The Data Breach Notification That Cried Wolf: How Connecticut’s Overbroad Data Breach Notification Statute Undermines the Effectiveness of Consumer Protection
Jackson Raymond Schipke, Connecticut, 3L Roger Williams University Law School writes:
Connecticut’s data breach statute is a wolf in sheep’s clothing. That statute’s definition of “breach of security” is overbroad, encourages over-notification, and undermines the goal of protecting consumers from identity theft. In Connecticut, notification is triggered by mere access of personal information, a statutory feature that encourages over-notification. Over-notification refers to a Boy-Who-Cried-Wolf-like phenomenon. Specifically, when consumers receive many notices of breaches that do not result in identity theft, notices of high-risk breaches will be ignored because the “average” data breach poses no risk of harm – a result that clearly undermines the statute’s consumer protection goals.
Importantly, Connecticut’s data breach law only applies to Connecticut businesses. Therefore to the extent that data breach notices damage a business’s reputation (which they surely do) Connecticut businesses are placed at a disadvantage to similarly situated businesses in other states due to the greater frequency of required disclosure of breaches.
Read more on Robinson & Cole Data Privacy and Security Insider.
Did no one at the law firm review his submission and think to point out the problems with it?
Methinks Mr. Schipke needs to read up more on the reasons for using access as a notification trigger instead of using other approaches. Then, too, it is not just financial security that is of concern, and it is not just “Connecticut businesses” who are required to notify.
Connecticut’s statute calls for “anyone who conducts business in Connecticut” and who owns, licenses or maintains computerized data that includes personal information on residents of Connecticut. Connecticut is one of three entities that use an access trigger, the other two being New Jersey and Puerto Rico. So yes, Connecticut requires more notifications, all else being equal, but it applies to non-Connecticut businesses, too. Of course, this particular concern could be addressed by a national data breach notification law that exposed all entities to the same standards, but hey, that’s another story, right?