Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/21/2017
09:23 AM
50%
50%

OPM Data Breach Lawsuit Tossed, Fed Plaintiffs will Appeal

A judge ruled federal employees cannot sue for damages from the 2015 Office of Personnel Management data breach.

Federal employees plan to appeal a judge's decision stating they cannot sue for damages from the 2015 Office of Personnel Management (OPM) data breach, The Washington Times reported this week.

The workers won't be able to sue because they cannot show the stolen data has been used by attackers, said US District Judge Amy Berman Jackson. Compromised information includes sensitive personal details like financial and health data, taken from about 22 million personnel files. Experts have not been able to determine whether the stolen data was sold or used.

Judge Jackson's ruling is getting pushback from employee labor unions, which had filed a class action lawsuit to help workers whose data had been stolen and force the government to better protect information. The National Treasury Employees Union announced plans to appeal on Sept. 19; the American Federation of Government Employees National is debating the next steps.

OPM responded to the data breach with new security tools and launched multi-factor authentication for employees. The agency also made plans to hire a cybersecurity advisor.

Read more details here.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/26/2017 | 12:59:15 PM
Re: Interesting
Alas, the main reason it doesn't make sense is because reporters misreport and don't care enough to understand it themselves. (Scientists refer to this phenomenon as "Wet Roads Cause Rain".)

The law is not barring people from suing organizations who have wronged them by contributing to the compromise of their data. But if you have no actual damages to show/prove, then you generally have no remedy under the common law.

 A victim of actual identity theft or the like would have to be the plaintiff in such a case.

Does this seem draconian in the modern data age? Perhaps. But the common law doesn't concern itself with hypotheticals so much as actual damage. Maybe it's time for legislation to create a separate right of action for individuals independent of the common law, but fat chance seeing that, I suspect.

Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/26/2017 | 12:52:31 PM
Re: Interesting
That's not really the point. It's not about standing to sue.

The point is that one of the essential elements to prove a negligence case is damages. If damages cannot be proven/shown, then a negligence suit must fail as a matter of law.

And even other types of common-law actions generally won't yield favorable plaintiff results if actual damage cannot be shown.

And this will remain the case until and unless legislation gets passed giving private citizens a separate private right of action in these data-breach cases, with its own damages/award rubric that is independent of common-law actions.

(Disclaimer: This post/comment is provided for informational, educational and/or entertainment purposes only. Neither this nor other posts/comments on this website constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/25/2017 | 1:55:12 PM
One real question ... Thefr of "what" exactly
If a thief takes a physical thing - car, wallet, jewelry, etc --- then that can be defined with a serial number and such and retrieved, also with a hard currency value for the loss.   DATA is somehing else and to a degree, even a license plate on our car exposes us.  This is VISIBLE stuff, not hard value stuff, so what is stealing it?  Writing down with pen and paper?  Nope.  It gets nasty when thieves break into a secure value (Equifax) and steal data which is theft from Equifax of propety under contract.   Technically, the law should probably extend Contract law to include the invidiaul whose data has been compromised.  Fine legal argument there.  But a VALUE cannot be placed on the data UNLESS probably it is USED to something else.  Then the LOSS value kicks in.  If I have a lost credit card but do NOT use it, I have not invoked a loss per se.  I have no bought anything.  What harm then is done?  Now, if I then start to buy stuff ON the stolen card, a hard dollar value can be kicked in for recovery.  

Interesting fine points indeed. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:48:12 AM
Re: Based on outcome
An actor may wait weeks or months or have to dig through the 143 million stolen from Equifax before action is indeed taken I would agree, otherwise why attack in the first place, they will eventually use it what they captured.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:46:48 AM
Re: Based on outcome
lack of evidence that attackers maliciously used the data in question but is there a statute of limitation for instances like this? This would be a good question to ask, they may not have used it yet, that does not mean they will not.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:44:51 AM
Re: Interesting
Equifax should not be allowed to continue as a business I think there should be consequence for them, we are not sue how secure other two credit status firmss network.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:43:17 AM
Re: Interesting
This is a common probelm, the judiciary does not understand technology and they consequently make idiotic rulings based on that lack of understanding. That makes sense. It would be hard to find a judge who understands the technology well enough tough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:41:55 AM
Re: Interesting
a precedent that Equifax will surely jump on to ward off the class action suits against them. That would be my guess too. This will be a long legal battle I would guess.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:40:13 AM
Re: Information vs Money
The answer to your question is WHO was guarding the vault? Who has responsibility for the vault? I would say that is the organization itself. Data maybe in all over the network, no breach should have happened.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/25/2017 | 11:38:51 AM
Re: Information vs Money
information theft is invisible if compared to car or money theft That makes sense however data/information is value to the owners of that, and stolen so there should be consequence on that.
Page 1 / 2   >   >>
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23134
PUBLISHED: 2021-05-12
Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.2 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability.
CVE-2021-23135
PUBLISHED: 2021-05-12
Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.
CVE-2020-28722
PUBLISHED: 2021-05-12
Deskpro Cloud Platform and on-premise 2020.2.3.48207 from 2020-07-30 contains a cross-site scripting (XSS) vulnerability that can lead to an account takeover via custom email templates.
CVE-2020-18165
PUBLISHED: 2021-05-12
Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Website SEO Keywords" field on the page "admin/info.php?shuyu".
CVE-2020-19275
PUBLISHED: 2021-05-12
An Information Disclosure vulnerability exists in dhcms 2017-09-18 when entering invalid characters after the normal interface, which causes an error that will leak the physical path.