Sunday, March 16, 2008

Problems with U.S. Courts' Treatment of Security Breach Damages

This article from Computer World asks the question "When Does a Privacy Breach Cause Harm?" and then proceeds to take U.S. courts to task for failing to recognize damages from security breaches beyond verifiable damages from identity theft or account fraud. While I agree that U.S. courts have done an atrocious job with respect to protecting privacy (see, e.g., here, describing the 7th Circuit's statement that plaintiffs could not proceed on an action based on a data security breach, despite circumstances showing that the breach was caused by identity thieves), I have to take issue with the analysis offered in the article. The article states that the problem with what courts have done is that they have overlooked "[t]he assault to personality and feelings [that is] is the quintessential privacy injury." That rationale just doesn't work for me. Human feelings are notoriously hard to quantify, which means that damages based on assaults to personality and feelings would likely swing wildly from case to case and judge to judge, even if the actual underlying facts in particular cases are similar. Moreover, basing damages on feelings of loss and assault to personality runs the significant risk that juries will simply decide that those losses are too small to justify compensating, since studies (e.g., here) have shown that most people place little to no value on the privacy of their personal information.
A better option, and one I happen to agree with, is for businesses that suffer a security breach through their own fault (e.g., negligence) to be held responsible for the quantifiable damages caused by that breach, even if there is no subsequent identity theft. For example, time spent by customers replacing credit cards with stolen numbers, or the cost of various identity theft protection services, is easily determined, and would serve as a measure of damages that courts could easily compute and assess. Indeed, since limiting damages to those directly caused by identity theft or account fraud provides an incentive for consumers not to prevent identity theft, making companies responsible for quantifiable costs would improve the status quo by increasing the level of protection given to privacy by courts, while avoiding the difficulties of trying to quantify injuries to personality. To me, that's a far superior alternative to relying on damages to personal integrity, which are both hard to quantify and easy to undermine.

via The Dunning Letter.

PostScript: I am well aware that laws vary tremendously from state to state. My statements regarding the state of current privacy laws reflect the holding in Pisciotta v. Old National Bancorp, in which the 7th Circuit addressed the issue of damages for a data security breach in the absence of subsequent identity theft.
