Security And Privacy Legal Cases Vie For 2013 Headlines

We're not even all the way into the second month of 2013, and it is already shaping up to be a busy year in the realm of security and privacy law. Juicy corporate espionage suits, privacy violation fines from regulatory agencies, and class-action settlements have all abounded in the past month-and-a-half. If the courts keep pace with the current tempo of cases hitting the dockets, then 2013 looks to be a precedent-setting year.

Here's a look at some of the highlights.

$1 Million In Lawsuit Settlements On Poor DMV Access Controls
Former St. Paul, Minn.-police officer Anne Marie Rasmusson scored more than $1 million in lawsuit settlements after filing a spate of privacy violation lawsuits around abuse of DMV user accounts by fellow police officers. Just more than 100 cops looked up her driver's license picture more than 400 times within a two-year window, violating the law and police policies in the process.

Perhaps the most significant part of this case is its exposure of the rampant misuse of Minnesota DMV systems by police officers. Now the state is facing nine more lawsuits from other parties who claim cops used driver and vehicle services databases illegally to access citizen records.

Security Lessons Learned: Access control is more than the act of provisioning users and letting them do their thing. Part of Rasmusson's settlements mandate that the municipalities in question ramp up their monitoring of user behavior to look for anomalous activity that could be a red flag for legitimate users engaging in illicit system use.

Sony Fined £250,000
The privacy regulators at the U.K. Information Commissioner's Office fined Sony £250,000, or just more than $386,000, for lack of due diligence to prevent the PlayStation Network hack that exposed personally identifiable information of 77 million of its customer.

Though many compliance experts regard the fine as a light slap on the wrist, they say it could be a precursor of more substantial financial repercussions in Europe in light of the new EU Data Protection Regulation.

"The ICO determined that Sony failed to take appropriate technical measures to protect the personal data of its users because Sony could have updated its software and prevented the breach," says Sue Foster, an attorney with Mintz Levin in London. "Today that costs £250,000. But in two years, it may cost much, much more."

Security Lessons Learned: Patch management and vulnerability management matter at all levels of IT infrastructure. The ICO levied its fine largely due to Sony's disregard of network vulnerabilities that could have easily been remediated to prevent the attack.

[Are your backup databases putting your organization at risk? See Backup Databases: The Data Security Achilles Heel.]

"It is likely that the attacker gained access to the Network Platform through a vulnerability,"the ICO wrote in a heavily redacted report. "However, the data controller failed to take the action required to address the vulnerability even though appropriate updates were available."

Ernst & Young and Express Scripts Battle Over Insider Charges
Express Scripts Holding Company is throwing down heavy charges in a lawsuit against Ernst & Young that accuses one of its former partners of stealing trade secrets from Express Scripts for the benefit of EY's healthcare business. According to a Reuters report yesterday, the suit claims that an EY employee who worked as a part of the firm's healthcare practice snuck into Express Scripts facilities around the time that the pharmaceutical company wrapped up a $29 billion acquisition of Medco Health Solutions.

The suit says he emailed confidential files to a private email accounts and that the actions were done to help the accounting firm gain more business from Express Scripts, Medco, and competitors in the medical market

Security Lessons Learned: The lawsuit alleges that the former EY employee stole more than 20,000 pages of documents with pricing information, business projections, and strategy. While it's still unclear how Express Scripts found the discrepancies that led the firm to file suit, the insider situation offers a classic use case for monitoring and data loss prevention technology in detection of IP theft.

Cord Blood Registry Sanctioned By FTC, Settles Suit For More Than $112 Million
The legal ramifications of a breach that exposed 300,000 patient records back in December 2010 are just now trickling in for Cord Blood Registry (CBR). Last month the Federal Trade Commission announced that it settled charges against CBR that the company did not hold true to its privacy policy.

"CBR allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft," the FTC said in the announcement, which showed that while regulators didn't fine the company, it did put it under monitoring for 20 years.

That was quickly followed up by a California federal judge giving tentative approval for settlement of a separate class-action suit brought on behalf of affected clients, who will all receive up to two years of credit monitoring and insurance. The settlement package came out to more than $112 million.

Security Lessons Learned: First and foremost, the CBR breach offers a reminder of how important it is to protect data throughout its life cycle -- including backup. The breach was caused by the loss of backup tapes containing relevant customer data. The most recent activity by the FTC offers another valuable lesson in why companies should not be blowing rainbows up their customers' derrieres with optimistic or untrue privacy policies. FTC regulators are starting to crack down on privacy policy violations, and this is just one action among many that they've taken to punish corporate offenders.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.