Jay Cline of Minnesota Privacy Consultants compiled some interesting data on privacy breach violations. He writes:
The European Union is threatening to suspend the U.S.-EU Safe Harbor agreement that U.S. companies depend on to do business with Europe, claiming that America doesn’t enforce its side of the bargain. Any way you cut the data, however, the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.
[…]
I assigned several researchers to mine our databases, publications and regulator websites for any instance of a fine imposed by a government agency for a violation of data privacy. We set the threshold of materiality at a minimum of $100,000. In practice, I’ve noticed that this is the amount where larger corporations even start to take notice. Anything less is a rounding error.
What did we discover?
* Increasing over time. We found 358 enforcement actions since January 1999, the first year big privacy fines came online. Only 130 of these carried fines that met or exceeded our $100,000 threshold. Of these, 60% were levied in the last three years. All fines totaled $225 million, with 52% of that sum imposed since 2011.
Read more on Computerworld, where you’ll find more statistics and charts on privacy fines and lawsuits.
But what can we make of the data? Cline writes (emphasis added by me):
What does this all mean? If you’re a consumer, violations of your privacy are more likely to be punished in an effective manner in the U.S.
He seems to equate handing out more and bigger fines with addressing privacy violations “in an effective manner,” but on what basis does he claim such fines are effective? Have big fines reduced the risk or rate of privacy violations? If so, where are the data to support that claim?
With every big breach or fine, we see “lessons to be learned” articles, but as I’ve noted repeatedly on databreaches.net, those lessons don’t seem to be learned. Congress has yet to do anything serious about data brokers, HHS has only taken a relative handful of enforcement actions since HIPAA went into effect, and the FTC, too, needs to enforce more. And then, of course, there’s our NSA gobbling up tons of revealing metadata and other types of information.
Have we handed out more big fines or judgments than non-U.S. countries? Yes, but so what if we do? Where is there any evidence that the U.S. is better at protecting consumer and patient privacy than non-U.S. countries?
Should EU citizens be concerned about American businesses holding their data or processing it? Absolutely. And until Congress enacts strong privacy-protective legislation, including revoking the NSA’s ability to bulk collect our communications data, they should continue to be very, very concerned.
No kidding—high US fines do not mean we have stronger privacy rights than EU residents!
The fines are WAY TOO LOW for multi-billion dollar US corporations which can afford multi-billion dollar annual lobbying costs to block badly-needed new data privacy and security laws.
Major gaps in HIPAA and US law enabled the massive growth of hidden US data brokers. The scale of the secret data collection and sale now threatens our Democracy. When government and corporations know everything about all of 300 million of us, can the US remain a Democracy?
We need tough new federal data protection laws.
For example: US banks won’t implement/pay for tougher credit/debit cards (like EU chip and pin) without a federal law.
And US citizens and residents can’t get tough individually controlled cyber-credentials for use online (to allow us to identify ourselves via certificates or tokens) without a federal law. We can’t protect or control our own online identities, stop ID fraud, end the massive hidden collection of personal data, or control sensitive PII without tough new federal laws.
But the Congress won’t pass tough comprehensive data privacy and security protections even for citizens’ most sensitive PII, personal health data, because the data broker lobby is so powerful. The ONLY way is if US citizens (all of us) FIGHT back and tell Congress to end all secret data theft and collection of PII.
See my blog with details about IMS and the US data broker industry. There are at least “100K data suppliers” according to the IMS SEC filing to sell stock: http://patientprivacyrights.org/2014/01/ims-health-files-ipo-legal/
Thanks for jumping in, Deb. I don’t think either of us thinks there shouldn’t be fines, but we agree that fines or settlement amounts – as they’ve been used – do not translate into greater privacy protections and we need Congressional action.