205 research outputs found

    Getting into Court When the Data Has Gotten Out: A Two-Part Framework

    Part I of this Note will examine the history of the Fair Credit Reporting Act, the basics of Article III standing, and its applications to intangible harms and data-privacy related injuries. Part II of this Note will then propose two potential solutions to the standing issues that arise when consumers are granted a right to sue credit reporting agencies for data breach harms. First, this Note will argue that, as the law currently stands, the Supreme Court should recognize that data breaches cause particularized and concrete harms sufficient to satisfy the injury-in-fact requirement of Article III. Finally, this Note will argue that because of judicial inconsistencies in applying the standing doctrine, state legislatures should adopt a uniform law, allowing Article III standing issues to be avoided altogether

    Embracing Insecurity: Harm Reduction Through a No-Fault Approach to Consumer Data Breach Litigation

    The lack of a clear remedy for data subjects whose private information has been compromised in data breaches prompts expensive and exploratory litigation that encounters difficulties with the unique set of risks posed by the data economy. Examining the market forces and risk environments posed by the data economy yields the conclusion that vulnerability is a guaranteed feature and investments in cybersecurity go largely unrewarded. The importance of data to our economy requires that the benefit of potential solutions to data subjects be weighed against the potential costs of burdening innovation. This Note proposes that the ideal solution should prioritize harm reduction by implementing a no-fault resolution system to provide an efficient remedy for compromised data subjects and a safe harbor-based compliance program to improve cybersecurity without hampering the direction of innovation

    Psychological Data Breach Harms


    Consumer Protection—Exploring Private Causes of Action for Victims of Data Breaches

    Data breaches are becoming a norm in modern life. Every year it seems that bigger and bigger attacks are launched, and more and more individuals are harmed. The law has responded by increasing states’ ability to prosecute cybercriminals. A glaring hole exists in this protection though. The state is largely an unharmed party. The real harm is done to individual citizens affected by the breaches. Their data is compromised, their identities are stolen, and their livelihoods are placed at risk. This Article will analyze the issue and propose a solution for increased consumer protection in addition to the current criminal punishments


    The Data Breach Dilemma: Proactive Solutions for Protecting Consumers’ Personal Information

    Data breaches are an increasingly common part of consumers’ lives. No institution is immune to the possibility of an attack. Each breach inevitably risks the release of consumers’ personally identifiable information and the strong possibility of identity theft. Unfortunately, current solutions for handling these incidents are woefully inadequate. Private litigation like consumer class actions and shareholder lawsuits each face substantive legal and procedural barriers. States have their own data security and breach notification laws, but there is currently no unifying piece of legislation or strong enforcement mechanism. This Note argues that proactive solutions are required. First, a national data security law—setting minimum data security standards, regulating the use and storage of personal information, and expanding the enforcement role of the Federal Trade Commission—is imperative to protect consumers’ data. Second, a proactive solution requires reconsidering how to minimize the problem by going to its source: the collection of personally identifiable information in the first place. This Note suggests regulating companies’ collection of Social Security numbers, and, eventually, using a system based on distributed ledger technology to replace the ubiquity of Social Security numbers

    Risk and Anxiety: A Theory of Data Breach Harms

    In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their claims are viable. Plaintiffs have argued that data breaches create a risk of future injury from identity theft or fraud and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge, resulting in a lack of consensus among courts and an incoherent jurisprudence. In the past five years, the U.S. Supreme Court has contributed to this confounding state of affairs. In 2013, the Court in Clapper v. Amnesty International concluded that fear and anxiety about surveillance – and the cost of taking measures to protect against it – were too speculative to constitute “injury in fact” for standing. The Court emphasized that injury must be “certainly impending” to warrant recognition. This past term, the U.S. Supreme Court in Spokeo v. Robins issued an opinion aimed at clarifying the harm required for standing in a case involving personal data. But far from providing guidance, the opinion fostered greater confusion. What the Court made clear, however, was that “intangible” injury, including the “risk” of injury, could be sufficient to establish harm. In cases involving informational injuries, when is intangible injury like increased risk and anxiety “certainly impending” or “substantially likely to occur” to warrant standing? The answer is unclear. Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach. In this essay, we examine why courts have struggled when dealing with harms caused by data breaches. The difficulty largely stems from the fact that data breach harms are intangible, risk-oriented, and diffuse. 
Harms with these characteristics need not confound courts; the judicial system has been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law. We argue that courts are far too dismissive of certain forms of data breach harm. In many instances, courts should find that data breaches cause cognizable harm. We explore how existing legal foundations support the recognition of such harm. We demonstrate how courts can assess risk and anxiety in a concrete and coherent way

    Unreasonable: A Strict Liability Solution to the FTC’s Data Security Problem

    For over two decades, the FTC creatively employed its capacious statute to police against shoddy data practices. Although the FTC’s actions were arguably needed at the time to fill a gap in enforcement, there are reasons to believe that its current approach has outlived its usefulness and is in serious need of updating. In particular, our analysis shows that the FTC’s current approach to data security is unlikely to instill anything close to optimal incentives for data holders. These shortcomings cannot be fixed through changes to the FTC enforcement approach, as they are largely generated by a mismatch between the tools that Congress gave it over a century ago and what it needs to foster firms’ incentives to mimic socially optimal levels of care for the data they hold. Not only does the current framework likely suffer from informational deficiencies attendant to its focus on “reasonable” security that render liability standards uncertain, it also lacks the ability to obtain the type of relief that will force firms to internalize the costs of their data security decisions. We examine the problem of data security enforcement through the lens of the economics of optimal precautions and identify several reasons why a strict liability regime administered by the FTC, under which firms pay for the expected harm from breaches they cause, is likely to be superior to the current framework that revolves around the concept of reasonableness. The benefits of strict liability flow from the likelihood that firms do not fully internalize the costs and benefits of their data security decisions and the relatively large informational burdens associated with measuring actual and optimal care under a negligence regime. 
We also show why in this informational environment, strict liability is better than negligence for developing a vibrant cyber insurance market, allowing for data security regulation to be de facto outsourced to insurers who will contract with firms for optimal levels of care. Because these private contracts will harness private information on costs and benefits from precautions, they are likely to incentivize more efficient behavior