Are Better Security Breach Notification Laws Possible

Abstract

Security breach notification laws (SBNLs) may have succeeded in bringing the issue of inadequate information security to the attention of American consumers, but do not appear to be having much impact on the way that American businesses store and use sensitive personal information. This failure is not surprising in light of the extremely limited scope of American SBNLs, which generally do not reinforce an underlying right to privacy but instead only mandate disclosure of information that is confusing and difficult for consumers to make use of. While receiving repeated notices of security breaches might someday galvanize American public opinion to support stronger information privacy laws, that would be a remote and uncertain benefit from legislation that appears in the short term to penalize responsible businesses while being disregarded by unsophisticated and irresponsible ones. Although businesses in possession of sensitive personal information are exposed to something like strict liability for security breaches, the vendors of the information technology systems that are vulnerable to breaches remain exempt from liability. SBNLs generally commit no public resources to ensuring compliance, reducing the risk that non-compliance will be detected to near zero for many businesses. Under such circumstances, most businesses have no economic incentive to comply with a law when compliance would be very costly. Even though litigation claiming damages following a security breach notification has not been successful to date, the risk of being exposed to such litigation as a result of compliance further increases incentives for non-compliance. This paper reviews the development of new governance approaches to regulation, including “responsive regulation,” “smart regulation” and “better regulation” and then applies new governance criteria to SBNLs to show why they are unlikely to have much impact on the information security policies of many American businesses. This paper reviews the practical problems that any business faces when trying to secure large quantities of sensitive personal information, and outlines what a “better regulation” approach to information security regulation targeting sensitive personal information might include.