Abstract

http://ssrn.com/abstract=1671082
 
 

Citations (1)



 
 

Footnotes (193)



 


 



Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes


Dana Lesemann


Howard University School of Law

September 2, 2010

Akron Intellectual Property Journal, Vol. 4, p. 203, 2010

Abstract:     
Companies facing the loss of a laptop or a compromised server have long waged battles on several fronts: investigating the source of the breach, identifying potentially criminal behavior, retrieving or replicating lost or manipulated data, and putting better security in place. As recently as seven years ago, the broader consequences of a data breach were largely deflected from the party on whose resource the data resided and instead rested essentially on those whose data was compromised. Today, however, with the patchwork quilt of domestic data breach statutes and penalties, most companies forging “unto the breach” would consider paying a ransom worthy of King Henry to avoid the loss of its consumers’ identities through theft or manipulation. The cost to businesses of responding to data breaches continues to rise. According to the Ponemon Institute, the average cost of data breaches to the businesses it surveyed increased from $6.65 million in 2008 to $6.75 million in 2009. The per-record cost of the data breaches experienced by the companies it surveyed was $202 in 2009, only $2 per record more than the average in 2008 but a $66, or 38% overall increase since 2005. The most expensive data breach in the 2009 Ponemon survey was nearly $31 million; the last expensive was $750,000.

In confronting a data breach, a company has to contend with a multitude of issues: the costs of replacing lost equipment, repairing the breach, and thwarting a potentially criminal act. Some specific industries have their own privacy laws. For example, financial firms must contend with the reporting requirements associated with the federal Gramm-Leach-Bliley Act, and health care companies face broad reporting requirements under the new HITECH Act. Across the broader economy, however, attorneys and companies worry most about a thicket of data breach notification statutes enacted by 45 states and the District of Columbia. These statutes expose law firms and their clients to conflicting time limits, reporting requirements, fines, and potentially millions of dollars in penalties and civil liability - not to mention reputational risk. The 46 data breach notification statutes vary widely from state to state and, most critically, focus not on the location of the breach or where the company is incorporated, but on the residence of the victim. Therefore, a company facing a data breach must comply with the state laws of each of its affected consumers. A company’s multi-state or Internet presence only extends the potential web of specific time limits and other often conflicting requirements for notifying consumers.

This Article addresses the legal, technological, and policy issues surrounding U.S. data breach notification statutes and recommends steps that state and federal regulatory agencies should take to improve and harmonize those statutes. Part I of this Article provides background on the data breaches that gave rise to the enactment of notification statutes. Part II addresses the varying definitions of “personal information” in the state statutes – the data that is protected by the statute and whose breach must be revealed to consumers. Part III analyzes how states define the data breach itself, particularly whether states rely on a strict liability standard, on a risk assessment approach, or on a model that blends elements of both in determining how and when companies have to notify consumers of a breach. Part IV discusses the time limits companies face, penalties for non-compliance, litigation under the statutes, and state enforcement of the statutes. Finally, Part V presents specific recommendations for the state legislatures and enforcement agencies and for Congress, as well as for companies facing data breaches.

Number of Pages in PDF File: 36

Accepted Paper Series





Download This Paper

Date posted: September 4, 2010  

Suggested Citation

Lesemann, Dana, Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes (September 2, 2010). Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Available at SSRN: http://ssrn.com/abstract=1671082

Contact Information

Dana Lesemann (Contact Author)
Howard University School of Law ( email )
2900 Van Ness St., N.W.
Washington, DC 20008
United States
301-830-3236 (Phone)
HOME PAGE: http://ssrn.com/author=847771
Feedback to SSRN


Paper statistics
Abstract Views: 1,820
Downloads: 237
Download Rank: 74,920
Citations:  1
Footnotes:  193

© 2014 Social Science Electronic Publishing, Inc. All Rights Reserved.  FAQ   Terms of Use   Privacy Policy   Copyright   Contact Us
This page was processed by apollo1 in 0.313 seconds