Unless otherwise limited by court order, the scope of discovery is as follows: Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense — including the existence, description, nature, custody, condition, and location of any documents or other tangible things and the identity and location of persons who know of any discoverable matter.
That's the text of the first sentence of Rule 26(b)(1) of the Federal Rules of Civil Procedure. For the non-lawyers out there, I'll unpack it a bit. The first part, about obtaining discovery of any nonprivileged matter, means that, unless information falls into certain narrowly defined categories (e.g., attorney-client, doctor-patient, etc.), it is subject to discovery. The next part, about being relevant to any party's claim or defense, means (generally) that it has to have some bearing on the subject matter of the litigation. In practice, this means that during pre-trial discovery, litigants can request essentially any records maintained by a business, its principals, and their agents (e.g., vendors). The bottom line is that, if a lawsuit takes place, the parties can request virtually any information, and that information has to be provided to them unless it falls within the narrowly defined (privileged) categories.
While massive security incidents like the TJX breach generate more headlines, these pretrial discovery rules could represent an even bigger threat to consumer privacy. Two instructive cases in this respect are Viacom v. Google and MPAA v. Bunnell. In the Viacom case, Viacom requested, and the judge ordered Google to produce, records showing who watches videos on YouTube and what videos they watch (see article here). This release of data has the potential to be even more damaging to the affected users (including me, since I use YouTube regularly) than the release of information such as Social Security and credit card numbers, because YouTube viewing records can be used to make out a case for copyright infringement - a charge that can bankrupt all but the super-wealthy (for example, in the case described here the defendant was found liable for almost a quarter million dollars in damages for infringing copyrights on only 24 songs). In the MPAA case, the judge also ordered that user records be turned over - in that case the records showed what users had searched for using the popular BitTorrent software. However, there, rather than take an act which he saw as betraying his users' privacy expectations, the defendant blocked access to his web site from the U.S. - a radical solution, but the only way the defendant saw to protect his users' privacy.
The cases above showcase a trend which is, to me, highly disturbing. Instead of relying on black hat hackers, businesses can use litigation to obtain consumer information. In the cases above, that resulted in the exposure of (likely) millions of records from Google, and the complete shutdown of TorrentSpy in the U.S. Those are serious consequences, and they should be considered whenever people think of possible threats to their privacy.