Sunday, February 17, 2008

An Interesting Application of Privacy Laws

Here's an interesting article about a consumer who has used a data exposure notification law for a novel purpose: punishing an electronics distributor for bad customer service. What happened was as follows:
1) Raelyn Campbell brings her laptop into Best Buy for service.
2) Best Buy loses laptop.
3) Raelyn contacts Best Buy asking when her laptop will be ready.
4) Best Buy gives Raelyn the runaround.
5) Steps 3-4 repeated for four months.
6) Raelyn sues Best Buy...for $54,000,000.
So where's the privacy angle in all this? It turns out that the sequence of events described above should have included a step 2a) Tell Raelyn that her laptop, which contained her tax returns, was lost. The reason (other than the fact that it's the right thing to do from a moral and customer relations standpoint) is that such notification seems to be required by the District of Columbia's security breach notification act. That law, which it appears that Best Buy did not comply with, is the basis for Raelyn's $54,000,000 suit.

The next question, of course, is how much this is going to end up costing Best Buy. The short answer is: not $54,000,000. The relevant statute does authorize individuals to file suit against entities who have not complied with the statute's requirements (see here). However, it allows a recovery of actual damages plus costs (including attorney's fees), and Raelyn admits that the $54,000,000 figure was pulled out of the air for the purpose of making a statement. However, Best Buy isn't going to get off cheap either. When Raelyn originally learned that the laptop had been lost, she offered to settle with Best Buy for $2,100. As an attorney, I can safely say that Best Buy will spend more (likely much more) in legal fees just dealing with the case. Moreover, there's the cost of actually paying Raelyn's damages (cost of the laptop and any data stored on it, time wasted trying to get the laptop back, attorney's fees, and court costs). All in all, my guess is that before the end of this suit, Best Buy will institute a policy of simply replacing lost laptops for customers in states with security breach notification laws that allow for individual suit.

If that prediction turns out to be correct, it would be a powerful example of how allowing consumers to protect the security of their own data can have beneficial effects beyond consumer privacy (in this case improving customer service); something to consider when people ask why they should care about the privacy of information.
