I'm going to have to apologize in advance for the extreme use of ellipses here. I'm frankly confused as can be over this blog post, and the result is aggressive punctuation.
In what seems to be one of the most ridiculous situations we've read about recently, the Richmond Times reports that a U.S. District Court judge has ruled that a woman posting Social Security numbers of government workers online was, well... *cough*... *pains me to type this*... protected by the First Amendment. Yes... posting PII online is protected by the First Amendment. The judge ordered the state of Virginia to halt prosecution against her for doing so. The state has appealed, and a three-judge panel is reviewing the appeal.
This is only part of the ridiculousness. This Virginia woman is essentially doing this in protest of how accessible Virginia residents' personal information is via public records stored by various clerks around the state (mortgages, divorce decrees, etc.). Most (if not all) of the records she's referring to are obtainable by anyone in unredacted form, online in some cases or in person in most cases. In a way, we're rooting for her...
... but...
Isn't a ruling like this a bit counterproductive? Having a court rule that posting PII online is protected as freedom of speech is... well... very bad for data loss! We're not questioning the ruling, really; it may make sense. It does, however, seem (on some level)... well... really *expletive*'ing messed up.
On the one hand, you have laws being made and enforced to protect that sort of data, and on the other hand you have judges throwing around the First Amendment. Maybe, just maybe, if governments didn't exempt themselves from these breach notification laws, we'd be in better shape! Virginia's data breach law exempts government PII in this paragraph:
"The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public."
It seems hypocritical of the State of Virginia to go after anyone about posting PII online when the government freely does the same thing. Virginia isn't the only state exempting itself, either -- many are. Maybe we should tabulate a list of 'em?
Share your thoughts with us on our discussion mailing list.
by Anonymous on 2010-03-25 (about 3 years ago)
I am slowly coming to terms that breach notifications are not relevant anymore. Businesses can claim no harm and it is impossible to link a breach to harm (has not been established in court yet) and governments operate using the 1st amendment.
This is sad but reality. Instead of laws forcing companies to strengthen their security to prevent these things from occurring, the courts are giving them a loophole that one could drive a truck through.
by rfsully [Apprentice Investigator] on 2010-03-25 (about 3 years ago)
Wow, just when you think you've seen it all.
by Anonymous on 2010-03-25 (about 3 years ago)
Other states that exempt themselves -- Let's see a list of 'em. They want to pretend that it is OK when they give out info useful mainly to criminals, but put you behind bars if you do the same thing?!?!?
Virginia's exemption clause would appear to apply to Ms Ostragen's activity here, so she should be suing Virginia for malicious prosecution or something. Given the particulars of this case, I concur with the judge that this is political speech that should be protected by the First Amendment. Virginia should not be posting these SSNs online either, and as long as the law says an SSN is not PII if you lawfully got it from a government website, citizens like Ms Ostragen are entirely within their rights. What Virginia should do is correct its stupid laws and force the county clerks to secure/redact the sensitive info from the on-line copy of the records. The classic counter-argument has been that the law doesn't permit alteration of the records; in that case, the record should not be available online. If you want a document with PII in it, you should have to go to the courthouse and SIGN FOR IT so that your hapless victim will have some hope of finding out who obtained her SSN and when.
by Anonymous on 2010-03-25 (about 3 years ago)
To the first Anonymous above:
I share your frustration, but I disagree with your opinion on the relevance of breach notifications.
Data theft was not even a blip on the radar because people were not aware of the severity of the problem. Only by revealing the extent of the problem will people be prompted to act upon it: legislators, consumer protection agencies, grassroots organizations, and just your average Joe.
Remember: out of sight, out of mind (and the field of psychology confirms it again and again). Yes, it's taking a long time, but since when has any nation-wide process/movement been speedy? Especially for something that is (somewhat) subtle in nature?
I, too, would like nothing better than to see companies with egregious breaches penalized; at the same time, I also have to admit that companies would probably be less than forthright about a breach if such laws were present.
While not the ideal solution, I'm beginning to understand why breach notification legislation tends to include safe harbor for encrypted information: it's an indirect way of encouraging the adoption of better data security.
Come out too strong, too fast, and you'll see a backlash (Massachusetts's revised information security laws, anyone?).
by Anonymous on 2010-03-26 (about 3 years ago)
In a public records request, even paper, shouldn't the PII be redacted and the requester given/shown that copy?
Seems like a no-brainer and I know there are states/institutions doing that.
by shenry1307 [Apprentice Investigator] on 2010-11-26 (over 2 years ago)
Perhaps the judge in this case would have a change of heart if HIS information "mysteriously" appeared online and in plain view!
We are all objective until we become subjective (or something like that ...).