A man whose social security number and other personal data were exposed by a company that processed his job application has no legal claims because no actual damage resulted from the privacy breach, a federal appeals court has ruled. The decision, issued late last week by the Ninth US Circuit Court of Appeals, is likely to make …
So, if I understand correctly, when my privacy is properly assured I do not need special bank monitoring and other measures that are costly.
But when my privacy is breached by incompetent companies and I have to take measures to protect myself and my identity, measures that have a non-negligible financial cost, that cost is not a damage?
In short, if nobody has done anything with my identity, then I have no reason to claim damages.
In other words, I'll have to wait until the horse has bolted before closing the door and calling the police.
US Privacy Laws
The U.S. has really crappy privacy laws. Unless it is in regard to medical information or a few other areas, then it's almost like a free-for-all. The damage is the information itself, which is valuable, otherwise they would not have been analyzing it. Unfortunately, even if they agreed with that, mapping the value to something tangible is difficult.
outed is outed
Of course this also means his info is out there and freely available to whoever wants it; the net never forgets. One day, some time in the future, some ID thief may stumble across his info and use it to commit crimes, steal his money. Can he then go back and re-sue (is there such a word?) them for damages?
And that is exactly why ``privacy by default'' is important, and the only way to sustainably do that is to not divulge any information except precisely what is needed. Both by removing the need to hand over anything in the first place --and there are quite a few things that require ``ID'' now which could be handled in a way that they don't require ``ID'', only you get no choice now-- and after that by employing fancy math that lets you prove you have/are/know something without divulging what it is: ``zero-knowledge proofs''.
If the government wants to do something useful for a change, they should build an ``ID framework'' not based on pinning people to the rather schizophrenic and out-of-touch current government definition of ``identity'', but based on facilitating privacy by design while at the same time enabling, in a different and more sustainably private way, all those things that require disclosing ``ID'' now.
Or they can hire me to run the scheme. Anonymous Coward for privacy minister.
There are certainly good reasons why we require and are required to provide ``ID''. I'm saying we can and must revisit why we do what we do and find better ways to do it.
It's not exactly rocket science, but it's so outside the ideas entrenched in law and government current practice that the current crop --government and corporate-- can't do it. So the first thing that must happen is for the population, that is you, jill and jack citizen, to realise the current situation is not sustainable and to support, and demand, finding new ways of doing business.
Bloody litigation-minded idiots
A breach of privacy is a breach of privacy. You may not be able to directly apply a price tag to a data leak. Damage, if any, might not turn up for ages, if you're even ever aware of it. How can you quantify something like that? And how quickly would the statute of limitations be invoked? I guess in a way it is partly the fault of the public for "oh, my SSN was set free, I want $$$$ for emotional suffering!", but that aside, the company *has* been negligent and should be penalised. Perhaps a large fine which is put into a fund for helping restore sanity to victims of fraud and identity theft?
But, then, this "no loss no foul" attitude is hardly new to Americans. Look at Castle Bravo...
There is a clear example set by that company which has a service to "protect" your identity and whose manager put his SSN on the advertisement only to see his name/ID used in countless frauds (well, they were a dozen plus one if I remember correctly)...
Surely having your very personal details published somewhere is very prone to misuse and crime... sooner or later...
Actual Damage?
They should apply this principle to all cases brought by the content industries for alleged copyright infringement:
Plaintiff must show that actual damage has arisen from file sharing rather than speculation.