The future belongs to the quants
The title is of course stolen from Dan Geer.
By now, many readers of these words will be familiar with the recent finding in Guin v. Brazos Higher Education Services [pdf] that a financial Institution has no duty to encrypt a customer database.
In dismissing the case with prejudice, the court took note of an earlier case:
The facts of this case are closely analogous to Stollenwerk v. Tri-West Healthcare
Alliance, No. Civ. 03-0185, 2005 WL 2465906 (D. Ariz. Sept. 6, 2005). In Stollenwerk,
the defendant’s corporate office was burglarized and a number of items stolen, including
computer hard drives containing the personal information of defendant’s customers.
In support of their negligence claim, two plaintiffs relied on the opinion of an expert who
described their injury as “an increased risk of experiencing identity fraud for the next seven
years.???
The district court expressly rejected the expert testimony because
“the affidavit of plaintiffs’ expert conclusorily posits that plaintiff’s risk of identity fraud is
significantly increased without quantifying the risk.???
(emphasis mine)
IANAL, and I apologize to any lawyers reading this for my selective quotation and elision of case citations and footnotes. I have no opinion on the merits of this case because I do not know the law, particularly the case law.
That having been said, the juicy part is the part I emphasized — you want to say you were harmed because you were put at increased risk? You need to quantify that risk. I may be reading too much into this, but this looks to me like the judge in Stollenwerk was saying “Don’t bring me experts who draw conclusions they don’t back with data. Don’t give me a ‘red-yellow-green’ dashboard. I want to see how much additional risk you now are burdened with”.
Actually, I think its worse. They quantified the risk wrongly.
There’s no form of ID theft that leads to 7 years of increased risk. SSN fraud puts you at risk forever. CC fraud, a few years at most.