Notification of Data Security Breaches: Difference between revisions

From Cybersecurity Wiki
Jump to navigation Jump to search
(New page: http://cyber.law.harvard.edu/cybersecurity/?title=Special:Bibliography&action=viewsource&startkey=Schwartz_Janger:2007&keyword=schwartz&f=wikibiblio.bib)
 
No edit summary
Line 1: Line 1:
http://cyber.law.harvard.edu/cybersecurity/?title=Special:Bibliography&action=viewsource&startkey=Schwartz_Janger:2007&keyword=schwartz&f=wikibiblio.bib
==Notification of Data Security Breaches==
 
Paul Schwartz and Edward Janger ''Notification of Data Security Breaches'' (2007).  [http://www.michiganlawreview.org/assets/pdfs/105/5/schwartz.pdf ''Web''] [http://cyber.law.harvard.edu/cybersecurity/?title=Special:Bibliography&action=viewsource&startkey=Schwartz_Janger:2007&keyword=schwartz&f=wikibiblio.bib''BibTeX'']
 
==Categorization==
 
Issues: [[Disclosure]]; [[Data Security]]
 
==Key Words==
 
[[information security]], [[disclosure policy]]
 
==Synopsis==
 
The law increasingly requires private companies to disclose information for the benefit of consumers. The latest examples of such regulation are state and federal laws that require companies to notify individuals of data security incidents involving their personal information. These laws, proposed in the wake of highly publicized data spills, seek to punish the breached entity and to protect consumers by requiring the entity to notify its customers about the security breach. There are competing approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that the current statutes’ focus on reputational sanction is incomplete. An important function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. This Article advocates creation of a coordinated response architecture and develops the elements of such an approach. Central to this architecture is a coordinated response agent (CRA) that oversees steps for automatic consumer protection and heightens mitigation. This Article also proposes a bifurcated notice scheme that lets firms know that the CRA is watching and is scrutinizing their decision whether or not to disclose information about a breach to the affected individuals. Moreover, the CRA will set in motion automatic protective measures on behalf of the breached consumers. Finally, the CRA will regulate the content of notification messages to reflect the nature of the data breach.
 
==Additional Notes and Highlights==

Revision as of 10:10, 3 June 2010

Notification of Data Security Breaches

Paul Schwartz and Edward Janger Notification of Data Security Breaches (2007). Web BibTeX

Categorization

Issues: Disclosure; Data Security

Key Words

information security, disclosure policy

Synopsis

The law increasingly requires private companies to disclose information for the benefit of consumers. The latest examples of such regulation are state and federal laws that require companies to notify individuals of data security incidents involving their personal information. These laws, proposed in the wake of highly publicized data spills, seek to punish the breached entity and to protect consumers by requiring the entity to notify its customers about the security breach. There are competing approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that the current statutes’ focus on reputational sanction is incomplete. An important function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. This Article advocates creation of a coordinated response architecture and develops the elements of such an approach. Central to this architecture is a coordinated response agent (CRA) that oversees steps for automatic consumer protection and heightens mitigation. This Article also proposes a bifurcated notice scheme that lets firms know that the CRA is watching and is scrutinizing their decision whether or not to disclose information about a breach to the affected individuals. Moreover, the CRA will set in motion automatic protective measures on behalf of the breached consumers. Finally, the CRA will regulate the content of notification messages to reflect the nature of the data breach.

Additional Notes and Highlights