By Jim Phillips
Athens NEWS Senior Writer
A lawyer for two Ohio University alumni who sued OU over a computer
security breach said Friday that a judge's decision to throw out the
suit is sadly typical of how courts are dealing with the growing problem
of computer data theft.
"It's frustrating," said attorney Marc D. Mezibov. In cases where
hackers break into a computer network and access personal information,
he said, "courts are reluctant to grant the proposition that when
personal data is lost... there is harm," unless those whose data was
accessed can clearly link the hacking to a later instance of identity
Mezibov represents OU alums Donald J. Kulpa of Cincinnati and Kenneth D.
Neben of New Jersey, who sued OU in the Ohio Court of Claims in June
Kulpa and Neben were among tens of thousands of people - alums,
employees, students, donors and contractors - whose personal data,
including in many cases Social Security numbers - were exposed to
hackers who broke into OU's computer network sometime in 2006 and
In their suit, which they had asked Judge J. Craig Wright to certify as
a class-action suit, the two demanded that OU pay for a
court-administered credit-monitoring program for all victims of the data
Last Wednesday, however, according to an OU news release, Wright granted
a motion by the university to dismiss the suit. The judge essentially
agreed with OU's main argument, that while Kulpa and Neben might be
afraid their personal data will be used to rob them, they haven't shown
any specific damages they've suffered because of the computer hacking.
"Just as patients who fear cancer -- but have not suffered from it --
lack standing to sue unless they have some injury and are 'reasonably
certain' to contract cancer, alumni who fear identity theft -- but have
not suffered from it -- lack standing to sue unless they have some
injury and are 'reasonably certain' to become victims of identity
theft," argued assistant state attorney general Randall W. Knutti in a
motion on OU's behalf.
OU's release quoted President Roderick McDavis as saying that while he
sympathizes with those whose information was hacked, he believes Wright
made the right decision.
"I understand how people felt when they learned that their data may have
been exposed, because I was one of those people," said McDavis, a 1970
alum. "It can be frightening to think your personal information could be
He added, however, that "no individuals have suffered losses from this,
though, and we remain hopeful that no one ever will... I am pleased that
the court agrees."
Mezibov said it's unfortunate that courts seem to be moving in the
direction of ruling "no harm, no foul," when an individual's personal
information is hacked from an institution's computer, and the person
can't show a specific theft resulting from it.
What this approach misses, the attorney argued, is that to avoid or
minimize such theft typically involves a cost, to monitor one's credit.
"People have to spend money," he said.
He noted that the hacking of personal data from large computer networks
seems to have become a common occurrence these days, and that courts may
be hesitant to set the precedent that the owner of a network is
responsible to pay for the impacts of a security breach.
"It's all over the media every day, but whenever it happens, they say
there's no harm," he said. "I think there are concerns that it would be
opening the floodgates."
Mezibov said his clients haven't decided what their next step will be.
He said options include appealing the Court of Claims decision, filing a
new suit for injunctive relief in a county common pleas court, or simply
dropping the fight.
"There are a couple of options," he said. "We don't know at this point
what we're going to do."
Attend HITBSecConf2007 - Malaysia
Taking place September 3-6 2007 featuring seven tracks of technical
training and a dual-track security conference with keynote speakers
Lance Spitzner and Mikko Hypponen! - Book your seats today!