Why Bother With Data Protection?

from the thanks-for-the-help dept

We’ve pointed out in our coverage of companies’ data leaks that there’s little incentive for them to spend much time or many resources on data protection, since the repercussions and costs of leaks are minimal. An interesting piece from Security Focus has taken a closer look at a case in which a person sued their student loan company after their information — along with 550,000 other people’s — was leaked when a contractor’s laptop was stolen. The court ruled in favor of the loan company, with the decision resting on whether or not the company had taken “reasonable” precautions to protect data. It’s a totally subjective standard that’s superficially imposed. As the article points out, the court said that the company had security policies and “safeguards” in place, but never actually examined whether or not they were effective, enforced or proper. Apparently the mere existence of some type of policy — regardless of what that policy actually is — is now enough for companies to eschew any liability for leaking consumers’ data.



Comments on “Why Bother With Data Protection?”

9 Comments
Dan Geer says:

re: Why bother with data protection

The reasonable standards rule is established jurisprudential precedent, specifically the “Hand Rule” for assessing liability, named after Justice Learned Hand in U.S. v. Carroll Towing Co., 159 F.2d 169, 174 (2nd Circuit 1947).

Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL.

But to be less legalistic, everyone should realize that the absence of liability judgements that sting is a temporary condition and, IMHO, the absence of software liability is likewise a temporary condition. The fraction of corporate wealth that is data is rising (i.e., the valuation of data is rising faster than the valuation of the companies who hold it) and thus all the rules about the prudent man, reasonable care, strict liability, tort, and so forth are all in play and must soon conform to a world in which damage to a data asset can only be treated with equivalent gravity to burning down the factory or selling a defective minivan. The larger law firms are all now fielding data liability or data protection practices and it is raining regulations (viz., new ways you can be found to be liable for someone else’s hurt).

Anonymous Coward says:

Re: How lame

And when Congress gets involved it will be to set some kind of cap on the liability that companies face due to “data exposure”.

I can see it now. If your data is “exposed”, you can file a claim with the corporation responsible and, if your claim is legitimate, you will be entitled to $250.

Now, you just have to find the “responsible” company (“Oh, wait, that was a subcontractor, not us!”), find the obscure link on their website, file your claim, have it rejected, appeal the rejection, spend hours gathering information about your claim, spend more hours on hold, have your claim approved, wait six months, receive check, deposit check in bank, while at bank find out that your identity has been stolen, threaten to sue bank, bank manager says that your “claim” has already been resolved, realize that you are completely screwed.

Sound about right?
