AOH :: ISN 2007 :: ISNQ4504.HTM

AOH :: ISNQ4504.HTM
Judge throws out lawsuit by two OU alums related to IT security breach
Judge throws out lawsuit by two OU alums related to IT security breach Judge throws out lawsuit by two OU alums related to IT security breach

http://www.athensnews.com/issue/article.php3?story_id=29168 

By Jim Phillips
Athens NEWS Senior Writer
2007-09-04

A lawyer for two Ohio University alumni who sued OU over a computer 
security breach said Friday that a judge's decision to throw out the 
suit is sadly typical of how courts are dealing with the growing problem 
of computer data theft.

"It's frustrating," said attorney Marc D. Mezibov. In cases where 
hackers break into a computer network and access personal information, 
he said, "courts are reluctant to grant the proposition that when 
personal data is lost... there is harm," unless those whose data was 
accessed can clearly link the hacking to a later instance of identity 
theft.

Mezibov represents OU alums Donald J. Kulpa of Cincinnati and Kenneth D. 
Neben of New Jersey, who sued OU in the Ohio Court of Claims in June 
2006.

Kulpa and Neben were among tens of thousands of people - alums, 
employees, students, donors and contractors - whose personal data, 
including in many cases Social Security numbers - were exposed to 
hackers who broke into OU's computer network sometime in 2006 and 
possibly earlier.

In their suit, which they had asked Judge J. Craig Wright to certify as 
a class-action suit, the two demanded that OU pay for a 
court-administered credit-monitoring program for all victims of the data 
breach.

Last Wednesday, however, according to an OU news release, Wright granted 
a motion by the university to dismiss the suit. The judge essentially 
agreed with OU's main argument, that while Kulpa and Neben might be 
afraid their personal data will be used to rob them, they haven't shown 
any specific damages they've suffered because of the computer hacking.

"Just as patients who fear cancer -- but have not suffered from it -- 
lack standing to sue unless they have some injury and are 'reasonably 
certain' to contract cancer, alumni who fear identity theft -- but have 
not suffered from it -- lack standing to sue unless they have some 
injury and are 'reasonably certain' to become victims of identity 
theft," argued assistant state attorney general Randall W. Knutti in a 
motion on OU's behalf.

OU's release quoted President Roderick McDavis as saying that while he 
sympathizes with those whose information was hacked, he believes Wright 
made the right decision.

"I understand how people felt when they learned that their data may have 
been exposed, because I was one of those people," said McDavis, a 1970 
alum. "It can be frightening to think your personal information could be 
vulnerable."

He added, however, that "no individuals have suffered losses from this, 
though, and we remain hopeful that no one ever will... I am pleased that 
the court agrees."

Mezibov said it's unfortunate that courts seem to be moving in the 
direction of ruling "no harm, no foul," when an individual's personal 
information is hacked from an institution's computer, and the person 
can't show a specific theft resulting from it.

What this approach misses, the attorney argued, is that to avoid or 
minimize such theft typically involves a cost, to monitor one's credit.

"People have to spend money," he said.

He noted that the hacking of personal data from large computer networks 
seems to have become a common occurrence these days, and that courts may 
be hesitant to set the precedent that the owner of a network is 
responsible to pay for the impacts of a security breach.

"It's all over the media every day, but whenever it happens, they say 
there's no harm," he said. "I think there are concerns that it would be 
opening the floodgates."

Mezibov said his clients haven't decided what their next step will be. 
He said options include appealing the Court of Claims decision, filing a 
new suit for injunctive relief in a county common pleas court, or simply 
dropping the fight.

"There are a couple of options," he said. "We don't know at this point 
what we're going to do."


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/