Illinois Court Ruling Could Be a Game Changer

David Horrigan writes about the case over on the Relativity blog, where collecting the thumbprint of a 14-year-old without notifying the parent violated the state's biometric information law (BIPA), and the Court has ruled they could sue without needing to prove he was “harmed” by the data collection.

That’s interesting, for sure, but where it gets really interesting is if this ruling gets applied when it comes to data breaches.

Should one be able to prevail in data protection litigation just because they can show, as in In re Zappos, that their information’s out there as the result of a data breach—without having to show they were actually harmed by its exposure?

Is it harm enough to have to worry about what hackers are doing with your data after a breach?

Now, I’m not a lawyer and don’t know what the courts will ultimately decide in that regard. But I am someone whose data has been breached, and I am also fairly opinionated when it comes to the subject, so here it goes.

First, I think despite the huge data breaches that have made headlines around the world, we have not seen real punishment for companies that did not protect data appropriately. I think the reasons for that are many, but fall into two main areas.

  1. It’s somewhat difficult to prove a company that was breached was negligent in their data protection work. How much security is enough, and how much is too little?
  2. The victims haven’t been harmed enough to really make it a big deal.

Let me explain the second point better with a true story.

Once upon a time, my credit card information was stolen through a POS hack at a restaurant. It was one that was in the news, and it was fairly obvious that was where my card info was stolen because a week later, someone tried to buy a couple of iPads in NYC using my card. It got flagged by the credit card company, I was able to dispute the charge, get a new card, and go on like it never happened.

Was I “harmed” by it? In the traditional sense, no. I didn’t have to pay out anything for those bogus charges. The bank or store where the purchases were made were the ones who lost money due to the data breach, not me.

On the other hand, did I have to spend time disputing the charges, making phone calls, getting a new card, etc.? Yes, I did. Do I now need to worry about my credit report and what other information would be floating around the dark web about my purchase at that restaurant? Yes, I do.

The question is, can that be considered “harm” enough to let me sue the restaurant for not protecting my data?

It is my opinion that because we are only put out, but not made to pay a financial cost when these things occur, we don’t scream, and demand better data protection, and because the companies who were breached aren’t being screamed at and made to answer by their customers when this happens, it’s easy to see it as a risk, but not a RISK.

The new GDPR rules around data privacy have started to increase the risk, though. Suddenly, at least for EU users, hanging on to the data without permission, or not protecting it, has become a pretty big risk.

Frankly, it should be a RISK to hold onto anyone’s data and not adequately protect it, everywhere. A ruling that says every single customer whose data was lost could sue you for some level of damages would make that a gigantic risk. It would get companies thinking twice about collecting the data in the first place, and it would fundamentally change the advertising model that is currently driving much of the Internet, because having to pay out even small amounts to all of the million users whose data you lost would bankrupt many companies. (Let alone something like Facebook.) They would need to rethink their very business models around data collection and advertising.

That’s not necessarily a bad thing, by the way, but it would be messy.

Alas, the court rulings thus far, as David points out, are all over the place. It’ll be interesting to see if the courts are willing to cause this much upheaval.

But it’s an interesting thought experiment to consider all of the knock-on effects it would have, because the collection and storage of personal and confidential data is a risk. One that companies, law firms, government agencies, etc. should be taking very seriously, even if each individual person can’t sue you for it.
