Just when you thought Heartland Payment Systems was the largest data breach of all time, this month’s breach has the potential to beat that record. On April 1, 2011, Epsilon Data Management, a marketing services provider based in Texas, announced that its clients’ customer data had been “exposed by an unauthorized entry into Epsilon’s email system” on March 30, 2011.
Many major American companies do business with Epsilon, like TiVo, JP Morgan Chase, Walgreens, Capital One, Citibank, and LL Bean (I also got an email from Blockbuster about a breach, but was unsure if it was related to Epsilon). According to Epsilon’s official press release (and the various notices from the companies listed above) the breach was limited to email addresses and customer names. No other personal information (such as bank account information, credit card numbers or Social Security numbers) was compromised.
My argument today is not about the law. As we will discuss in class, the average American Internet user may be numb to this news. There is a feeling of a collective *yawn* about data breaches. We get these notices annually, quarterly, or monthly. It seems as if nothing is “safe,” especially involving massive data-driven companies. Scholars (myself included) have argued that our notions of privacy are slowly being limited by society’s new outlook on privacy. The Katz test we study in class plays a role here. It’s not on point, but the “society” based argument is relevant. The right to privacy is measured by a two-part test: 1) the person must have a subjective expectation of privacy; and 2) that expectation must be one that society recognizes as reasonable. Katz v. United States, 389 U.S. 347, 360 (1967). Arguably, I doubt we can honestly say that anything we put onto the Internet (name, email, zip code, address, phone, etc.) has a shot at remaining private. And, arguably, the generational shift has shown (through social media) that society may no longer recognize a reasonable right to privacy in anything we post on the net, or add to a company’s database, no matter what the law says. These companies, password-protected websites, dual-authentication schemes, etc. still get breached. What’s left to do?