It looks like the third-party vendor that did some data processing for the The Gap, and created one of the bigger data breaches to date in the US, back in 2007, has finally been revealed. It looks like that company is Vangent. If you'll recall, two laptops were stolen. These were supposed to be protected with laptop encryption software which turned out not to be the case. Vangent's name came to light during a Ninth US Circuit Court of Appeals judgment. The court upheld a lower court's decision that a person could not seek redress against Gap, Inc. because of a mere data breach.
It looks like the third-party vendor that did some data processing for the The Gap, and created one of the bigger data breaches to date in the US, back in 2007, has finally been revealed. It looks like that company is Vangent. If you'll recall, two laptops were stolen. These were supposed to be protected with laptop encryption software which turned out not to be the case.
Vangent's name came to light during a Ninth US Circuit Court of Appeals judgment. The court upheld a lower court's decision that a person could not seek redress against Gap, Inc. because of a mere data breach.
This is actually a common decision: the idea is that you can't sue a company because you feel threatened because of a data breach. You have to prove that you've been affected, that you've experienced real harm. In other words, if a computer is stolen with your SSN, and you sue a company for that data breach, you'd better be able to prove that the incident resulted in your identity being stolen. The fact that you're at increased risk of identity theft in the future ("speculative harm")--while the courts are willing to admit is a real risk--is not grounds for winning a lawsuit.
This is actually a common decision: the idea is that you can't sue a company because you feel threatened because of a data breach. You have to prove that you've been affected, that you've experienced real harm.
In other words, if a computer is stolen with your SSN, and you sue a company for that data breach, you'd better be able to prove that the incident resulted in your identity being stolen.
The fact that you're at increased risk of identity theft in the future ("speculative harm")--while the courts are willing to admit is a real risk--is not grounds for winning a lawsuit.
As I've mentioned, full disk encryption was supposed to be on the two stolen laptops. It's never been revealed, as far as I know, why these machines used by the third party (to The Gap, that is) were not protected. It could be that they forgot about it. Or that the machines just fell through the cracks. I mean, Vangent is a pretty big consultancy. A review of their history shows growth via acquisitions, and that means lots of complications when integrating companies. Interestingly enough, they have a page of customers which list the Department of Defense, a number of health care institutions, and other corporations like Toys R Us. The Gap is not listed. Which could mean be meaningless. Or not.
As I've mentioned, full disk encryption was supposed to be on the two stolen laptops. It's never been revealed, as far as I know, why these machines used by the third party (to The Gap, that is) were not protected.
It could be that they forgot about it. Or that the machines just fell through the cracks. I mean, Vangent is a pretty big consultancy. A review of their history shows growth via acquisitions, and that means lots of complications when integrating companies.
Interestingly enough, they have a page of customers which list the Department of Defense, a number of health care institutions, and other corporations like Toys R Us.
The Gap is not listed. Which could mean be meaningless. Or not.
Related Articles and Sites:http://www.theregister.co.uk/2010/06/04/privacy_suit_absolution/http://www.scribd.com/doc/32496484/Ruiz-v-Gap-9th-Cir-Apr-12-2010