UK Court Says Company Is Innocent In Massive Data Breach Caused By Vindictive Employee, But Must Nonetheless Pay Compensation
Furnished content.
It's well known that the EU has laws offering relatively strong protection for personal data -- some companies say too strong. Possible support for that viewpoint comes from a new data protection case in the UK, which follows EU law, where the judge has come to a rather surprising conclusion. Details of the case can be found in a short post on the Panopticon blog, or in the court's 59-page judgment (pdf), but the basic facts are as follows.In 2014, a file containing personal details of 99,998 employees of the UK supermarket chain Morrisons was posted on a file-sharing Web site. The file included names, addresses, gender, dates of birth, phone numbers (home or mobile), bank account numbers and salary information. Public links to the file were placed elsewhere, and copies of the data sent on a CD to three local newspapers, supposedly by someone who had found it on the Internet. In fact, all the copies originated from Andrew Skelton, a Senior IT Auditor in Morrisons, as later investigations discovered. According to the court, Skelton had a grudge against the company because of a disciplinary process that took place in 2013. As a result of the massive data breach in 2014, Skelton was sentenced to eight years in prison.The current case was brought by some 5,500 employees named in the leaks, who sought compensation from Morrisons. There were two parts to the claim. One was that Morrisons was directly to blame, and the other that it had "vicarious liability" -- that is, liability for the actions or omissions of others. The UK judge found that Morrisons was not directly liable, since it had done everything it could to avoid personal data being leaked. However, as the Panopticon blog explains:having concluded that Morrisons was entirely legally innocent in respect of Skelton's misuse of the data, the Judge held that it was nonetheless vicariously liable for Skelton's misdeeds That is a legal bombshell as far as UK privacy law is concerned, since it means that a company that does everything it reasonably can to prevent personal data being revealed can nonetheless be held vicariously liable for the actions of an employee, even a malicious one. That clearly offers an extremely easy -- if potentially self-damaging -- route for disgruntled employees who want to harm their employers. All they need to do is intentionally leak personal data, and the company they work for will have vicarious responsibility for the privacy breach. In fact, even the judge was worried by the implications of his own decision:The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims. As a result, the judge granted leave for Morrisons to appeal against his judgment that it was vicariously liable. Hundreds of thousands of companies around the UK will now be hoping that a higher court, either nationally or even at the EU level, overturns the ruling, and sets a limit on those super-strong data protection laws.Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Permalink | Comments | Email This Story
Read more here
posted at: 12:00am on 08-Dec-2017
path: /Policy | permalink | edit (requires password)
Opening Statements In The Trademark Battle Of The Comic Cons, While Other Regional Cons Go Full Judas
Furnished content.
Our regular readers will know that we've been covering the years-long trademark lawsuit between the famous San Diego Comic-Con and the Salt Lake ComicCon since the very beginning. The whole thing has been something of a saga, with the SDCC issuing various threats and filing a lawsuit, while the SLCC has managed to fumble its way through court, getting slapped around for attempting various counter-logical defenses and even getting a gag order on it temporarily, unconstitutionally barring it from talking about the case publicly.Well, the court heard opening statements in the case this past week, with the SDCC trotting out the same studies it had presented during the pre-trial motions.Callie Bjurstrom, attorney for San Diego Comic-Con told jurors that Salt Lake Comic Con hijacked the Comic-Con trademark. That it “remained a small, intimate comic convention for decades” and that it wasn’t until the early 2000s that “the secret was out: Comics were cool and Comic-Con was the place to be to catch what was hot and what was next”. And as hundreds of similar conventions sprang up in cities across the country, Salt Lake Comic Con tried to “hijack” the trademark, to “steal the Comic-Con brand” saying “You don’t need to use ‘Comic-Con’ in your name to identify your comic and popular-arts convention… Convention is a generic term. Comic-Con is a brand” and that Salt Lake Comic Con is duping consumers into believing their events are associated, especially when they parked an Audi convertible near the San Diego Convention Center during the 2014 show, wrapped with promotions for the Salt Lake event.SDCC commissioned a study that showed 82 percent of consumers recognize Comic-Con as a brand – a higher brand recognition rate than Jello and that “You don’t take or steal something that’s not valuable.” Of course, the problem with this study is that no matter what the public in the SDCC's sample indicated, the simple fact is that comic conventions throughout the country have been using the term "comic con" with wild abandon. As they did so, it seems that the SDCC was in some sort of trademark hibernation for years, with no action against all of these national comic cons that I can find. SLCC made the same point in its opening argument, their defense seemingly settling on the notion that the term "comic con" had become generic.Attorneys for the Salt Lake Comic Con and Dan Farr Productions said the phrase has become generic, part of the public commons, and therefore unprotectable. Michael Katz with Maschoff Brennan said that “Comic Con” is a generic term used to refer to a type of convention and that the show “looked to the industry” in naming their convention in 2013. “They used the same formula: Salt Lake to refer to where they were, and Comic Con to refer to what they were”. That Comic Con was a “national brand” and there could be no confusion between the one in San Diego and the one in Utah, which he called a “flyover state”, and that theirs was a “homegrown” event where four out of five attendees came from Utah, and it was so specific to the state that it didn’t run on Sundays because of Utah’s large religious population. And that “I don’t think we’re here because of large numbers of people confusing San Diego Comic-Con with Salt Lake Comic Con. … They have not been harmed by little Salt Lake. They have not lost a single customer to us. We are small potatoes”. It seems that the SDCC fully anticipated this defense and decided to attempt to undermine it by finding a comic con out there, any comic con, to enter into a laughably cheap licensing agreement. That SDCC is doing this only at the same time it is bringing this suit to trial makes its motive plain and naked. It's a shameless attempt to give its long-abandoned trademark the imprimatur of now having an actual licensee. As disappointing as the SDCC's actions are, those of the sellout cons are all the more so. Just read the press release from Rose City Comic Con in Portland about how it licensed the "comic con" mark and you'll get an idea of just how likely it is that the SDCC basically scripted this thing for them.“Rose City Comic Con, Portland, Oregon’s largest comics and pop-culture convention, is proud to announce its association with San Diego Comic Convention for its three-day event taking place September 7-9, 2018 at the Oregon Convention Center. Rose City Comic Con received the license at no additional cost to the show, and acknowledges the trademark owned by San Diego Comic Convention and is excited to affiliate itself with the prestigious event.”“Comic-Con, the San Diego convention, is without question the biggest and most important event in the comics and popular arts industry every year. To have the respected event recognize the hard work of Rose City Comic Con by providing a license agreement is really remarkable for the city of Portland and the incredible community of creators we’re lucky to have here,” said Rose City Comic Con founder Ron Brister. So moist does Rose City seem to be over its free license that it must have failed to understand the motive for this free gift by the SDCC and the damage it might do to all of the other comic cons out there that are now or might in the future be under threat by SDCC. Now, I don't believe that SDCC managing to squeeze a few licensees from this national barrel of turnips suddenly means that it didn't long ago abandon the "comic con" mark, but it seems obvious that these sorts of free licenses aren't for everyone. I expect the SLCC, for instance, would have jumped at a free license early on in this process. Perhaps it would instead have stood its ground on principle, but given the enormous cost in time and money, not to mention that this thing has dragged out now for several years, I doubt it.So nice job, Rose City. While one con fights not just for its life, but for the common sense notion that "comic con" should no longer be considered a legit trademark, you went full Judas. Hope those 30 pieces of silver are worth it.
Permalink | Comments | Email This Story
Read more here
posted at: 12:00am on 08-Dec-2017
path: /Policy | permalink | edit (requires password)
|
|