Modeled after laws providing communities with the right to know about toxic or hazardous substances in their area, security breach notification laws have been quickly adopted by most states.
Professor Winn questions the effectiveness of these laws. Affected consumers have no right to compensation and the laws "impose high compliance costs on relatively few businesses while providing only weak incentives to most businesses to make major changes in the security of their information systems."
Viewed through a lens of "smart" or "better" regulation, embodied by President Clinton's National Performance Review, these laws fail on several key points. Winn suggests two features of a more successful regime:
- Congressional recognition of consumers' expectation that sensitive information will be handled responsibly, and the imposition of legal duties on database owners
- Federal Trade Commission issuance of regulations establishing essential elements of the duty
A "better" approach to security breach regulation would begin with a better understanding of the challenges facing database owners, look for opportunities to promote voluntary collaboration and self-regulation, and minimize confrontation and the taking of defensive measures in order to minimize litigation risks.