948 research outputs found

    The Data Breach Dilemma: Proactive Solutions for Protecting Consumers’ Personal Information

    Data breaches are an increasingly common part of consumers’ lives. No institution is immune to the possibility of an attack. Each breach inevitably risks the release of consumers’ personally identifiable information and the strong possibility of identity theft. Unfortunately, current solutions for handling these incidents are woefully inadequate. Private litigation like consumer class actions and shareholder lawsuits each face substantive legal and procedural barriers. States have their own data security and breach notification laws, but there is currently no unifying piece of legislation or strong enforcement mechanism. This Note argues that proactive solutions are required. First, a national data security law—setting minimum data security standards, regulating the use and storage of personal information, and expanding the enforcement role of the Federal Trade Commission—is imperative to protect consumers’ data. Second, a proactive solution requires reconsidering how to minimize the problem by going to its source: the collection of personally identifiable information in the first place. This Note suggests regulating companies’ collection of Social Security numbers, and, eventually, using a system based on distributed ledger technology to replace the ubiquity of Social Security numbers.

    Getting into Court When the Data Has Gotten Out: A Two-Part Framework

    Part I of this Note will examine the history of the Fair Credit Reporting Act, the basics of Article III standing, and its applications to intangible harms and data-privacy related injuries. Part II of this Note will then propose two potential solutions to the standing issues that arise when consumers are granted a right to sue credit reporting agencies for data breach harms. First, this Note will argue that, as the law currently stands, the Supreme Court should recognize that data breaches cause particularized and concrete harms sufficient to satisfy the injury-in-fact requirement of Article III. Finally, this Note will argue that because of judicial inconsistencies in applying the standing doctrine, state legislatures should adopt a uniform law, allowing Article III standing issues to be avoided altogether.

    Going Rogue: Mobile Research Applications and the Right to Privacy

    This Article investigates whether nonsectoral state laws may serve as a viable source of privacy and security standards for mobile health research participants and other health data subjects until new federal laws are created or enforced. In particular, this Article (1) catalogues and analyzes the nonsectoral data privacy, security, and breach notification statutes of all fifty states and the District of Columbia; (2) applies these statutes to mobile-app-mediated health research conducted by independent scientists, citizen scientists, and patient researchers; and (3) proposes substantive amendments to state law that could help protect the privacy and security of all health data subjects, including mobile-app-mediated health research participants.

    Confiding in Con Men: U.S. Privacy Law, the GDPR, and Information Fiduciaries

    In scope, ambition, and animating philosophy, U.S. privacy law and Europe’s General Data Protection Regulation are almost diametric opposites. The GDPR’s ambitious individual rights, significant prohibitions, substantive enforcement regime, and broad applicability contrast vividly with a scattershot U.S. regime that generally prioritizes facilitating commerce over protecting individuals, and which has created perverse incentives for industry through anemic enforcement of the few meaningful limitations that do exist. A privacy law that characterizes data collectors as information fiduciaries could coalesce with the commercial focus of U.S. law, while emulating the GDPR’s laudable normative objectives and fortifying U.S. consumer privacy law with a moral valence it often lacks. Similar to classic fiduciaries like doctors or lawyers, information fiduciaries would owe duties of loyalty, care, and confidentiality to their clients—affirmative commitments to individuals that the laissez-faire approach of U.S. privacy law generally does not require. Fiduciary duties are also derived from the context of commercial relationships, where the law balances the professional prerogatives of the fiduciary with the rights (and vulnerabilities) of the client. Crucially, an information fiduciary model can strengthen protections for privacy, equality, and autonomy in the digital age, echoing the GDPR’s normative objectives, while balancing those principles with the competing aims (and constraints) of the U.S. legal ecosystem.

    Privacy’s Law of Design

    Can the CCPA Access Right Be Saved? Realigning Incentives in Access Request Verification

    The California Consumer Privacy Act access right has the potential to give Californians a level of control over their personal information that is unprecedented in the United States. However, consumer privacy interests will be in peril unless the access right is accompanied by an effective access request verification requirement. Requiring companies to respond to access requests when they cannot verify that the requestor is the subject of the requested data puts sensitive personal information at risk. Inversely, allowing companies to shirk their access request responsibilities by claiming that data is unverifiable diminishes consumers’ data control rights. Thus, in the context of access request verification policy, there is an inherent tension between privacy as confidentiality and privacy as control. The success of the access right, and thus all CCPA data control rights, hinges on an access request verification policy that successfully balances these competing privacy interests. The endemic identity theft caused by credit application verification systems demonstrates why such balancing cannot be wholly left to private companies. In the credit context, balancing has been driven by the profit maximization interests of businesses, which currently do not align with consumer privacy interests. Fortunately, several scholars have proposed methods for aligning these divergent interests. The strengths and weaknesses from these proposed solutions to identity theft provide a useful framework for building a system that incentivizes companies to prioritize consumer privacy when developing access request verification systems.

    Civil liability jurisprudence/Case law on environmental pollution: The Netherlands

    The Netherlands: The Netherlands
