Zappos 2012 data breach settlement - wills_forward
http://www.zapposdatasettlement.com/frequently-asked-questions.aspx#a10
======
jdoliner
I just got an email about this settlement telling me that I've been awarded a
10% off coupon for Zappos due to this ruling. So I actually have to give them
more business to recoup anything... it's almost as if this settlement is going
to be good for business.

~~~
nitwit005
Not to mention you'd have to give your personal information to the company
with a data breach again.

I'm sure your credit card is 100% safe.

~~~
b0ner_t0ner
> _I'm sure your credit card is 100% safe_

Thanks for reminding me about that. Credit cards I can cancel and get new
ones, but my passport data, which Cathay Pacific failed to protect,
unfortunately cannot be changed, and the data is floating around somewhere.

------
Townley
This is an absurd sum, both in the fees:rewards ratio, and in the total amount
($22,500 might as well be nothing for all of the people involved).

That said, I'm a bit surprised to see a "Rake them over the coals" attitude on
HN. They leaked a DB with hashed passwords, user data, and last 4 digits of
credit cards. That happens to even the most responsible websites all the time,
even with seven years of best practices to build upon. I know it would have
absolutely happened to the awful, framework-less PHP I was writing back in
2012.

Without letting Zappos off the hook for not taking security more seriously, it
seems to me that substantial, non-ridiculous monetary punishments should be
reserved for instances of deliberate recklessness, or at least clear,
preventable negligence.

~~~
colechristensen
Their settlement ended up costing as much as a few good engineers for a year.
Consequences like that will mean it makes financial sense to ignore security
and just pay the settlements as they come.

Consequences should motivate companies to be secure. _i.e._ it should be much
cheaper to hire a large competent security team who has a chunk of engineer
time than it is to pay tiny settlements to teams of lawyers.

Data breaches aren't just necessary evils, they can be prevented, but not
without a lot of extra work. Companies should consider a data breach to be an
existential threat, not a cost of business.

~~~
oconnor663
> Consequences like that will mean it makes financial sense to ignore security
> and just pay the settlements as they come.

If judgments like this were the _only_ reason to prioritize security, then
sure. But hopefully there are at least some market/reputational forces at work
too.

~~~
nickcox
I honestly don't think the general public cares enough for reputational
effects to be particularly important.

Can you think of an incident, however heinous, that materially impacted a
company's bottom line?

~~~
christopheraden
The Ashley Madison Breach comes to mind. If the core demographic cares about
not wanting their data on the platform to get out, they will vote with their
feet. That said, I think this example is not the norm, and most people
probably won't care for most applications.
[https://en.wikipedia.org/wiki/Ashley_Madison_data_breach](https://en.wikipedia.org/wiki/Ashley_Madison_data_breach)

~~~
0_gravitas
I mean, wasn't it also revealed that an overwhelming amount of people on the
site were male in the same breach? I'd guess that would be a motivating factor
more than the privacy.

------
thomascgalvin
The argument is that the total amount of the settlement is important as a
disincentive to corporations to engage in negligent behavior, and that the
disproportionate amount of money that goes towards the attorneys is necessary
to convince said attorneys to take up such cases.

Of course, one could also argue that this has just created a new form of
venture lawyering, with attorneys who give zero shits about their clients
chasing compliance violations rather than ambulances, and businesses baking
these lawsuits into their profitability calculations.

~~~
RcouF1uZ4gsC
Due to health care inequalities people are talking about single payer where
the government is the only payer.

However, an even bigger problem is legal inequalities. Rich people can afford
top legal representation and poor people cannot. We should instead have single
payer legal representation. Lawyers are required to charge a standard fee and
are paid by the government for their work. They are not allowed to accept
payments in addition to the standard government payment or to take contingency
fees.

Doing this would ensure that the poor in America are not disadvantaged due to
the rich having better lawyers.

~~~
AstroChimpHam
I don't know why more people don't say this. I agree 1000%. This should
absolutely be the case. Why should anyone have a lower probability of winning
a lawsuit just because they're poor?

~~~
lotsofpulp
Because no one has yet come up with a better system that works.

If there exist differences in skill, then there exists an arbitrage opportunity.
How one can prevent that arbitrage opportunity from being used in order to
keep things “fair”, I do not know, and I have not heard of any compelling ideas.

------
saagarjha
There’s so much wrong with settlement payouts, but one of the less talked
about problems is how all of them get .com domains that look straight out of
“How to Spot Phishing 101”. Can someone _please_ tell lawyers to figure out
how to make these not look super sketchy?

~~~
therealx
They have a formula for it and don't care one bit about it. Oftentimes there's
no SSL, and many other security options are ignored.

I was shocked how much of law was simple find/replace on templates.

------
CryoLogic
Would this have played out differently in a country known for its government-backed
consumer protection laws, maybe Norway or Sweden?

In other words - is this an "American corporate greed" sort of tragedy, or is
this the standard result of such a lawsuit in all major countries?

By tragedy, I mean over 90% of the proceeds of the lawsuit going to lawyers
rather than individuals affected in the data breach.

~~~
nerfhammer
yes

the legal theory is that

1) punishing the bad actor is more important than restitution. it's more
important that Zappos is punished to discourage bad behavior from Zappos or
anyone else, less important how exactly the punishment money is split up

2) since lawyers can get paid out of the settlement, it incentivizes
independent lawyers to go after bad companies wherever they may be rather than
needing regulators. so you don't need to maintain and hire a bunch of
regulators and their legal teams, which will often be too many or too few.

other countries may prefer things the other way around and often do. it's easy
to think of pros and cons either way.

------
jedberg
As my lawyer friend says, a class action lawsuit is the startup of the
lawyering world. Get one good one and you're set for life.

~~~
asdfasgasdgasdg
This must not be a good one, then, because $1.5M is barely enough to set one
attorney up for life, let alone however many folks were presumably involved in
this case.

~~~
jedberg
Just like startups, class actions are a lot of risk and sometimes the rewards
don't make up for it. This is basically a middling exit in the startup world.

------
timavr
US legal system is broken af.

The point of legal system should be to compensate the wronged party, not to
enrich lawyers.

~~~
landryraccoon
I agree, but I think most people wouldn't agree with the conclusions.

For example - if someone is criminally wronged in a property crime, wouldn't
it make more sense to leave them free but garnish their wages to make the
wronged individual whole instead of putting them in prison for decades? Yet if
you bring up the idea of compensating the victim instead of punitive justice,
a majority of people are extremely offended by the idea.

From that point of view, it isn't surprising at all that class action lawsuits
are much more about retribution than restoration in the adversarial system.

------
m4tthumphrey
That's $22,500 TOTAL, not per plaintiff, i.e. $2,500 per plaintiff.

~~~
koolba
Per _primary_ plaintiff.

The rest of us schmucks get a 10% off coupon.

~~~
rolltiide
decent business model fwiw

get a little price discovery on how much data is worth while re-targeting a
bunch of customers that stopped using your service sometime over the last
decade

------
NelsonMinar
Can anyone put this in perspective for penalties for other data breaches?
Honestly I'm used to data breaches having _no_ penalties other than maybe
"we'll sign you up for credit monitoring" (that I don't want or need).

------
Waterluvian
The problem I see is that lawyers then only care to recoup enough to make
their ledger work out.

If you said my settlement is $80, I'd say go for broke. Take it all the way or
go home. No, but the lawyer sees a perfectly cromulent payday for themselves, so
they'll encourage the class to accept the deal.

------
hanniabu
Is that even supposed to be considered a win for anybody other than the
lawyers?

------
Sephr
I wasn't aware that there were any laws about data breach settlements from
2012. I detected a breach at Macmillan Publishers around that time[1] and have
been wondering if they were still liable.

1\. [https://eligrey.com/blog/bedford-st-martins-data-breach/](https://eligrey.com/blog/bedford-st-martins-data-breach/)

------
RcouF1uZ4gsC
Don’t lawyers have a fiduciary duty to their clients to act in their best
interests? This is definitely not in their clients' best interests. I wonder if
people in the class action can bring a bar complaint against the lawyers in
the case and have them disbarred?

------
nothinghere789
10% coupon, really? How much of this is Amazon's legal department? It's time
to make an annual cancel Prime day.

------
0x262d
so I guess the previous title listing the fees and payment to plaintiffs was a
little too edgy huh

------
noonespecial
Think of how much more the victims would have if they just put the $1.6M in a
mutual fund in 2012.

------
mirimir
Huh?

I thought that fees and expenses were generally 30%-40% of settlements.

------
nothinghere789
Would it do anything to boycott them?

------
OrgNet
at least there was more than one attorney getting that fee /s

------
bradhe
Pretty standard.

