AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Encryption Software: RockYou Sued After Data Breach

RockYou, a developer of online applications and services--such as slideshow apps and games for Web 2.0 sites like Facebook and MySpace--was named in a class action lawsuit this past Monday.  Among the complaints is that RockYou did not use encryption, such as AlertBoot, to safeguard personal information against data breaches.

Will RockYou have a fighting chance against this lawsuit?  Unfortunately, I'm not a lawyer, so I can't give any legal weight on the matter; but, I do know from past cases that suits brought against companies are struck down if actual harm cannot be established.  And, someone having your information is not considered to be harmful in its own right.  It's like when you can't jail a serial killer just for having a knife in his possession; he actually has to commit a crime with said knife.

Likewise, it must be established by people whose information was breached that they suffered some kind of crime/harm: having to pay off credit card bills, for example, because someone opened credit cards in their name and painted the town red with that plastic.

Of course, it must also be established that the identity theft stemmed from the breach at RockYou, a very difficult thing to do.  I mean, data breaches occur left and right.  How can the plaintiffs guarantee that there is a direct link between RockYou and some crime involving personal information?

The most certain way would be to catch the criminals; trace the chain of events, such as the buying of the personal information, all the way to the hackers themselves; and then see if it leads back to RockYou.  The odds of this happening are nil.

I think there may be a flaw in the suit itself, though:

The lawsuit alleges that RockYou maintained its customers’ email account and password information, as well as the login credentials for social networking sites, in an unencrypted and unsecured database.  As a result, according to the lawsuit, hackers were able to harvest all of this information by utilizing a well-known and easy-to-prevent exploit. [my emphasis]

Like I said, I'm not a lawyer.  However, I have read (too) many legal documents, including legislation and state and federal bills, and I have never come across instances where e-mail addresses, passwords, and usernames are considered to be "sensitive personal information."

Of course, this case could end up being the watershed moment when such information is considered to be sensitive personal information.  I wouldn't count on it though.


Related Articles and Sites:
http://www.databreaches.net/?p=9196
http://www.prnewschannel.com/absolutenm/templates/?z=0&a=2046

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.