Monday, November 5, 2018

Data Privacy Violation Settlement Money For The People!


Cy Pres settlements laughably but rightfully pronounced “Sigh” and “Pray”.

In a Cy Pres type of class action settlement, funds are distributed mainly to third parties and the plaintiff’s attorneys, as opposed to the class of plaintiffs themselves. 

In most cases, I feel people/consumers should receive the brunt of settlement money, not organizations (like mine).
The parties set to receive the brunt of the $8.5 million dollar Google settlement distribution are organizations that educate the public about internet privacy issues and the attorneys that represent the class of plaintiffs. KAI Partners trains and educates the public with a goal of strengthening the workforce and improving awareness of data privacy and cyber security issues (hyperlink to the next of my scheduled events); I am not a settlement recipient, but my opinion remains the same.

The way it works is, federal agencies such as the FTC have standing to file legal claims even before breach damages or a violation occurs. This is because of a 100-year-oldconsumer protection statuteon “unfair or deceptive acts or practices”. But Individuals and classes of plaintiffs generally have to allege damages as result of the violation. 
Damages must be particularized, injuries-in-fact to be legally recognized. To establish a prima faciecause of actionin tort law (elements of Negligence, Breach of Contract, or Unjust Enrichment claims differ), the plaintiffs must allege actual harm (generally, pure economic loss alone doesn’t cut it). That final element of damages in prima facie causes of action is problematic and controversial in data privacy violation cases.

The General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA) do help us identify which entities are covered by the laws, and to whom the entities owe a duty. The laws set standards as to what would constitute a breach of that duty. One way the laws differ is in whether they grant a private right of action to classes of individuals to sue when the standard is breached, or whether standing to sue exists only with regulatory bodies. 

The controversy lies in that the laws do not create a bright line rule as to whether failure to meet their data protection standards, consequently resulting in privacy violations or data breach, can constitute a valid cause of action for individuals, without anything more (i.e. proof of identity theft). The Google case highlighted in this article suggest NO, not for the consumers that the law was aimed to protect, but yes for federal regulatory bodies. 

With the current data privacy laws, the people (consumers, data subjects) may not get to see their day in court, and if/when they do, they are not a part of the settlement money distribution. We “sigh” and “pray” about this.

The postings on this site are my own and do not necessarily reflect the views of KAI Partners, Inc.


Twitter: @CyberSecurityL2

No comments:

Post a Comment