Stein, David


By broad consensus, data security laws have failed to stem a rising tide of data breaches. Lawmakers and commentators blame these failures on some combination of underenforcement and the laws' failure to recognize the full range of data breach harms. Proposed solutions would augment or expand existing data security laws.

These proposed solutions share a fatal flaw: they are rooted in traditional theories of deterrence by punishment. Data security laws come in three forms: duties to protect data, duties to notify consumers after a breach, and post-breach remedies. Almost every data security law is enforced through sanctions, most of which are applied after a company discovers a data breach. In theory, companies increase their data security efforts to avoid sanctions. While appropriate for companies that purchase software, this approach is ineffective when applied to companies that build and provide software as an online service. In the cloud context, improving cybersecurity practices increases expected sanctions. And the cloud context matters. Online data security implicates almost all personal data; online services hold the lion’s share of personal data and offline firms rely heavily on cloud software to operate their businesses.

This Article calls for a new approach to data security regulation, founded on a systemic view of data security practice. By focusing on system-level incentives instead of individual outcomes, lawmakers can bring data security law back into harmony with policy goals.


