Sometimes Privacy Seems Like the Titanic

I recall a law professor telling me that when the Titanic sank it was lawful to not have enough lifeboats to hold the ship's occupants. I quickly checked on Wikipedia and it states,

The Titanic carried 20 lifeboats with a total capacity of 1,178 people. While not enough to hold all of the passengers and crew, the Titanic carried more boats than was required by the British Board of Trade Regulations. At the time, the number of lifeboats required was determined by a ship's gross register tonnage, rather than her human capacity.

Additional research indicates the Titanic had the potential to carry 48 lifeboats (as suggested by Alexander Carlisle) but cost-cutting resulted in only 20 being carried (albeit still more than the 16 required). The NY Times headline on April 17, 1912 read, "LIFEBOATS FOR ALL NOT ORDERED BY LAW; Apparent Security of Modern Liners Kept Out-of-Date, Requirements in Force." The first paragraph states,

The disaster to the Titanic may bring about a change in the British Laws establishing the requirements in regard to appliances for the saving of life on modern liners, a development of marine architecture which was apparently not contemplated by those who framed the laws and amended them.

Sometimes privacy law seems like the Titanic to me. A U.S. District Court in the Northern District of California recently held the alleged risk of identity theft is enough to grant standing to an identity theft victim, but that the risk alone is not enough to survive summary judgment.

Joel Ruiz, the plaintiff, filed a complaint for negligence and other theories under California law because Ruiz was one of approximately 750,000 Gap job applicants whose personal information was stored on laptops owned by Vangent (a Gap vendor) which were stolen. In this lost-data case, the court found Ruiz had standing because of his increased risk of identity theft (due to the stolen personal data). Winning the standing argument, however, proved to be an empty victory as the court found the threat of speculative harm was not enough to proceed under a cause of action for negligence.

While Ruiz has standing to sue based on his increased risk of future identity theft, this risk does not rise to the level of appreciable harm necessary to assert a negligence claim under California law.

The court surveyed several similar rulings that, while not binding on it, it found both persuasive and consistent with its decision:

  • [O]nline applicant whose personal information was compromised had standing to sue ... [but] this compromise of the applicant's personal information did not rise to the level of a compensable injury and damages required ... under Indiana law.
  • Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.
  • [N]o evidence that this plaintiff's data has been accessed or used by anyone as a result of the theft.
  • [M]ere possibility that personal information may be at increased risk does not constitute actual injury sufficient to maintain a claim for negligence.
  • [W]ithout direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining . . . credit monitoring to amount to damages in a negligence claim.
  • [E]xpenditure of time and money monitoring their credit did not establish the essential element of damages.
  • [P]laintiff could not sustain a claim for negligence because he had experienced no instance of identity theft.

Is stolen property not valuable until it's shown someone else is using it to the owner's detriment? Or is it a real loss simply when it's taken, regardless of what the thief does with it? I don't agree that your privacy rights only matter when someone uses it to your proven detriment; to me, one's privacy rights are harmed when someone invades it and takes it, regardless of what they do with it. As long as convenience and commerce trump privacy, however, then privacy is unlikely to be taken seriously by the companies it's entrusted to.

While today much discussion and focus is being placed on notification and encryption legislation (and even these seem to be in retreat), at the end of the day, unless people have rights and laws with some real teeth, privacy will become a topic that gets into papers and perhaps gets you into court, but it's not likely to become a seriously protected or respected right. That is, unless real recovery and damages are allowed under privacy torts. While the government may find ways to collect fees or revenue for large-scale privacy transgressions, the public remains at a collective loss. As our modern travels have taken us from ships at sea and into the "cloud" of computing and data, must the Titanic of privacy rights sink before we protect against foreseeable harm? The NY Times article of 1912 referenced above stated the following, which has an element of timelessness to it,

...there was no pretense of carrying enough lifeboats to save the lives of all if a vessel should go down. The only reason given for this lack of facilities is that the law does not demand it,...