Notification of Data Security Breaches

72 Pages. Posted: 14 Jun 2006

Paul M. Schwartz

University of California, Berkeley - School of Law

Edward J. Janger

Brooklyn Law School

Abstract

The law increasingly mandates that private companies disclose information for the benefit of consumers. The latest example of such regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. In the wake of highly publicized data spills, numerous states have now enacted such legislation, and federal legislation in this area has also been proposed.

These statutes seek to punish the breached entity and protect consumers by requiring that a breached entity disclose information about the data spill. There are competing possible approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that a reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, a further function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture and develops the elements of such an approach.

Suggested Citation

Schwartz, Paul M. and Janger, Edward J., Notification of Data Security Breaches. Michigan Law Review, Vol. 105, p. 913, 2007; Brooklyn Law School, Legal Studies Paper No. 58. Available at SSRN: https://ssrn.com/abstract=908709

Paul M. Schwartz (Contact Author)

University of California, Berkeley - School of Law

Boalt Hall #7200
Berkeley, CA 94720-7200
United States

Edward J. Janger

Brooklyn Law School

250 Joralemon Street
Brooklyn, NY 11201
United States
718-780-7995 (Phone)
718-780-0376 (Fax)
