Article: Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes
Dana Lesemann of the Howard University School of Law has an article of note in the Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Here’s the abstract:
Companies facing the loss of a laptop or a compromised server have long waged battles on several fronts: investigating the source of the breach, identifying potentially criminal behavior, retrieving or replicating lost or manipulated data, and putting better security in place. As recently as seven years ago, the broader consequences of a data breach were largely deflected from the party on whose resource the data resided and instead rested essentially on those whose data was compromised. Today, however, with the patchwork quilt of domestic data breach statutes and penalties, most companies forging “unto the breach” would consider paying a ransom worthy of King Henry to avoid the loss of its consumers’ identities through theft or manipulation. The cost to businesses of responding to data breaches continues to rise. According to the Ponemon Institute, the average cost of data breaches to the businesses it surveyed increased from $6.65 million in 2008 to $6.75 million in 2009. The per-record cost of the data breaches experienced by the companies it surveyed was $202 in 2009, only $2 per record more than the average in 2008 but a $66, or 38% overall increase since 2005. The most expensive data breach in the 2009 Ponemon survey was nearly $31 million; the last expensive was $750,000.
In confronting a data breach, a company has to contend with a multitude of issues: the costs of replacing lost equipment, repairing the breach, and thwarting a potentially criminal act. Some specific industries have their own privacy laws. For example, financial firms must contend with the reporting requirements associated with the federal Gramm-Leach-Bliley Act, and health care companies face broad reporting requirements under the new HITECH Act. Across the broader economy, however, attorneys and companies worry most about a thicket of data breach notification statutes enacted by 45 states and the District of Columbia. These statutes expose law firms and their clients to conflicting time limits, reporting requirements, fines, and potentially millions of dollars in penalties and civil liability – not to mention reputational risk. The 46 data breach notification statutes vary widely from state to state and, most critically, focus not on the location of the breach or where the company is incorporated, but on the residence of the victim. Therefore, a company facing a data breach must comply with the state laws of each of its affected consumers. A company’s multi-state or Internet presence only extends the potential web of specific time limits and other often conflicting requirements for notifying consumers.
This Article addresses the legal, technological, and policy issues surrounding U.S. data breach notification statutes and recommends steps that state and federal regulatory agencies should take to improve and harmonize those statutes. Part I of this Article provides background on the data breaches that gave rise to the enactment of notification statutes. Part II addresses the varying definitions of “personal information” in the state statutes – the data that is protected by the statute and whose breach must be revealed to consumers. Part III analyzes how states define the data breach itself, particularly whether states rely on a strict liability standard, on a risk assessment approach, or on a model that blends elements of both in determining how and when companies have to notify consumers of a breach. Part IV discusses the time limits companies face, penalties for non-compliance, litigation under the statutes, and state enforcement of the statutes. Finally, Part V presents specific recommendations for the state legislatures and enforcement agencies and for Congress, as well as for companies facing data breaches.
You can download the full article at SSRN.
One of Lesemann’s recommendations is that states adopt a risk-based assessment model as opposed to a strict liability model. Similarly, Lesemann recommends a national law that would also incorporate a risk-based assessment. Lesemann’s explanation of a risk-based assessment would require a more extensive investigation and consultation with federal, state, and local agencies, but seems geared only towards financial harm, once again ignoring the issue that unless consumers say they do not want to be informed, it is self-serving to claim that too many notifications makes consumers numb. In my opinion, rather than rationalizing not providing notifications, we should ensure that the notifications provide sufficient, accurate information that enables consumers to evaluate the risk and to make an informed choice as to their next steps — which in addition to financial or credit protection strategies, may or may not include terminating their relationship with the entity. But I do recommend the article as it provides a good review of the various state laws, class action lawsuits, and issues.
Lesemann, Dana, Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes (September, 02 2010). Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Available at SSRN: http://ssrn.com/abstract=1671082