The Failure of Data Security Law

Chapter 3 from Daniel J. Solove & Woodrow Hartzog, Breached! Why Data Security Law Fails and How to Improve It, ISBN 978-0190940553, March 2022

34 Pages Posted: 21 Mar 2024

Daniel J. Solove

George Washington University Law School

Woodrow Hartzog

Boston University School of Law; Stanford Law School Center for Internet and Society

Date Written: March 8, 2022

Abstract

In this book chapter, we survey the law and policy of data security and analyze its strengths and weaknesses. Broadly speaking, there are three types of data security laws: (1) breach notification laws; (2) security safeguards laws that require substantive measures to protect security; and (3) private litigation under various causes of action. We argue that despite some small successes, the law is generally failing to combat the data security threats we face.

Breach notification laws merely require organizations to provide transparency about data breaches, but the laws don’t provide prevention or a cure. Security safeguards laws are often enforced too late, if at all. Enforcement authorities wait until a data breach occurs, and penalizing organizations after a breach increases the pain of a breach only marginally, not enough to be a game changer. Private litigation has increased the costs of data breaches but has accomplished little else. Courts have often struggled to understand the harm from data breaches, so data breach cases have frequently been dismissed.

Overall, we contend that data security law is too reactionary. The law fails to do enough to prevent data breaches, focuses too much on organizations that suffer data breaches and ignores other contributing actors, and doesn’t take sufficient steps to mitigate the harm from data breaches.

Keywords: data security, cybersecurity, data breach, privacy, breach notification

JEL Classification: K13, K41

Suggested Citation

Solove, Daniel J. and Hartzog, Woodrow, The Failure of Data Security Law (March 8, 2022). Chapter 3 from Daniel J. Solove & Woodrow Hartzog, Breached! Why Data Security Law Fails and How to Improve It, ISBN 978-0190940553, March 2022, Available at SSRN: https://ssrn.com/abstract=4752438 or http://dx.doi.org/10.2139/ssrn.4752438
