http://www.athensnews.com/issue/article.php3?story_id=29168 By Jim Phillips Athens NEWS Senior Writer 2007-09-04 A lawyer for two Ohio University alumni who sued OU over a computer security breach said Friday that a judge's decision to throw out the suit is sadly typical of how courts are dealing with the growing problem of computer data theft. "It's frustrating," said attorney Marc D. Mezibov. In cases where hackers break into a computer network and access personal information, he said, "courts are reluctant to grant the proposition that when personal data is lost... there is harm," unless those whose data was accessed can clearly link the hacking to a later instance of identity theft. Mezibov represents OU alums Donald J. Kulpa of Cincinnati and Kenneth D. Neben of New Jersey, who sued OU in the Ohio Court of Claims in June 2006. Kulpa and Neben were among tens of thousands of people - alums, employees, students, donors and contractors - whose personal data, including in many cases Social Security numbers - were exposed to hackers who broke into OU's computer network sometime in 2006 and possibly earlier. In their suit, which they had asked Judge J. Craig Wright to certify as a class-action suit, the two demanded that OU pay for a court-administered credit-monitoring program for all victims of the data breach. Last Wednesday, however, according to an OU news release, Wright granted a motion by the university to dismiss the suit. The judge essentially agreed with OU's main argument, that while Kulpa and Neben might be afraid their personal data will be used to rob them, they haven't shown any specific damages they've suffered because of the computer hacking. "Just as patients who fear cancer -- but have not suffered from it -- lack standing to sue unless they have some injury and are 'reasonably certain' to contract cancer, alumni who fear identity theft -- but have not suffered from it -- lack standing to sue unless they have some injury and are 'reasonably certain' to become victims of identity theft," argued assistant state attorney general Randall W. Knutti in a motion on OU's behalf. OU's release quoted President Roderick McDavis as saying that while he sympathizes with those whose information was hacked, he believes Wright made the right decision. "I understand how people felt when they learned that their data may have been exposed, because I was one of those people," said McDavis, a 1970 alum. "It can be frightening to think your personal information could be vulnerable." He added, however, that "no individuals have suffered losses from this, though, and we remain hopeful that no one ever will... I am pleased that the court agrees." Mezibov said it's unfortunate that courts seem to be moving in the direction of ruling "no harm, no foul," when an individual's personal information is hacked from an institution's computer, and the person can't show a specific theft resulting from it. What this approach misses, the attorney argued, is that to avoid or minimize such theft typically involves a cost, to monitor one's credit. "People have to spend money," he said. He noted that the hacking of personal data from large computer networks seems to have become a common occurrence these days, and that courts may be hesitant to set the precedent that the owner of a network is responsible to pay for the impacts of a security breach. "It's all over the media every day, but whenever it happens, they say there's no harm," he said. "I think there are concerns that it would be opening the floodgates." Mezibov said his clients haven't decided what their next step will be. He said options include appealing the Court of Claims decision, filing a new suit for injunctive relief in a county common pleas court, or simply dropping the fight. "There are a couple of options," he said. "We don't know at this point what we're going to do." ____________________________________ Attend HITBSecConf2007 - Malaysia Taking place September 3-6 2007 featuring seven tracks of technical training and a dual-track security conference with keynote speakers Lance Spitzner and Mikko Hypponen! - Book your seats today! http://conference.hitb.org/hitbsecconf2007kl/
This archive was generated by hypermail 2.1.3 : Tue Sep 04 2007 - 22:22:33 PDT