by zdragnar 2858 days ago
Nothing happened because it's very difficult to assess damages of personal information.

For example, if a health insurer the size of Equifax lost the equivalent amount of HIPAA related information due to negligence, you can sure bet there would be penalties. That's because HIPAA related info has legally defined protections.

As it is, calculating the damages of releasing your Equifax info is a speculative guess at best, which is why at most you got to lock access or ID fraud protection.

3 comments

> Nothing happened because it's very difficult to assess damages of personal information.

It's also very difficult to assess damages of copyright violations... and so the companies that had it in their interest to get this working pushed for statutory damages.

Maybe we need something like that for privacy.

Which is why damages for this negligence should have statutory minimums. $10,000 mentioned elsewhere in this thread is a nice round number. If given a sufficient period to fix their shit (a year?), no one can complain that they've been harmed by such a requirement. I've seen this in contracts, which said basically, "since it will take years for a court to assess damages if you do this awful thing you agree not to do, we stipulate here that the damages will be $X instead."
> Nothing happened because it's very difficult to assess damages of personal information.

It's interesting that you bring up health insurance, because that's an industry that definitely knows how to calculate the value of various pieces of personal information.