Judge dismisses students' lawsuit in data breach

The Ohio University graduates, Donald Jay Kulpa of Cincinnati and Kenneth Neben of North Bergen, N.J., had filed a lawsuit asking a judge to order the school to pay for credit monitoring services for those whose personal information may have been compromised in security breaches involving school computers.

Judge J. Craig Wright of the Ohio Court of Claims granted the university motion's to dismiss the case. His ruling said that Kulpa and Neben had failed to prove they suffered damages they should be compensated for.

No one has provided proof that victims of the April 2006 breaches have had their identity stolen or been defrauded as a result of the security breaches, Ohio University officials claimed. As a result, the school's attorneys maintained that Kulpa and Neben's claims were based solely on fears, not actual damages.

"Frankly, victims of such breaches have no other avenue" other than to file a lawsuit against those responsible, Avivah Litan, a security analyst with Gartner, told SCMagazine.com.

"If the government's not going to do its job" of protecting consumers, lawsuits are the "only way they can fight" breaches involves their personal information.

The financial services industry "has lobbied against any legislation that restricts the use of Social Security numbers for identification, demanding all kinds of exemptions and exceptions that water down any legislation," she said.

Even the federal laws now on the book, such as Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, don't prohibit the use of Social Security numbers for uniquely identifying individuals, she pointed out.

"The House Ways and Means Committee is drafting legislation" that will limit the use of Social Security numbers for identification purposes, she said, "but the financial services lobby is opposing it."

The university uncovered breaches in four computer systems in April 2006. At first, the school said the breaches exposed about 367,000 files containing Social Security numbers, names, medical records and home addresses; it subsequently said that the breaches impacted only about 173,000 people's records.

An investigation by technology analysts at the school determined that hackers were attempting to share and store music and movie files when the breaches occurred, the university said in a statement.

breachdatadismissesinjudgelawsuitsecuritystudents