Defending Our Data: The Need for Information We Do Not Have

21 Pages Posted: 1 Aug 2016 Last revised: 11 Aug 2016

Richard Warner

Chicago-Kent College of Law

Robert H. Sloan

University of Illinois at Chicago

Date Written: July 29, 2016

Abstract

Data breaches occur at the rate of over two a day. The aggregate social cost is high. Security experts have long explained how to defend better. So why does society tolerate a significant loss that it has the means to avoid? Current laws are ineffective in providing an adequate incentive to avoid the loss. As Thomas Smedinghoff notes, laws — current and proposed — “obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures.” However, most of the laws “simply obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures, but give no further direction or guidance.” We contend that the consequence is that the laws fail to provide an adequate incentive to improve information security. The solution is to provide better guidance about what counts as reasonable security measures. Data breach notification laws may seem like a viable alternative, but we argue they are unlikely to sufficiently improve security.

Keywords: information security, cybersecurity, data breach, breach reporting, data protection, data risk management

JEL Classification: K19, L21, L86, M21, Z18

Suggested Citation

Warner, Richard and Sloan, Robert H., Defending Our Data: The Need for Information We Do Not Have (July 29, 2016). Available at SSRN: https://ssrn.com/abstract=2816010

Richard Warner (Contact Author)

Chicago-Kent College of Law

565 West Adams St.
Chicago, IL 60661
United States

Robert H. Sloan

University of Illinois at Chicago

1200 W Harrison St
Chicago, IL 60607
United States
