This article from Computer World asks the question "When Does a Privacy Breach Cause Harm?" and then proceeds to take U.S. courts to task for failing to recognize damages from security breaches beyond verifiable damages from identity theft or account fraud. While I agree that U.S. courts have done an atrocious job with respect to protecting privacy (see, e.g., here, describing the 7th Circuit's statement that plaintiffs could not proceed on an action based on a data security breach, despite circumstances showing that the breach was caused by identity thieves), I have to take issue with the analysis offered in the article. The article states that the problem with what courts have done is that they have overlooked "[t]he assault to personality and feelings [that is] the quintessential privacy injury." That rationale just doesn't work for me. Human feelings are notoriously hard to quantify, which means that damages based on assaults to personality and feelings would likely swing wildly from case to case and judge to judge, even if the actual underlying facts in particular cases are similar. Moreover, basing damages on feelings of loss and assault to personality runs the significant risk that juries will simply decide that those losses are too small to justify compensating, since studies (e.g., here) have shown that most people place little to no value on the privacy of their personal information.
A better option, and one I happen to agree with, is that businesses which suffer a security breach through their own fault (e.g., negligence) should be held responsible for the quantifiable damages caused by that breach, even if there is no subsequent identity theft. For example, time spent by customers replacing credit cards whose numbers were stolen, or the cost of various identity theft protection services, is easily determined and would serve as a measure of damages that courts could readily compute and assess. Indeed, since limiting damages to those directly caused by identity theft or account fraud provides an incentive for consumers not to prevent identity theft, making companies responsible for quantifiable costs would improve the status quo by increasing the level of protection given to privacy by courts, while avoiding the difficulties of trying to quantify injuries to personality. To me, that's a far superior alternative to relying on damages to personal integrity, which are both hard to quantify and easy to undermine.
via The Dunning Letter.
PostScript: I am well aware that laws vary tremendously from state to state. My statements regarding the state of current privacy laws reflect the holding in Pisciotta v. Old National Bancorp, in which the 7th Circuit addressed the issue of damages for a data security breach in the absence of subsequent identity theft.