Police Misconduct, Data Breaches, And The Ongoing Lack Of Accountability That Allows These To Continue

from the bad-cops-and-bad-corps dept

Data breaches occur daily, affecting thousands of people. And everyone shrugs and moves on with their lives, especially those running the affected companies. Why? Because nothing ever happens to companies which have carelessly exposed data, as Cory Doctorow points out:

Data breaches keep happening, they keep getting worse, and yet companies keep collecting our data in ever-more-invasive ways, subjecting it to ever-longer retention, and systematically underinvesting in security.

Why does this keep happening? Because it's affordable. In 2014, Home Depot breached more than 50,000,000 credit-cards; in 2016, they paid less than $0.34/customer in restitution.

There are longer-term reputational costs associated with breaches, but these are not generally factored into the quarterly-earnings-focused mindsets of corporate execs and strategists.

Two of the most damaging breaches in recent years involved millions of people who were given little or no choice in how much personal data of theirs was held by these entities. One was the Office of Personnel Management. Those seeking government jobs turn over a lot of info to the government, which then handles it carelessly.

The other -- Equifax -- was even worse, at least in terms of consent. There was none. No one voluntarily hands information to Equifax. It's gathered by Equifax which sells access to any number of companies seeking credit records. No one opts in and, more importantly, there's no way to opt out.

No one can hold these entities accountable, at least not to the extent it will deter future breaches. Because of that, the only thing we're guaranteed is more breaches. These companies and agencies will continue to exist, hoovering up even more personal data, and, eventually, leave it exposed where criminals can make the most of other people's finances.

From one wheelhouse to another, the same can be said for law enforcement agencies and police misconduct. In almost every case, a police officer sued for rights violations pays nothing for the wrongs committed. Neither does the agency employing the officer. This is from a study of police indemnification published by the New York University Law Review:

During the study period, governments paid approximately 99.98% of the dollars that plaintiffs recovered in lawsuits alleging civil rights violations by law enforcement. Law enforcement officers in my study never satisfied a punitive damages award entered against them and almost never contributed anything to settlements or judgments—even when indemnification was prohibited by law or policy, and even when officers were disciplined, terminated, or prosecuted for their conduct.

Officers are never made to personally feel the pain of a settlement. The officer often returns to work with only the minor black mark of a lost lawsuit on their record. Consequently, the violations continue because officers have nothing at stake. If they screw up, another government entity picks up the tab using taxpayer dollars.

The solution to this problem isn't as readily apparent as it might seem. Personal indemnification -- forcing officers to be held personally responsible for settlements stemming from rights violations -- seems like a good deterrent, but it has its downsides. Scott Greenfield has examined the issue and the flaws are right below the satisfying gloss covering the surface.

Often, the argument is that the solution to police violence is to make the cop personally liable for his conduct, shift the incentive system from the municipality, or more accurately its taxpayers, to the bad dude who did the dirty. Make him suffer.

The problem is that the cop may be judgment proof. If the cop has no wealth or assets, there is no fund from which to collect a judgment. You can’t get blood from a rock.

While this may be an effective deterrent, it doesn't do anything to make the plaintiff whole. Having a city cover the cost ensures the victim will be paid, but it lets the officer off the hook.

What's the solution? Perhaps it's a sharing of the burden. Officers could be made to carry their own litigation insurance. This would eliminate the free pass of outside indemnification by making every act of misconduct count. Get sued often enough and the insurance company will drop the officer. An officer without insurance is pretty much unemployable.

It's also a win for officers, who would no longer gripe about cities settling too easily with plaintiffs and other besmirching the barrel of apples by proxy. Sure, they won't be nearly as vocal about it when their own insurance coverage is on the line, but it will put their own insurance premiums where their mouths are, which would be small victory in and of itself.

Circling back outside to the original wheelhouse, what can be done to make companies actually care about data breaches? So far, nothing seems to be slowing the flow of carelessly exposed data. Doctorow has a suggestion, and it runs along the lines of the solution that (might!) work for law enforcement:

If companies were paying out damages commensurate with the social costs their data recklessness imposes on the rest of us, it would have a very clarifying effect on their behavior -- insurers would get involved, refusing to write E&O policies for board members without massive premium hikes, etc. A little would go a long way, here.

There are no perfect solutions. But we simply shouldn't settle for the status quo. Neither group will welcome increased accountability, but there's simply no reason we should continue to let them skate, either.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, data breach, police, police misconduct
Companies: equifax

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    Anonymous Anonymous Coward (profile), 19 Nov 2018 @ 4:45pm

    Re: Re: Another profit center.

    I am not against the idea of insurance. The way it has been implemented however. Insurance companies should be not for profit and with strict controls over administrative and compensation costs.

    There should also be controls over how they go about deciding whether or not to pay on claims. Indirectly, this would put a control on rates.

    There are probably more things needed to make the system work properly, making sure they retain sufficient funds for those payouts and how they are audited and invested, for example.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.