Are 'Better' Security Breach Notification Laws Possible?


Jane K. Winn


University of Washington - School of Law

June 8, 2009

Berkeley Technology Law Journal, Vol. 24, 2009

Abstract:     
Security breach notification laws (SBNLs) may have succeeded in bringing the issue of inadequate information security to the attention of American consumers, but do not appear to be having much impact on the way that American businesses store and use sensitive personal information. This failure is not surprising in light of the extremely limited scope of American SBNLs, which generally do not reinforce an underlying right to privacy but instead only mandate disclosure of information that is confusing and difficult for consumers to make use of. While receiving repeated notices of security breaches might someday galvanize American public opinion to support stronger information privacy laws, that would be a remote and uncertain benefit from legislation that appears in the short term to penalize responsible businesses while being disregarded by unsophisticated and irresponsible ones. Although businesses in possession of sensitive personal information are exposed to something like strict liability for security breaches, the vendors of the information technology systems that are vulnerable to breaches remain exempt from liability. SBNLs generally commit no public resources to ensuring compliance, reducing the risk that non-compliance will be detected to near zero for many businesses. Under such circumstances, most businesses have no economic incentive to comply with a law when compliance would be very costly. Even though litigation claiming damages following a security breach notification has not been successful to date, the risk of being exposed to such litigation as a result of compliance further increases incentives for non-compliance. This paper reviews the development of new governance approaches to regulation, including “responsive regulation,” “smart regulation” and “better regulation” and then applies new governance criteria to SBNLs to show why they are unlikely to have much impact on the information security policies of many American businesses. 
This paper reviews the practical problems that any business faces when trying to secure large quantities of sensitive personal information, and outlines what a “better regulation” approach to information security regulation targeting sensitive personal information might include.

Number of Pages in PDF File: 33

Keywords: security breach, better regulation, information security, new governance, data protection, information privacy

Accepted Paper Series



Date posted: June 11, 2009; Last revised: February 28, 2014

Suggested Citation

Winn, Jane K., Are 'Better' Security Breach Notification Laws Possible? (June 8, 2009). Berkeley Technology Law Journal, Vol. 24, 2009. Available at SSRN: http://ssrn.com/abstract=1416222

Contact Information

Jane Winn (Contact Author)
University of Washington - School of Law
William H. Gates Hall
Box 353020
Seattle, WA 98105-3020
United States



Paper statistics
Abstract Views: 1,037
Downloads: 201
Download Rank: 83,701
Citations:  1
Footnotes:  140
