in a way that causes financial loss or physical injury to the victim;

(2) DO recognize data losses as a type of damages in a suit brought by shareholders, investors, or some other classes of persons having a pecuniary interest in the 'good will' of a business that has had its 'good will' damaged by losing data.

In both such cases, the loss of the data CAN result in a derivative loss to the victim that is measurable, and that result is litigable. Non-specific (outrage factor) damages are not measurable in any way except through speculation of what might be done with the compromised data in the future, and are thus called 'speculative damages': they don't qualify for consideration as damages primarily because they cannot be measured and might not happen. Having one's card(s) cancelled and reissued isn't enough as that's considered, at this point, an annoyance rather than a loss.

In the short term, most data losses do not have a measurable derivative loss to the individual victim whose data has been compromised, but in the fullness of time, the loss to victims will be more measurable as thieves begin to use the data they've compiled. Connecting the dots here is the tricky part and following up on this is complex but is nonetheless absolutely necessary -- one must correlate the losses to get to damages. One cannot emphasize strongly enough that the indicators that compromised data have been used to the detriment of victims need to be a primary area of concern for researchers in order to be able to show damages. FOIA letters to state's attorneys general requesting statistical data might yield some helpful results for a roadmap.

Helpful legislation would designate generic data losses as a per se wrong carrying strict liability, and would require the data loser to, at minimum, pay for credit monitoring for each person affected, without regard to whether the feds or other investigative body think such data is 'safe'. In the US, write your congress member about this, and vote.

Marjorie Simmons
###

| -----Original Message-----
| From: dataloss-bounces () attrition org
| [mailto:dataloss-bounces () attrition org] On Behalf Of blitz
| Sent: Thursday, October 19, 2006 9:22 pm
| To: dataloss () attrition org
| Cc: kjv
| Subject: Re: [Dataloss] VISA / 1ST BANK
|
|
| I think what we're seeing is the affected companies being
| told by their law-vultures to release as little as possible
| to minimize exposure. This in its essence, limits as well,
| the ability of independent verification and investigation to
| assist others in prevention and bring guilty parties to justice.
| This is a trend that should be stopped ASAP. . . . .
|
| One more notable side effect I'm seeing is the taking on
| blind faith that a missing data set has been recovered and
| has not been tampered with. . . . .
| Marc
|
| At 16:43 10/19/2006, you wrote:
|
|
| The way I read the notification, it didn't sound like
| the processor was affiliated with 1st Bank:
| . . . .
|
| On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K.
| DeLong wrote:
|
| > Well, whomever it was will probably get whacked with a HUGE fine for
| > violating PCI Security standards. I'm guessing it won't take long to
| > determine who falls under approved card processors for Visa.
|
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 137 million compromised records in 430 incidents over 6 years.