http://emergentchaos.com/archives/2008/04/privacy-act-and-actual-damages.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2008/04/privacy-act-and-actual-damages.html/comment-page-1#comment-4545 Adam Sat, 12 Apr 2008 23:59:45 +0000 http://emergentchaos.com/?p=2718#comment-4545 I'd like to remind commenters that not all privacy issues are those of impersonation fraud, and not all privacy damages result from impersonation. I’d like to remind commenters that not all privacy issues are those of impersonation fraud, and not all privacy damages result from impersonation.

]]> http://emergentchaos.com/archives/2008/04/privacy-act-and-actual-damages.html/comment-page-1#comment-4544 Chris Sat, 12 Apr 2008 22:38:35 +0000 http://emergentchaos.com/?p=2718#comment-4544 "Gather and analyze such data" is precisely it. What matters is understanding (and that means quantifying) the linkage (if it exists to a non-trivial degree) between exposed PII and fraud or attempted fraud. I know there are some smart people trying to do this, and we've written about it here on a few occasions. “Gather and analyze such data” is precisely it.
What matters is understanding (and that means quantifying) the linkage (if it exists to a non-trivial degree) between exposed PII and fraud or attempted fraud.
I know there are some smart people trying to do this, and we’ve written about it here on a few occasions.

]]> http://emergentchaos.com/archives/2008/04/privacy-act-and-actual-damages.html/comment-page-1#comment-4543 nick Sat, 12 Apr 2008 17:02:40 +0000 http://emergentchaos.com/?p=2718#comment-4543 It's good to go beyond actual past financial damages, but "emotional distress" is far too subjective a standard, inviting judges, juries, and expert witnesses to play favorites. If your distress is not of the kind the judges, juries, or psychiatrists sympathize with, or if you can't act out your distress in the courtroom, you're out of luck. And on such subjective issues the expert witnesses usually cancel each other out, leaving one at the mercies of the subjective beliefs of judge and jury. In any case, this test is far to narrow: <i>[T]he plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data.</i> But <i>risk</i> is not the same thing as speculation. If data is lost in a way that creates quantifiable risk, for example based on past amounts of identification theft based on this kind of data, it is straightforward to price the risk and assess this price as damages. Assessing the contributions of different bits of data out of the assemblages an identity thief needs, e.g. loss of social security number but not birthday, is a little more speculative, but I suspect in the future we will have enough data to quantify even these partial and conditional risks with reasonable confidence. One should also be able to collect damages for costs incurred in signing up for preventative or insurance services such as the much hyped LifeLock: some fraction of these charges is a reasonable proxy measure for the enhanced risk of identity theft from the data loss. I expect that as society (and especially insurance companies) gather and analyze more such data, we will switch to risk-based damages in this area, rather than mere past actual damages at the one extreme or emotional damages at the other. But it may take some activism to move us towards this middle ground, as judges love the discretion tests like "emotional distress" give them. It’s good to go beyond actual past financial damages, but “emotional distress” is far too subjective a standard, inviting judges, juries, and expert witnesses to play favorites. If your distress is not of the kind the judges, juries, or psychiatrists sympathize with, or if you can’t act out your distress in the courtroom, you’re out of luck. And on such subjective issues the expert witnesses usually cancel each other out, leaving one at the mercies of the subjective beliefs of judge and jury.
In any case, this test is far to narrow:
[T]he plaintiffs’ alleged injury is not speculative nor dependent on any future event, such as a third party’s misuse of the data.
But risk is not the same thing as speculation. If data is lost in a way that creates quantifiable risk, for example based on past amounts of identification theft based on this kind of data, it is straightforward to price the risk and assess this price as damages. Assessing the contributions of different bits of data out of the assemblages an identity thief needs, e.g. loss of social security number but not birthday, is a little more speculative, but I suspect in the future we will have enough data to quantify even these partial and conditional risks with reasonable confidence.
One should also be able to collect damages for costs incurred in signing up for preventative or insurance services such as the much hyped LifeLock: some fraction of these charges is a reasonable proxy measure for the enhanced risk of identity theft from the data loss.
I expect that as society (and especially insurance companies) gather and analyze more such data, we will switch to risk-based damages in this area, rather than mere past actual damages at the one extreme or emotional damages at the other. But it may take some activism to move us towards this middle ground, as judges love the discretion tests like “emotional distress” give them.

]]> http://emergentchaos.com/archives/2008/04/privacy-act-and-actual-damages.html/comment-page-1#comment-4542 Chris Sat, 12 Apr 2008 16:56:25 +0000 http://emergentchaos.com/?p=2718#comment-4542 Interesting, indeed. The TSA could still easily win the case, of course. This was a (partial) denial of a motion to dismiss. Interesting, indeed. The TSA could still easily win the case, of course. This was a (partial) denial of a motion to dismiss.

]]>