Jaikumar Vijayam has posted an article at ComputerWorld regarding the Express Scripts Data Breach class action suit. This is the case where, in 2008, Express Scripts received a letter demanding money from the company under the threat of exposing records of millions of patients. The letter included personal information on people covered by Express Scripts, including birth dates, Social Security numbers and prescription information. Many of the insured were seeking damages, and the judge has thrown the case out citing lack of evidence.

Without any actual harm being done, there can be no damages sought.

To me, this means that privacy is worthless.

“Abstract injury is not enough to demonstrate injury-infact,” Judge Buckles wrote. “The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical.”

and …

“Plaintiff alleges that he would be injured “if” his personal information was compromised, and “if” such information was obtained by an unauthorized third party, and “if” his identity was stolen as a result, and “if” the use of his stolen identity caused him harm.” These multiple “if’s” put his claims in the realm of the hypothetical, Judge Buckles noted.

I get the argument. And I get that laws don’t protect our feelings. But Express Scripts has been entrusted with the data, and they earn revenue from having this data, which means they inherit the custodial responsibility for the security and privacy of that information. Not being able to quantify damages should not be considered the same as not being damaged. Should the burden of proof on this point fall on the person who had their information stolen?

Considered in light of credit card processors, health insurers, 3rd party service providers, and law enforcement not sharing information about breach specifics, it will be neigh on impossible for average citizens to gather information necessary to demonstrate the chain of events that led to damages. Damages and costs come in many forms, most of which are not fully quantifiable, so it becomes a quagmire. This sets a bad precedent, IMO, and does not promote or incentivize companies to secure data. When it gets bad enough, consumers will push for legislation to curb the behavior, and we have seen how that works out.