Notification of Data Security Breaches
Full Title of Reference
Notification of Data Security Breaches
Paul Schwartz and Edward Janger, Notification of Data Security Breaches (2007), 105 Michigan Law Review, 913. Web
The New Risk Environment of Data Security Breaches and Identity Theft
This part examines the regulatory landscape for firms that process personal data. In a short period of approximately three years, the United States has created significant legal obligations to implement reasonable data security practices for an increasing number of companies. The law increasingly requires private companies to disclose information for the benefit of consumers. The latest examples of such regulation are state The puzzle that this Article seeks to solve is the likely impact of breach notification on the process of providing data security for personal data. and federal laws that require companies to notify individuals of data security incidents involving their personal information. These laws, proposed in the wake of highly publicized data spills, seek to punish the breached entity and to protect consumers by requiring the entity to notify its customers about the security breach. First, the authors consider the legal sources of the requirement of reasonable data security. One of the striking elements of this requirement is the extent to which it represents a delegation of regulation that mixes broad standards (“reasonable data security”) with sometimes quite precise rules (whether for certain kinds of outside audits, password policies, or staffing requirements). This approach both delegates discretion to the regulated entity and requires it to meet sometimes highly specific legal requirements. The article set out three models for consumer notification. These models differ in important ways. However, all three approaches aim to influence the same two entities: the consumer whose information is processed, and the business entity that processes information. Models Two and Three also consider a third set of entities—the other institutions that might be affected by a data leak.
Three Models of Informing About Data Security Leaks
In this Part, the authors discuss three approaches to informing about data security leaks. The first two are based on existing legal standards: our first model (“Model One”) is exemplified by the pathbreaking California disclosure statute, and our second model (“Model Two”) reflects the Interagency Guidance promulgated by the federal agencies responsible for oversight of financial institutions. The final model is suggested by certain comments of the Chicago Federal Reserve Bank (Chicago FRB) in response to the Interagency Guidance. This Article elaborates, modifies, and operationalizes these regulatory approaches. This Part examines each model along six dimensions. The authors look at the extent to which each respective regulation: (1) provides for sharing of reputational information about the breached entity; (2) delegates discretion to the regulated data processor, including how it should establish appropriate data security and notify consumers of breaches; (3) coordinates post-breach mitigation efforts; (4) permits delay to allow law enforcement investigation before consumer notification; (5) provides for damages and other enforcement rights; and, finally, (6) fosters an overall culture of compliance.
Defining Ideal Behavior for the Consumer and the Data Processor
The authors describe the nature of the sought-after behavior by positing an ideal consumer and ideal data processor. They also analyze the extent to which breach notification is likely to induce this behavior. Put simply, the ideal consumer is expected to shop for data security. Moreover, this behavior is expected to occur both before and after a breach. Here is the rosy scenario: if one firm has a bad reputation for data security, the ideal consumer will shun it and patronize another company. Moreover, should a data leak occur, the consumer will receive valuable reputational information through the notification letter. The authors outline assumptions about consumer behavior upon notification that they believe are inaccurate or, at least, excessively sanguine. Under current market conditions and notification practices, consumer shopping for data security will at best be erratic. In our judgment, there are, nonetheless, real merits to customer notification, but they are indirect and generally not linked to the affected consumer. Just as the ideal consumer is expected to engage in certain kinds of behavior regarding data security, the ideal data processing entity is expected to take certain actions. Emerging legal authority, including statutes and regulations, already points to a favored approach. Applicable laws and regulations require businesses to utilize reasonable data security procedures that are expressed in an enterprise-wide plan. We now summarize the most important legal requirements in this area and then discuss how particularized breach notices can have a positive impact on the data-handling practices of organizations.
Notification and Mitigation
This article finds that the current statutes’ focus on reputational sanction is incomplete. An important function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. This article advocates creation of a coordinated response architecture and develops the elements of such an approach. Central to this architecture is a coordinated response agent (CRA) that oversees steps for automatic consumer protection and heightens mitigation. This Article also proposes a bifurcated notice scheme that lets firms know that the CRA is watching and is scrutinizing their decision whether or not to disclose information about a breach to the affected individuals. Moreover, the CRA will set in motion automatic protective measures on behalf of the breached consumers. Finally, the CRA will regulate the content of notification messages to reflect the nature of the data breach.
Additional Notes and Highlights
Introduction I. How We Live Now: The New Risk Environment of Data Security Breaches and Identity Theft A. The Legal Environment for Data Security 1. B2C-Financial 2. B2C-Retail 3. Outsourcing Entities 4. Data Brokers 5. Tort Law, Sarbanes-Oxley, and State and City Breach Notification Laws B. Regulatory, Economic, and Reputational Pressures on the Firm 1. Regulatory Forces 2. Economic Forces 3. Reputational Forces II. Three Models of Informing About Data Security Leaks A. The Three Models in a Nutshell B. Comparing the Models 1. Reputational Information 2. Delegation of Discretion 3. Coordination of Post-Breach Mitigation Efforts 4. Delay to Allow Investigation 5. Damages and Other Enforcement Rights 6. The Culture of Compliance III. Defining Ideal Behavior for the Consumer and the Data Processor A. The Ideal Consumer and Reputational Information: Shopping for Data Security 1. Lack of B2C Relationship 2. Consumer-Side Shortcomings and Fuzzy Notification Letters B. The Ideal Consumer and Mitigation: From Self-Protection to Automatic Protection 1. The Shared Recommendations 2. Particularized Notice 3. Best Practices Independent of Notification 4. Fuzzy Notification Letters Redux C. The Ideal Data Processor: Private-to-Public Information and the Improvement of Organizational Practices 1. Notification and Reasonable Data Security 2. Private-to-Public Information 3. Inside the Black Box IV. Notification and Mitigation A. Model Four: The Coordinated Response Architecture 1. Supervised Delegation and Coordinated Response 2. Tailoring Notice to Consumers 3. Minimizing Additional Data Storage and Decentralization 4. Enforcement and the Disclosure Disincentive B. Unpacking Model Four 1. Reputational Information 2. Supervised Discretion 3. Coordination of Post-Breach Mitigation Efforts 4. Delay to Allow Investigation before Consumer Notification 5. Provision for Damages and Other Enforcement Rights 6. The Culture of Compliance Conclusion Appendix