DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Article: Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes

Posted on September 5, 2010 by Dissent

Dana Lesemann of the Howard University School of Law has an article of note in the Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Here’s the abstract:

Companies facing the loss of a laptop or a compromised server have long waged battles on several fronts: investigating the source of the breach, identifying potentially criminal behavior, retrieving or replicating lost or manipulated data, and putting better security in place. As recently as seven years ago, the broader consequences of a data breach were largely deflected from the party on whose resource the data resided and instead rested essentially on those whose data was compromised. Today, however, with the patchwork quilt of domestic data breach statutes and penalties, most companies forging “unto the breach” would consider paying a ransom worthy of King Henry to avoid the loss of its consumers’ identities through theft or manipulation. The cost to businesses of responding to data breaches continues to rise. According to the Ponemon Institute, the average cost of data breaches to the businesses it surveyed increased from $6.65 million in 2008 to $6.75 million in 2009. The per-record cost of the data breaches experienced by the companies it surveyed was $202 in 2009, only $2 per record more than the average in 2008 but a $66, or 38% overall increase since 2005. The most expensive data breach in the 2009 Ponemon survey was nearly $31 million; the last expensive was $750,000.

In confronting a data breach, a company has to contend with a multitude of issues: the costs of replacing lost equipment, repairing the breach, and thwarting a potentially criminal act. Some specific industries have their own privacy laws. For example, financial firms must contend with the reporting requirements associated with the federal Gramm-Leach-Bliley Act, and health care companies face broad reporting requirements under the new HITECH Act. Across the broader economy, however, attorneys and companies worry most about a thicket of data breach notification statutes enacted by 45 states and the District of Columbia. These statutes expose law firms and their clients to conflicting time limits, reporting requirements, fines, and potentially millions of dollars in penalties and civil liability – not to mention reputational risk. The 46 data breach notification statutes vary widely from state to state and, most critically, focus not on the location of the breach or where the company is incorporated, but on the residence of the victim. Therefore, a company facing a data breach must comply with the state laws of each of its affected consumers. A company’s multi-state or Internet presence only extends the potential web of specific time limits and other often conflicting requirements for notifying consumers.

This Article addresses the legal, technological, and policy issues surrounding U.S. data breach notification statutes and recommends steps that state and federal regulatory agencies should take to improve and harmonize those statutes. Part I of this Article provides background on the data breaches that gave rise to the enactment of notification statutes. Part II addresses the varying definitions of “personal information” in the state statutes – the data that is protected by the statute and whose breach must be revealed to consumers. Part III analyzes how states define the data breach itself, particularly whether states rely on a strict liability standard, on a risk assessment approach, or on a model that blends elements of both in determining how and when companies have to notify consumers of a breach. Part IV discusses the time limits companies face, penalties for non-compliance, litigation under the statutes, and state enforcement of the statutes. Finally, Part V presents specific recommendations for the state legislatures and enforcement agencies and for Congress, as well as for companies facing data breaches.

You can download the full article at SSRN.

One of Lesemann’s recommendations is that states adopt a risk-based assessment model as opposed to a strict liability model. Similarly, Lesemann recommends a national law that would also incorporate a risk-based assessment. Lesemann’s explanation of a risk-based assessment would require a more extensive investigation and consultation with federal, state, and local agencies, but seems geared only towards financial harm, once again ignoring the issue that unless consumers say they do not want to be informed, it is self-serving to claim that too many notifications makes consumers numb. In my opinion, rather than rationalizing not providing notifications, we should ensure that the notifications provide sufficient, accurate information that enables consumers to evaluate the risk and to make an informed choice as to their next steps — which in addition to financial or credit protection strategies, may or may not include terminating their relationship with the entity. But I do recommend the article as it provides a good review of the various state laws, class action lawsuits, and issues.

Lesemann, Dana, Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes (September, 02 2010). Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Available at SSRN: http://ssrn.com/abstract=1671082

Category: Commentaries and AnalysesOf Note

Post navigation

← Stolen and sold: Private details of thousands of World Cup fans
Article: Dying for Privacy: Pitting Public Access Against Familial Interests In the Era of the Internet →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)
  • Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
  • PA: York County alerts residents of potential data breach
  • FTC Finalizes Order with GoDaddy over Data Security Failures
  • Hacker steals $223 million in Cetus Protocol cryptocurrency heist
  • Operation ENDGAME strikes again: the ransomware kill chain broken at its source
  • Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • Mysterious hacking group Careto was run by the Spanish government, sources say

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.