Wednesday, September 22, 2010

Risk a Harm?

Interesting post and comments on privacy risk from Solove at Concurring Opinions.  Despite being raised by a pack of feral solicitors, I can't claim to understand all the legal theories involved.  I'm attracted to the liquidated damages idea for a number of reasons, including the ability to build a reserve or get underwriting to mitigate potential incidents.  

Harms at Risk

On the other hand, this is where the disclosure rules suck.   For example, an organization loses track of a hunk of physical media that contains a couple hundred thousand records that contain personally identifiable information (but not financial information - no bank or credit card account number).   In this example, there is a very high probability that the media was subsequently destroyed.  Are the individuals identified on the media well served by being notified?  

Imagine there was a method to calculate the likelihood of financial damage to the individual due to the loss of the media.  Lets imagine that there is less than 1% chance that the information will be used in a crime in the next 2 years, and it decreases by half every year that follows.  However, if it is used in a crime, it is likely that the crime will be of a significant impact - a genuine fraud involving a false credentials that would take more than $100,000 for the victim to unravel.   Is notifying the victim of the risk, and making him feel uneasy (since humans perceive risk differently than equations) responsible?  

Or is this just an excuse for me to illustrate a post with a picture of Harms at risk?