(Edward Magarian, Dorsey.com Attorney)


From: "Magarian, Edward" (Magarian.Edward@dorsey.com)
To: root[at]attrition.org, jericho[at]attrition.org, comega[at]attrition.org, 
    munge[at]attrition.org, bmartin[at]attrition.org
Date: Fri, 12 Jan 2007 10:00:34 -0600
Subject: FW: Scanned document (2 pages ~55 KB) -- 1/12/2007 9:45:56 AM
Parts/Attachments:
   1 Shown    ~7 lines  Text (charset: ISO-8859-1)
   2          58 KB     Application
----------------------------------------


Enclosed please find a letter on behalf of my client Medica Health Plans.  I trust that we can quickly 
address and resolve this issue.  Ed Magarian


(attrition letter .pdf)



From: security curmudgeon (jericho[at]attrition.org)
To: "Magarian, Edward" (Magarian.Edward@dorsey.com)
Cc: legal[at]attrition.org
Date: Fri, 12 Jan 2007 11:17:36 -0500 (EST)
Subject: Re: FW: Scanned document (2 pages ~55 KB) -- 1/12/2007 9:45:56 AM

: Enclosed please find a letter on behalf of my client Medica Health
: Plans.  I trust that we can quickly address and resolve this issue.  Ed
: Magarian

Hello,

Please find an e-mail on behalf of attrition.org:

We do not read PDF or DOC files from strangers. Please read
http://www.us-cert.gov/cas/tips/ST04-010.html for details.

Please re-send whatever this is in plain text, which is perfectly
acceptable (and safe) for all mail readers.

Jared E. Richo
attrition.org




From: "Magarian, Edward" (Magarian.Edward@dorsey.com)
To: security curmudgeon (jericho[at]attrition.org)
Cc: legal[at]attrition.org, root[at]attrition.org, jericho[at]attrition.org, comega[at]attrition.org, 
    munge[at]attrition.org, bmartin[at]attrition.org
Date: Fri, 12 Jan 2007 11:00:55 -0600
Subject: RE: FW: Scanned document (2 pages ~55 KB) -- 1/12/2007 9:45:56 AM


January 12, 2007
VIA ELECTRONIC SUBMISSION
TO:  www.attrition.org

        Re:     Medica Health Plans and Your Web Site attrition.org

Dear attrition.org:

I have been retained by Medica Health Plans ("Medica") in connection 
with false and defamatory statements we learned you published about my 
client which can be found at http://attrition.org/dataloss; 
http://attrition.org/dataloss/dldos.html; and http://attrition.org/dataloss/dataloss.csv 
(see item #110). I am sending this letter to the contact on your website 
because it appears to be your preferred method of communication.

You have published and continue to publish to this day statements that 
Medica had a data loss on June 29, 2005 affecting 1,200,000 members 
related to "fraud."  This defamatory information has been picked up by 
other websites including www.emergentchaos.com.  These statements which 
have been republished are simply false and defamatory.

The issue referenced by your site had nothing to do with any member data, 
personal or otherwise, and there are no facts to support such an assertion. 
Your publication of statements which expressly targets Medica with the 
stain of exposing or even allegedly exposing personal information of its 
1.2 million members is false, defamatory, damaging and constitutes 
defamation per se.

It is imperative that we move to address this defamation immediately before 
further damage is done to my client.  To start the process, you must remove 
any such reference to Medica from your materials and disclose to us whether 
you republished these false statements in any other materials.  We also 
expect your cooperation removing that material from other websites such as 
www.emergentchaos.com.

If you or your organization elect to retain counsel, please have that counsel 
contact me immediately. I can be reached at my office (612-340-7873).  If you 
or your company elect not to retain counsel, then please contact me 
immediately so that we can discuss measures to attempt to mitigate the 
damage done.

If we do not hear from you or any counsel you or your company might retain, 
you may leave us with little choice but to pursue our legal remedies.

                                                                        Very truly yours,
                                                                                /s/
                                                                        EDWARD B. MAGARIAN



From: security curmudgeon (jericho[at]attrition.org)
To: "Magarian, Edward" (Magarian.Edward@dorsey.com)
Cc: legal[at]attrition.org, denver@dorsey.com, carter.cheri@dorsey.com, 
    meltzer.curt@dorsey.com, media@medica.com
Date: Sun, 14 Jan 2007 02:26:11 -0500 (EST)
Subject: RE: FW: Scanned document (2 pages ~55 KB) -- 1/12/2007 9:45:56 AM


Hello Edward,

When I last replied, I added the appropriate address for contact regarding
this matter; myself and the legal[at]attrition.org address. You opted to once
again send this to several people that are not involved with the main
attrition.org web site and do not have access to update it. In return, I
am going to include some extra folks at Dorsey & Whitney LLP in our
dialogue. You may drop them from the CC if you also drop the irrelevant
attrition.org addresses in future correspondance.

:       Re: Medica Health Plans and Your Web Site attrition.org
:
: I have been retained by Medica Health Plans ("Medica") in connection
: with false and defamatory statements we learned you published about my
: client which can be found at [..]

: You have published and continue to publish to this day statements that
: Medica had a data loss on June 29, 2005 affecting 1,200,000 members
: related to "fraud."  This defamatory information has been picked up by
: other websites including www.emergentchaos.com.  These statements which

Your wording makes several implications that are simply false and
misleading. First, the information regarding the Medica breach originated
with an article written by Glenn Howatt of the Star Tribune, which was
originally located at http://www.startribune.com/stories/535/5481317.html.
The Star Tribune cycles their articles so that it now costs $2.75 to see
it, but the same article is still there in its entirety. The original
article has not been edited, revised or retracted as far as we can tell
(after paying the fee to see it). After that article, hundreds of other
web sites and mail lists 'picked up' on it and either republished it or
summarized the content. We (attrition.org) do not make false or defamatory
statements regarding Medica.

: have been republished are simply false and defamatory.

Given that you are a partner at Dorsey & Whitney LLP I assume that means
you are a lawyer. If so then you of all people should be aware of several
things related to your allegations. First and foremost, the article is not
defamatory toward your client.

  DEFAMATION - An act of communication that causes someone to be shamed,
  ridiculed, held in contempt, lowered in the estimation of the community,
  or to lose employment status or earnings or otherwise suffer a damaged
  reputation. Such defamation is couched in 'defamatory language'. Libel
  and slander are defamation. - http://www.lectlaw.com/def/d021.htm

Since the work in question is not spoken I will assume that you or your
client is claiming that the article is libelous. As best I know, and I am
not a lawyer, there are a few keep points of libel / slander; it must be
harmful, it must be untrue and it must be done with malicious intent.
Please feel free to quote the exact wording of the law if one of these
points is not true. That said, let's examine your claims:

: The issue referenced by your site had nothing to do with any member
: data, personal or otherwise, and there are no facts to support such an
: assertion.

Quoting from the Star Tribune article:

  Still, it took Medica's security investigators at least 45 days to
  detect problems and another 20 days before the company took direct
  action to stop the employee alleged to have done the most damage,
  according to court documents.

  [..]

  During that time, the system was sabotaged four times, limiting
  legitimate access by employees and vendors. Confidential business
  documents were copied, including personnel information about the
  information technology department as well as letters to outside
  attorneys concerning lawsuits, according to court documents.

  And even after Medica had identified the suspects, they erased the hard
  drives of their company laptops without interference, destroying
  critical evidence, according to court documents.

  [..]

  In the end, Medica did find the alleged perpetrators, and even though it
  is not completely certain about what information was downloaded, the
  evidence suggests that it did not include personal information about
  Medica members.

  [..]

  Medica said it has enough evidence to prove that the two former
  employees were responsible for the security breaches.

If you read these quoted portions, and further assume that Glenn Howatt
was not fabricating his information, it is abundantly clear that Medica
acknowledges the breaches and specifically says they are "not completely
certain about what information was downloaded" and that the remaining
evidence *suggests* personal information was not downloaded.

Just like I must assume your knowledge of the legal system is more
thorough than mine, you should probably assume my knowledge of computer
security and forensics is more thorough than yours. Since Medica
acknowledges that evidence was destroyed and they can't even ascertain
what information was stolen from their computers, there is basically no
chance that Medica will *ever* be able to say what happened with any
certainty, and the forensics will back my claim.

: Your publication of statements which expressly targets Medica with the
: stain of exposing or even allegedly exposing personal information of its
: 1.2 million members is false, defamatory, damaging and constitutes
: defamation per se.

We do not "expressly target" Medica in any way. Please re-read the URLs
you originally quoted and you will see that we collect information from
third parties regarding dataloss incidents, including possible breaches
(which Medica would classify as). According to the original article,
Medica says they can "not [be] completely certain about what information
was downloaded." So, how are they not certain what information was
downloaded, but now certain enough to claim that the Star Tribune article
is defamatory in saying that the information may have been breached?
Medica can't have it both ways.

: It is imperative that we move to address this defamation immediately
: before further damage is done to my client.  To start the process, you
: must remove any such reference to Medica from your materials and
: disclose to us whether you republished these false statements in any
: other materials.  We also expect your cooperation removing that material
: from other websites such as www.emergentchaos.com.

You were doing so well up until this point. You actually expect us to not
only do your job for you, but do so when there was no defamatory comment
made? Are you lazy or naive as to how the internet works? We have no
control over Emergent Chaos or any other web site out there. If you want
to know where the Medica information was posted to (in general, not
necessarily by us), then use Google (http://google.com) and search for the
title of the Star Tribune article. We can and will not assist you in
threatening other web sites to remove content.

The fact that you apparently haven't contacted the Star Tribune, as the
original source of this article, suggests you are randomly targeting sites
that you have a notion will cave in to legal threats. In addition to the
Star Tribune still publishing the article, this same information is
currently hosted by the Department of Health And Human Services (hhs.gov),
Frank Crystal & Co., Inc. (fcrystal.com), Cygnus Business Media
(securityinfowatch.com), Phoenix Health Systems (hipaadvisory.com),
California Health Care Foundation (ihealthbeat.org), World Privacy Forum
(worldprivacyforum.org), and *hundreds* of other sites on the internet.

Finally, in case it was not abundantly clear, the only statement that
attrition.org made regarding the Medica incident can be found on
http://attrition.org/dataloss/ in which we summarize:

   (System administrators may have had access to around 1.2 million member
    records)

Please note that in keeping with the information available in the article,
we specifically said "may have had access". That is the only comment that
we (attrition.org) made regarding the incident, and it is hardly
defamatory in nature. Further, it most certainly isn't made with malicious
intent or intent to harm Medica in any way.

: If you or your organization elect to retain counsel, please have that
: counsel contact me immediately.

At this point I see no reason to retain legal counsel. You have provided a
poorly justified letter with no legal foundation expressing your wish that
we remove content that is not defamatory and that we should further help
your company remove that content from web sites that we have no control
over.

: If you or your company elect not to retain counsel, then please contact
: me immediately so that we can discuss measures to attempt to mitigate
: the damage done.

Being a volunteer run security resource, attrition.org would love to be
able to discuss measures to attempt to mitigate the damage done. However,
to do this, we would need extensive information regarding Medica and their
network systems in order to help provide a security plan, security policy
and auditing services to help test the security of Medica to ensure they
are properly mitigating risks and vulnerabilities in their IT department.
Further, we would need physical access to all of the machines believed to
be compromised to do a complete forensic examination of them in order to
determine what information may have been compromised. Please have someone
from Medica contact me directly and we can work out a plan and
compensation to begin this process.

In the mean time, if you would share with us any correspondance between
the Star Tribune and Dorsey & Whitney LLP regarding this, specifically the
Star Tribune's acknowledgement that what they published was false and
defamatory, along with a copy of their retraction, we will immediately
post it on our site and consider removing the original article. Without
that, i'm afraid I can't see how anything we have done is false or
defamatory and I honestly don't understand how a registered lawyer in good
standarding with the Minnesota State Bar Association could claim this in
good faith.

Jared E. Richo
attrition.org



From: "Magarian, Edward" (Magarian.Edward@dorsey.com)
To: jericho[at]attrition.org
Date: Thu, 18 Jan 2007 16:56:55 -0600
Subject: FW: Attrition.org letter


VIA E-MAIL

Jared E. Richo
attrition.org
jericho[at]attrition.org

Re:     Attrition.org

Dear Mr. Richo:


Thank you for your e-mail dated January 14, 2007.  Unfortunately, I was out of 
the office and out of state until today.  I have now had an opportunity to 
review your letter with my client.  I appreciate the lengthy explanation of how 
the letter ended up on your website.  However, the explanation does not change 
two essential facts:  First, your response ignores two locations on your website 
containing the offending material.  Second, even if you believed the information 
contained on your site to be true at the time you published it, we are telling 
you now that there are no facts to support any allegation that Medica had a data 
loss on June 29, 2005 affecting 1.2 million members related to "fraud."  Every 
day that you leave that information on your website is a day in which you are 
publishing information that is simply not truthful.

First, you claim that the "only statement that attrition.org made regarding the 
Medica incident can be found on http://attrition.org/dataloss/ in which we 
summarize:  (System administrators may have had access to around 1.2 million 
member records).  Your assertion is simply not true.  When I wrote to you last 
week, there were two other locations which I identified in my letter that 
contained relevant material.  The first location was at http://attrition.org/dataloss/dldos.html.  
It noted (and continues to note) that your organization tracks data loss and 
data theft incidents and has identified over 136 million records compromised in 
over 300 incidents across six years.  Your statement at http://attrition.org/dataloss 
must be read in that context and clearly (and inaccurately) conveys that Medica 
is one of the incidents referenced.  Certainly that is how emergentchaos.com 
understood your comments.  The second location was at http://attrition.org/dataloss.csv.  
I specifically addressed your attention to item number 10 on the chart contained 
at that location because it specifically referenced Medica and its 1.2 million 
subscribers.  There was no qualifying language.  From my review or your site 
today, it appears as though you have chosen to remove that chart from your site.  
I appreciate your willingness to do so.  Please confirm that you have not placed 
that chart elsewhere in your website, or if you have, that it no longer includes 
Medica.

Second, the qualifying language you point to (i.e., the word "may") does not change
the fact that the information is false.  There is no evidence that the data was 
compromised for the 1.2 million members as a result of the conduct you reference.  
Therefore, to suggest that it remains a possibility that member data was compromised, 
is to falsely suggest something that is not true.  Moreover, given your broader 
language at http://attrition.org/dataloss/dldos.html, readers (and other information 
providers) are left with the false impression that you have concluded that the data
was in fact compromised.  Again, any such conclusion is simply not true.

Even if you believed all of this was true at the time you wrote it, we have 
corrected that misimpression.  Publishing statements which we have now informed you 
have no basis in fact based on your reading of a newspaper article does not provide 
you or your web site with any protection against a defamation suit.  This is 
especially true, where, as here, you are drawing wrong conclusions from the very 
article you quote.  If you read the article you quote carefully, you will see that 
it is all in the context of certain kinds of documents, none of which have anything 
to do with member data.  The article even states that the evidence suggests that it 
did not involve member data.  You, however, choose to turn that into a conclusion 
either that it includes member data sufficient to count this incident as one of your 
136 million records compromised.

Your legal discussion of defamation is amusing, but irrelevant.  I suggest you contact 
a lawyer who can appropriately advise you on the issues we have raised.  Any such 
lawyer will also tell you that "libel" is written false statements; "slander" is 
oral false statements; but both are defamation.

Finally, you threaten to publish our letter, as well as your response even though it 
was sent to you in a manner suggested by you and solely in an attempt to see if we 
can amicably resolve this matter.  If you elect to publish the letters, please 
understand you do so without our consent and with knowledge that your response 
contains additional defamatory material (asserting that member data was compromised) 
which does nothing to resolve, but merely exacerbates, the current situation.

The web is a powerful and important tool to provide information to people throughout 
the world.  It is important that we utilize this tool in a responsible fashion.  I 
trust we can move forward and amicably resolve this dispute.  Other information 
sources we have contacted appear to have appreciated our bringing the error to their 
attention and giving them an opportunity to correct the problem short of litigation.  
The same offer remains open to you.  I hope that you take a similar view.

                                                Ed Magarian
                                                Partner
                                                Dorsey & Whitney LLP



From: security curmudgeon (jericho[at]attrition.org)
To: "Magarian, Edward" (Magarian.Edward@dorsey.com)
Cc: legal[at]attrition.org
Date: Thu, 18 Jan 2007 20:43:03 -0500 (EST)
Subject: Re: FW: Attrition.org letter (fwd)


VIA E-MAIL

Dear Ed,

While these lengthy e-mails are sometimes amusing, it really is
unfortunate that you get to bill someone $250/hr to read and write them.
Every time I try to bill someone for my e-mail I get laughed at.

:  Thank you for your e-mail dated January 14, 2007.  Unfortunately, I was
: out of the office and out of state until today.  I have now had an
: opportunity to review your letter with my client.  I appreciate the
: lengthy explanation of how the letter ended up on your website.
: However, the explanation does not change two essential facts:  First,
: your response ignores two locations on your website containing the
: offending material.  Second, even if you believed the information
: contained on your site to be true at the time you published it, we are
: telling you now that there are no facts to support any allegation that
: Medica had a data loss on June 29, 2005 affecting 1.2 million members
: related to "fraud."

"You keep using that word. I do not think it means what you think it
means." -- Inigo Montoya

'Fact' is the key point here. Just to make sure we're on the same
page, let's refresh both of our memories on what a 'fact' is:

fact
     n 1: a piece of information about circumstances that exist or
          events that have occurred; "first you must collect all
          the facts of the case"
     2: a statement or assertion of verified information about
        something that is the case or has happened; "he supported
        his argument with an impressive array of facts"
     3: an event known to have happened or something known to have
        existed; "your fears have no basis in fact"; "how much of
        the story is fact and how much fiction is hard to tell"
     4: a concept whose truth can be proved; "scientific hypotheses
        are not facts"

That said, there are a few 'facts' that keep coming to my mind that you
and/or Medica seem to be forgetting:

1. The original article by Glenn Howatt of the Star Tribune is still
available on their web site, unedited, without retraction. Why? Have you
not contacted them about their alleged defamation? If you have, why hasn't
a retraction been issued? We offered to post that retraction and clear all
of this up if you or the Star Tribune would provide a copy. Failing that,
if Medica would like to provide us with a public statement regarding the
incident, the court case against the two former employees and a summary of
the digital forensic evidence that backs their statement, we will be happy
to publish it.

2. Quoting from the original article, "And even after Medica had
identified the suspects, they erased the hard drives of their company
laptops without interference, destroying critical evidence, according to
court documents." Unless the court documents that were filed are false or
unless the Star Tribune article made up this information, then the fact is
*evidence was destroyed* which lead Medica reprepsentatives to say
something leading to Howatt's comment of "In the end, Medica did find the
alleged perpetrators, and even though it is not completely certain about
what information was downloaded."

3. Based on the news article published by the Star Tribune, attrition.org
summarized the information and clearly gave Medica benefit of the doubt by
saying the records "may" have been compromised. Without digital forensic
evidence conclusively proving what occured, it will remain an unknown. A
year later, Medica may restate their opinion, try to alter the wording of
the facts or use legal threats to suppress this information, but it will
always remain a possibility that customer information was compromised.

: Every day that you leave that information on your website is a day in
: which you are publishing information that is simply not truthful.

We are re-publishing a news article that remains the same since it was
published.

:  First, you claim that the "only statement that attrition.org made
: regarding the Medica incident can be found on
: http://attrition.org/dataloss/ in which we summarize:  (System
: administrators may have had access to around 1.2 million member
: records).  Your assertion is simply not true.  When I wrote to you last
: week, there were two other locations which I identified in my letter
: that contained relevant material.  The first location was at
: http://attrition.org/dataloss/dldos.html.

Since you are trying to get technical and lay a virtual smack down on me,
please allow me to retort. The name 'Medica' appears on
/dataloss/index.html on the main list of dataloss incidents and in the
downloadable database located at /dataloss/dataloss.csv. The name 'Medica'
does not appear on /dataloss/dldos.html like you maintain. This is *fact*
and if you try to dispute this then I know this is a completely frivilous
venture and nothing more than a legal scare tactic. Please observe:

Checking all HTML files in the dataloss directory for "medica " (so it
doesn't find "medical"):

forced /home/web/dataloss$ grep -i "medica " *html
index.html:Medica Health Plans - [2005-06-29]
forced /home/web/dataloss$ To verify the name 'Medica' does not occur in dldos.html as you maintain: forced /home/web/dataloss$ grep -i "medica " dldos.html forced /home/web/dataloss$ To show the other occurance, in dataloss.csv: forced /home/web/dataloss$ grep -i "medica " dataloss.csv 06/29/2005,Medica Health Plans,US,Med,Ins,Fraud - SE,MISC,?,Inside - Malicious,No,, 1200000,medica01.html,DL-0089,, forced /home/web/dataloss$ You may argue until you are blue in the face or until you have drained Medica of every last cent, but it will not change the *fact* that you are wrong on this point and that the only time we make a commentary on the incident is the main page (/dataloss/index.html): forced /home/web/dataloss$ egrep -A1 -i "medica " index.html Medica Health Plans - [2005-06-29]
(System administrators may have had access to around 1.2 million member records) forced /home/web/dataloss$ Again, i'll point out that we are summarizing the article from the Star Tribune, in which it appears to be written based on statements made by Medica. This is not defamatory in any way. : It noted (and continues to : note) that your organization tracks data loss and data theft incidents : and has identified over 136 million records compromised in over 300 : incidents across six years. Your statement at : http://attrition.org/dataloss must be read in that context and clearly : (and inaccurately) conveys that Medica is one of the incidents : referenced. The phrase "data loss and data theft incidents" does not implicitly say who obtained the records or if they were used for fraudulent activity. The fact is, a breach occured at Medica in which the records *may* have been accessed by two employees (since terminated) and that the lack of digital forensic evidence makes it impossible to conclusively state what information was taken. We also list the breach at the Department of Veterans Affairs which was later said "not to expose the information". The FBI went so far as to release a statement that was 'understood' by others in a manner that has nothing to do with reality or fact: http://www.internetnews.com/security/article.php/3617601 [..] According to Nicholson, initial FBI forensics on the laptop appear to indicate that no one compromised the personal data, including veterans' names and Social Security numbers. Although the FBI has not completed its investigation, Nicholson said the government is "optimistic" the chances of identity theft have been minimized. [..] The fact is, FBI forensics could not conclusively state what happened with the laptop once it was out of VA custody. Digital forensics can not tell you if someone removed the hard drive and performed a bit-by-bit copy of it before replacing the drive in the laptop and turning it in. The FBI can issue press statements all day long, but it does not change this "fact" "see above definitions). Likewise, if evidence was destroyed in the Medica incident, they can not conclusively state what information was or was not taken by the rogue employees. : The second location was at http://attrition.org/dataloss.csv. : I specifically addressed your attention to item number 10 on the chart : contained at that location because it specifically referenced Medica and : its 1.2 million subscribers. There was no qualifying language. From my : review or your site today, it appears as though you have chosen to : remove that chart from your site. I appreciate your willingness to do : so. We did not host a chart with an item "number 10" or "Medica". I am not sure to which page you are referring but I have a feeling that you are confusing us with another site. We have not removed any content from the Dataloss page as of this mail. : Please confirm that you have not placed that chart elsewhere in : your website, or if you have, that it no longer includes Medica. Without an exact citation URL I have no idea what chart you are referring to. : Second, the qualifying language you point to (i.e., the word "may") : does not change the fact that the information is false. So it is your contention that the two employees never had access to those records in any fashion? This directly contradicts the Star Tribune article that appears to quote Medica officials on what occured. At this point I must note that you are saying our page implies the loss of 1.2 million records by Medica if one were to read two HTML pages and one CSV database, and then make such a conclusion. Despite that, you still don't seem to understand or care that all of this is based on our conclusion based on an article in a news publication. : There is no evidence that the data was compromised for the 1.2 million : members as a result of the conduct you reference. There is no evidence that the data was not compromised for the 1.2 million members as a result of the conduct the Star Tribune references. -- Evidence was destroyed -- Please, take this time to consult a computer forensics specialist on what this means and the implications surrounding it. : Therefore, to suggest that it remains a possibility that member data was : compromised, is to falsely suggest something that is not true. : Moreover, given your broader language at : http://attrition.org/dataloss/dldos.html, readers (and other information : providers) are left with the false impression that you have concluded : that the data was in fact compromised. Again, any such conclusion is : simply not true. It is still a possibility, and this is fact. The actions of those two employees were not monitored, and in fact, could not be monitored at key times during this incident. You and Medica are falsely suggesting that they had no desire and ability to access that information when in fact, they certainly could have. : Even if you believed all of this was true at the time you wrote it, we : have corrected that misimpression. A biased legal threat from the law office retained by Medica does not correct any impressions. When the Star Tribune releases a retraction, that will possibly change my impression of what may have happened. : Publishing statements which we have now informed you have no basis in : fact based on your reading of a newspaper article does not provide you : or your web site with any protection against a defamation suit. This is : especially true, where, as here, you are drawing wrong conclusions from : the very article you quote. If you read the article you quote : carefully, you will see that it is all in the context of certain kinds : of documents, none of which have anything to do with member data. [..] And even after Medica had identified the suspects, they erased the hard drives of their company laptops without interference, destroying critical evidence, according to court documents. [..] In the end, Medica did find the alleged perpetrators, and even though it is not completely certain about what information was downloaded, the evidence suggests that it did not include personal information about Medica members. [..] There are two key points to this article: 1. Evidence was destroyed according to court documents. 2. The remaining evidence 'suggests' that it did not include personal information about Medica members. "You keep using that word. I do not think it means what you think it means." -- Inigo Montoya Again, there is no *fact* that the member information was not compromised. In fact, *if* the member information was compromised and downloaded to one of those laptops, destroying that evidence would likely have been the first thing the rogue employees would have done due to the severity of the information and implications if they were caught. Bottom line, we are dealing with a lot of speculation as to what happened during this incident, and attrition.org has properly referenced this as a 'possible' breach. : The article even states that the evidence suggests that it did not : involve member data. You, however, choose to turn that into a : conclusion either that it includes member data sufficient to count this : incident as one of your 136 million records compromised. The article states evidence was destroyed. What if that evidence was of the records being compromised? Too many unknowns. : Your legal discussion of defamation is amusing, but irrelevant. I : suggest you contact a lawyer who can appropriately advise you on the : issues we have raised. Any such lawyer will also tell you that "libel" : is written false statements; "slander" is oral false statements; but : both are defamation. Are you mocking me? Re-read the e-mail I sent: DEFAMATION - An act of communication that causes someone to be shamed, ridiculed, held in contempt, lowered in the estimation of the community, or to lose employment status or earnings or otherwise suffer a damaged reputation. Such defamation is couched in 'defamatory language'. Libel and slander are defamation. - http://www.lectlaw.com/def/d021.htm Since the work in question is not spoken I will assume that you or your client is claiming that the article is "libelous." As best I know, and I am not a lawyer, there are a few keep points of libel / slander; it must be harmful, it must be untrue and it must be done with malicious intent. Please feel free to quote the exact wording of the law if one of these points is not true. Again, let's examine the facts of the e-mail I sent: 1. I cite my source for the definition of defamation so that we make sure we're on the same page. 2. I clearly indicate that the work in question is written and therefore your client thinks it is 'libelous'. 3. I mention a few points of "libel / slander" because they both go to the definition of defamation, one being spoken, the other written. At this point you could have quoted the law showing me where I was wrong but instead, you decided to ignore what I wrote and mock me saying I need to consult a lawyer. It is clear from our e-mails that you need to consult a computer forensic specialist much more than I need to consult a lawyer. : I suggest you contact a lawyer who can appropriately advise you on the : issues we have raised. Do you think they could also advise me on SLAPP suits? : Finally, you threaten to publish our letter, as well as your response : even though it was sent to you in a manner suggested by you and solely : in an attempt to see if we can amicably resolve this matter. If you : elect to publish the letters, please understand you do so without our : consent and with knowledge that your response contains additional : defamatory material (asserting that member data was compromised) which : does nothing to resolve, but merely exacerbates, the current situation. Nice try buddy. All of this pedantic dribble is essentially Medica saying we defamed them. If I publish these letters it isn't "additional defamatory material" because I stated my opinion about the content of our web page, explained it, cited my source / reasoning and asked you to refute any of it with fact. You could not do so. : The web is a powerful and important tool to provide information to : people throughout the world. It is important that we utilize this tool : in a responsible fashion. I trust we can move forward and amicably : resolve this dispute. Other information sources we have contacted : appear to have appreciated our bringing the error to their attention and : giving them an opportunity to correct the problem short of litigation. : The same offer remains open to you. I hope that you take a similar : view. Other information sources blindly removing content regardless of fact doesn't make their actions right or Medica right. Because other web sites will instantly cave in to legal threats means very little to me other than the fact that I can't trust their data or numbers. This is not our first trip to the legal threat rodeo, sir. Jared E. Richo attrition.org p.s. As our system disclaimer says, all mails regarding this will be published on our web site and distributed to parties we feel would be interested in this matter, including security groups, journalists and more.


From: "Magarian, Edward" 
To: jericho[at]attrition.org
Date: Fri, 2 Feb 2007 13:36:40 -0600
Subject: FW: Medica/attrition.org Letter


VIA E-MAIL
Jared E. Richo
attrition.org
jericho[at]attrition.org
Re: Attrition.org

Dear Mr. Richo:

I received your most recent e-mail.  We were prepared to resolve this matter 
after our exchange of letters because it appeared you had removed the chart 
listing my client on line 110, noting a loss related to 1,200,000 members 
due to fraud.  As you appeared to recognize in your e-mails to me, that chart 
does not contain any of the qualifying language upon which you rely, 
and we can find none.  Therefore, we appreciated your decision to remove the 
chart from your web site.

Unfortunately, we have recently checked your site again and discovered that 
the information has been reposted. I hope that this was in error, and in that 
spirit, am writing you to request that you simply remove the one reference to 
my client on that chart.

I look forward to your reply and confirmation.
Ed Magarian
Partner
Dorsey & Whitney LLP



From: security curmudgeon (jericho[at]attrition.org)
To: "Magarian, Edward" (Magarian.Edward@dorsey.com)
Cc: legal[at]attrition.org
Date: Thu, 8 Feb 2007 01:37:17 -0500 (EST)
Subject: Re: FW: Medica/attrition.org Letter


Hello Edward,

: I received your most recent e-mail.  We were prepared to resolve this
: matter after our exchange of letters because it appeared you had removed
: the chart listing my client on line 110, noting a loss related to
: 1,200,000 members due to fraud.  As you appeared to recognize in your
: e-mails to me, that chart does not contain any of the qualifying
: language upon which you rely, and we can find none.  Therefore, we
: appreciated your decision to remove the chart from your web site.

As I will show, my response to your previous email points out three
issues, neither of which you either clarified or appear to have
understood:

First, you originally wrote:

  : I specifically addressed your attention to item number 10 on the chart
  : contained at that location because it specifically referenced Medica
  : and its 1.2 million subscribers.  There was no qualifying language.
  : From my review or your site today, it appears as though you have
  : chosen to remove that chart from your site.  I appreciate your
  : willingness to do so.

To which I replied:

  : We did not host a chart with an item "number 10" or "Medica". I am not
  : sure to which page you are referring but I have a feeling that you are
  : confusing us with another site. We have not removed any content from
  : the Dataloss page as of this mail.

The "chart" you are referring to is the Data Loss Database - Open Source
(DLDOS), a comma delimited database. This file was *never* removed from
our site. Your claim that we removed it to comply with your threat and
then subsequently added it back to the site is false.

Second, you originally wrote:

  : Please confirm that you have not placed that chart elsewhere in
  : your website, or if you have, that it no longer includes Medica

You failed to give a citational URL for the "chart" originally and made us
go through some 40,000 pages of content trying to figure out how a "chart"
was supposedly added to our site that referenced your client, without our
permission. I can confirm that the database (not "chart") does not
appear elsewhere in our website.

Third, you originally wrote:

  : As you appeared to recognize in your e-mails to me, that chart does
  : not contain any of the qualifying language upon which you rely, and
  : we can find none.

You then followed up with:

  : Second, the qualifying language you point to (i.e., the word "may")
  : does not change the fact that the information is false.

You now say you can find no "qualifying language" on a "chart" that you
can't point me to, but then admit that there in fact is, by your own
admission, qualifying language (i.e., the word "may")?

That's a non-sequitor, Ed.  Look it up.

: Unfortunately, we have recently checked your site again and discovered
: that the information has been reposted. I hope that this was in error,
: and in that spirit, am writing you to request that you simply remove the
: one reference to my client on that chart. I look forward to your reply
: and confirmation.

Nothing was removed or reposted, because per my comment previously mailed
to you, which you apparently either ignored or neglected to fathom:

  : We have not removed any content from the Dataloss page as of this
  : mail.

It should also be noted that in your original email, you mentioned THREE
references to your client on either our "chart" or site. In your most
recent email, you now say "the one reference". Which is it, Ed? Three?
One? Chart? Site? Does your client even know you're spending this much
time on what amounts to a SLAPP suit? Think the StarTribune might be
interested? Speaking of, did you ever get them to retract the article that
is still available on their web site?

That said, here is where we are. In the spirit of good-will, and in the
spirit of being fair and accurate, we have added additional language
explaining our resources:

http://attrition.org/dataloss/dldos.html

  "This list includes incidents that may or may not have resulted in
  information exposure."

http://attrition.org/dataloss/dataloss.csv

  # Please read http://attrition.org/dataloss/dldos.html for details 
    about this database. ,,,,,,,,,,,,,,,,,,
  # This list includes incidents that may or may not have resulted in 
    information exposure.,,,,,,,,,,,,,,,,,,

And finally, to help educate consumers and companies that were impacted by
such incidents, we have written an article explaining that digital
forensics can not conclusively prove data was or was not accessed. If you
re-read my last mails to you this should be a familiar point I made. The
Star Tribune article that seemingly quotes someone from Medica indicates
that forensic evidence was destroyed. Given the unreliable evidence, the
period of access the former employees enjoyed and the uncertainty of the
events during that time, Medica simply can not truthfully and factually
state beyond reasonable doubt that the information was not accessed or
disclosed.

  http://attrition.org/dataloss/forensics.html

If the Star Tribune retracts, corrects or updates their article we will
reevaluate the information we have posted and consider removing or editing
as needed.


Jared E. Richo
attrition.org


At this point, Ed stopped mailing us and we haven't heard anything since. As promised, we are sharing the mails in full. A few other pieces of information we dug up while laughing through this legal masturbation.

Our friend Ed has been on the other side: http://www.wal-martlitigation.com/99verdic.htm

Minnesota Man Sues Wal-Mart for Defamation, False Imprisonment and Negligent Infliction of Emotional Distress After Store Employee Detains and Accuses Plaintiff . Judgment for Plaintiff on Defamation Affirmed, Judgments for Plaintiffs on False Imprisonment and Negligence Reversed, $180,000 General Damages Award Remanded for New Trial - Gregg J. Smits v. Wal-Mart, 525 N.W.2d 554 (Minn. App. 1994). Ronald H. McLean and Jane L. Dynes, Fargo, ND for plaintiff. David A. Ranheim, Michael J. Wahoska and Edward B. Magarian, Minneapolis, MN for Wal-Mart.

At the time these emails were received, the Director of Security at Medica was Chris Grillo (chris.grillo@medica.com) who was previously an instructor at Computer Security Institute. Perhaps he could have explained how Medica was so certain nothing happened despite having previously admitted that evidence was destroyed. Perhaps he could have taken a CSI course on forensics?

[an error occurred while processing this directive]