About | HeinOnline Law Journal Library | HeinOnline Law Journal Library | HeinOnline
LOG IN
LOG IN

105 Mich. L. Rev. 913 (2006-2007)
Notification of Data Security Breaches

handle is hein.journals/mlr105 and id is 931 raw text is: NOTIFICATION OF DATA SECURITY BREACHES Paul M. Schwartz* Edward J. Janger** The law increasingly requires private companies to disclose information for the benefit of consumers. The latest examples of such regulation are state and federal laws that require companies to notify individuals of data security incidents involving their personal information. These laws, pro- posed in the wake of highly publicized data spills, seek to punish the breached entity and to protect consumers by requiring the entity to notify its customers about the security breach. There are competing approaches, however; to how the law is to mandate release of information about data leaks. This Article finds that the current statutes' focus on reputational sanction is incomplete. An important function of breach notification is mitigation of harm after a data leak. This function requires a multi- institutional coordinated response of the kind that is absent from current policy proposals. This Article advocates creation of a coordinated re- sponse architecture and develops the elements of such an approach. Central to this architecture is a coordinated response agent (CRA) that oversees steps for automatic consumer protection and heightens mitiga- tion. This Article also proposes a bifurcated notice scheme that lets firms know that the CRA is watching and is scrutinizing their decision whether or not to disclose information about a breach to the affected individuals. Moreover, the CRA will set in motion automatic protective measures on behalf of the breached consumers. Finally, the CRA will regulate the con- tent of notification messages to reflect the nature of the data breach. TABLE OF CONTENTS IN TRODUCTION ............................................................ .......................9 15 I. HOw WE LIVE NOw: THE NEW RISK ENVIRONMENT OF DATA SECURITY BREACHES AND IDENTITY THEFT ............ 918 A. The Legal Environment for Data Security......................... 919 1. B2C-Financial.............................................................920 2. B 2C -R etail ..................................................................921 * Professor of Law, Boalt Hall, University of California-Berkeley; Director, Boalt Center for Law and Technology. For their helpful comments and suggestions, we would like to thank Kathy Abrams, David Caron, Anupam Chander, Martin Flaherty, Lauren Gelman, Chris Hoofnagle, Molly Van Houweling, Lance Liebman, Ronald D. Lee, Ronald Mann, Deirdre Mulligan, Gideon Parcho- movsky, Anna Paulson, Chris Sanchirico, Stacey Schesser, Daniel Solove, Stephen Sugarman, William Treanor, Teresa Wang and David Yang. This Article also benefited from suggestions at faculty workshops at the University of California-Berkeley (Boalt Hall), Fordham Law School, and the University of Pennsylvania School of Law. We thank Dean Joan Wexler and Dean Christopher Edley for support of this project. ** Professor of Law, Brooklyn Law School. 913

What Is HeinOnline?

HeinOnline is a subscription-based resource containing thousands of academic and legal journals from inception; complete coverage of government documents such as U.S. Statutes at Large, U.S. Code, Federal Register, Code of Federal Regulations, U.S. Reports, and much more. Documents are image-based, fully searchable PDFs with the authority of print combined with the accessibility of a user-friendly and powerful database. For more information, request a quote or trial for your organization below.



Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline.

Purchase Access

Contact us for annual subscription options:

Contact Us

Already a HeinOnline Subscriber?

Log In

profiles profiles most