Optimizing Breach Notification

Our lives depend on digital infrastructure and maintaining data security is now a crucial social objective. An emerging central strategy to promote data security is through breach notification laws, which require firms to give notice upon discovering a security breach. These laws are pervasive and prominent. All fifty states, several federal laws, and the E.U.’s General Data Protection Regulation (“GDPR”) and Organisation for Economic Co-operation and Development (“OECD”) have incorporated notification schemes into an array of privacy and data security efforts. However, these laws are in flux, with different jurisdictions constantly offering new requirements and exceptions. In view of looming and important regulatory changes, this Article interrogates the structure and efficacy of the diverse set of data breach notification statutes and proposes an optimal regulatory path forward. In doing so, it provides crucial theoretical insights about both data breach notification laws and theories about legal remedies more generally.

The Article begins by introducing the “nuts and bolts” of data breach notification statutes and their normative justifications. It breaks new ground by offering a novel taxonomy of normative justifications. In particular, a data breach notification statute can be justified as set to promote four objectives: deterring firms from applying lax security ex ante, mitigating the harms caused to individuals from the breach ex post, generating information flows regarding security breaches to regulators and experts, and enhancing the autonomy of impacted individuals harmed by the breach. Importantly, different regulatory design strategies promote some of these justifications at the expense of others. Further, this Article assesses the conventional wisdom about breach notification statutes that frames these unique laws within more traditional legal remedies (such as negligence, reputational sanctions, and strict liability). The Article demonstrates that these traditional legal paradigms fail to capture the unique features of breach notification requirements. As a result, breach notification cannot be subsumed into these well-worn models.

Finally, the Article examines overlooked consequences of breach notification schemes by explaining that the normative and practical foundations of data breach notification statutes are complicated by central yet under-theorized features of both cybersecurity and tort law—unfairness and moral luck and activity levels. The Article then returns to the noted basic justifications and demonstrates how they are impacted by these overlooked theoretical insights. The Article concludes by applying these insights to provide a roadmap for regulators to build a data breach notification statute that aligns with their objectives and allows them to optimize their preferences while assuring fairness and efficiency.

a. Postdoctoral Research Fellow, UCLA Institute for Technology, Law, and Policy.

b. Visiting Scholar, University of Pennsylvania Carey Law School (2019-2020); Vice Dean and Profes-sor of Law, University of Haifa–Israel. We thank Yifat Aran Anita Allen, Tom Baker, Shyam Bal-ganesh, Steven Bellovin, Brett Frischmann, Jonathan Mayer, Sasha Romanosky, Paul Schwartz, Kathe-rine Strandburg, Salome Viljoen, Gabe Nicholas, Aaron Shapiro, Sebastian Benthall, Ira Rubinstein, Jonathan Weinberg, Yafit Lev-Aretz, Asaf Lubin, Jake Goldenfein, Evan Selinger, Kevin Werbach, Christopher Yoo, Eyal Zamir and the participants of the Northeastern Privacy Law Scholars Confer-ence (Princeton), the Privacy Law Seminar at Berkeley Law School, the Privacy Research Group, NYU Law School, the CTIC Law and Technology Scholarship Colloquium (at PennLaw), the Law, Economics, Technology: Privacy seminar at Villanova Law School and the University of Haifa––Faculty of Law Seminar for their insightful comments. Thank you to the editors at the University of Illinois Law Review for their hard work and helpful editing.

The full text of this Article is available to download as a PDF.