Given the amount of personal data now being held not only by credit companies, but also big tech, it seems like the liability for data breaches needs to be adjusted.
If a company's main asset is their data, that means that you can ascribe a value to each person's data that they hold. If your data is stolen, they should be on the hook for the value of that data to each of the people whose data was stolen.
They need to stop being able to value the data at the cost of a credit protection service on the liability side while booking value significantly higher on their assets ledger. This would encourage them to be much more careful in both protecting the data and mitigating breaches versus the current blasé approach.
> If a company's main asset is their data, that means that you can ascribe a value to each person's data that they hold. If your data is stolen, they should be on the hook for the value of that data to each of the people whose data was stolen.
I respectfully disagree. The value of the data to the company when used for its intended purpose is not necessarily the same as the amount of damage that can be caused to you if someone else gets hold of the data and uses it for other purposes.
It seems reasonable that a company that is negligent in its handling of personal data should be on the hook for, at a minimum, any actual damages caused by a resulting breach. I think the negligence condition is important, because a company that has taken reasonable and proportionate measures to safeguard personal data and has generally acted in good faith is also a victim if it is subsequently hacked through criminal action.
The problem with personal data in particular is that there may well be damage caused by a leak that is difficult to quantify or to attribute to any specific failure in managing the data. Suppose two businesses are both compromised, and someone whose personal data was in both databases is subsequently the victim of identity theft six months later. It is quite possible that the victim will then spend several months of their life trying to clean up a mess that was made through no fault of their own, possibly at considerable financial cost and certainly wasting a lot of their time and causing a lot of stress. However, the businesses will likely argue that there is nothing to link the identity thieves to the specific breach at that business so they should bear no responsibility for the consequences. And in a sense, they are right, because there probably is no way to know which of those two breaches was responsible for that particular identity thief obtaining the data, or indeed whether some other unidentified breach was the true origin of that leak.
For this reason, I think some form of presumed damages should probably also be allowed in law, at least for types of personal data that are particularly vulnerable to exploitation by bad actors if they can get hold of it -- financial details, health records, correspondence or photos/videos of a personal nature, etc. Different legal systems handle this kind of issue very differently, and in some cases I'm not sure they're really up to the task at the moment, but I suspect that will need to change before certain businesses see data protection as important and the penalties as more than just a "cost of doing business".
This definitely makes a lot of sense. What you are saying is that if Company A borrows your TV for a trade show and subsequently someone steals the TV, then your damages are basically the replacement cost of the TV.
Even if Company A used your TV to generate 4 million in new sales, that is not your value and/or damage. In this scenario though, Company A would likely have replacement cost of the TV on their assets for example, and the same replacement cost on the liabilities side since they owe you that much or the TV back at some point. So it would be very clear to everyone involved that if a thief steals the TV, then their insurance would owe them the TV's value, and they in turn would then need to pay you that same amount. Easy breezy.
Where this falls down though is that in most of these companies, you are exchanging your personal data for the value of the service or product that they provide for free. Doesn't apply to Equifax, but just bear with me on this one. So the value of my personal data is not actually in some sort of damage, the value of my personal data is equal to the value of the services I received in exchange from you. You give me permission and access to your services in exchange for me giving you access and use of my data for a set of purposes. Great, that seems fair.
But if the data is now stolen and used in ways that are impossible to capture and value, now what? I mean, who can determine the value that those who stole the data derived from it? It has to be somewhere between $0 and infinity, but we don't know at all where it falls. At minimum it should be worth the value that the company I made the original agreement with was ascribing to it on their books, right? Of course their algorithms and software have a value as well, and in combination with many other assets they determine the company's value. It would at least seem reasonable, like in the TV example, that the value they assign to the data is the minimum they should pay in damages upon a breach of that data.
> What you are saying is that if Company A borrows your TV for a trade show and subsequently someone steals the TV, then your damages are basically the replacement cost of the TV.
It's more like you lend someone your smartphone, they leave it in their car overnight and it gets stolen. The thieves then use your smartphone to gain access to your email, social media and bank accounts.
Is the person who borrowed your phone liable only for the cost of the device, or are they liable for the damages you suffered as a consequence of the device being stolen and misused?
Yes, this is more like the argument I was trying to make.
I don't think the value of personal data to anyone -- either the authorised user or the unauthorised party or parties who got hold of it -- is particularly relevant here. Making good the damage caused by any leak of the data is the priority, IMHO. That damage could be less than the value to the authorised user, or it could be many times greater, depending on the nature of the data that was compromised and what is, or could in future be, done with it.
Of course some damage can't be reversed by any amount of monetary compensation. Then maybe you get into questions about how much is an appropriate financial penalty to make up for doing damage to someone's quality of life in some way. But even to the extent that it's "only money", there is still a difficulty here in that you have to somehow quantify the potential harm of any given incident.
For one thing, there might have been multiple relevant incidents. Some of them might not be known. It won't necessarily be realistic to determine which incident(s) actually led to the harm. However, the harm was caused all the same, and at least one relevant incident contributed to that.
For another thing, harm could be caused in the future, possibly far into the future. The subject of the compromised data may have to live with that prospect, perhaps forever, and do what they can to protect themselves against the possibility.
So the difficult situation is that we have an uncertain amount of harm being caused if data is compromised, attributable to uncertain specific incident(s). However, we do know that in some cases the damage could be great, and we do know of at least one incident and one responsible data controller (assuming it's reasonable to hold the controller responsible under the circumstances, which was my point about negligence being an important condition). So you have to try to build a fair and reasonable system for penalising the responsible party or parties and compensating the victim, with much uncertainty about the actual situation.
By that reasoning, if a file containing bank passwords leaks, its value is "zero" despite the fact that somebody can now go in and steal from all those accounts with ease.
Experian has created a massive liability for all the individuals in the leaked data pool. The amount of damage this leak does to innocent people is staggering.
There is a lot of case law regarding digital media, such as movies, TV, books, etc., stating that the digital version doesn't lose value despite the ease of copying it.
It's an interesting conundrum that "big business" claims that personal data being copied doesn't necessarily have value, but entertaining data does.
It all makes sense if you accept that the purpose of modern intellectual property law is to protect the wealth of the rich from the people they exploited to get rich in the first place.
I never consented to a credit scoring company ever having my data. The first time I found out this was a thing as a teenager really made me think about the world and how it works. I couldn't believe something like this existed.
It is not possible to function fully in most western societies without access to banking services and payment cards. "Consent" to share financial data with credit rating services is consent extracted under duress. Most people have no other choice but to apply for bank accounts and credit accounts unless they are able to live off-grid.
If a robber points a gun at someone and tells them to hand over their wallet, the fact that they had a choice between cooperating and being shot does not mean that cooperation is a consensual act. The existence of an even worse alternative to an unwanted compelled act does not make the compelled act consensual.
It also should not be overlooked that the US financial credit reporting system functions as a Chinese-style Sesame Credit social credit reporting system in practice. Credit reporting agencies harvest non-financial data to evaluate individual behaviors and credit scores are widely used to control access to employment and housing. This amounts to a human rights violation to which no one can meaningfully consent regardless of its formal legality.
It's not coercion or duress simply because the alternative is less desirable. That's hyperbole. And, actually, plenty of people make do without banking services; it's why payday lenders do so well.
The system might suck and be inequitable--more so than many other systems (no system can be perfectly equitable). And by all means promote legislation to change things. But tossing around words like coercion and duress contributes to the radicalization of politics in a very unhelpful manner. And those words aren't typically the words those stuck with payday lending services would choose, FWIW, even though they're often in objectively much more dire financial straits and often couldn't opt in (literally or at least without worse expense) to the system even if they wanted to.
I beg to differ. I know for a fact that this is an unspoken truth of that industry. As a contractor I've been unfortunate enough to be in the room when words that only get spoken behind closed doors were uttered. The people involved are parasites with a lack of empathy.
Banks do not report checking account history to the credit bureaus. You can function fully with a checking account and debit card. You can get by using money orders and cash, millions of people in the US do.
If you borrow money, you agree to certain terms, one of which is reporting to the credit bureaus. Nobody is forced at gunpoint to borrow money. There is no coercion and no duress.
It's essentially impossible to rent a car, book a hotel room, or do most online shopping without a credit card. Debit and pre-paid Visa/MC cards don't work for this.
If you want to live a normal life, you have to be able to borrow money in the form of having a credit card.
It was in the UK so maybe it's different in the US. There is no consent when the other option is homelessness. This is such an absurd conversation. Full on Stockholm syndrome. None of this is ok even though it is the de facto standard.
I think it could be more precisely defined as: the value of any copiable and spreadable asset is inversely proportional to the number of available copies.
Isn't that even worse? Now they would be complicit, as they freely gave the data away vs. having something stolen. You used the word "hilariously". Were you being sarcastic, or did this person mean the statement as a joke?
TBH his statement doesn't seem that unreasonable -- he's basically stating that the attacker already had all the knowledge necessary to be "credible" and no different than a normal client.
E.g. if the attacker already has your phone, email and password, it's not really the bank's fault for giving away your financial details -- the game was lost before it even reached the bank.
"Breached data still breached" - The only new thing in this article is that someone was stupid enough to believe Experian when they said the data had been "recovered".
‘The personal data of millions of South Africans, "stolen" in one of SA's biggest data breaches earlier this year, has been discovered on the internet, despite assurances that the information had been recovered.’
Technically speaking, how do you go about recovering data stored on any amount of copies?
Will this change in California now that there's stricter privacy laws? Looks like the fines are much higher:
> - Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General's Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).
> - A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).
The convention on HN is to link to previous threads only when there are interesting comments there. If readers click on a link like this and don't see that, they'll be disappointed and sometimes come back and downvote the link.