By broad consensus, data security laws have failed to stem a rising tide of data breaches. Lawmakers and commentators blame these failures on some combination of underenforcement and the laws' failure to recognize the full range of data breach harms. Proposed solutions would augment or expand existing data security laws.
These proposed solutions share a fatal flaw: they are rooted in traditional theories of deterrence by punishment. Data security laws come in three forms: duties to protect data, duties to notify consumers after a breach, and post-breach remedies. Almost every data security law is enforced through sanctions, most of which are applied after a company discovers a data breach. In theory, companies increase their data security efforts to avoid sanctions. While appropriate for companies that purchase software, this approach is ineffective when applied to companies that build and provide software as an online service. In the cloud context, improving cybersecurity practices increases expected sanctions. And the cloud context matters. Online data security implicates almost all personal data; online services hold the lion’s share of personal data and offline firms rely heavily on cloud software to operate their businesses.
This Article calls for a new approach to data security regulation, founded on a systemic view of data security practice. By focusing on system-level incentives instead of individual outcomes, lawmakers can bring data security law back into harmony with policy goals.
Data Insecurity Law, 39 Santa Clara High Tech. L.J. 445
Available at: https://digitalcommons.law.scu.edu/chtlj/vol39/iss4/1