What Should Be The Legal Recourse In Cases Of Privacy Policy Breaches?

from the big-questions dept

Privacy is an interesting issue -- where a lot of people have opinions on it that don't match up with either how they act or with what the law actually says. People say privacy is important to them, but then are very open about private things, even to the point of giving out all sorts of private info if someone gives them anything (chocolate, a pen, nothing at all). Yet, at the same time, if you talk to people about privacy, they talk about how important it is, and make silly demands about privacy policies, even though no one actually reads the policies, and assume (incorrectly) that if a site has any privacy policy, it means they'll keep the data completely private.

And, of course, we see privacy breaches on an all too regular basis. They've become a lot more noticeable over the last few years, as new rules required disclosure, but there are still questions about what it means if a company breaches its privacy policy. The traditional recourse has been one free year of credit monitoring service (if the breach included info that could be used for identity fraud). However, there have been some lawsuits over the matter, and as Ethan Ackerman and Eric Goldman discuss, the courts have been very reluctant to reward any damages to those who were "victims" of privacy breaches if there's no clear monetary loss.

This leads to a series of interesting questions. Congress has considered at times creating privacy legislation that could potentially include statutory damages for privacy breaches (and there are a few ideas for such legislation floating around with lobbyists). The problem with this, though, is that in some cases breaches really are inevitable -- and including a monetary reward could clearly (as Goldman notes) "overcompensate the victim or overdeter the defendant." That could have pretty significant unintended consequences, including significantly limiting the availability of certain services as companies don't want to take on the potential liability. At the same time, without any chance of monetary damages, there's a question about leaving little in the way of incentives for companies to actually take privacy seriously.

There's something to be said for the fact that a privacy breach does have a negative reputational impact on the companies who violate people's privacy, but it's reaching a point of saturation, where so many people's private info has been breached so often, that many people don't even register who's involved each time the latest breach comes along. So, it's not clear that there's a really good answer here -- though, I'm sure some folks in the comments will have some strong opinions. Should there be monetary awards for privacy breaches? Should Congress create a privacy law?


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Feb 4th, 2009 @ 4:03pm

    I think it should depend on how the breach happened. if they willingly allowed the breach (whether through flawed ancient versions of applications, or outright selling of information) then punishments should be high. if it was unavoidable, then the punishment should be low or, depending on how much information was revealed, non-existent. I agree that consumer good-will is very important, but it will not always be a deterrent.

    although I have a suspicion there are already laws that we could use to go after someone who willfully breached the privacy contract.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, Feb 4th, 2009 @ 4:11pm

    I will settle just for knowing why I cant have my bank call my cell phone to authorize debit card charges, which are frozen at the processing end until I enter my pin number on my cell phone.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Feb 4th, 2009 @ 4:35pm

    Unavoidable?

    if it was unavoidable,...

    Can you cite some recent examples of data breaches that have occurred that were absolutely unavoidable?

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Anonymous Coward, Feb 4th, 2009 @ 4:41pm

    Re: Unavoidable?

    That is partly my point. Most are avoidable. Most happen because people don't treat the data with the respect and care it deserves and they should be punish.

    There are, however, times when the breach was unavoidable, or nearly so. If a cracker uses a flaw that is undiscovered or not documented to gain access, then the company shouldn't suffer unduly.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Thom, Feb 4th, 2009 @ 5:18pm

    Start by

    Start by regulating what data can be stored and for how long, fining anyone who's caught violating those regulations. Also, those who violate the regulations AND suffer breaches should face very severe fines, possible criminal penalties, and absolute mandatory reimbursement of and and all losses the customers face. Oh, and throw in mandatory punative damages awarded to each victim too.

    For those who follow the guidelines, storing minimal data that will lessen the usefulness should breaches occur, the penalties would be lesser.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, Feb 4th, 2009 @ 5:26pm

    Appropriate Penalty

    I think maybe an appropriate penalty would be for the guilty party to pay for individual lifetime insurance policies to fully cover the victims for any future monetary loses possibly resulting from the breach. That way the insurance companies who are supposed to be risk analysis experts can compute the risk created by the breach and set their policy prices accordingly. The insurance companies would then assume the cost of credit monitoring to reduce their risk. The cost for all this would thus be market driven.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Feb 4th, 2009 @ 5:32pm

    Re: Re: Unavoidable?

    I suppose then the answer would be no, you can't cite any such examples.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Dan, Feb 4th, 2009 @ 5:36pm

    The majority of privacy breaches are caused by security negligence, ie: TJ Max, in which case they should be liable. Another blatant case would be the state of Wisconsin printing SS# on address labels on two separate mailings from different agencies, subcontracted to EDS. The first mistake was EDS's, the second was Wisconsin's for sending EDS another job. It is sad when you have to pay someone else to make mistakes for you.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    Steve R. (profile), Feb 4th, 2009 @ 5:47pm

    Companies are really not Interested in Data Protection

    This really gets back to corporate ethics. Corporations really have no interest in protecting customer data since it would crimp their ability to extort revenue from their customers.

    Data breaches can be "solved" by companies doing the following:
    1. Don't sell/rent/trade customer data
    2. Add a pin number to all credit cards
    3. Don't send credit card solicitations in the mail.
    4. Don't send those "convenience" checks.
    5. Don't give credit to those who can't afford it.
    6. Don't telemarket
    7. Only use Opt-in strategies.
    8. Banks want to charge for "protection" services that should be provided free of charge as part of their fiduciary duty to protect your money.

    If it crimps business too bad. It's unfortunate that in American culture that corporations seem to be given a free pass to do whatever whimsical action they want to make a buck, but it is the responsibility of the customer to protect themselves. It should not be the sole responsibility of the customer to protect themselves. Corporations need to realize that they are the problem and they can resolve these issues by being responsible.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Feb 4th, 2009 @ 6:13pm

    Re: Companies are really not Interested in Data Protection

    Good list, SteveR!

    But you forgot one thing. This is important, hence the caps:

    DONT DO BUSINESS WITH INSTITUTIONS WHICH HAVE CALLCENTERS OUTSIDE OF THE USA, WHERE US PRIVACY LAWS AREN'T ENFORCEABLE.

    sorry for shouting.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    jonnyq, Feb 4th, 2009 @ 6:48pm

    Would it not fall under advertising law? Should it?

    If I use your service (even for free) and you reneg on your privacy policy, would that be a form of false advertising? Should it?

     

    reply to this | link to this | view in thread ]

  12.  
    icon
    Steve R. (profile), Feb 4th, 2009 @ 8:01pm

    Data Breaches More Costly Than Ever

    Brain Krebs of the Washington Post reports Data Breaches More Costly Than Ever

    A short summary, Krebs writes "Organizations that experienced a data breach paid an average of $6.6 million last year to rebuild their brand image and retain customers following public disclosures of the incidents, according to a new study." Of course the sponsor of the study may not be exactly neutral.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Steve H, Feb 5th, 2009 @ 4:17am

    Maybe we should make the breaches less dangerous

    We should concentrate on making the private information less useful (less dangerous). Your social security number shouldn't be a password that unlocks so much information.

    This is the 21st Century there must be another way of identifying people.

    Then there would be no requirement for a monetary reward.

    A privacy breach is then just a risk you take by partaking in the modern world. Possibly embarassing, but not damaging in nearly the same way.

    That's why people get upset - they aren't worried about the data itself - it's what people can do with it that is the problem.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Feb 5th, 2009 @ 11:07am

    Re: Re: Re: Unavoidable?

    can't and didn't are two different things, as any native english speaker should know.

    Just because he didn't post any examples doesn't mean there aren't. He also didn't even say they were common place and the way he worded what he said could also mean that in the future. Can you conclusively prove that there will never a time where being hacked or having the information otherwise leak out was unavoidable?

    In reality the only way to avoid being hacked if someone truly wants to get in is to not be connected to a network. the only way to stop people getting data to and from the servers is to never let them touch a computer networked to them. A employee with proper motivation could do such things, why should the company be held liable for the employee's actions that violate all company policies and potentially the law?

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Feb 5th, 2009 @ 1:25pm

    Re: Re: Re: Re: Unavoidable?

    can't and didn't are two different things, as any native english speaker should know.

    Any native English speaker should also know the meaning of the word "suppose." Additionally, any native English writer should know to capitalize the word "English" above. Your failure on both counts leads me to suppose that either English is not a native language for you or that you are ignorant.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Feb 9th, 2009 @ 7:17am

    Re: Re: Re: Re: Re: Unavoidable?

    So, instead of replying to the actual meat of the post you simply resort to insults while ignoring all else. That's too bad, I would have liked to have a meaningful discussion.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    John J., Nov 23rd, 2009 @ 7:15am

    "Companies are really not Interested in Data Protection

    This really gets back to corporate ethics. Corporations really have no interest in protecting customer data since it would crimp their ability to extort revenue from their customers."

    Yikes! While I believe and whole-heartedly agree with you that companies do not put anywhere near the amount of effort they should into data protection, I don't think their reasoning is as sinister as you are making it seem. There is a general feeling in business of safety. Unless you have been hacked, you not only think it won't happen, you tend to get more and more lax over time until you are practically inviting an attack. So, I think that these companies DO care, they just need that all too unfortunate reality check before they begin to SHOW that they care. Unfortunately, that reality check usually comes at the loss of massive amounts of data, credibility and money.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This