Data Breaches and the Need for Stronger Privacy Legislation
Stephen J. Stose, IST 618, Dr. Thomas Martin
Syracuse University School of Information Studies Summer 2008
Data Breaches
“Over 233 million data records of U.S. residents have been exposed due to security
breaches since Jan 05i.”
Background
The Ponemon Institute, a company dedicated to advancing responsible information
management policies, reports that companies in 2007 spent an average of 6.3 million
dollars in costs associated with lost or stolen data, a 30% increase over the preceding
yearii. This means an average cost of $197 per compromised record, up from $182. In
2008, the Identity Theft Resource Center reports a 69% increase in data breaches, 20% of
which constitute lost or stolen devices, and 15% constituting “inadvertent posting.iii”
The Ponemon Institute reports even higher figures for lost or stolen devices: 49% in
2006iv. Attrition.org maintains an updated list of these breaches; perusing the list,
these and other forms of negligence, such as improperly stored and/or transmitted
data, make up the surprising majority of casesv. Workplace habits such as
downloading or copying confidential records onto personal devices, turning off
security settings or firewalls, sharing passwords, or sending attachments to home
computers are commonvi.
These increases are startling, but may be attributable to a higher rate of reporting
breaches. Since California's security breach notification legislation came into effect
in 2003vii, many states have enacted similar notification laws, and companies are now
considering their effectsviii. The U.S. (contrary to the E.U.) has no overarching law
that governs how the private sector uses and protects personal information. Instead,
it promotes industry self-regulation through privacy and technology statements and
opt-out standards that apply in a patchwork fashion depending on the types and uses
of information collected and storedix. Two effects the state notification laws have in
common are: 1) loss of reputation and hence market share, and 2) customer
re-assessment of the risk of doing business with the breached entity. We will argue in
a later section that notification laws are not sufficient to deter substandard data
security. Additionally, these measures, while seeking to indemnify customers against
actual breaches, may do nothing to prevent the breach in the first place.
The Gramm-Leach-Bliley Actx is a federal regulation to prevent fraudulent access to
financial information through impersonation by phone, mail, email, or phishing
(15 U.S.C. §§ 6821-6827); it also requires that institutions enact information security
plans that specify how a company will protect and ensure the privacy of non-public
personal information (15 U.S.C. §§ 6801-6809). These regulations apply only to
financial institutions, however, and not to general small businesses, e-commerce or
social-networking transactions.
We believe other such over-arching regulation needs to be developed federally that
covers all information collection endeavors in the new age of electronic transmissions.
This should include data security and breach-notification laws, rules that specify
penalties for breaches, and strong privacy laws requiring companies to disclose their
privacy statements along with assumptions of transparency. The default, we believe,
should be more akin to opt-in; that is to say, consumers should not be required to work
to keep their data secure and private.
Perspective
The paper is written from the perspective of an information professional, as well as a
daily participant in the new world of electronic communication and commerce. My
background as a social scientist allows a high level of analysis of pertinent issues
of data and its importance to the conduct of business and commerce, while still
respecting fundamentally human rights to privacy, data protection, and security.
These beliefs are fundamental to this analysis, which attempts to uphold the 1974
Privacy Act as close to the letter as possible, despite trends that continue to the
contrary. Nevertheless, it attempts to adapt itself to current realities, while still
making recommendations believed to create a stronger, safer and more human system of
electronic communications and commerce.
Issue Questions
The issues I will address in this paper are:
1. Is there a need for legislation to ensure that confidential information is stored
securely so that the incidence of data breaches can be reduced?
2. When should those whose data has been compromised be notified of a data
breach?
3. Should those whose information has been compromised be given the right to
receive compensation for damages, and what actions should the company
losing the data be required to take to minimize damages?
4. Is there a need to pass consumer privacy laws so that they impose fair
information practices upon creators of databases containing confidential
information?
Is there a need for legislation to ensure that confidential information is stored
securely so that the incidence of data breaches can be reduced?
One standard, developed by the major credit card companies, is the Payment Card
Industry Data Security Standard (PCI DSS). This is now a mandatory global standard of
twelve requirements that governs the protection of all cardholder data, and requires
external auditing if a company processes over 80,000 transactions annuallyxi. Smaller
companies are required to perform self-assessments. With the bad press, many companies
are now taking these assessments seriously, in order to avoid triggering the new
disclosure laws in several states requiring both individual and at times mass media
notification of breaches.
Many, however, argue that only six percent of all known cases of identity theft or fraud
are attributable to data breaches, and that consumers are being misled about ways to
prevent theftxii. We agree that the recent data breach hype, as well as the trend towards
notification laws, is desensitizing individuals to its inevitability and occurrence. The
same misunderstanding occurs when individuals believe hackers, malicious code and
malicious insiders are responsible for data breaches, when in reality they only account
for 10%, 6% and 6% of breaches respectivelyxiii.
Thus, we want to stress the creation of legislation that prevents not just malicious
attacks (which occur in any system, regardless of its security), but protects consumers
against the creeping desensitization of the inevitability of a data breaches, such that the
primary concern is not what to do when it occurs, but stresses the fact that the majority
of breaches occur almost accidentally, due to negligence and poor internal management
policies. Making the PCI standard part of federal legislation, perhaps as a part of the
current notification legislation we will discuss soon, will serve to prevent data
mismanagement, such that fraud and theft are no longer an easy option. This legislation,
we believe, should include an allowance for businesses that manage data to be brought
into civil liability class action suits that up until now have been rejected due to no
“actual harm” claims. Thus, we argue that tort law needs to catch up with the today’s
increasing occurrence of internet-‐‑based harmsxiv, and impose weak liability sanctions on
businesses that themselves have no active sanctions in place for the negligent behavior
of its data managers and staff with access to database records.
Additionally, since most data breaches occur at the mom-and-pop shop level, as such
shops account for over 85% of credit card transactions nationwide, local business
bureaus should have education plans mandated for existing companies. It was found that
of 600 companies with 250 employees or fewer, 52% were unknowingly storing sensitive
customer information on their systemsxv. Thus, the credit card processing companies
must be held liable for educating their clients regarding PCI standards; that is, small
businesses must be indemnified if such standards were not made apparent in their
contracts, and/or if they are PCI compliant. However, if data is lost, identifiable
during transmission, or posted, or if a device holding data is lost or mismanaged,
sanctions for negligence should be in place. In this respect, incentives at the
individual and small business level for preventing security breaches before they occur
would complement the punishments companies fear after they occur under the
notification laws in effect today. Security regulations that trickle down to the local
level should reduce the incidence of data breaches, and not just compensate for a loss
that ought not to have occurred in the first place.
Thus, proper regulations will hopefully make companies rethink whether the benefit of
administering database records of their clients outweighs the risk of the sanctions in
place for not having a proper, PCI-compliant security system installed, and outweighs
the risk of the sanctions we will discuss below when and if a security breach does
occur. The goal is to force companies to take the storage and processing of personal
data seriously, and perhaps to spur innovation such as internally generated customer
identifiers that replace other forms of identification (e.g., the social security
number) when tracking customer data.
When should those whose data has been compromised be notified of a data breach?
The first assumption that data breach notification legislation makes is that
companies, to avoid being the bearer of bad news to customers and hence reducing their
confidence in the services offered, will take steps to deter security breaches from
occurring in the first place. The second is that through notification, customers may
re-assess the cost-benefit of continuing a relationship with the company. Whether these
assumptions, which guide the recent efforts of state legislation, actually serve as a
deterrent has been the subject of much academic speculationxvi. We will side with the
opinion that disclosure laws, while absolutely necessary for upholding an individual's
rights to privacy, are not sufficient deterrents in themselves. California began the
trend, and enacted two pieces of consumer rights legislation in 2003. The security
breach statutexvii requires:
"any person or business that conducts business in California, and that owns or
licenses computerized data that includes personal information, [to] disclose any
breach of the security system…to any resident of California whose unencrypted
personal information was, or is reasonably believed to have been, acquired by
an unauthorized person."
As this legislation applies only to "unencrypted personal information," a company can
avoid liability under the statute by encrypting computerized non-public information
(provided the encryption keys are not themselves exposed). Additionally, whether access
was "unauthorized" depends on the access controls the company has defined: establishing
need-to-know permissions, passwords and mandatory employee training on information
security standards both narrows the set of unauthorized actors and documents who was
authorizedxviii. We applaud this groundbreaking first attempt at providing an incentive
for companies to safeguard the data of their clients.
Javelin Strategy and Research published a study that found 30% of consumers (in their
5-year longitudinal sample) were victims of a data breach, with only 6% of those
suffering identity fraudxix. Thus, notification laws, if they do function as deterrents,
need to go hand in hand with public education. That is, fraud was much more likely (30%
of cases) to result from lost or stolen personal items (e.g., wallets), suggesting that
the recent public hype fed by media attention may only get worse if every time a breach
occurs people must be notified by law. It is not clear whether companies are releasing
data breach information because they are starting to be more vigilant in looking for
breaches (presumably because of the new laws in some states), or in order to control
their public imagexx. This makes it difficult to determine whether the sudden increases
reflect more reporting, or reveal actual new vulnerabilities in data processing and
storage.
Approximately 44 states now have notification laws, and while the rationale for these
is fundamentally the same, the details widely diverge. Some states (e.g., California)
trigger disclosure only if a card number was exposed together with its access code,
while the Kansas bill has no such condition. Only some require the secure destruction
of sensitive data on paper. Pennsylvania considered legislation to close the
encryption exemption, requiring disclosure even if the data were originally encrypted.
Eighteen states deem the "belief" (by whom?) that stolen data will "not be misused" an
exemption; and others exempt disclosure if card numbers have been redacted in another
formxxi. These discrepancies lead to public relations issues when disclosing to
customers in some states but not others, among other possible confusions nationwide.
We feel strongly about five exemptions to disclosure. Firstly, in order not to unduly
alert consumers, if card numbers cannot be linked to access codes, notification need not
occur. Secondly, since encryption protects data only as long as the keys (or the
credentials of an application that can decrypt the data) are not exposed in the same
breach, and is not the end-all of protection, encryption should not automatically
justify an exemption (especially if the keys or access codes were also available to the
attacker). Thirdly, companies may not self-exempt from disclosure based on their own
definition of what can and cannot be "misused," but may do so when independent auditors
can make the case after an appropriate assessment of risk is carried out. Fourthly,
redacted data should be exempt, but only if no link from the redacted data to the
original was divulged. And fifthly, third-party credit card processing companies cannot
indemnify themselves against breaches when their retail clients have not been educated
regarding the storage and processing characteristics of the card-reading software
packages utilized. On a similar note, and in place of all current state notification
laws, the converse should hold: if companies outsource customer data processing, they
remain liable for how that data is processed and stored.
Should those whose information has been compromised be given the right to receive
compensation for damages, and what actions should the company losing the data be
required to take to minimize damages?
Currently, there are two bills active in the Senate (Leahy-Specter's S.495 and
Feinstein's S.239) and two in the House (Rush and Stearns' H.R. 958 and Smith's H.R.
836)xxii. The main issue of contention in many of these bills is whether consumer
notification should occur given a "reasonable" risk of harm, or whether this risk need
qualify as "significant." In either case, and we repeat, this risk assessment must be
part of an independent inquiry, and make up one of many other more objective benchmarks
(e.g., as listed above) that, taken together, determine whether or not disclosure is
the most prudent path. With no other sanctions in place for a breach of data, it is
imperative that companies, when required by law to send out notification, are also
required by law to offer free credit monitoring services for a to-be-specified number
of years, depending on the breach severity. In other words, we are of the opinion that
notification laws are in themselves an insufficient deterrent, albeit a necessary step
towards diminishing security fraud.
Notification laws are an insufficient deterrent on multiple grounds. Firstly, the breach
may occur at one of the "back office" processing companies (e.g., data couriers or data
brokers), leading to consumer confusion regarding whether shopping elsewhere
effectively punishes anybody. Also, with larger companies such as banks, consumers
not only fear the cost of changing companies, they may also begin to feel its
ineffectiveness, assuming all such companies are equally likely to incur a breach. As
with the media hype, consumers begin to consider breaches "normal." Companies
often would prefer it this way, as breach desensitization leads consumers to waive
market punishment; indeed, many feel such notices would lead only to "crying wolf,"
bringing customers to ignore such warnings wholesalexxiii. For instance, TJX Companies
Inc. incurred only a slight dip in share price when its security breach was announced in
January 2007, and customers expressed little concern given its low prices, reasoning
that it could have happened to any company. After a class action lawsuit was filed a
few weeks later, the share price fellxxiv. Consumers also feel protected by the
cardholder agreements that insulate them from losses, probably forgetting that they pay
for this protection through increasing fees; nor do they consider the process of
identity theft recovery, which has been described as arduous and intimidatingxxv. Thus,
notification may not necessarily function as an indirect form of consumer sanction, as
it was originally conceived.
We believe the courts need to begin to consider the prospect of allowing civil liability
cases to be heard when and if it can be established that, had the breach not occurred, the
theft of data would not have occurred. This causality claim has not done well in court,
however, as the customer presumably submits the very data lost to many institutions
other than the one that incurred the breach; nor can it be established that identity theft
is an event that ordinarily does not take place when a company has not been
negligentxxvi. This is to say, data security negligence does not ordinarily lead to identity
theft. Given the statistics, that seems to be true, despite the hype. It also means that the
personal information may have been shared with different institutions and hence
misused elsewhere, invoking no liability to the company originally responsible. This is
a question of privacy law, which we will come to next. Torts have also been rejected as a
form of civil liability because the "actual harm" is only the fear of possible future
harm, and so this argument has not even been able to sustain awards of credit
monitoring as personal compensation for a breachxxvii.
Therefore, we believe it should not be the sole job of the courts to craft solutions for
each and every case of identity fraud. Instead, legislation must be drafted that allows
the pinpointing of responsibility through regulatory standards. More stringent rules are
needed to motivate businesses to comply with data security standards, as we discussed
above. Minnesota was the first state that, in addition to enticing companies to change
through the notification deterrent, also decided to punish companies by giving the PCI
standard legal standing. The Plastic Card Security Actxxviii makes companies that
process more than 20,000 transactions annually liable to banks and credit unions for the
costs of card blocking and re-issuance if sensitive authentication data is found to be
retained beyond the permitted time limits, something that PCI explicitly prohibitsxxix.
Massachusetts has a similar law, which includes government bodies under its definition
of "commercial entity"xxx.
Even still, this may not be enough to get smaller companies, the 52% cited above guilty
of storing sensitive non-public information, to comply. Often, these smaller companies
are storing data without even knowing it, as the packaged payment applications they
use store this information by default. For this reason, we urge that the card
processing ("back-office") companies that distribute these packaged programs be held
accountable for updating the software packages to comply with this regulation, as well
as for educating their retail clients about these storage regulations in order to
indemnify themselves against future claims, thereby making the businesses themselves
accountable for non-compliance. In this way, we have argued, liability claims are
allowed to trickle down. As it is, many smaller businesses are being fined for security
breaches they believed they had made a sincere attempt to control through firewall
protection and passwords.
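The retention the Minnesota statute and PCI DSS (Requirement 3.2) prohibit is of sensitive authentication data after authorization: full magnetic-stripe track data, card verification codes and PINs. A small business that does not know its payment application writes raw swipes to a log can find out by scanning its own files. The following scanner is an added example written for this page, not code from the paper or from any payment vendor. It recognizes ISO 7813 Track 1 and Track 2 layouts and bare card numbers validated with the Luhn check; the log lines are constructed, and the card numbers are the well-known test values 4111111111111111 and 5555555555554444, not real accounts.

```python
"""Scan text for sensitive authentication data that PCI DSS forbids retaining
after authorization (full track data) and for bare card numbers (PANs).
Added example for this page; sample log lines are constructed."""
import re
import sys

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")
# A bare PAN candidate: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.  The Luhn check then filters out order
# ids, timestamps and other digit runs that merely look like card numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return [(kind, masked_pan), ...] for one line of text.

    Track data is the serious finding (it must never be kept after
    authorization); a bare PAN is reported separately.  A PAN that lies
    inside a matched track span is not reported a second time."""
    findings = []
    covered = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask(m.group("pan"))))
            covered.append(m.span())
    for m in PAN_RE.finditer(line):
        start, end = m.span()
        if any(s <= start and end <= e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings


def scan_lines(lines):
    """Scan an iterable of lines; return [(line_no, kind, masked_pan), ...]."""
    out = []
    for n, line in enumerate(lines, 1):
        for kind, masked in scan_line(line):
            out.append((n, kind, masked))
    return out


# Constructed sample of what a point-of-sale debug log might contain.
SAMPLE_LOG = [
    "2008-07-01 12:30:45 DEBUG swipe=%B4111111111111111^DOE/JOHN^09121010000000000?"
    ";4111111111111111=09121011234567890?",
    "2008-07-01 12:31:02 INFO auth approved card=5555 5555 5555 4444 amount=19.99",
    "2008-07-01 12:31:10 INFO order_id=1234567890123456 status=shipped",
    "2008-07-01 12:32:00 INFO settled card=411111******1111",
]

if __name__ == "__main__":
    # Usage: python pci_scan.py [file ...]; without arguments the sample log is scanned.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                for n, kind, masked in scan_lines(fh):
                    print(f"{path}:{n}: {kind} {masked}")
    else:
        for n, kind, masked in scan_lines(SAMPLE_LOG):
            print(f"sample:{n}: {kind} {masked}")
```

On the sample, line 1 yields a Track 1 and a Track 2 finding (the raw swipe was logged), line 2 yields a bare PAN, and lines 3 and 4 yield nothing: the order id fails the Luhn check and the settled record is already truncated to the first six and last four digits, which PCI permits to be stored. A finding of track data in any file is a storage violation regardless of whether the PAN itself is encrypted.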
Individuals are also a main concern. Notifications need to come with clear and concise
information on how the breaching institution is going to compensate for its negligence,
not just a vague and empty informational letter. If individuals are powerless in court,
even as a class action, we need to see legislation at the federal level that not only
protects the financial institutions but also extends a statutory right of action to
consumers. At the very least, laws are needed that require, as part of notification, a
guarantee of credit monitoring services which, in the case of credit fraud, also covers
all personal costs and troubles associated with clearing the debts and accounts created
by the thieves. As it is, the Federal Trade Commission advises much persistence in
getting local and state police to recognize fraud, a step necessary to get collection
agencies to rescind their legal duty to collectxxxi. In other words, businesses should
not just be held responsible for ensuring that financial institutions are covered for
their losses, but that individuals are likewise covered for the costs associated with
both future credit monitoring and the larger personal costs of clearing the debts and
accounts created by the thieves. The costs of credit monitoring should be borne by the
company, so that an incentive is created to re-analyze the benefit of maintaining
personal data weighed against the costs of possible breaches due to disorganization,
sloppy internal work habits, file-sharing and data vending, and of course any other
risk associated with PCI non-compliance. If all companies at each level in the system
(from credit card agencies, to processing companies, to retail businesses) are under
the same level of regulation to ensure that they are PCI compliant at the least, this
is incentive enough to motivate businesses to work harder to guarantee a secure
marketplace in which to do business.
Is there a need to pass consumer privacy laws so that they impose fair information
practices upon creators of databases containing confidential information?
Data managers know the value of reusing data. However, few individuals believe that the
personal information they provide is, and can be, bought and sold as a good. The
questions above deal with data security and its failure. This is distinct from what
companies can legally do with personal information once they have it, whether
individuals are aware that companies are even gathering information about them, and
hence what rights individuals have and what permissions need to be granted regarding
its ownership, preservation and sharing. Given that recent news regarding data
breaches is waking up individuals, privacy groups are rethinking the implications of
the 1974 Privacy Actxxxii and the meaning of its "fair information practices" given the
expanding intrusion of companies and government as a result of the free flow of
information on the Internet.
The USA Patriot Actxxxiii began another era of increased government surveillance, with
the government again collecting data about individuals with neither consent nor
recourse to oversight or legal challenge. In the European Union, on the other hand,
personal privacy laws are relatively advanced. The European Parliament and Council
adopted Directive 95/46/EC on the "Protection of Individuals with Regard to the
Processing of Personal Data and on the Free Movement of Such Data"xxxiv. In
contradistinction, the U.S. has no overarching federal policy, preferring instead to
adopt privacy legislation "as needed," as sectors and events see fit. For this reason,
we see a proliferation of acts, such as the Video Privacy Protection Actxxxv, the Cable
Television Consumer Protection and Competition Actxxxvi, the Health Insurance
Portability and Accountability Act (HIPAA)xxxvii, the Children's Online Privacy
Protection Act (COPPA)xxxviii, and the Fair Credit Reporting Actxxxix, among others.
Former President Bill Clinton and Vice-President Al Gore advised in their "Framework
for Global Electronic Commerce" that "the private sector should lead," "governments
should avoid undue restrictions on electronic commerce," and ironically even that
"Electronic Commerce over the Internet should be facilitated on a global basisxl."
Advances in data mining allow searching for correlations and patterns amongst data.
This is not hypothetical deduction, as in science, but hypothetical induction. A
graduate student, for example, by tracking the IP addresses behind millions of
Wikipedia edits, traced a systematic deletion of critical information regarding
e-voting machines to the very company producing those machinesxli. A Carnegie Mellon
professor, Latanya Sweeney, found that by knowing just an individual's postal code and
birth date, that individual's record in a putatively anonymous public database could be
identified with 69 percent accuracy, and with 87 percent accuracy if gender is also
knownxlii.
Thus, while HIPAA allows a small portion of data to be utilized for marketing purposes
if and only if it is stripped of all personal identifiers, data miners may re-identify
the person by correlating the remaining fields across other databases. We firstly
believe that, under federal law, information as sensitive as medical data should in no
way ever be marketed. Secondly, if the U.S. does wish to continue making piecemeal
legislation on an as-needed basis, basic federal rules consistent with the "fair
information practices" outlined in the Privacy Act must provide the unwavering
fundamentals to which these piecemeal laws must conform.
There are also recommendations to fight data mining indirectlyxliii. For example, after
records have been de-identified, field values could be replaced by averages (across
five to ten records) or perturbed by known amounts of random noise, or a random amount
of noise could be introduced across all records. Both methods would still allow
data-analytic breakdown and accurate aggregate analyses by researchers or marketers
wishing to use the data in their studies. This, however, is a form of statistical
de-identification, not encryption, and does not solve the more fundamental problem of
personal rights of privacy we endorse in this paper.
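The re-identification Sweeney demonstrated and the indirect defences just listed can both be seen in a few lines of code. The example below is added for this page; it is not the paper's material nor Sweeney's data or method, and both tables are constructed toy data with fictitious people, ZIP codes and diagnoses. It links a name-stripped medical release to an identified public roll through the quasi-identifiers the two share (ZIP, date of birth, sex), shows how adding sex turns ambiguous matches into unique ones, and then applies generalization (the k-anonymity approach, a close relative of the averaging the paragraph describes) so that every quasi-identifier combination is shared by at least two people and the link fails.

```python
"""Linkage re-identification of a "de-identified" table, and the
generalization defence.  Added example; all records are constructed."""
from collections import Counter, defaultdict

QUASI = ("zip", "dob", "sex")   # quasi-identifiers present in both tables

# Constructed "anonymous" medical release: names removed, nothing else touched.
MEDICAL = [
    {"zip": "13210", "dob": "1971-03-08", "sex": "F", "diagnosis": "asthma"},
    {"zip": "13210", "dob": "1971-09-17", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "13244", "dob": "1980-06-30", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "13244", "dob": "1980-06-30", "sex": "F", "diagnosis": "migraine"},
    {"zip": "13224", "dob": "1980-01-12", "sex": "M", "diagnosis": "influenza"},
    {"zip": "13203", "dob": "1980-12-02", "sex": "F", "diagnosis": "anemia"},
]
# Constructed public voter roll: identified, carrying the same quasi-identifiers.
VOTERS = [
    {"name": "A. Rivera",    "zip": "13210", "dob": "1971-03-08", "sex": "F"},
    {"name": "B. Okafor",    "zip": "13210", "dob": "1971-09-17", "sex": "F"},
    {"name": "C. Lindqvist", "zip": "13244", "dob": "1980-06-30", "sex": "M"},
    {"name": "D. Haddad",    "zip": "13244", "dob": "1980-06-30", "sex": "F"},
    {"name": "E. Novak",     "zip": "13224", "dob": "1980-01-12", "sex": "M"},
    {"name": "F. Mensah",    "zip": "13203", "dob": "1980-12-02", "sex": "F"},
]


def qi(rec, fields=QUASI):
    """The quasi-identifier tuple of one record."""
    return tuple(rec[f] for f in fields)


def link(released, public, fields=QUASI):
    """Linkage attack: map each released record to the single public record
    with the same quasi-identifier tuple.  Tuples matching zero or several
    public records stay unidentified.  Returns {released index: name}."""
    by_qi = defaultdict(list)
    for p in public:
        by_qi[qi(p, fields)].append(p["name"])
    hits = {}
    for i, r in enumerate(released):
        names = by_qi.get(qi(r, fields), [])
        if len(names) == 1:
            hits[i] = names[0]
    return hits


def k_anonymity(records, fields=QUASI):
    """k = size of the smallest group sharing one quasi-identifier tuple;
    k == 1 means at least one record is unique on those fields."""
    return min(Counter(qi(r, fields) for r in records).values())


def generalize(rec):
    """Coarsen the quasi-identifiers before release: 3-digit ZIP prefix and
    birth year instead of the full ZIP and full date; sex is kept."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3] + "**"
    g["dob"] = rec["dob"][:4]
    return g


def release(records):
    """Apply generalize() to a whole table."""
    return [generalize(r) for r in records]


if __name__ == "__main__":
    n = len(MEDICAL)
    print("re-identified on zip+dob:     ", len(link(MEDICAL, VOTERS, ("zip", "dob"))), "of", n)
    print("re-identified on zip+dob+sex: ", len(link(MEDICAL, VOTERS)), "of", n)
    for i, name in link(MEDICAL, VOTERS).items():
        print(f"  {name} -> {MEDICAL[i]['diagnosis']}")
    print("k-anonymity raw:", k_anonymity(MEDICAL), " generalized:", k_anonymity(release(MEDICAL)))
    print("re-identified after generalization:", len(link(release(MEDICAL), release(VOTERS))))
```

On the raw tables, ZIP and birth date alone identify four of the six patients (two share a ZIP and birthday, so they stay ambiguous); adding sex identifies all six. After generalization the released table is 2-anonymous and the same attack identifies nobody, while counts of diagnoses per ZIP prefix, birth year and sex remain available for analysis. Note that the public side is generalized the same way only to make the comparison fair; an attacker with the full roll still cannot do better, because the released record no longer distinguishes the two people in each group.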
For one, we call for a strict opt-in policy for any data sharing and marketing. That is
to say, it is a dangerous default and precedent to begin requiring individuals to take
active measures themselves to investigate and inform themselves regarding what a
company's plan is for the data they provide. If that plan is mere storage, users may be
presented with an opt-out option, but only in this case; and even then, consumers
should not have to take active steps to opt out. On the other hand, if the company's
plan is to share, sell, or market the data at any time, consumers must be provided with
an opt-in option up front, with a summarized and understandable (i.e., not legalese)
statement of the plans. Additionally, these may not be disguised in formats such as
opting in to or out of newsletters or updates (a.k.a. spam). This form of opting in or
out, whichever the case, must also be made more robust and not depend on cookies, which
upon deletion (accidental or intentional) often render such agreements void.
Such legislation must be passed in a form that resists attempts by private industry
lobbyists to influence these fundamental protections. Of course, given the
proliferation of Acts, it is difficult to make a wholesale rejection of the current U.S.
implementation of data privacy laws on a sector-by-sector basis. For this reason, we
call for an overarching federal policy that at least sets guidelines and fundamentals,
as is done in the European Union, and insists that data protection officers are
employed to ensure compliance. Sector-by-sector acts may vary, but may not violate
these (what should be considered) inviolate privacy protections in today's age of
information. They provide the control users have a right to feel against their fears,
however rational or irrational, of data breaches, which notification laws are just now
making more salient. They also reduce the secondary and indirect need for database
managers to add noise or aggregate data, or for Safe Harbor agreements that provide
Europeans protections that accord with fair information policies while denying U.S.
citizens the same privacy assumptions. While we are not opposed to recent industry-led
efforts to secure a standardized set of policy rules, as TRUSTe and P3Pxliv have done
(and indeed applaud the effort), we still argue that the most basic privacy disclosures
should be a fundamental right of individuals, such that these standards are required
under law.
Conclusion
Due to recent notification laws, data breaches have penetrated the public
consciousness. Notification laws are an effective step in providing incentive to
companies to protect their databases with rigor. They may nevertheless be insufficient,
and must be accompanied by campaigns to balance the hype such initiatives create with
education regarding the real causes of breaches. Companies at each level of credit card
transactions must also incur, through federal regulation, the costs associated with
breaches of non-public personal information. Incentive must thus be paired with
consequences, such that companies, even small companies, are educated regarding data
security standards, whereby not knowing is sufficient reason for assigning blame not
just in the legal system (if necessary), but at a federal regulatory level. In
addition, security must go hand in hand with privacy. Breaches of personal information,
while often due to workplace negligence, are also a reality because of lax standards,
shaped by private sector lobbying, that allow data sharing, selling and marketing
without the consumer's informed consent. These are trends that must reverse if the
United States is to compete globally and provide its own citizens with the privacy
protections that both it and the EU grant to citizens of Europe. Opting out should not
be entrenched in the public mind as a default, whereby individuals must act to protect
themselves. Privacy protections at the individual level should be presupposed.
Footnotes
i
Privacy Rights Clearinghouse (July 11, 2008). A chronology of data breaches.
http://www.privacyrights.org/ar/ChronDataBreaches.htm.
ii
Ponemon Institute (November 28, 2007). Ponemon study shows data breach costs continue to rise.
http://www.pgp.com/newsroom/mediareleases/ponemon-us.html.
iii
Krebs, Brian (July 1, 2008). Washington Post. Data breaches are up 68% this year, nonprofit says.
http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html.
iv
Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million.
http://www.networkworld.com/news/2006/110206-data-breach-cost.html.
v
Data Loss Archive and Database (DLDOS). http://attrition.org/dataloss/. See also ibid.
vi
Ponemon Institute and RedCannon Security (Dec, 2007). Survey of US IT practitioners reveals data security
policies not enforced. http://www.redcannon.com/news_and_events/press_release_ponemon.html.
vii
S.B. 1386, codified in Cal. Civ. Code § 1798.82. A description of this law can be found at
www.privacyrights.org/ar/SecurityBreach.htm.
viii
For a chart of state-by-state legislation, see http://www.digestiblelaw.com/files/upload/securitybreach.pdf.
ix
Katz, M. L. (2008). Data security: Into the breach. The Maryland Bar Journal, 41(1).
x
Safeguards Rule: Laws and Rules. Pub. L. No. 106-102, Title V Subtitle A. See
http://www.ftc.gov/privacy/privacyinitiatives/safeguards_lr.html.
xi
Allan, Danny (June, 2008). Payment card industry mandate stresses importance of web application security:
Recommended becomes required. http://www.net-security.org/article.php?id=1143&p=1. See also PCI Security
Standards Council https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.
xii
Finextra.com (September, 2006). Data breach hype is misleading consumers—study.
http://www.finextra.com/fullstory.asp?id=15860.
xiii
Ibid. Fontana, John (Nov 2, 2006). Average data breach costs companies $5 million.
http://www.networkworld.com/news/2006/110206-data-breach-cost.html.
xiv
See Rustad, M. L. & Koenig, T. H. (2005). Rebooting cybertort law. Washington Law Review Association, 80.
xv
Sidel, Robin (September 2007). In data leaks, culprits often are Mom, Pop.
http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts.
xvi
Schwartz, P. & Janger, E. (2007). Notification of data security breaches. Michigan Law Review, 105. See also
Picanso, K. E. (2006). Protecting information security under a data breach notification law. Fordham Law Review,
75.
xvii
S.B. 1386, codified at Cal. Civ. Code § 1798.82 et seq.
xviii
Brelsford, James F. (September 2003). California raises bar on data security and privacy. FindLaw.
http://library.findlaw.com/2003/Sep/30/133060.html.
xix
Javelin Strategy and Research (June 2008). New Javelin research pinpoints how institutions should respond to data
breaches. http://www.javelinstrategy.com/2008/06/23/debix_06_23_08/.
xx
Says Linda Foley of the Identity Theft Resource Center, http://www.idtheftcenter.org/. Reported in Krebs, Brian
(July 2008). Data breaches are up 69% this year, nonprofit says. Washington Post.
http://www.washingtonpost.com/wp-dyn/content/article/2008/06/30/AR2008063002123.html.
xxi
Alexander, Philip (April 2007). Data breach notification laws: A state by state perspective. Intelligent Enterprise.
http://www.intelligententerprise.com/channels/information_management/showArticle.jhtml?articleID=198800638.
xxii
For all the details regarding each of these bills, see the Privacy and Security Law Blog at
http://www.privsecblog.com/archives/federal-legislation-pending-privacy-and-data-security-legislation-in-the-
110th-congress.html.
xxiii
Schwartz & Janger, ibid. For a set of economic arguments, see Romanosky S., Telang R. & Acquisti, A. (2008).
Do data breach disclosure laws reduce theft? Seventh Workshop on the Economics of Information Security.
xxiv
Wiltshire, Elaine (2007). Cyber-enemy at the gates. The Bottom Line, 24(8).
http://www.thebottomlinenews.ca/index.php?articleid=242&section=article
xxv
Federal Trade Commission. Defend: Recover from identity fraud.
http://ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html#Whatisanidentitytheftreport.
xxvi
Chandler, J. (2008). Negligence liability for breaches of data security. Banking and Finance Law Review, 23(2).
xxvii
Chandler, J. (2008), ibid.
xxviii
Minnesota Statute 325E.64 Access devices; breach of security (2007).
https://www.revisor.leg.state.mn.us/statutes/?id=325E.64&year=2007&keyword_type=all&keyword=security+breac
h+liability.
xxix
Vijayan, Jaikumar (May 2007). Minnesota gives PCI rules a legal standing. Computer World.
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=standards_and_legal_iss
ues&articleId=293804&taxonomyId=146.
xxx
Massachusetts House Bill No. 213 (2007). http://www.mass.gov/legis/bills/house/185/ht00pdf/ht00213.pdf
xxxi
Federal Trade Commission. Defend: Recover from identity theft.
http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html.
xxxii
P.L. 93-579, 88 Stat. 1897, 5 U.S.C. § 552a (1974).
xxxiii
P.L. 107-56, 115 Stat. 272 (2001), reauthorized by P.L. 109-177 (2006).
xxxiv
Directive 95/46/EC, adopted in 1995 by the European Parliament and the Council.
http://www.cdt.org/privacy/eudirective/EU_Directive_.html.
xxxv
18 U.S.C. § 2710 (2002). http://epic.org/privacy/vppa/.
xxxvi
P.L. 102-385 (1992). http://projects.washingtonpost.com/congress/102/bills/s_12/.
xxxvii
P.L. 104-191 (1996). http://www.ihs.gov/AdminMngrResources/HIPAA/.
xxxviii
15 U.S.C. §§ 6501-6506, P.L. No. 105-277, 112 Stat. 2681-728 (2000). http://epic.org/privacy/kids/.
xxxix
15 U.S.C. § 1681 et seq (1996). http://www.consumersunion.org/pub/core_financial_services/000745.html.
xl
A Framework for Global Electronic Commerce, The White House (July 1997).
http://www.technology.gov/digeconomy/framewrk.htm.
xli
Borland, J. (August 2007). See who’s editing Wikipedia—Diebold, the CIA, a campaign. Wired.
http://www.wired.com/politics/onlinerights/news/2007/08/wiki_tracker.
xlii
Reported in Edelstein, H. & Millenstein, J. (Dec 2003). DM Review Magazine.
http://www.dmreview.com/issues/20031201/7768-1.html.
xliii
For example, see again Edelstein, H. & Millenstein, J. ibid.
xliv
See www.truste.org and www.w3.org/P3P respectively.