Recompense for Incompetence
March 21, 2007 12:13 PM

I received a letter last December from UCLA stating that "a restricted campus database containing personal information has been illegally accessed by a sophisticated computer hacker" (gotta love the assumption of "sophisticated" there). And that they regret to inform me my name is in the database. My question is, can I sue for damages? Is there already a class action lawsuit for damages against UCLA? What are my options? What traditionally happens to victims in these cases in terms of compensation?
posted by about_time to Law & Government (11 answers total) 1 user marked this as a favorite
Best answer: In the past, victims have received free subscriptions to credit monitoring services. Until you have actual damages, however, I don't think you'll get much more.
posted by Mr. Gunn at 12:32 PM on March 21, 2007

Very little happens. When UC let an unsecured laptop with my info (and that of many others) get stolen a few years ago, they offered me free credit monitoring (already free), and recommended I monitor my credit. There was a bit of an apology, but not a lot. That was it.
posted by gingerbeer at 12:46 PM on March 21, 2007

Have you been damaged? Can't sue for damages unless there are damages to sue for....
posted by mr_roboto at 1:01 PM on March 21, 2007

I got the same letter. And what mr_roboto said is true.

Can't sue for damages unless you've actually incurred damage. If you have your identity stolen, and it can be reasonably traced directly to the UCLA leak and no other source, then you may be able to get a few bucks for the cost of all the paperwork and time and money you will certainly have to spend to get your credit back in line.

And even in that case, good luck on proving it was because of the UCLA breach, and not someone swiping a bank statement or the like.
posted by chimaera at 1:21 PM on March 21, 2007

My institution has had to send out these notices lately. They do not necessarily mean that a hacker got your information, nor do they mean that someone is out there ruining your credit. They merely mean (in the case of my institution) that someone accessed the server/network through unauthorized means. In our situation, our server was most likely being used for proxy re-routing for spam. Heck, we are required to report any access by the state, so even if it was just a hacker testing the security and getting through, those letters go out.

Unless something actually turns up on your credit report, or there is proof that your information was used in some way, I highly doubt that you have a legal action.

Due to the difficulty in completely securing digital information, many universities are moving away from using students' social security numbers as IDs. But this is something that may happen with more and more frequency. Be alert, monitor your credit, but I wouldn't get too bent about it.
posted by teleri025 at 1:22 PM on March 21, 2007

Best answer: I got the same letter and was pissed.

Several people in my department have said that their identities have been stolen and many charges have been made on their bank accounts. Credit cards have been issued in their names without their knowing about it, also.

I don't know anything about a class action lawsuit against our school, but I'm definitely interested to find out. There's one thing you do need to make sure of: sign up for a credit monitoring service and watch your credit very closely.

Call one of the credit reporting agencies and have them issue a fraud alert on your account. If one agency issues a fraud alert, they will pass the info along to the other credit monitoring services so that you don't have to. The alert lasts 6 months, so you should renew it when it expires.
posted by HotPatatta at 1:25 PM on March 21, 2007

What traditionally happens to victims in these cases in terms of compensation?

I got a similar letter because my SSN was stolen in this hack on Univ of Texas. It's irritating, sure, but as has already been posted, you're not actually a victim.

If you got the letter three months ago, surely you've already notified the credit agencies and have been dutifully monitoring for unusual activity ever since, right? Is there something that has renewed your concern?
posted by pineapple at 1:43 PM on March 21, 2007

You need to have suffered damages. My SIN (SSN), full resume and other details were stolen when a Canadian government computer was taken. Can't do a thing without damages, unfortunately.
posted by acoutu at 2:28 PM on March 21, 2007

A friend of ours got this letter also. But a lawsuit was not at the top of his list of to-do's. Neither, I think, should it be at the top of yours unless you have genuinely suffered and think UCLA's negligence is the reason.
posted by yellowcandy at 2:33 PM on March 21, 2007

Response by poster: Thanks everyone for the answers. They are all useful.
posted by about_time at 2:54 PM on March 21, 2007

You could certainly try, but understand what educational institutions are up against in trying to secure data in the first place. Each school or department is steadfastly fighting against any sort of central control or oversight on their resources (be they computing or otherwise) even though there are countless people at the institution aware of the potential security issues but powerless to do anything about it.

In most instances, the registrar handles the student information and owns those records. Schools and departments request that data for any number of reasons and without any reliable controls in place to ensure that the data is secured properly, they are usually required by the institution to provide it anyway.

The unfortunate turnaround is that your situation sometimes happens. The benefit is that (hopefully) it wakes up a lot of people in the institution and assists in getting their houses in order. I know it doesn't help you much now, but it will help countless others. My recommendation is to contact someone of influence at the institution and tell them how important privacy is and that extra, centralized effort is required to ensure that it remains private.

Hopefully they listen. Unfortunately for me, my institution still hasn't listened and I'm expecting something like this to happen any day now.
posted by purephase at 5:16 PM on March 21, 2007
