In the wake of the Target data breach in December 2013, I’ve continued to think about the impact of data loss on consumers. Historically, courts have not been inclined to find “harm” done to consumers where their data was lost or misused for marketing. Typically there must be some financial harm shown. This makes sense, as financial harm is the easiest to codify.
ComputerWorld reports this week on an apparently landmark case – where a US Federal court in Florida has approved a $3 million settlement for victims of a data breach. The key element in this case appears to be the level of information involved – it was personal health information (PHI) that was exposed. Apparently multiple laptops were stolen which held unencrypted PHI for the users.
So, while the consumers suffered no direct financial losses or theft of identity from the data loss – they were rightfully concerned about this sensitive level of data.
Financial harms to consumers remain clear – but another type of harm this case exposes is the harm of exposing secrets. “Secrets” is maybe not the best word – but the idea is – in particular with health circumstances – as individuals we hold our health as private and sanctified between ourselves, our family, close friends, and our doctors. The “choice” to disclose issues is very explicit. This is why covered health entities must take such extensive care with PHI data.
The other component here is an expectation based on a paid service. These consumers paid the company premiums – and part of the privacy promise made by the company was to protect sensitive information. Under the settlement, each victim gets up to $10 for every year they paid an insurance payment, up to $30.
It remains to be seen if and when the leap is ever made beyond clear financial harms, or data breaches involving highly sensitive information such as PHI. For marketing scenarios – including tactics such as location-based advertising or behavioral profiling for targeting ads – it remains to be seen whether consumers can ever clearly prove actual harm, and if courts will see fit to agree.
Read the ComputerWorld story by Jaikumar Vijayan: Court approves first-of-its-kind data breach settlement