RSS
What Should Be The Legal Recourse In Cases Of Privacy Policy Breaches?
from the big-questions dept
Privacy is an interesting issue -- where a lot of people have opinions on it that don't match up with either how they act or with what the law actually says. People say privacy is important to them, but then are very open about private things, even to the point of giving out all sorts of private info if someone gives them anything (chocolate, a pen, nothing at all). Yet, at the same time, if you talk to people about privacy, they talk about how important it is, and make silly demands about privacy policies, even though no one actually reads the policies, and assume (incorrectly) that if a site has any privacy policy, it means they'll keep the data completely private.
And, of course, we see privacy breaches on an all too regular basis. They've become a lot more noticeable over the last few years, as new rules required disclosure, but there are still questions about what it means if a company breaches its privacy policy. The traditional recourse has been one free year of credit monitoring service (if the breach included info that could be used for identity fraud). However, there have been some lawsuits over the matter, and as Ethan Ackerman and Eric Goldman discuss, the courts have been very reluctant to reward any damages to those who were "victims" of privacy breaches if there's no clear monetary loss.
This leads to a series of interesting questions. Congress has considered at times creating privacy legislation that could potentially include statutory damages for privacy breaches (and there are a few ideas for such legislation floating around with lobbyists). The problem with this, though, is that in some cases breaches really are inevitable -- and including a monetary reward could clearly (as Goldman notes) "overcompensate the victim or overdeter the defendant." That could have pretty significant unintended consequences, including significantly limiting the availability of certain services as companies don't want to take on the potential liability. At the same time, without any chance of monetary damages, there's a question about leaving little in the way of incentives for companies to actually take privacy seriously.
There's something to be said for the fact that a privacy breach does have a negative reputational impact on the companies who violate people's privacy, but it's reaching a point of saturation, where so many people's private info has been breached so often, that many people don't even register who's involved each time the latest breach comes along. So, it's not clear that there's a really good answer here -- though, I'm sure some folks in the comments will have some strong opinions. Should there be monetary awards for privacy breaches? Should Congress create a privacy law?
17 Comments | Leave a Comment..
- If The Internet Is Treated Just Like The Offline World, We'd Never Have Ridiculous Laws Like SOPA/PIPA
- Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks
- Lamar Smith: Enemy Of The Internet? Defends Internet Snooping Bill
- Whistle-blowing Scientists (Trying To Prevent Dangerous Products From Reaching The Market) Sue FDA For Snooping On Their Personal Email Accounts
- Why Can't Europe Just Forget The Ridiculous Idea Of A 'Right To Be Forgotten'
Reader Comments (rss)
(Flattened / Threaded)
although I have a suspicion there are already laws that we could use to go after someone who willfully breached the privacy contract.
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Unavoidable?
Can you cite some recent examples of data breaches that have occurred that were absolutely unavoidable?
[ reply to this | link to this | view in thread ]
Re: Unavoidable?
There are, however, times when the breach was unavoidable, or nearly so. If a cracker uses a flaw that is undiscovered or not documented to gain access, then the company shouldn't suffer unduly.
[ reply to this | link to this | view in thread ]
Start by
For those who follow the guidelines, storing minimal data that will lessen the usefulness should breaches occur, the penalties would be lesser.
[ reply to this | link to this | view in thread ]
Appropriate Penalty
[ reply to this | link to this | view in thread ]
Re: Re: Unavoidable?
[ reply to this | link to this | view in thread ]
[ reply to this | link to this | view in thread ]
Companies are really not Interested in Data Protection
Data breaches can be "solved" by companies doing the following:
1. Don't sell/rent/trade customer data
2. Add a pin number to all credit cards
3. Don't send credit card solicitations in the mail.
4. Don't send those "convenience" checks.
5. Don't give credit to those who can't afford it.
6. Don't telemarket
7. Only use Opt-in strategies.
8. Banks want to charge for "protection" services that should be provided free of charge as part of their fiduciary duty to protect your money.
If it crimps business too bad. It's unfortunate that in American culture that corporations seem to be given a free pass to do whatever whimsical action they want to make a buck, but it is the responsibility of the customer to protect themselves. It should not be the sole responsibility of the customer to protect themselves. Corporations need to realize that they are the problem and they can resolve these issues by being responsible.
[ reply to this | link to this | view in thread ]
Re: Companies are really not Interested in Data Protection
But you forgot one thing. This is important, hence the caps:
DONT DO BUSINESS WITH INSTITUTIONS WHICH HAVE CALLCENTERS OUTSIDE OF THE USA, WHERE US PRIVACY LAWS AREN'T ENFORCEABLE.
sorry for shouting.
[ reply to this | link to this | view in thread ]
If I use your service (even for free) and you reneg on your privacy policy, would that be a form of false advertising? Should it?
[ reply to this | link to this | view in thread ]
Data Breaches More Costly Than Ever
A short summary, Krebs writes "Organizations that experienced a data breach paid an average of $6.6 million last year to rebuild their brand image and retain customers following public disclosures of the incidents, according to a new study." Of course the sponsor of the study may not be exactly neutral.
[ reply to this | link to this | view in thread ]
Maybe we should make the breaches less dangerous
This is the 21st Century there must be another way of identifying people.
Then there would be no requirement for a monetary reward.
A privacy breach is then just a risk you take by partaking in the modern world. Possibly embarassing, but not damaging in nearly the same way.
That's why people get upset - they aren't worried about the data itself - it's what people can do with it that is the problem.
[ reply to this | link to this | view in thread ]
Re: Re: Re: Unavoidable?
Just because he didn't post any examples doesn't mean there aren't. He also didn't even say they were common place and the way he worded what he said could also mean that in the future. Can you conclusively prove that there will never a time where being hacked or having the information otherwise leak out was unavoidable?
In reality the only way to avoid being hacked if someone truly wants to get in is to not be connected to a network. the only way to stop people getting data to and from the servers is to never let them touch a computer networked to them. A employee with proper motivation could do such things, why should the company be held liable for the employee's actions that violate all company policies and potentially the law?
[ reply to this | link to this | view in thread ]
Re: Re: Re: Re: Unavoidable?
Any native English speaker should also know the meaning of the word "suppose." Additionally, any native English writer should know to capitalize the word "English" above. Your failure on both counts leads me to suppose that either English is not a native language for you or that you are ignorant.
[ reply to this | link to this | view in thread ]
Re: Re: Re: Re: Re: Unavoidable?
[ reply to this | link to this | view in thread ]
This really gets back to corporate ethics. Corporations really have no interest in protecting customer data since it would crimp their ability to extort revenue from their customers."
Yikes! While I believe and whole-heartedly agree with you that companies do not put anywhere near the amount of effort they should into data protection, I don't think their reasoning is as sinister as you are making it seem. There is a general feeling in business of safety. Unless you have been hacked, you not only think it won't happen, you tend to get more and more lax over time until you are practically inviting an attack. So, I think that these companies DO care, they just need that all too unfortunate reality check before they begin to SHOW that they care. Unfortunately, that reality check usually comes at the loss of massive amounts of data, credibility and money.
[ reply to this | link to this | view in thread ]
Add Your Comment