[Dataloss] VISA / 1ST BANK

Marjorie Simmons lawyer at carpereslegalis.com
Fri Oct 20 23:25:34 EDT 2006


re show of hands: both.

Actually, I had my identity stolen the first time about
30 years ago when a former 'friend' decided to
impersonate me (don't know how) and social engineer
a bank into giving her a loan, which she then promptly
defaulted on.  I was in the military at the time and this
person was hundreds of miles away. I got a call from
my family telling me a bank was looking for me ....

---------------------------------------------------------------------------

A solution that the courts will find comfortable requires
(1) following the money; and
(2) showing how victims are damaged.

All interested researchers should do this, i.e., match up
the data losses with the derivative losses to the victims
in order to show a pattern of risk that legislators will find
helpful, and to show where damages lie and in what
amount so victims can find recompense.

Keeping the relationships straight between the parties to
the compromised transactions as discussed in this instance
is important to a good understanding of the limitations of
available remedies. For example, data compromise scenarios
can include, among others:

  M  = Merchants
  CP = Card Processors
  PB = Presenting Banks of Card Companies
  RB = Receiving Banks of Victims
  VI = Victim Individuals

  M  - often don't keep more than transaction numbers
  CP - keep account & transaction numbers, sometimes more
  PB - present to RB a transaction on an account
  RB - get notified by PB of upstream data losses

So, to put these players into a scenario, we have a VI
who, upon shopping with M, enters into a transaction.
The M then uses the CP to process the transaction, the
CP then submits the transaction to the PB, the PB then
presents the transaction to the RB for payment. At some
point along the way, data is compromised.

Determining where in the stream of this transaction the
compromise takes place is crucial to an ultimate
assignment of fault, thus it is axiomatic that parties in
the stream who are not at fault in the loss would decline
to spread information about the loss since they will be
investigated as part of the discovery of what took place.
Divulging information about the loss before investigations
are completed likely both impairs the investigation and
results in further losses, exposing them to criminal liability.
Most don't need their lawyers to explain this since it is
self-evident to them, if not to the general public.

Generally, if a merchant or CP compromises your data, your
bank will instruct you to contact the card issuer to find out
who compromised your data.  If it is known to them, the
card issuer may or may not reveal the source of the breach,
but should. Card agreements often try to preempt this type
of disclosure, and this is where legislation should be
targeted.

====

Here is some legal background on what is needed:

In order to bring a viable lawsuit, a plaintiff must be able to
show they've suffered damages.  One must show:

    Duty --->  Breach ---> Causation ---> Damages

The judiciary concerns itself with things that have a current
or past impact, and if one tries to bring a suit for something
that might happen in the future, the courts will generally
not entertain the suit because it is not *ripe* for judicial
consideration. Ripeness is an essential factor in a lawsuit.
Ultimately this can mean your credit has to be hosed
before you can sue.

The courts generally:

(1) do NOT recognize data losses per se as damages
     (as to the individual victims of data loss) unless
     the loss results in actual injury, e.g., the thief
     uses the data in a way that causes financial loss
     or physical injury to the victim;

(2) DO recognize data losses as a type of damages in a
     suit brought by shareholders, investors, or some
     other classes of persons having a pecuniary interest
     in the 'good will' of a business that has had its
     'good will' damaged by losing data.

In both such cases, the loss of the data CAN result in a
derivative loss to the victim that is measurable, and that
result is litigable.  Non-specific (outrage factor) damages
are not measurable in any way except through speculation
of what might be done with the compromised data in the
future, and are thus called 'speculative damages':  they
don't qualify for consideration as damages primarily
because they cannot be measured and might not happen.
Having one's card(s) cancelled and reissued isn't enough as
that's considered, at this point, an annoyance rather than a
loss.

In the short term, most data losses do not have a measurable
derivative loss to the individual victim whose data has been
compromised, but in the fullness of time, the loss to victims
will be more measurable as thieves begin to use the data
they've compiled.  Connecting the dots here is the tricky
part and following up on this is complex but is nonetheless
absolutely necessary -- one must correlate the losses to get
to damages.

One cannot emphasize strongly enough that the indicators that
compromised data have been used to the detriment of victims
need to be a primary area of concern for researchers in order
to be able to show damages.

FOIA letters to states' attorneys general requesting statistical
data might yield some helpful results for a roadmap.

Helpful legislation would designate generic data losses as
a per se wrong carrying strict liability, and would require the
data loser to, at minimum, pay for credit monitoring for each
person affected, without regard to whether the feds or other
investigative body think such data is 'safe'.

In the US, write your congress member about this, and vote.

Marjorie Simmons

###

| -----Original Message-----
| From: dataloss-bounces at attrition.org
| [mailto:dataloss-bounces at attrition.org] On Behalf Of blitz
| Sent: Thursday, October 19, 2006 9:22 pm
| To: dataloss at attrition.org
| Cc: kjv
| Subject: Re: [Dataloss] VISA / 1ST BANK
|
|
| I think what we're seeing is the affected companies being
| told by their law-vultures to release as little as possible
| to minimize exposure. This in its essence, limits as well,
| the ability of independent verification and investigation to
| assist others in prevention and bring guilty parties to justice.
| This is a trend that should be stopped ASAP.
 . . . .
|
| One more notable side effect I'm seeing is the taking on
| blind faith that a missing data set has been recovered and
| has not been tampered with.
  . . . .
| Marc
|
| At 16:43 10/19/2006, you wrote:
|
|
| 	The way I read the notification, it didn't sound like
| the processor was affiliated with 1st Bank:
|
. . . .
|
| On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K.
| DeLong wrote:
|
| > Well, whoever it was will probably get whacked with a HUGE fine for
| > violating PCI Security standards. I'm guessing it won't take long to
| > determine who falls under approved card processors for Visa.
|