What Should Be The Legal Recourse In Cases Of Privacy Policy Breaches?
from the big-questions dept
Privacy is an interesting issue -- where a lot of people have opinions on it that don't match up with either how they act or with what the law actually says. People say privacy is important to them, but then are very open about private things, even to the point of giving out all sorts of private info if someone gives them anything (chocolate, a pen, nothing at all). Yet, at the same time, if you talk to people about privacy, they talk about how important it is, and make silly demands about privacy policies, even though no one actually reads the policies, and assume (incorrectly) that if a site has any privacy policy, it means they'll keep the data completely private.And, of course, we see privacy breaches on an all too regular basis. They've become a lot more noticeable over the last few years, as new rules required disclosure, but there are still questions about what it means if a company breaches its privacy policy. The traditional recourse has been one free year of credit monitoring service (if the breach included info that could be used for identity fraud). However, there have been some lawsuits over the matter, and as Ethan Ackerman and Eric Goldman discuss, the courts have been very reluctant to reward any damages to those who were "victims" of privacy breaches if there's no clear monetary loss.
This leads to a series of interesting questions. Congress has considered at times creating privacy legislation that could potentially include statutory damages for privacy breaches (and there are a few ideas for such legislation floating around with lobbyists). The problem with this, though, is that in some cases breaches really are inevitable -- and including a monetary reward could clearly (as Goldman notes) "overcompensate the victim or overdeter the defendant." That could have pretty significant unintended consequences, including significantly limiting the availability of certain services as companies don't want to take on the potential liability. At the same time, without any chance of monetary damages, there's a question about leaving little in the way of incentives for companies to actually take privacy seriously.
There's something to be said for the fact that a privacy breach does have a negative reputational impact on the companies who violate people's privacy, but it's reaching a point of saturation, where so many people's private info has been breached so often, that many people don't even register who's involved each time the latest breach comes along. So, it's not clear that there's a really good answer here -- though, I'm sure some folks in the comments will have some strong opinions. Should there be monetary awards for privacy breaches? Should Congress create a privacy law?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: breaches, privacy, privacy policies, recourse
Reader Comments
Subscribe: RSS
View by: Time | Thread
although I have a suspicion there are already laws that we could use to go after someone who willfully breached the privacy contract.
[ link to this | view in chronology ]
Unavoidable?
Can you cite some recent examples of data breaches that have occurred that were absolutely unavoidable?
[ link to this | view in chronology ]
Re: Unavoidable?
There are, however, times when the breach was unavoidable, or nearly so. If a cracker uses a flaw that is undiscovered or not documented to gain access, then the company shouldn't suffer unduly.
[ link to this | view in chronology ]
Re: Re: Unavoidable?
[ link to this | view in chronology ]
Re: Re: Re: Unavoidable?
Just because he didn't post any examples doesn't mean there aren't. He also didn't even say they were common place and the way he worded what he said could also mean that in the future. Can you conclusively prove that there will never a time where being hacked or having the information otherwise leak out was unavoidable?
In reality the only way to avoid being hacked if someone truly wants to get in is to not be connected to a network. the only way to stop people getting data to and from the servers is to never let them touch a computer networked to them. A employee with proper motivation could do such things, why should the company be held liable for the employee's actions that violate all company policies and potentially the law?
[ link to this | view in chronology ]
Re: Re: Re: Re: Unavoidable?
Any native English speaker should also know the meaning of the word "suppose." Additionally, any native English writer should know to capitalize the word "English" above. Your failure on both counts leads me to suppose that either English is not a native language for you or that you are ignorant.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Unavoidable?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Start by
For those who follow the guidelines, storing minimal data that will lessen the usefulness should breaches occur, the penalties would be lesser.
[ link to this | view in chronology ]
Appropriate Penalty
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Companies are really not Interested in Data Protection
Data breaches can be "solved" by companies doing the following:
1. Don't sell/rent/trade customer data
2. Add a pin number to all credit cards
3. Don't send credit card solicitations in the mail.
4. Don't send those "convenience" checks.
5. Don't give credit to those who can't afford it.
6. Don't telemarket
7. Only use Opt-in strategies.
8. Banks want to charge for "protection" services that should be provided free of charge as part of their fiduciary duty to protect your money.
If it crimps business too bad. It's unfortunate that in American culture that corporations seem to be given a free pass to do whatever whimsical action they want to make a buck, but it is the responsibility of the customer to protect themselves. It should not be the sole responsibility of the customer to protect themselves. Corporations need to realize that they are the problem and they can resolve these issues by being responsible.
[ link to this | view in chronology ]
Re: Companies are really not Interested in Data Protection
But you forgot one thing. This is important, hence the caps:
DONT DO BUSINESS WITH INSTITUTIONS WHICH HAVE CALLCENTERS OUTSIDE OF THE USA, WHERE US PRIVACY LAWS AREN'T ENFORCEABLE.
sorry for shouting.
[ link to this | view in chronology ]
If I use your service (even for free) and you reneg on your privacy policy, would that be a form of false advertising? Should it?
[ link to this | view in chronology ]
Data Breaches More Costly Than Ever
A short summary, Krebs writes "Organizations that experienced a data breach paid an average of $6.6 million last year to rebuild their brand image and retain customers following public disclosures of the incidents, according to a new study." Of course the sponsor of the study may not be exactly neutral.
[ link to this | view in chronology ]
Maybe we should make the breaches less dangerous
This is the 21st Century there must be another way of identifying people.
Then there would be no requirement for a monetary reward.
A privacy breach is then just a risk you take by partaking in the modern world. Possibly embarassing, but not damaging in nearly the same way.
That's why people get upset - they aren't worried about the data itself - it's what people can do with it that is the problem.
[ link to this | view in chronology ]
This really gets back to corporate ethics. Corporations really have no interest in protecting customer data since it would crimp their ability to extort revenue from their customers."
Yikes! While I believe and whole-heartedly agree with you that companies do not put anywhere near the amount of effort they should into data protection, I don't think their reasoning is as sinister as you are making it seem. There is a general feeling in business of safety. Unless you have been hacked, you not only think it won't happen, you tend to get more and more lax over time until you are practically inviting an attack. So, I think that these companies DO care, they just need that all too unfortunate reality check before they begin to SHOW that they care. Unfortunately, that reality check usually comes at the loss of massive amounts of data, credibility and money.
[ link to this | view in chronology ]