Can a Duty of Information Security Become Special Protection for Sensitive Data Under US Law?

11 Pages Posted: 11 Sep 2008 Last revised: 27 Feb 2014

See all articles by Jane K. Winn

Jane K. Winn

University of Washington - School of Law

Date Written: September 9, 2008


The US has taken a sectoral approach to information privacy law, resulting in a patchwork of different information privacy rights that vary widely in their scope and strength, and lacks either a general right of data protection or special protections for a defined category of sensitive data. A sectoral approach to information security law is now emerging in the US, and it is producing a patchwork of different duties to protect the security of certain types of personal information. When US information privacy law and information security law are considered together, what appears to be emerging is a de facto category of sensitive data, namely personal information that is subject to stringent information security requirements. Unlike the de jure concept of sensitive data defined by EU law which is intended to block the collection, processing or transfer of certain categories of personal information in order to guarantee fundamental dignitary interests, the new US duty to secure sensitive information represents a minor modification of the current practice of treating personal financial information as a commodity.

Keywords: privacy, data protection, information security, sensitive data, information privacy

Suggested Citation

Winn, Jane, Can a Duty of Information Security Become Special Protection for Sensitive Data Under US Law? (September 9, 2008). Available at SSRN: or

Jane Winn (Contact Author)

University of Washington - School of Law ( email )

William H. Gates Hall
Box 353020
Seattle, WA 98105-3020
United States


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics