Privacy Harms
From MgmtWiki
Full Title or Meme
Privacy Harms takes the view of the Subject in a privacy Exploit.
Context
- Normally the Privacy Risk of any transaction is measured in terms of the risk to the Enterprise that holds the user data.
- This page is about the risk to the Subject of the data that is disclosed.
- The party carrying out the Exploit of the Subject's private data can be any of a variety of entities, including the Entity that acquired the data from the Subject.
- As in many web transactions, the benefit of the transaction typically accrues to the Enterprise and the cost to the Subject.
Taxonomy
- Cyber risk is the intersection of assets, threats, and vulnerabilities. It is the potential for loss, damage, or destruction of an asset when a threat takes advantage of a vulnerability, or Risk = {Asset Value} x {expected chance of exploit}. That equation only works within the Enterprise.
- Enterprise in this paper means any of (1) the data controller, (2) the data processor, (3) the data issuer, or (4) the attacker, which in this case covers all of the other entities that may benefit from having the Subject's data. (n.b. Some may quibble that the issuer is just another processor, but I believe it is instructive to treat them separately here.)
- Subject is the natural person that the data is about. (All the harms described here are related to natural persons.)
- Payor is the entity that bears any monetary cost of an exploit. This may be the Subject, the Enterprise, or some third-party payor, such as an insurance company.
Harms
- There are multiple ways to talk about the harms of privacy invasions. One can start with the act of collecting user information, as is done by the Me2B Alliance. Me2B Privacy Harms
- This page looks at the point where a privacy violation actually impacts the Subject, as that is where the Subject may first realize the impact of their loss of private spaces.