by fitblipper 1265 days ago
Has any leak ever resulted in someone saying they could clearly id damages from a specific leak and then get compensation from the company who leaked it?

We aren't even told when a government entity looks at and uses our private information. How in the world would we know when a criminal does, and how would we be able to say they looked at that specific leak instead of one of the other 10 possible sources of my leaked private information?

Maybe it is time to pool the damages of all identity thefts together (about 56 billion in 2021) and split the bill (+ maintenance and administrative costs for managing the money) across all businesses that have leaked private data. That money could be used as a resource to all identity theft victims to be made whole.

1 comments

> time to pool the damages of all identity thefts together

You can’t pool something you haven’t measured. This is a genuine question. I had thought we’d have demonstrated liability by now.

As far as I'm concerned, every single act of identity theft that occurred after the breach where at least one piece of data leaked in the breach was used, are damages. Sure, it might have happened anyway, but it doesn't really matter which illicit source they got it from; it was available anyway.

Just like in an assault/homicide case, if a victim has a heart attack and dies soon after you assaulted them, you can't prove that the attack led to the heart attack. Could just be bad timing. But most courts and juries would likely find the assaulter guilty to some extent.

> it might have happened anyway

This isn’t how civil damages work in any jurisdiction.

> like in an assault/homicide case

Apples and oranges. If the only way we can finger Equifax is by equating their actions to violent crimes, there is no case. That is increasingly my conclusion. These leaks have little to no actual cost.

In the case of the Equifax leak, I don't think they have shown up in large tranches on the dark web like other leaks. Which I think suggests that it may have been a state actor. So Equifax's negligence has created a national security issue. Imagine how a state actor could cripple the financial system by using bots to open millions of accounts en masse and start taking out loans or whatever. Banks would have to shut down until they could figure out which accounts are fraudulent.

There are groups out there measuring the cost related to identity theft. The $56 billion number wasn't pulled out of thin air: https://javelinstrategy.com/content/2021-identity-fraud-repo...

How do you propose liability could be demonstrated with something like this? Do you expect hackers and fraudsters to cite their sources when they are defrauding someone?