Sunday, May 11, 2008

Pricing Personal Privacy

One perennial problem plaguing plaintiffs pursuing privacy protective pleadings is the difficulty in showing damages. When people have gone to court to try to obtain compensation from companies that exposed their personal data in a security breach incident (e.g., DSW Shoe, TJX, etc.), they have consistently lost because the courts say that they can't show damage, and therefore can't be compensated. One approach to this has been to try to argue that expenditures for dealing with the exposure of personal information (e.g., money spent on credit monitoring) should be compensated. However, courts have by and large rejected that approach, concluding that money spent on credit monitoring is intended to prevent future loss, and therefore isn't damages which the court can compensate.

However, according to this article from C|NET, criminal identity thieves have no problem valuing stolen data which has not yet been used for identity theft. Indeed, there was even a price list found on a server containing stolen business and personal data which said exactly what various accounts were worth (e.g., bank account with $16,040 had an asking price of 700 Euros; bank account with $14,400 had an asking price of 600 Euros, etc.). Now, do I think that courts should start using the price lists of criminal identity thieves to determine how to compensate victims in security breaches? No. I think a much better measure of damages would be quantifiable damages, such as the cost of replacing compromised credit cards (something I discussed here). However, even if the prices given for stolen accounts shouldn't be used as a measure of damages, they should at least be considered evidence that personal data, even if not used in identity theft, has value, and that that value should be recognized, either in current law (where it often isn't) or in future regulatory changes (where it might be).
