DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Article: Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes

Posted on September 5, 2010 by Dissent

Dana Lesemann of the Howard University School of Law has an article of note in the Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Here’s the abstract:

Companies facing the loss of a laptop or a compromised server have long waged battles on several fronts: investigating the source of the breach, identifying potentially criminal behavior, retrieving or replicating lost or manipulated data, and putting better security in place. As recently as seven years ago, the broader consequences of a data breach were largely deflected from the party on whose resource the data resided and instead rested essentially on those whose data was compromised. Today, however, with the patchwork quilt of domestic data breach statutes and penalties, most companies forging “unto the breach” would consider paying a ransom worthy of King Henry to avoid the loss of its consumers’ identities through theft or manipulation. The cost to businesses of responding to data breaches continues to rise. According to the Ponemon Institute, the average cost of data breaches to the businesses it surveyed increased from $6.65 million in 2008 to $6.75 million in 2009. The per-record cost of the data breaches experienced by the companies it surveyed was $202 in 2009, only $2 per record more than the average in 2008 but a $66, or 38% overall increase since 2005. The most expensive data breach in the 2009 Ponemon survey was nearly $31 million; the last expensive was $750,000.

In confronting a data breach, a company has to contend with a multitude of issues: the costs of replacing lost equipment, repairing the breach, and thwarting a potentially criminal act. Some specific industries have their own privacy laws. For example, financial firms must contend with the reporting requirements associated with the federal Gramm-Leach-Bliley Act, and health care companies face broad reporting requirements under the new HITECH Act. Across the broader economy, however, attorneys and companies worry most about a thicket of data breach notification statutes enacted by 45 states and the District of Columbia. These statutes expose law firms and their clients to conflicting time limits, reporting requirements, fines, and potentially millions of dollars in penalties and civil liability – not to mention reputational risk. The 46 data breach notification statutes vary widely from state to state and, most critically, focus not on the location of the breach or where the company is incorporated, but on the residence of the victim. Therefore, a company facing a data breach must comply with the state laws of each of its affected consumers. A company’s multi-state or Internet presence only extends the potential web of specific time limits and other often conflicting requirements for notifying consumers.

This Article addresses the legal, technological, and policy issues surrounding U.S. data breach notification statutes and recommends steps that state and federal regulatory agencies should take to improve and harmonize those statutes. Part I of this Article provides background on the data breaches that gave rise to the enactment of notification statutes. Part II addresses the varying definitions of “personal information” in the state statutes – the data that is protected by the statute and whose breach must be revealed to consumers. Part III analyzes how states define the data breach itself, particularly whether states rely on a strict liability standard, on a risk assessment approach, or on a model that blends elements of both in determining how and when companies have to notify consumers of a breach. Part IV discusses the time limits companies face, penalties for non-compliance, litigation under the statutes, and state enforcement of the statutes. Finally, Part V presents specific recommendations for the state legislatures and enforcement agencies and for Congress, as well as for companies facing data breaches.

You can download the full article at SSRN.

One of Lesemann’s recommendations is that states adopt a risk-based assessment model as opposed to a strict liability model. Similarly, Lesemann recommends a national law that would also incorporate a risk-based assessment. Lesemann’s explanation of a risk-based assessment would require a more extensive investigation and consultation with federal, state, and local agencies, but seems geared only towards financial harm, once again ignoring the issue that unless consumers say they do not want to be informed, it is self-serving to claim that too many notifications makes consumers numb. In my opinion, rather than rationalizing not providing notifications, we should ensure that the notifications provide sufficient, accurate information that enables consumers to evaluate the risk and to make an informed choice as to their next steps — which in addition to financial or credit protection strategies, may or may not include terminating their relationship with the entity. But I do recommend the article as it provides a good review of the various state laws, class action lawsuits, and issues.

Lesemann, Dana, Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes (September, 02 2010). Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Available at SSRN: http://ssrn.com/abstract=1671082


Related:

  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea's largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
Category: Commentaries and AnalysesOf Note

Post navigation

← Stolen and sold: Private details of thousands of World Cup fans
Article: Dying for Privacy: Pitting Public Access Against Familial Interests In the Era of the Internet →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Singapore Facing ‘Serious’ Cyberattack by Espionage Group With Alleged China Ties
  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea’s largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers
  • North Country Healthcare responds to Stormous’s claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • 𝐔𝐠𝐚𝐧𝐝𝐚 𝐨𝐫𝐝𝐞𝐫𝐬 𝐆𝐨𝐨𝐠𝐥𝐞 𝐭𝐨 𝐫𝐞𝐠𝐢𝐬𝐭𝐞𝐫 𝐚𝐬 𝐚 𝐝𝐚𝐭𝐚‑𝐜𝐨𝐧𝐭𝐫𝐨𝐥𝐥𝐞𝐫 𝐰𝐢𝐭𝐡𝐢𝐧 𝟑𝟎 𝐝𝐚𝐲𝐬 𝐚𝐟𝐭𝐞𝐫 𝐥𝐚𝐧𝐝𝐦𝐚𝐫𝐤 𝐩𝐫𝐢𝐯𝐚𝐜𝐲 𝐫𝐮𝐥𝐢𝐧𝐠.
  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access
  • Texas Enacts Electronic Health Record Data Localization Law
  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.