1,165 research outputs found

    The Duty of Data Security

    Secure My Data or Pay the Price: Consumer Remedy for the Negligent Enablement of Data Breach

    Every time we swipe our debit cards, pay our bills online, or sign up for a service like Netflix, we are entrusting important identifying information to the companies with which we do business. Most of the time, those companies take seriously the obligation to protect our data and prevent it from falling into the hands of those who would use it to benefit themselves at our expense. Some companies, however, fail to do enough to meet that burden, making it easier for identity thieves to inflict personal and financial injury on consumers. To date, our legal system has essentially denied consumers a remedy against these negligent businesses. This Note seeks to explore the problem of data breach and offer solutions for both improving electronic data security and establishing a remedy for consumers. To elaborate on this problem, this Note examines two high-profile data breaches: the famous “TJX breach” and the more recent breaches suffered by the Sony Corporation. In both of these cases, millions of customers had their data exposed as a result of a failure to implement basic security protocols or update existing security models to incorporate advances in technology. This Note will (1) examine the problem of data breach; (2) articulate means of establishing security standards for businesses; (3) argue for federal codification and regulation of those standards; and (4) argue that consumers should be empowered with a negligence cause of action, grounded in the theory of negligence per se, to hold businesses to those standards.

    Private Disordering? Payment Card Fraud Liability Rules

    This Article argues that private ordering of fraud loss liability in payment card systems is likely to be socially inefficient because it does not reflect Coasean bargaining among payment card network participants. Instead, loss allocation rules are the result of the most powerful party in the system exercising its market power. Often loss liability is placed not on the least cost avoider of fraud, but on the most price inelastic party, even if that party has little or no ability to prevent or mitigate losses. Moreover, for virtually identical payment systems, there is international variation in both loss liability rules and security standards, suggesting that at least some variations are suboptimal. True Coasean bargaining is not possible in payment systems; the transaction costs are too high because of the sheer number of participants. Targeted coordination and competition, however, can achieve outcomes that if not Coasean, are at least optimized relative to the current system. Thus, the Article suggests a pair of complementary regulatory responses. First, regulators should develop a system for coordinating payment card security measures with governance that adequately represents all parties involved in payment card networks. And second, regulators should pursue more vigorous antitrust enforcement of card networks’ restrictions on merchant pricing in order to expose the costs of participating in a payment system – which include fraud costs – to market discipline. The Article also presents an extended defense of the major existing regulatory intervention in payment card fraud loss allocation, the federal caps on consumer liability for unauthorized payment card transactions.

    Shifting Data Breach Liability: A Congressional Approach

    Reasonableness Meets Requirements: Regulating Security and Privacy in Software

    Software security and privacy issues regularly grab headlines amid fears of identity theft, data breaches, and threats to security. Policymakers have responded with a variety of approaches to combat such risk. Suggested measures include promulgation of strict rules, enactment of open-ended standards, and, at times, abstention in favor of allowing market forces to intervene. This Note lays out the basis for understanding how both policymakers and engineers should proceed in an increasingly software-dependent society. After explaining what distinguishes software-based systems from other objects of regulation, this Note argues that policymakers should pursue standards-based approaches to regulating software security and privacy. Although engineers may be more comfortable dealing with strict rules, this Note explains why both policymakers and engineers benefit from pursuing standards over rules. The nature of software development prevents engineers from ever guaranteeing security and privacy, but with an effective regulatory standards framework complemented by engineers' technical expertise, heightened security, and privacy protections can benefit society.

    A Repeated Call for Omnibus Federal Cybersecurity Law

    In Part I, this Note discusses the concerning regularity of high-profile data breaches that have occurred within the United States’ weak and patchwork landscape of cybersecurity law. Part II discusses the challenges companies face when attempting to comply with the current cybersecurity law, and why companies who are deemed compliant are still falling victim to hackers and data breaches. Part III makes a call for federal legislation to replace the current, inadequate, fragmented, and uneven landscape of cybersecurity law. Part IV discusses numerous factors and incentives to consider in creating an omnibus federal cybersecurity law. Finally, Part V offers some critiques to creating an omnibus law.