Shostack + Friends Blog Archive


Proskauer Rose Crows "Rows of Fallen Foes!"

Over on their blog, the law firm announces that yet another class action suit over a breach letter has been dismissed. Unfortunately, that firm is doing a fine business in getting rid of such suits. I say it’s unfortunate for two reasons: first, the sued business has to lay out a lot of money (not as much as a full trial, but it’s not socially useful to transfer money from shareholders to lawyers after a breach). Second, there may be some real harms, but those are not the subject of most of these suits.

As we see more and more breach notices, and as the number of social security numbers exposed comes to exceed the number issued, showing that a particular crime can be traced to a particular breach is going to get harder. The data is traded freely in markets and aggressively stirred together to make it harder to track origins.

Putting together a real case that this breach led to that problem and thus that company is liable is going to be tricky. (And then there’s the question of what actions a company must take, but that’s another post.)

So having learned to mow down all these lawsuits (and Proskauer has it down to a science), I’m going to propose that there’s something else they should be advising their clients: notify early and often. The more notices that are out there, the harder it becomes to pin liability for any incident on any one company. So embrace the brave new world in which disclosure is required, and don’t worry about it so much. And while you’re at it, tell us what happened so we can learn from it and start making new and innovative mistakes.