Essay Example on Righteous Music Website Breach Exposes Millions of Customers' Personal Data

Introduction

A company called Righteous Music creates a website to deliver streaming music to customers for a fee. Millions of people sign up and provide credit and debit card numbers, as well as other sensitive personal data, to Righteous Music through its website. The website suffers a breach due to an XSS attack that exposes the sensitive personal data of millions of customers. Without any further information about the security practices of Righteous, can its customers bring an action asserting that Righteous was negligent in its cybersecurity practices? Would the result be the same if the type of attack had been an SQL Injection attack?

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 - Dist. The court, ND Illinois 2014

Concerning the case of Strautins v. Trustwave Holdings, Inc, Righteous Music customers cannot bring an action to ascertain that Righteous Music Company was negligent in these cybersecurity practices. In the case of Strautins v. Trustwave Holdings, the Trustwave admits that it has offered, and continues to offer, products as well as services to the SCDOR but argues that the breach was not accomplished through an "exposed portal" on SCDOR's website "or other external vulnerability," but rather it was executed with accredited user credentials obtained from a "phishing" email that was sent and opened by, a SCDOR employee. More importantly, Trustwave takes matters with Strautins' statement that all of the data possibly exposed by the attack was essentially "stolen and compromised," disagreeing that the complaint does not have allegations to support that claim, stating that many of the credit card numbers that were affected were encrypted, and pointing to media reports that suggested that only tax data of electronic filers was exposed.

Without any other additional information on the security activities of Righteous Company, the customers cannot bring a concrete action stating that the cyber-attack was due to negligence. To ascertain negligence, the customers need to show that they suffered an injury or loss and that the loss is directly traceable to the Righteous Company. Therefore, the lack of fulfillment of the above conditions, the claims made by the customers are termed as insufficient to establish standing for article III standings. However, the customers would have ascertained that the attack was due to negligence if the attack had been an SQL Injection attack since the attackers would have been able to manipulate the data meaning that the Righteous Company had not put enough security measures.

Allen v. SCHNUCK MARKETS, INC., Dist. Court, SD Illinois 2016

The case of Allen v. SCHNUCK MARKETS, INC., can also be used to point out that the customers cannot bring an action to ascertain the Righteous Music Company was negligent in its cybersecurity practices. The Complaint claimed that the hackers were able to gain access to Schnucks' credit/debit card processing systems. The attackers were able to obtain personally-identifying information as well as confidential financial data. After almost a year, Schnucks got reports from banks that customers who had used their plastic cards at Schnucks stores had acquired fraudulent charges but Schnucks did not warn its customers. The plaintiffs blamed the company for the breach of data as well as delayed response hence were suing for negligence, violation of merchandising statutes, breach of implied contract, and violation of Illinois' Personal Information Protection Act. However, the case was dismissed due to a lack of proof of injury due to the lack of properly alleged damages. About this case, the Righteous Music Company customers cannot ascertain that Righteous was negligent in its cybersecurity practices unless it was an SQL Injection attack whereby there would be damages due to failure of the company to properly secure its database.