Thursday, April 29, 2010

New Faculty Publication: Winn on Better Security Breach Notification Laws

Jane K. Winn, Are "Better" Security Breach Notification Laws Possible?, 24 Berkeley Tech. L.J. 1133-65 (2009).

Modeled after laws providing communities with the right to know about toxic or hazardous substances in their area, security breach notification laws have been quickly adopted by most states.

Professor Winn questions the effectiveness of these laws. Affected consumers have no right to compensation and the laws "impose high compliance costs on relatively few businesses while providing only weak incentives to most businesses to make major changes in the security of their information systems."

Viewed through a lens of "smart" or "better" regulation--embodied by President Clinton's National Performance Review--these laws fail on several key points. Winn suggests two features of a more successful regime:
  • Congressional recognition of consumers' expectation that sensitive information will be handled responsibly, and imposition of legal duties on database owners
  • Federal Trade Commission issuance of regulations establishing essential elements of the duty
She points to the Identity Theft Red Flag Guidelines as an example of "smart" regulation.

A "better" approach to security breach regulation would begin with a better understanding of the challenges facing database owners, look for opportunities to promote voluntary collaboration and self-regulation, and minimize confrontation and the taking of defensive measures in order to minimize litigation risks.
