Can a Duty of Information Security Become Special Protection for Sensitive Data Under US Law?

Abstract

The US has taken a sectoral approach to information privacy law, resulting in a patchwork of different information privacy rights that vary widely in their scope and strength, and lacks either a general right of data protection or special protections for a defined category of sensitive data. A sectoral approach to information security law is now emerging in the US, and it is producing a patchwork of different duties to protect the security of certain types of personal information. When US information privacy law and information security law are considered together, what appears to be emerging is a de facto category of sensitive data, namely personal information that is subject to stringent information security requirements. Unlike the de jure concept of sensitive data defined by EU law which is intended to block the collection, processing or transfer of certain categories of personal information in order to guarantee fundamental dignitary interests, the new US duty to secure sensitive information represents a minor modification of the current practice of treating personal financial information as a commodity.