I am horrified by a story I read today that ran on BBC News. It was about the recent LVO key leak, but the horror rested at the end of the article, where the following appeared (sic):
“A US judge has thrown out a mass lawsuit brought by users of the PlayStation Network, following a huge security breach in May 2011 which saw the user information of 69 million customers exposed.
The suit accused Sony of failing to adequately protect information and exposing users to identity theft. Judge Battaglia from the US District Court of Southern California pointed to a clause in the user agreement which noted that “there was no such thing as perfect security” and said that the disclaimers meant there were no grounds for the lawsuits.
The plaintiffs have until 9 November to appeal against the decision.”
It seems that it has actually come to this level of astonishing, full-on ignorance, whereby any asinine statement made by a company is now sufficient grounds to absolve them of any and all responsibility for what I find to be blatant (and apparently), remorseless mismanagement of data entrusted to them….. or worse.
“There’s no such thing as perfect security.” Well duh. That’s only RULE NUMBER ONE of security practice. Judge Battaglia, I don’t suppose you’ve ever read about this rule or did even the lightest pass on “homework”, eh?
Maybe here: http://technet.microsoft.com/en-us/library/cc512671.aspx
Or hell, even HERE would have been a start: http://www.scribd.com/doc/441763/The-New-Law-of-Information-Security-Negligence
But that is also to completely miss the point.
The question isn’t “Should SONY perfectly protect user data?”
It is: “Did SONY have in place the best practices, standards, and technology to demonstrate that they were making reasonable effort TO protect user data?”
And: “Is a single line in an ocean of legalese that pays lipservice (and little more?) to security reasonably sufficient to absolve SONY of ALL responsibility?”
Of course, these questions require a judge with at least SOME grasp OF technology, or to at least the sense to have consultation with those who do. Instead, as I see it, Judge Battaglia has decided in his/her “infinite wisdom” that the above questions not only do not deserve a response, but that those who have been compromised as a result are undeserving of consideration because SONY’s legal team included this statement in a user agreement.
So, essentially, a company is no longer responsible for mismanaging (or deliberately not addressing?) basic security practices in technology if they include “nothing’s perfect” in their user agreement.
Awesome. Great job protecting consumers, Judge Battaglia. Why don’t you just decide that consumers have no right to expect reasonable precautions at all? That’s essentially what you’ve now entered to the case law library with this ridiculous decision. You didn’t even try to discover it. You essentially stopped at the first excuse to clear your case log and, it seems, didn’t much give a damn what that actually means to those affected.
Battaglia, have you heard of PCI? Are you even remotely aware of the activity and effort in the technology industry to manage it? Just wondering.
On the other hand, putting on my Devil’s Advocate hat (and believe me, considering this is SONY, it couldn’t be more aptly named)…
Any consumer who agrees to something that fundamentally strips them of recourse in the event of mismanagement or deliberate negligence is a fool.
THAT said… as it well known and damn well documented, the software, gaming, and technology industry (along with a number of others) have made something of a game (cough) of screwing the customer out of due and proper legal resource. And, from all appearances, it seems Battaglia has no issue with this, either. Indeed, I think I’ll just add a disclaimer to my contracts and invoices that reads, “There’s no such thing as a perfect human” and, if we’re to use Battaglia’s rule of law, I can pretty much do as I damn well please…. fraud laws, tort, and contract law be damned.
Like I said… nice work, Battaglia. Well, for corporations, if not for the public you’re supposed to be protecting.
I kicked SONY to the curb years ago over similar concerns. You couldn’t PAY ME or GIFT ME a SONY product or service. Primarily because of crap like this, but also because any company who can have the same damn thing happen repeatedly, in my opinion as a technical analyst, security architect, and business analyst, not only does not deserve my business, they quite obviously wouldn’t know how to appropriately PROTECT my business if they DID have it.
I sincerely hope the people involved in this suit DO appeal, have the sense to get EPIC, EFF, and the ACLU involved, and I wish to them the fortitude, persistence, and gumption to take this kind of corporate callousness and judicial ignorance to the damned mat.