What Should Be The Legal Recourse In Cases Of Privacy Policy Breaches?

from the big-questions dept

Wed, Feb 4th 2009 3:06pm — Mike Masnick

Privacy is an interesting issue -- where a lot of people have opinions on it that don't match up with either how they act or with what the law actually says. People say privacy is important to them, but then are very open about private things, even to the point of giving out all sorts of private info if someone gives them anything (chocolate, a pen, nothing at all). Yet, at the same time, if you talk to people about privacy, they talk about how important it is, and make silly demands about privacy policies, even though no one actually reads the policies, and assume (incorrectly) that if a site has any privacy policy, it means they'll keep the data completely private.

And, of course, we see privacy breaches on an all too regular basis. They've become a lot more noticeable over the last few years, as new rules required disclosure, but there are still questions about what it means if a company breaches its privacy policy. The traditional recourse has been one free year of credit monitoring service (if the breach included info that could be used for identity fraud). However, there have been some lawsuits over the matter, and as Ethan Ackerman and Eric Goldman discuss, the courts have been very reluctant to reward any damages to those who were "victims" of privacy breaches if there's no clear monetary loss.

This leads to a series of interesting questions. Congress has considered at times creating privacy legislation that could potentially include statutory damages for privacy breaches (and there are a few ideas for such legislation floating around with lobbyists). The problem with this, though, is that in some cases breaches really are inevitable -- and including a monetary reward could clearly (as Goldman notes) "overcompensate the victim or overdeter the defendant." That could have pretty significant unintended consequences, including significantly limiting the availability of certain services as companies don't want to take on the potential liability. At the same time, without any chance of monetary damages, there's a question about leaving little in the way of incentives for companies to actually take privacy seriously.

There's something to be said for the fact that a privacy breach does have a negative reputational impact on the companies who violate people's privacy, but it's reaching a point of saturation, where so many people's private info has been breached so often, that many people don't even register who's involved each time the latest breach comes along. So, it's not clear that there's a really good answer here -- though, I'm sure some folks in the comments will have some strong opinions. Should there be monetary awards for privacy breaches? Should Congress create a privacy law?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breaches, privacy, privacy policies, recourse

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 4 Feb 2009 @ 4:03pm

I think it should depend on how the breach happened. if they willingly allowed the breach (whether through flawed ancient versions of applications, or outright selling of information) then punishments should be high. if it was unavoidable, then the punishment should be low or, depending on how much information was revealed, non-existent. I agree that consumer good-will is very important, but it will not always be a deterrent.

although I have a suspicion there are already laws that we could use to go after someone who willfully breached the privacy contract.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Feb 2009 @ 4:35pm
  
  Unavoidable?
  if it was unavoidable,...
  
  Can you cite some recent examples of data breaches that have occurred that were absolutely unavoidable?
  [ link to this | view in chronology ]
  - Anonymous Coward, 4 Feb 2009 @ 4:41pm
    
    Re: Unavoidable?
    That is partly my point. Most are avoidable. Most happen because people don't treat the data with the respect and care it deserves and they should be punish.
    
    There are, however, times when the breach was unavoidable, or nearly so. If a cracker uses a flaw that is undiscovered or not documented to gain access, then the company shouldn't suffer unduly.
    [ link to this | view in chronology ]
    - Anonymous Coward, 4 Feb 2009 @ 5:32pm
      
      Re: Re: Unavoidable?
      I suppose then the answer would be no, you can't cite any such examples.
      [ link to this | view in chronology ]
      - Anonymous Coward, 5 Feb 2009 @ 11:07am
        
        Re: Re: Re: Unavoidable?
        can't and didn't are two different things, as any native english speaker should know.
        
        Just because he didn't post any examples doesn't mean there aren't. He also didn't even say they were common place and the way he worded what he said could also mean that in the future. Can you conclusively prove that there will never a time where being hacked or having the information otherwise leak out was unavoidable?
        
        In reality the only way to avoid being hacked if someone truly wants to get in is to not be connected to a network. the only way to stop people getting data to and from the servers is to never let them touch a computer networked to them. A employee with proper motivation could do such things, why should the company be held liable for the employee's actions that violate all company policies and potentially the law?
        [ link to this | view in chronology ]
        
        Anonymous Coward, 5 Feb 2009 @ 1:25pm
        
        Re: Re: Re: Re: Unavoidable?
        can't and didn't are two different things, as any native english speaker should know.
        
        Any native English speaker should also know the meaning of the word "suppose." Additionally, any native English writer should know to capitalize the word "English" above. Your failure on both counts leads me to suppose that either English is not a native language for you or that you are ignorant.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 9 Feb 2009 @ 7:17am
        
        Re: Re: Re: Re: Re: Unavoidable?
        So, instead of replying to the actual meat of the post you simply resort to insults while ignoring all else. That's too bad, I would have liked to have a meaningful discussion.
        [ link to this | view in chronology ]
Anonymous Coward, 4 Feb 2009 @ 4:11pm

I will settle just for knowing why I cant have my bank call my cell phone to authorize debit card charges, which are frozen at the processing end until I enter my pin number on my cell phone.
[ link to this | view in chronology ]
Thom, 4 Feb 2009 @ 5:18pm

Start by
Start by regulating what data can be stored and for how long, fining anyone who's caught violating those regulations. Also, those who violate the regulations AND suffer breaches should face very severe fines, possible criminal penalties, and absolute mandatory reimbursement of and and all losses the customers face. Oh, and throw in mandatory punative damages awarded to each victim too.

For those who follow the guidelines, storing minimal data that will lessen the usefulness should breaches occur, the penalties would be lesser.
[ link to this | view in chronology ]
Anonymous Coward, 4 Feb 2009 @ 5:26pm

Appropriate Penalty
I think maybe an appropriate penalty would be for the guilty party to pay for individual lifetime insurance policies to fully cover the victims for any future monetary loses possibly resulting from the breach. That way the insurance companies who are supposed to be risk analysis experts can compute the risk created by the breach and set their policy prices accordingly. The insurance companies would then assume the cost of credit monitoring to reduce their risk. The cost for all this would thus be market driven.
[ link to this | view in chronology ]
Dan, 4 Feb 2009 @ 5:36pm

The majority of privacy breaches are caused by security negligence, ie: TJ Max, in which case they should be liable. Another blatant case would be the state of Wisconsin printing SS# on address labels on two separate mailings from different agencies, subcontracted to EDS. The first mistake was EDS's, the second was Wisconsin's for sending EDS another job. It is sad when you have to pay someone else to make mistakes for you.
[ link to this | view in chronology ]
Steve R. (profile), 4 Feb 2009 @ 5:47pm

Companies are really not Interested in Data Protection
This really gets back to corporate ethics. Corporations really have no interest in protecting customer data since it would crimp their ability to extort revenue from their customers.

Data breaches can be "solved" by companies doing the following:
1. Don't sell/rent/trade customer data
2. Add a pin number to all credit cards
3. Don't send credit card solicitations in the mail.
4. Don't send those "convenience" checks.
5. Don't give credit to those who can't afford it.
6. Don't telemarket
7. Only use Opt-in strategies.
8. Banks want to charge for "protection" services that should be provided free of charge as part of their fiduciary duty to protect your money.

If it crimps business too bad. It's unfortunate that in American culture that corporations seem to be given a free pass to do whatever whimsical action they want to make a buck, but it is the responsibility of the customer to protect themselves. It should not be the sole responsibility of the customer to protect themselves. Corporations need to realize that they are the problem and they can resolve these issues by being responsible.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Feb 2009 @ 6:13pm
  
  Re: Companies are really not Interested in Data Protection
  Good list, SteveR!
  
  But you forgot one thing. This is important, hence the caps:
  
  DONT DO BUSINESS WITH INSTITUTIONS WHICH HAVE CALLCENTERS OUTSIDE OF THE USA, WHERE US PRIVACY LAWS AREN'T ENFORCEABLE.
  
  sorry for shouting.
  [ link to this | view in chronology ]
jonnyq, 4 Feb 2009 @ 6:48pm

Would it not fall under advertising law? Should it?

If I use your service (even for free) and you reneg on your privacy policy, would that be a form of false advertising? Should it?
[ link to this | view in chronology ]
Steve R. (profile), 4 Feb 2009 @ 8:01pm

Data Breaches More Costly Than Ever
Brain Krebs of the Washington Post reports Data Breaches More Costly Than Ever

A short summary, Krebs writes "Organizations that experienced a data breach paid an average of $6.6 million last year to rebuild their brand image and retain customers following public disclosures of the incidents, according to a new study." Of course the sponsor of the study may not be exactly neutral.
[ link to this | view in chronology ]
Steve H, 5 Feb 2009 @ 4:17am

Maybe we should make the breaches less dangerous
We should concentrate on making the private information less useful (less dangerous). Your social security number shouldn't be a password that unlocks so much information.

This is the 21st Century there must be another way of identifying people.

Then there would be no requirement for a monetary reward.

A privacy breach is then just a risk you take by partaking in the modern world. Possibly embarassing, but not damaging in nearly the same way.

That's why people get upset - they aren't worried about the data itself - it's what people can do with it that is the problem.
[ link to this | view in chronology ]
John J., 23 Nov 2009 @ 7:15am

"Companies are really not Interested in Data Protection

This really gets back to corporate ethics. Corporations really have no interest in protecting customer data since it would crimp their ability to extort revenue from their customers."

Yikes! While I believe and whole-heartedly agree with you that companies do not put anywhere near the amount of effort they should into data protection, I don't think their reasoning is as sinister as you are making it seem. There is a general feeling in business of safety. Unless you have been hacked, you not only think it won't happen, you tend to get more and more lax over time until you are practically inviting an attack. So, I think that these companies DO care, they just need that all too unfortunate reality check before they begin to SHOW that they care. Unfortunately, that reality check usually comes at the loss of massive amounts of data, credibility and money.
[ link to this | view in chronology ]