Occasionally, we find out about a data breach via court filings instead of notifications or media coverage. This is one of those times, it seems. As far as I can determine, the incident discussed in the court case was not reported to the NYS Consumer Protection Board by either Cambridge Who’s Who or Proactive Technology Group.
Andrew Keshner writes:
A Long Island marketing company has suffered a setback in its bid to block a former employee from what it says is a relentless campaign to disparage the business through online posts and reports to law enforcement authorities.
Supreme Court Justice Stephen Bucaria in Nassau County ruled in Cambridge Who’s Who Publishing v. Sethi, 009175-2010, that the First Amendment gave the ex-employee the right to disseminate his claims that the company had lost personal data about its customers.
Read more on Law Technology News. (h/t, @meerkat)
I accessed the order of January 25 through NYS’s web site, and found the following reference to allegations about a data breach in the short form order:
Also submitted is an email dated October 25 2010 from defendant to the Consumer Frauds Bureau of the New York Attorney General. In the email, defendant stated that he believed that tapes containing personal data on 400 000 members was lost or stolen from Cambridge Who s Who Publishing. Defendant stated that the data included names, addresses, social security numbers, drivers license numbers, payroll data, checking account numbers, and credit card information. Defendant stated that as director of MIS he advised plaintiffs management to “log and report the data loss to the people compromised.” Defendant further stated that he believed that nothing was done to “report the matter to the state and federal authorities.” Defendant stated that the tapes had been lost or stolen by an “outsourced tech” and defendant had been harassed and discriminated against by Cambridge when he “questioned” them about the data loss. Defendant also stated that the Attorney General of every state had received complaints about plaintiff’s “bait and switch practices misrepresentations, and questionable business practices.”
Additionally, plaintiff submits a series of emails between plaintiff and Stuart Ebner of Proactive Technology Group, which is apparently the “outsourced tech” to which defendant was referring in his email to the Attorney General. In an email to plaintiff dated October 20, 2010, Ebner stated that the tapes had been stored in a “tape library,” or drive which was not functioning properly and had been shipped back to the supplier, Tandberg, for repair. Ebner further stated that although the tapes should have been removed, they were shipped to Tandberg with the drive. Ebner claimed that Proactive’s technician had removed the tapes the day before shipment and theorized that defendant, as the MIS director, must have reinserted the tapes into the drive. Although Ebner acknowledged responsibilty for the data loss, he also attributed some of the fault to defendant.
Importantly, the judge recognized that a data breach is a matter of public concern:
The claimed data loss, involving social security numbers and credit card information implicates the economic interests of a large number of people. Thus, the content of defendant’ s communication is a matter of public concern, even though its intent and effect may have been to disparage plaintiff’s business, retaliate for defendant’ s discharge, or shift responsibility for the data loss. Thus, the court must give the benefit of any doubt to protecting defendant’ s right to free speech.
Update: A spokesperson for the NYS Attorney General’s Office confirmed to DataBreaches.net that they have not received any breach report from Cambridge or Proactive Technology Group.