
105 Mich. L. Rev. 913 (2006-2007)
Notification of Data Security Breaches

Paul M. Schwartz*
Edward J. Janger**
The law increasingly requires private companies to disclose information
for the benefit of consumers. The latest examples of such regulation are
state and federal laws that require companies to notify individuals of data
security incidents involving their personal information. These laws,
proposed in the wake of highly publicized data spills, seek to punish the
breached entity and to protect consumers by requiring the entity to notify
its customers about the security breach. There are competing approaches,
however, to how the law is to mandate release of information about data
leaks. This Article finds that the current statutes' focus on reputational
sanction is incomplete. An important function of breach notification is
mitigation of harm after a data leak. This function requires a
multi-institutional coordinated response of the kind that is absent from
current policy proposals. This Article advocates creation of a coordinated
response architecture and develops the elements of such an approach.
Central to this architecture is a coordinated response agent (CRA) that
oversees steps for automatic consumer protection and heightens mitigation.
This Article also proposes a bifurcated notice scheme that lets firms
know that the CRA is watching and is scrutinizing their decision whether
or not to disclose information about a breach to the affected individuals.
Moreover, the CRA will set in motion automatic protective measures on
behalf of the breached consumers. Finally, the CRA will regulate the
content of notification messages to reflect the nature of the data breach.
TABLE OF CONTENTS
INTRODUCTION ... 915
I. HOW WE LIVE NOW: THE NEW RISK ENVIRONMENT OF DATA SECURITY BREACHES AND IDENTITY THEFT ... 918
   A. The Legal Environment for Data Security ... 919
      1. B2C-Financial ... 920
      2. B2C-Retail ... 921
*   Professor of Law, Boalt Hall, University of California-Berkeley; Director, Boalt Center
for Law and Technology. For their helpful comments and suggestions, we would like to thank Kathy
Abrams, David Caron, Anupam Chander, Martin Flaherty, Lauren Gelman, Chris Hoofnagle, Molly
Van Houweling, Lance Liebman, Ronald D. Lee, Ronald Mann, Deirdre Mulligan, Gideon Parchomovsky,
Anna Paulson, Chris Sanchirico, Stacey Schesser, Daniel Solove, Stephen Sugarman,
William Treanor, Teresa Wang and David Yang. This Article also benefited from suggestions at
faculty workshops at the University of California-Berkeley (Boalt Hall), Fordham Law School, and
the University of Pennsylvania School of Law. We thank Dean Joan Wexler and Dean Christopher
Edley for support of this project.
**  Professor of Law, Brooklyn Law School.

