The legalities surrounding a person’s right to privacy developed far later than laws relating to property ownership or representation in courts, but they continue to evolve in an age of new technology and new ways to blur the lines between public and private information. Most observers pin the rise in privacy concerns to the invention of mass-market photographic technology and the late 19th expansion of print media. Legal scholars regard an 1890 article in the Harvard Law Review by lawyers Samuel Warren and Louis Brandeis as the first to outline the details of privacy in response to the gossipy newspapers trends of the time, most notably, the “right to be let alone.”
Over the intervening decades, privacy rights have come to mean many things and many laws have been passed to guard against intrusion on a person’s physical or electronic peace. Nowadays, though, while an individual is in their own home, their data can be all over the digital landscape with or without their knowledge and the laws must continue to evaluate the manner in which data is collected, held, and disseminated. Organizations must be aware of the ways in which privacy violations can arise and the penalties for creating such violations.
As we look over the last 15 years of Advisen Loss Insights data, the number of cyber-related privacy cases soared between 2000 and 2013, but dropped slightly in 2014. The rise over time may relate to more awareness of privacy violations and more states implementing laws governing data breaches. However, the federal Health Insurance Portability and Accountability Act (HIPAA) has been in place since 1996, so there is precedent for privacy laws well before data breach-specific statutes.
The causes of privacy violations fall more evenly in the various categories than other cyber-related case consequences, such as cyber extortion, according to Advisen data. As in most cases, hacked servers tend to be the most frequent source of the loss and this has become more probable in recent years. The relatively even split among most other causes of loss indicate the fact that confidential data can exist anywhere and once it ends up in the wrong hands, it’s relatively easy to prove that a person’s privacy has been violated.
Advisen data show more privacy events affecting smaller companies — in the time period tracked, there were 3,566 cases involving smaller businesses, 1,835 with medium-sized businesses, and 2,020 affecting larger companies. However, a greater percentage overall of larger companies will be hit by privacy violations. This trend could suggest that agencies upholding privacy laws are more likely to pursue regulatory action against larger organizations, or it could reflect the fact that smaller businesses outnumber companies with revenue of more than $1 billion.
The loss probability associated with privacy cases offers a clear message — violate an individual’s privacy in any way, at any time, and it’s likely going to cost the organization at least $10,000 and can, one percent of the time, cost up to $50 million. About 25 percent of cases can cost the offending organization over $1 million. With penalties for privacy violation like these, it isn’t surprising that cases began to drop in 2014 — potentially marking greater awareness of the laws and the need to protect sensitive information belonging to someone else.