Jeff,

On Wed, Apr 11, 2012 at 8:02 AM, Jeffrey Walton <[email protected]> wrote:
> On Wed, Apr 11, 2012 at 1:22 AM, Kevin W. Wall <[email protected]> wrote:
>> On Tue, Apr 3, 2012 at 9:35 AM, ianG <[email protected]> wrote:
>>>
>>> [Big SNIP]
>>>
>>
>> The big risk in having CCs or banking info stolen is the subsequent
>> (usually class action) lawsuits that usually follow. So these things are
>> done as part of following industry "best practice", in which case you can
>> at least claim that you've done due diligence and if you lose, at least the
>> claimants in the lawsuit are awarded treble damages
>
> Rarely (if ever) happens. Judges usually don't certify the suit
> because claimants cannot demonstrate loss.
>
> I am only aware of one recent case that showed otherwise.

If you go back and read carefully, you will see that I was
never claiming that. If a company can show that a breach
happened _despite_ them doing due diligence and following
generally accepted industry "best practice", then generally
a judge or jury will not find them "negligent". If one is found
negligent, in some states at least (at least what I've been
told by corporate attorneys) the claimants can be awarded
treble the damages.  So I guess the "shit happens" defense
is somewhat useful after all, as long as you cover your bases. ;-)

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
