Wednesday, April 20, 2011

Uh, Oh: Epsilon Email Breach Exposed Medical Info

The Epsilon data breach just got more serious — or at least, more
embarrassing. When the database hack that compromised the subscriber
lists of over 100 companies was first revealed, Epsilon said that only
names and email addresses were exposed — meaning all the millions of
people affected had to fear was a flood of spam and possibly some
targeted phishing attacks. But now there’s a drug company on the
Epsilon breach list, and its client list included the drug websites to
which its customers subscribed — which in turn implies which medical
conditions those customers may suffer from.

The Wall Street Journal reports that GlaxoSmithKline sent a letter to
consumers over the weekend who had “registered with Glaxo Web sites
for some prescription and nonprescription drugs and products,” warning
them that their email addresses and names had been hacked, and that
the stolen information “may have identified the product website on
which you registered.”

Glaxo has websites for products ranging from HIV, bipolar disorder,
and depression medication to Nicorette gum. And if you’re a Beano
registrant, some hacker out there may be having a gas at your expense.

As the law stands now, it’s still unlikely Epsilon and Glaxo would get
into legal trouble for this breach, as there’s no direct financial
harm from the information being exposed. But that could change in the
future.

“The Johns” (a.k.a. Senators Kerry and McCain) are pushing for a new
commercial privacy bill of rights that would put the onus on companies
to keep data secure; one reading of this is as a requirement that
companies encrypt the user information they keep in their databases.
Meanwhile, in California, a federal judge has set an unusual legal
precedent by letting a lawsuit against social media game developer
RockYou move forward based only on the 2009 exposure of its users’
email addresses after its database was hacked. The judge asserted that
our email addresses are a kind of “property” with some “ascertainable
but unidentified ‘value.’”

Technology lawyer Eric Goldman predicts the case against RockYou is
ultimately doomed, because the plaintiffs still have to prove some
kind of damages. That usually means financial damage. The
inconvenience of a deluge of junk mail post-hack doesn’t suffice.
