I will respond to the tweak in your last sentence: If someone really wanted to help companies, they would promote administrative regulation. Enforcement in that arena results in costs to wrongdoers as low as one one-thousandth of the ill-gotten gain. [Follow link to notable blog.]

Now that’s a clever strategy!

Based on things you’ve said here and elsewhere, here’s how I understand your basic view as to how to address privacy and security issues:

1. You’d eliminate regulation and move to a common law tort model to address data security and privacy harms.

2. You’d only recognize liability when there’s a “harm,” which consists of an actual identity theft or fraud, not being exposed to a greater risk.

Here are the problems I see with your view:

1. Your common law tort model would be hard to work because harm often doesn’t materialize immediately after an information leak. Information gets out there and it could be years before an identity theft occurs.

2. People are certainly worse off after their information is leaked. They may also feel anxiety about the increased risk of identity theft and fraud. Is there anything in your solution to make them whole again or to address their being worse off? If the system doesn’t deter behavior that causes leaks (but ones that don’t clearly result in “harm” as you define it), then how will it deter companies from making people worse off in this way?

3. Even in the event of an identity theft, it is very hard to prove causation. There are many sources of personal data — how do we know an identity theft was caused by info leaked by a particular company? Does the identity thief’s actions break the chain of causation? With such difficulty in establishing causation, can a tort regime be effective?

4. The damages from each identity theft victim are not likely to be gigantic. They will often be relatively insignificant for companies like ChoicePoint. The difficulty in proving causation might make tort cases relatively rare, and with small damages for each one. Thus, there’s little of an incentive for companies to exercise better care. How do you address this issue?

5. What is the duty owed to particular people when companies maintain their data? There must be a duty before there’s tort liability.

6. Quite frankly, I fear that your tort solution, definition of harm, and call for curtailing regulation is really a big boon for the companies that faciliate identity theft. My guess is that companies would just love your position — it seems like it is tailor made for companies that want to avoid liability. You’re basically attacking regulation and move toward a tort solution — and it remains very dubious whether your tort solution will be more effective if not much much worse in protecting the consumer. I’m not adverse to using torts, but I’d very much like to see you develop your tort solution into something more meaningful — to demonstrate how it might work, how it will have teeth, how it will more effectively address the problems. It’s easy to say “less regulation; let’s stick with common law torts,” but I’m unconvinced unless you develop this more. I know that you’re advancing your tort solution in good faith, but without elaboration on these issues, it appears as little more than a clever strategy to help out the companies.

The question I’m trying to get at (and I’ve assumed we’re working on because this is a law blog, not a philosophy blog) is when liability should accrue.

I would be very careful about equating (I would argue conflating) risk and harm (in the injury/damages sense). Try applying elsewhere the general principle that creation of ‘non-trivial’ risk is a legally cognizable harm: I would have a cause of action against hundreds of drivers every week, and they against me.

I reacted to your characterization of the people about whom data has been lost or leaked as “victims.” I think the barriers around the meaning of the word have fallen away if each person exposed to a risk is a victim.

[I spell-checked this before posting in hopes of avoiding the humiliation of finding errors after posting again. ;-]

Isn’t there a harm in being exposed to a greater risk of future harm? So if a person is exposed to radiation, increasing his risk of cancer by a non-trivial amount, do we say that he is not harmed at all? The people whose information was leaked are indeed worse off. There is a harm here even though the people are not victimized by identity theft.

result

Honest, I know how to spell . . . .

Shortly after the orignial ChoicePoint revelation, I heard that something like 700 or 1,000 people were victimized by identity fraud as a reault. That makes 144,000 people – now 161,000 – who were not, or about whom we don’t know.

I would resist calling people to whom nothing has happened “victims“.