Comments on: Acxiom Not Liable for Security Breach–Bell v. Acxiom

By: Chris Hoofnagle

Chris Hoofnagle — Thu, 19 Oct 2006 17:16:50 +0000

The criminal actor was one of Acxiom’s clients…

And with all due respect, the law recognizes and protects consumer *dignity*, not just injury. After all, how are you injured by your video, cable, or doctor selling your records? Driving the debate towards having to show an injury is almost irrelevant–privacy law provides default damages because these injuries are frequently impossible to show.

Acxiom scoops up personal information on others without notice or consent, uses that information for unknown purposes, and in this case, didn’t secure the informtion.

I don’t think the plaintiffs should have hit the jackpot in this case, but absent lawsuits, there are no market forces to curb Acxiom’s behavior, and many people find the company’s actions objectionable.

For instance, just try to opt out from Acxiom’s information disclosure–they put unreasonable burdens in the way (requiring you to call to request an information packet, etc). Beth Givens and 10 other people attempted to use Acxiom’s self-regulatory access to records system several years ago, and many in their small sample never got a reply!

By: Chris Hoofnagle

Chris Hoofnagle — Thu, 19 Oct 2006 16:55:18 +0000

FWIW, this case could have been more effectively designed. They didn’t even bring an unfair/deceptive trade practices claim. (Acxiom mischaracterized their security practices, characterizing them as “exceptional,” but they were not. This behavior could support a unfair/deceptive practices claim under the FTC’s decision in Microsoft Passport.)

But is it good to keep privacy lawsuits in check? WHat other remedy does one have against Acxiom for its practices?

By: Eric Goldman

Eric Goldman — Thu, 19 Oct 2006 10:02:43 +0000

Thanks, Chris. Your questions make an assumption that deserves examination. Why should plaintiffs need a remedy against Acxiom if they didn’t suffer any injury? I recognize that the definition of “injury” is a little tautological; for example, one might take the position that the mere disclosure, without any further consequence, is injurious, but I don’t agree. See http://papers.ssrn.com/sol3/papers.cfm?abstract_id=685241 . Otherwise, I don’t think plaintiffs should have a cause of action for disclosures they don’t like (especially in situations like this, where the disclosure was caused by a criminal actor). Eric.