Friday, April 15, 2005

Business Week advocates suing companies for data leaks

Business Week is usually pro-business, but it has an unusual take on the issue of companies leaking personal information. Give people the ability to sue, individually and in class actions. It may be a blunt instrument, but it speaks the language that business understands.

Personal Data Theft: It's Outrageous:

"... At a time when the Bush Administration and the Republican majority in Congress have put tort reform high on their agenda, talking about new tort rights is distinctly unfashionable in Washington. But creating liability for companies that fail to take proper care of the data entrusted to them is probably the most efficient way to get businesses to do the right thing.

SEE YOU IN COURT? Companies possessing personal data should be required to take all reasonable steps to protect it along the lines already in place for financial data under the Sarbanes-Oxley Act and for medical records under the Health Insurance Portability & Accountability Act. Individuals whose information is lost because a custodian has failed to protect the data adequately should have the right to bring individual suits or class actions for damages.

Tort suits, especially class actions, are a blunt instrument for enforcing good behavior, and they can be abused. But liability is a language that business understands, and monetary disincentives are something corporations respond to. And cumbersome as the court system is, it can be faster and more effective than government civil penalties (criminal sanctions should be reserved for the most egregious cases). This is by no means a magic bullet, but would at least create a monetary incentive, where none now exists, for data companies to be careful.

The incidents of wrongfully obtained data from ChoicePoint and LexisNexis are only the most prominent in what's increasingly a mass assault on the privacy and security of our information. Clearly some government action is needed, mainly to give law enforcement better tools to prosecute obvious cybercrimes such as phishing...."

Thanks to Rob Hyndman for the link.

No comments: