Massive data breaches have practically become a daily occurrence. These breaches reveal intrusive private information about individuals, as well as priceless corporate secrets. Ashley Madison’s breach ruined lives and resulted in suicides. The HSBC breach, accomplished by one of their own, revealed valuable commercial information about the bank and personal information about HSBC customers. The employee responsible for the breach has since been convicted of aggravated personal espionage, while third-party news outlets have been free to republish the hacked information.
Some information disclosed in data breaches can serve a public purpose. The Snowden disclosures, for example, revealed sensitive government information and were also crucial to public policy debate. Yet a significant amount of disclosed information is destructive to individuals and companies alike, and often has little, if any, public value.
The conflict between publicly important disclosures and disturbing private intrusions creates a direct confrontation between freedom of expression and privacy. A full analysis of this confrontation requires assessment of the specific circumstances of a breach—from the vulnerabilities present beforehand to the aftermath when the media, companies, and individuals all must cope with the information exposed.
This analysis begins by evaluating the importance of information in modern society. Big data is now an inescapable part of our culture. A data breach may contain intimate details about medical conditions or national security secrets. The disclosure of either has its own kind of devastating effect. Examples of the impact of a mass data breach include the hacking of Target Corporation, Yahoo! Inc., Home Depot, Inc., Sony Corporation, Anthem Inc., HSBC Private Bank (Suisse), SA, and AshleyMadison.com. A dissection of these breaches reveals a common theme—the ineffectual legal system, which provides little protection or remedy for any party involved. Several factors—including the anonymity of hackers, outdated legal remedies, and free speech protections for third-party publishers—together create an uncertain and uncharted legal landscape.
After evaluating the available statutory and common law remedies, this Article posits that reinvigorated private causes of action can be a starting point for developing stronger legal remedies for those damaged in a breach. The right facts and legal arguments can create new remedies out of existing legal doctrines. Further, public values on protecting privacy are in flux. More protective policies in the European Union demonstrate that privacy and free expression can coexist. Some EU policies may provide examples of legislative options. Corporate entities and individuals are at risk and are suffering real harm in a world with daily data breaches and ineffective laws. The need for new perspectives is urgent.