This is not directly a security issue. Or a privacy issue. Because the County did not get hacked.
BUT it still is important to businesses. And governments.
Juries are no longer sitting back and allowing organizations to ignore basic privacy law without consequences.
In this case it is Bucks County, Pennsylvania (population about 650,000), and this is going to cost them some bucks.
The federal jury awarded $1,000 for each of the 67,000 people who were booked into jail in the county since 1938.
The Bucks County budget is about $400 million, so this verdict, if it stands, represents about 16% of the total county budget for a year.
These people, whether they were convicted of a crime or not, were added to a publicly available web site called the Inmate Lookup Tool.
The suit started in 2013 – six years ago – when Daryoush Taha was arrested and charged with harassment, disorderly conduct and resisting arrest. He was released the next day. He completed a one-year probationary program for first-time offenders and the judge ordered that his arrest record be expunged.
For whatever reason, the folks that ran the Inmate Lookup Tool didn’t get the message and his name, photo, personal details and charges were available online. Apparently, posting that information online is against the law in Pennsylvania.
The federal judge granted class action status and the plaintiff’s attorney said, in closing arguments, that residents have the right to expect that local governments follow the law.
The county said that they did not know that posting all of this personal information on people who were arrested was illegal.
Basically, their defense was “We’re dumb. We didn’t know the law.”
I wonder how that defense would work for someone they arrested?
Likely the County does not have insurance for this and, for the most part, you cannot get insurance to cover the penalty for being convicted of a crime.
This is only one of a number of cases we have seen lately where juries have said (to steal a line from a movie) “I’m as mad as hell and I am not going to put up with it any more”.
For businesses, this means that a defense of ignorance, or “gee, I’m sorry”, is not a sure-fire defense anymore. As an example, we just saw Equifax’s Moody’s rating downgraded to NEGATIVE as a result of their breach.
Information for this post came from the Philly Inquirer.
I don’t have a crystal ball, but I don’t see this getting better for companies that violate privacy or security laws in the future.