The complaint alleges that "Aetna unlawfully failed to maintain reasonable systems and procedures to protect (Allison's) and (other employees') information."
That blows my mind for a number of reasons. Like I said, I'm typically the first one in line calling for the lynching of careless companies but this doesn't smell right.
First off, "unlawfully failed to maintain reasonable systems and procedures"... what is that referring to? What law is this guy citing? If there were a law [not a compliance regulation] that defined this, I think a lot of companies would be in serious trouble... but I can't find anything to reference. Am I missing something?
I think that in order to prove negligence, breach of implied contract and other nasties you'd have to be able to prove intent... right? This isn't realistic in a case like this unless this guy has an insider who's willing to say "Yes, they were negligent and ignored best practice and left vulnerabilities in the system". I'm no lawyer, but this strikes me as a fishing expedition against a company that got hacked [as pretty much everyone has by now] and then was responsible and tried to proactively warn people. What's the problem?
I can understand a user's frustration with their personal and private (SSN is pretty private, although it shouldn't be... don't even get me started on that) information being stolen, but suing Aetna may not accomplish much of this person's actual goal. Will a lawsuit make better security happen? Maybe. Will it make companies think twice about disclosing potential breaches for fear of getting sued? Yes... probably. Is that a good thing? No.
For every action, there is an equal and opposite reaction... right? Well... I may be the perpetual cynic but I just don't see the light at the end of this tunnel, here's why:
- From everything I can tell, this wasn't some egregious hack where millions of private records were stolen from a poorly secured site (in fact, we have no idea how the info was stolen)
- From their public releases (and 3rd party investigations) it has not been determined that anything other than email addresses were pilfered! (which isn't exactly private info)
- Additionally, the notification was proactive, meaning Aetna was trying to be protective of their users... and I think they did the right thing
- Ultimately - this will lead to more companies being sheepish to talk about breaches (or potential breaches) for fear of suit-happy users...
I can't figure out which is worse here... some guy with his hand out, obviously fishing for some free money... OR... a company that really needs to learn the value of their customers' data the hard way.
I welcome your thoughts!