21 Pages Posted: 1 Aug 2016 Last revised: 11 Aug 2016
Date Written: July 29, 2016
Data breaches occur at the rate of over two a day. The aggregate social cost is high. Security experts have long explained how to defend better. So why does society tolerate a significant loss that it has the means to avoid? Current laws are ineffective in providing an adequate incentive to avoid the loss. As Thomas Smedinghoff notes, laws — current and proposed — “obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures.” However, most of the laws “simply obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures, but give no further direction or guidance.” We contend that the consequence is that the laws fail to provide an adequate incentive to improve information security. The solution is to provide better guidance about what counts as reasonable security measures. Data breach notification laws may seem like a viable alternative, but we argue they are unlikely to sufficiently improve security.
Keywords: information security, cybersecurity, data breach, breach reporting, data protection, data risk management
JEL Classification: K19, L21, L86, M21, Z18
Suggested Citation:
Warner, Richard and Sloan, Robert H., Defending Our Data: The Need for Information We Do Not Have (July 29, 2016). Available at SSRN: https://ssrn.com/abstract=2816010