I disagree that there is not a possibility for victims, but the question is what they are victims of, and who is making them victims of that thing.
One of the side-effects of that which happened in Sweden were that many people with protected identities - people whom the government had promised to protect in order to ensure that they did not suffer negative consequences from externalities in their lives - were revealed. They could certainly come to suffer problems from the fact that public authorities are unable to perform the tasks that they have obliged themselves to perform.
But the victim aspect is problematic: normally, leakage of personal information (whether it's a protected identity or Disqus user account information) causes only "secondary" effects which are uncomfortable and undesirable for private persons. Normally, a private person would not associate neither the discomfort nor their fear with the party that leaks the data. If a person had a protected identity because you have previously suffered domestic abuse, that person is more likely to be scared of their abusive partner than the tax authority if their identity is revealed. What that person will, most likely, not be concerned with is whether the tax authority had procured networking services from a company which configures its databases correctly and performs timely patching.
I have actually heard people arguing about this particular case as if the people affected by public authority data breaches would somehow be particularly concerned with the latter: of course they are not. Only security engineers become angry when stuff is ill configured and badly patched.
This is another reason for why I believe that individuals, companies and public authorities alike are much better served by proper market oversight with regulations such as transparency and disclosure requirements and liability rules than by the criminal law framework that we currently have.
I disagree that there is not a possibility for victims, but the question is what they are victims of, and who is making them victims of that thing.
One of the side-effects of that which happened in Sweden were that many people with protected identities - people whom the government had promised to protect in order to ensure that they did not suffer negative consequences from externalities in their lives - were revealed. They could certainly come to suffer problems from the fact that public authorities are unable to perform the tasks that they have obliged themselves to perform.
But the victim aspect is problematic: normally, leakage of personal information (whether it's a protected identity or Disqus user account information) causes only "secondary" effects which are uncomfortable and undesirable for private persons. Normally, a private person would not associate neither the discomfort nor their fear with the party that leaks the data. If a person had a protected identity because you have previously suffered domestic abuse, that person is more likely to be scared of their abusive partner than the tax authority if their identity is revealed. What that person will, most likely, not be concerned with is whether the tax authority had procured networking services from a company which configures its databases correctly and performs timely patching.
I have actually heard people arguing about this particular case as if the people affected by public authority data breaches would somehow be particularly concerned with the latter: of course they are not. Only security engineers become angry when stuff is ill configured and badly patched.
This is another reason for why I believe that individuals, companies and public authorities alike are much better served by proper market oversight with regulations such as transparency and disclosure requirements and liability rules than by the criminal law framework that we currently have.