What’s your privacy worth?
That’s not a theoretical or hypothetical question. Give me a dollar value. If someone were to read your bank statement, view your medical record, know your driving history, or even details of your sex life, how much – in a dollar figure – would you be harmed or damaged?
C’mon. Give me a dollar figure. It’s hard to do. And that’s the problem.
One of the principal goals of information security is to protect the confidentiality of information. By that we mean to make sure that the people who need to get the data get it, and the people who don’t need to get it don’t.
So part of privacy protection is ensuring that only those who should have your data do. That’s only part of it.
The other part is deciding who should have your data, for what purposes, for how long, and who controls these decisions. But in the area of data breach of privacy related information, we worry about the value of privacy. And in this country at least, we don’t really value privacy. That doesn’t mean we don’t think privacy is valuable. It’s that we don’t assign a dollar value to it.
When we speak of “harm” or “damages” resulting from a privacy breach, we typically look at financial harm. If someone “steals” your credit card information, and makes charges under your card, your “harm” is the cost of those charges. It also is the cost of your time and energy in getting a new card and reversing those charges (and the law typically doesn’t value those costs), and possibly the cost of credit monitoring or other prophylactic services necessary to prevent future misuse of personal data.
If someone commits identity fraud – that is, they make an effort to BE you online, taking over your credit, your identity, your social security number, etc., the costs of remediation, recovery and prevention can be significant.
But what if they just want to know stuff about you? If a company gets unauthorized access to your medical records and charges you more for products or services, the surcharge constitutes your damages. But what if they don’t USE the personal information? What are your damages if someone simply knows something they shouldn’t, but never does anything about it?
If your neighbor rummages through your medicine cabinet and sees that you are taking little blue pills for erectile dysfunction – what’s your harm from an economic sense? And what’s worse, what’s your harm if you never find out?
In fact, that is one of the issues that may come before the Supreme Court eventually in connection with the NSA wiretap program. In a recent case, a federal court found that individuals who were subject to unconstitutional and unlawful surveillance and interception could not sue because they were not “harmed” by the surveillance.
Indeed, the court found that they were only harmed when they found out about the program, which they should never have done. It was the release of the fact that they were surveilled that caused them emotional distress – not the fact that they were surveilled.
Similarly, last term the Supreme Court held in Amnesty International v. Clapper that lawyers could not sue the government for intercepting their attorney-client privileged communications without a warrant because they couldn’t PROVE that their communications were intercepted.
Why couldn’t’ the prove it? Because they couldn’t sue. Joseph Heller would be proud. (kids, look him up). The Court also noted:
Respondents assert that they can establish injury in fact because there is an objectively reasonable likelihood that their communications will be acquired under [an NSA wiretap provision] at some point in the future. But respondents’ theory of future injury is too speculative to satisfy the well-established requirement that threatened injury must be “certainly impending.”
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1143, 185 L. Ed. 2d 264 (2013)
There are literally dozens of cases in which courts have held that individuals who have had their data exposed improperly could not obtain damages (and in many cases could not sue at all) because the exposure of their personal information itself – a breach of privacy – was not sufficient harm. So in the SONY class action litigation, the court noted:
Plaintiffs’ contentions that the interruption of PSN Services and the Data Breach caused damage to the value of their consoles are simply too speculative to constitute “lost money or property.” In order to have “lost money or property” a plaintiff must demonstrate some form of economic injury. .. Economic injury can occur in many ways, including, but not limited to, when a plaintiff “(1) surrender[s] in a transaction more, or acquire[s] in a transaction less, than he or she otherwise would have; (2) [has] a present or future property interest diminished; (3) [is] deprived of money or property to which he or she has a cognizable claim; or (4) [is] required to enter into a transaction, costing money or property, that would otherwise have been unnecessary.” Id. Although this is by no means an exhaustive list to determine whether or not the required harm has been suffered, it is clear after Proposition 64 that “a private plaintiff filing suit now must establish that he or she has personally suffered such harm.” Id.
Here, Plaintiffs have not alleged their consoles are worth less or their personal property was damaged as a result of the Data Breach. Moreover, although Plaintiffs’ PSN Service may have been temporarily suspended, they have not alleged they surrendered more than they otherwise would have because the PSN Terms and Service Agreement disclaimed any rights to uninterrupted service.
In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 966 (S.D. Cal. 2012)
After the Hannaford data breach, the credit card processor was sued. The Court there stated:
[P]laintiffs allege that fraudulent items were posted to their accounts as a result of the Hannaford data breach, but they do not claim that they have had to pay these amounts or that they remain outstanding. (Presumably, therefore, the issuing banks have reversed the fraudulent postings.) Nor do any of these named plaintiffs claim specific expenses incurred to remove the fraudulent charges. These plaintiffs claim consequential losses, however, such as overdraft fees or a bank loan to cover them, a fee for insisting on changing an account when the issuing bank thought it was unnecessary, a fee for altering pre-authorized payment arrangements, loss of accumulated reward points, inability to earn reward points during the transition to a new card, time spent in persuading the issuing bank to reverse an item or in contacting multiple pre-authorized payees, temporary lack of access to funds and inability to use the card, a canceled hotel reservation when a card was canceled, the necessity for a family loan (no interest is alleged), and the cost of identity theft insurance. I conclude that none of these are recoverable damages under Maine law because they are too remote, not reasonably foreseeable, and/or speculative (and under the UTPA, not a “substantial injury”). Under the Maine cases, for both tort and contract recovery, “the fundamental test is one of reasonable foreseeability: if the loss or injury for which damages are claimed was not reasonably foreseeable under the circumstances, there is no liability.”144 And speculative damages are not recoverable
In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 133-34 (D. Me. 2009) aff’d in part, rev’d in part sub nom. Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011)
After the retailer The Gap suffered a data breach that exposed personal information, victims of the breach sued. The court dismissed their claims because:
[Plaintiff] alleges that as a result of Defendants’ failure to exercise due care, “Plaintiff and the Class have been injured and harmed since Defendants’ compromising of their [personal information] has placed them at an increased risk of identity theft. Plaintiff and the Class have suffered damages; they have spent and will continue to spend time and/or money in the future to protect themselves as a result of Defendants’ conduct.” … While [Plaintiff] has standing to sue based on his increased risk of future identity theft, this risk does not rise to the level of appreciable harm necessary to assert a negligence claim under California law.
Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 913 (N.D. Cal. 2009) aff’d, 380 F. App’x 689 (9th Cir. 2010)
Note that these cases involved attempts to be reimbursed for costs like credit monitoring or credit protection as a result of a demonstrated failure to protect personal data. These were not even lawsuits attempting to compensate people for the more amorphous “loss of privacy” resulting from the failure to protect personal data. That is another part of the problem.
The data collected by your bank, your phone company, your doctor, hospital, etc. is not really YOUR data. It’s theirs. Unless the law provides you both a private right of action and some measure of damages from a breach, even if they fail to protect your privacy, there’s not a whole lot you can do about it. Especially if you don’t know about it. And federal statutes like HIPAA and GLBA don’t provide a private right of action for breach of privacy.
At best a “victim” of a privacy breach (note I say “privacy” breach not data breach) can go to HHS or a State Attorney General and hope to get them to investigate, or can sue under some state privacy law.
So the fact that the NSA might have been listening to your calls, or at least analyzing and inspecting your metadata does not cause you any recognizable HARM. Knowing something you shouldn’t know about someone is not “harm” unless they actually do something with that data and there is some palpable effect. Someone doesn’t hire you, raises your insurance rates, won’t sell you something, etc. Even “embarrassment” can be cognizable as a harm. But only if you know it.
Privacy violations themselves do not generally cause cognizable harm – especially if the victim never finds out. Don’t tell. Don’t ask.
That’s the problem. When General Motors decided whether or not to replace the ignition switch on the Chevy Cobalt, they did a cost/benefit analysis. It will cost us xx dollars to remediate, and the harm from not remediating will likely be xx. (See the excellent legal thriller Class Action with Gene Hackman to get an idea of this.) If the cost of avoiding the harm is greater than the harm avoided, the harm is avoided or insured against. If not, the risk of harm is accepted.
So there are multiple problems with respect to privacy.
First, we don’t know who “owns” the private data. Second, we don’t always know the data has been used or disclosed improperly (data breach laws only relate to specific types of data). Third, we may not have “standing” to sue. Fourth, courts are likely to find privacy related damages to be “speculative.” And finally, if we cannot “value” privacy related data, what’s the incentive on the part of companies to spend money to protect it.
What’s the cost and what’s the benefit? For privacy breaches (I don’t mean data breaches, I mean ordinary rummaging through the medicine cabinet breaches) where we have not quantified a harm, we cannot do such a cost benefit analysis.
In criminal cases, how do we measure the “damage” done by a peeping tom? How do we value the privacy of data that was never used? What’s the actual dollar value of harm? How is it calculated? Does it depend upon the sensitivities of the “victim?” We need to establish an economic matrix for evaluating privacy itself. Only then will we be able to protect it. Until then, keep your medicine cabinets shut, and your window shades closed. Unless you like that sort of thing.