Wednesday, June 10, 2009

[RANT] When All Else Fails... Sue 'Em

Look, I'm all for changing attitudes and forcing companies to take the privacy and security of your personal and private information seriously, but where do we draw the line? In case you haven't heard yet [which means you've likely been living in a cave... or under a rock], Aetna is being sued by Cornelius Allison ...

"The complaint alleges that "Aetna unlawfully failed to maintain reasonable systems and procedures to protect (Allison's) and (other employees) information."

The suit also alleges that the company failed to follow its own privacy policy charging them with negligence, breach of implied contract, negligent misrepresentation, and invasion of privacy."

That blows my mind for a number of reasons. Like I said, I'm typically the first one in line calling for the lynching of careless companies but this doesn't smell right.

First off, "unlawfully failed to maintain reasonable systems and procedures"... what is that referring to? What law is this guy citing? If there were a law [not a compliance regulation] that defined this, I think a lot of companies would be in serious trouble... but I can't find anything to reference - am I missing something?

I think that in order to prove negligence, breach of implied contract and other nasties you'd have to be able to prove intent... right? This isn't realistic in a case like this unless this guy has an insider who's willing to say "Yes, they were negligent and ignored best practice and left vulnerabilities in the system". I'm no lawyer - but this strikes me as a fishing expedition against a company that got hacked [as pretty much everyone has by now] and then was responsible and tried to proactively warn people. What's the problem?

I looked up Aetna's Web Privacy Policy and the only thing I can think of that even makes sense is if Aetna was somehow moving this private data between sites within their system carelessly? I don't know... but they do have an extensive disclaimer of liability... which I guess makes sense for a large company to protect itself.

I can understand a user's frustration with their personal and private (SSN is pretty private, although it shouldn't be... don't even get me started on that) information being stolen, but suing Aetna may not accomplish much of this person's actual goal. Will a lawsuit make better security happen? Maybe. Will it make companies think twice about disclosing potential breaches for fear of getting sued? Yes... probably. Is that a good thing? No.

For every action, there is an equal and opposite reaction... right? Well... I may be the perpetual cynic, but I just don't see the light at the end of this tunnel. Here's why:

  1. From everything I can tell, this wasn't some egregious hack where millions of private records were stolen from a poorly secured site (in fact, we have no idea how the info was stolen)
  2. From their public releases (and 3rd-party investigations) it has not been determined that anything other than email addresses was pilfered! (which isn't exactly private info)
  3. Additionally, the notification was proactive, meaning Aetna was trying to be protective of their users... and I think they did the right thing
  4. Ultimately - this will lead to more companies being sheepish about talking about breaches (or potential breaches) for fear of suit-happy users...

I can't figure out which is worse here... some guy with his hand out, obviously fishing for some free money... OR... a company that really needs to learn the value of their customers' data the hard way.

I welcome your thoughts!


M Puckett said...

As a healthcare provider, they are bound to HIPAA regulations - and I don't know for sure, but I'd guess that's the basis for this lawsuit.

alan shimel said...

Raf - Actually, intent in negligence is not required. Think of medical malpractice or car accident cases. Do you think they intended to do harm? No, the lawful standard here is: did Aetna take "reasonable" care that a similarly situated company would take?
This type of lawsuit is exactly how our system works. It is this stuff that has forced manufacturers to correct design defects, etc. Maybe the message will come across that these companies need to take at least reasonable precautions.