Thursday, March 20, 2008


Once again the question has arisen of when harm has been done in a data breach. To prep you on just how serious this issue is nationally, Privacy Rights Clearinghouse released the 2007 Javelin Research and Strategy Survey that provides foundation for our concern. There were 8.4 million victims suffering a total loss of $49.3 billion (that’s around $5,720 per victim) and spending 25 hours to clean up someone else’s mess. If that isn’t enough, the Federal Trade Commission reports identity theft as the top complaint at 32 percent in their 2008 Release on Consumer Fraud and ID Theft. From the FTC complaints, they are projecting fraud loss at $1.2 billion. Needless to say, it is a big problem.

According to an article by Jay Cline, the U.S. courts fall behind other countries in recognizing that data breaches do in fact harm people. My opinion is that the U.S. should get together with the European Union—whose protection of consumer privacy is way ahead of this country—as well as other countries where consumer personal data is outsourced, and figure out how to draw up a standard policy of data security.

In the Computerworld piece, Cline interviews a law professor from the U. of Pennsylvania who says “The assault to personality and feelings is the quintessential privacy injury.” Now, I don’t even think I would go that far. Fellow blogger William Morriss, who is also an attorney specializing in consumer privacy law, says: “That rationale just doesn't work for me.” Continuing, he makes the point that human emotions are “notoriously” hard to quantify in a court of law. And yet another observation that is so true, “that most people place little to no value on the privacy of their personal information.” Pathetic, but that’s the real world. Morriss has a better option, which is to hold business responsible for quantifiable damages caused by a breach of their own making, even if it doesn’t result in ID theft.
Cost of the individual’s time and the cost of protection services should be recoverable. Consumers should not be hung out to dry when a company gives up their private information, particularly when it is a result of negligence.

My approach to solving the identity crisis would be to put the consumer in charge of their name and personal data. At the same time, compensate the individual when this private information is sold to give them the incentive to take control over their sensitive data. This would require either a coalition between business and government to implement the program—not likely in today's environment—or the passage of federal legislation that would grant this control. I have even entertained the idea of approaching states individually, but that would be a genuine nightmare for both business and government. But somehow this dilemma must be solved, and it must happen soon. How many more billions of dollars must go down the drain before we come up with the right answer to the identity crisis?
