from Hacker News

Zappos 2012 data breach settlement

by wills_forward on 10/17/19, 10:09 PM with 113 comments

  • by jdoliner on 10/17/19, 10:40 PM

    I just got an email about this settlement telling me that I've been awarded a 10% off coupon for Zappos due to this ruling. So I actually have to give them more business to recoup anything... it's almost as if this settlement is going to be good for business.
  • by Townley on 10/17/19, 11:51 PM

    This is an absurd sum, both in the fees:rewards ratio, and in the total amount ($22,500 might as well be nothing for all of the people involved).

    That said, I'm a bit surprised to see a "Rake them over the coals" attitude on HN. They leaked a DB with hashed passwords, user data, and last 4 digits of credit cards. That happens to even the most responsible websites all the time, even with seven years of best practices to build upon. I know it would have absolutely happened to the awful, framework-less PHP I was writing back in 2012.

    Without letting Zappos off the hook for not taking security more seriously, it seems to me that substantial, non-ridiculous monetary punishments should be reserved for instances of deliberate recklessness, or at least clear, preventable negligence.

  • by thomascgalvin on 10/17/19, 10:50 PM

    The argument is that the total amount of the settlement is important as a disincentive to corporations to engage in negligent behavior, and that the disproportionate amount of money that goes towards the attorneys is necessary to convince said attorneys to take up such cases.

    Of course, one could also argue that this has just created a new form of venture lawyering, with attorneys who give zero shits about their clients chasing compliance violations rather than ambulances, and businesses baking these lawsuits into their profitability calculations.

  • by saagarjha on 10/17/19, 10:41 PM

    There’s so much wrong with settlement payouts, but one of the less talked about problems is how all of them get .com domains that look straight out of “How to Spot Phishing 101”. Can someone please tell lawyers to figure out how to make these not look super sketchy?
  • by CryoLogic on 10/17/19, 10:40 PM

    Would this have played out differently in a country known for its government-backed consumer protection laws, maybe Norway or Sweden?

    In other words - is this an "American corporate greed" sort of tragedy, or is this standard result of such a lawsuit in all major countries?

    By tragedy, I mean over 90% of the proceeds of the lawsuit going to lawyers rather than individuals affected in the data breach.

  • by jedberg on 10/17/19, 10:57 PM

    As my lawyer friend says, a class action lawsuit is the startup of the lawyering world. Get one good one and you're set for life.
  • by timavr on 10/17/19, 10:49 PM

    US legal system is broken af.

    The point of legal system should be to compensate the wronged party, not to enrich lawyers.

  • by m4tthumphrey on 10/17/19, 10:42 PM

    That's $22,500 TOTAL, not per plaintiff, i.e. $2,500 per plaintiff.
  • by NelsonMinar on 10/17/19, 11:42 PM

    Can anyone put this in perspective for penalties for other data breaches? Honestly I'm used to data breaches having no penalties other than maybe "we'll sign you up for credit monitoring" (that I don't want or need).
  • by Waterluvian on 10/17/19, 10:55 PM

    The problem I see is that lawyers then only care to recoup enough to make their ledger work out.

    If you said my settlement is $80 I'd say go for broke. Take it all the way or go home. No, but the lawyer sees a perfectly cromulent payday for themselves so they'll encourage the class to accept the deal.

  • by hanniabu on 10/17/19, 10:54 PM

    Is that even supposed to be considered a win for anybody other than the lawyers?
  • by Sephr on 10/18/19, 6:37 AM

    I wasn't aware that there were any laws about data breach settlements from 2012. I detected a breach at Macmillan Publishers around that time[1] and have been wondering if they were still liable.

    1. https://eligrey.com/blog/bedford-st-martins-data-breach/

  • by RcouF1uZ4gsC on 10/18/19, 5:12 AM

    Don’t lawyers have a fiduciary duty to their clients to act in their best interests? This is definitely not in their clients' best interests. I wonder if people in the class action can bring a bar complaint against the lawyers in the case and have them disbarred?
  • by nothinghere789 on 10/18/19, 5:28 PM

    10% coupon, really? How much of this is Amazon's legal department? It's time to make an annual cancel Prime day.
  • by 0x262d on 10/18/19, 12:31 AM

    So I guess the previous title listing the fees and payment to plaintiffs was a little too edgy, huh?
  • by noonespecial on 10/18/19, 12:09 AM

    Think of how much more the victims would have if they just put the $1.6M in a mutual fund in 2012.
  • by mirimir on 10/18/19, 4:36 AM

    Huh?

    I thought that fees and expenses were generally 30%-40% of settlements.

  • by nothinghere789 on 10/18/19, 5:27 PM

    Would it do anything to boycott them?
  • by OrgNet on 10/18/19, 12:35 AM

    At least there was more than one attorney getting that fee /s
  • by bradhe on 10/17/19, 10:39 PM

    Pretty standard.