What is a privacy breach?
A privacy breach occurs when there is unauthorized access to, or collection, use, or disclosure of, personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation. Some of the most common privacy breaches happen when personal information of customers, patients, clients or employees is stolen, lost or mistakenly disclosed (e.g., a computer containing personal information is stolen or personal information is mistakenly emailed to the wrong people). A privacy breach may also be a consequence of faulty business procedure or operational break-down.
What can we do?
Unfortunately, privacy breaches are becoming more and more common. Over the last few years, hundreds of thousands of Americans have been affected by privacy breaches. And the consequences for affected individuals can be significant.
Difference between Confidentiality and Privacy
We often use the terms “confidentiality” and “privacy” interchangeably in our everyday lives. However, they mean distinctly different things from a legal standpoint. To begin with, confidentiality refers to personal information shared with an attorney, physician, therapist, or other individual that generally cannot be divulged to third parties without the express consent of the client. On the other hand, privacy refers to the freedom from intrusion into one’s personal matters, and personal information.
While confidentiality is an ethical duty, privacy is a right rooted in common law. Understanding the difference between these two terms can spare you a lot of confusion when signing contracts, establishing a client-attorney relationship, and generally knowing your rights in a given situation.
When we say information is held in confidence, and therefore confidential, we have an expectation that it will be shared only after authorization is provided, and then only with authorized individuals. Most confidentiality agreements, either written or implied (as with the attorney-client privilege, for example), remain in effect indefinitely. The doctor-patient relationship establishes an implied contract of confidentiality since the doctor is in a position to help you by collecting and analyzing otherwise private information. If the doctor asks a pharmacist to fill a prescription for a drug known to treat a serious form of cancer, for example, it would not be a breach of confidentiality. But if the doctor were to tell your boss that you are terminally ill, that most certainly would constitute a breach of their ethical duty to keep your information private. Confidential information is regularly handled by financial institutions; hospitals; doctors; therapists; law firms; businesses; religious authorities; and others.
Examples of activities considered private might include a medical examination; activities within your home; using a restaurant bathroom; entering the office of a reproductive health provider, and generally, any action for which you have the reasonable expectation of privacy. Most things are done in public places would not be considered private, although privacy laws leave a substantial amount of gray area as to what might be considered “public,” as seen below.
The Fourth Amendment of the U.S. Constitution protects against searches that violate your reasonable expectation of privacy, which is loosely defined as something for which society as a whole would consider legitimate. The 1967 Supreme Court case Katz v. the United States held that the government may not record a conversation made from a public phone booth (with the glass door shut), even if the recording device is on the outside since the individual making the call has a reasonable expectation of privacy.
You have a reasonable expectation of privacy within your home; your office (if closed to the public); and most mail sent or received through the U.S. Postal Service, to name a few examples. You have a much more limited expectation of privacy when out in public places and none with respect to items left in the garbage outside your home.
An invasion of one’s privacy could raise one of the following claims in tort law:
1. Intrusion of Solitude
2. Appropriation of Name or Likeness
3. Public Disclosure of Private Facts
4. False Light
Most U.S. jurisdictions allow civil lawsuits for the claim of invasion of privacy, the specifics of which are largely controlled by state laws.