Notification of data security breaches.

• Author: Schwartz, Paul M.

The law increasingly requires private companies to disclose information for the benefit of consumers. The latest examples of such regulation are state and federal laws that require companies to notify individuals of data security incidents involving their personal information. These laws, proposed in the wake of highly publicized data spills, seek to punish the breached entity and to protect consumers by requiring the entity to notify its customers about the security breach. There are competing approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that the current statutes' focus on reputational sanction is incomplete. An important function of breach notification is mitigation of harm after a data leak. This function requires a multiinstitutional coordinated response of the kind that is absent from current policy proposals. This Article advocates creation of a coordinated response architecture and develops the elements of such an approach. Central to this architecture is a coordinated response agent (CRA) that oversees steps for automatic consumer protection and heightens mitigation. This Article also proposes a bifurcated notice scheme that lets firms know that the CRA is watching and is scrutinizing their decision whether or not to disclose information about a breach to the affected individuals. Moreover, the CRA will set in motion automatic protective measures on behalf of the breached consumers. Finally, the CRA will regulate the content of notification messages to reflect the nature of the data breach.

TABLE OF CONTENTS INTRODUCTION I. HOW WE LIVE NOW: THE NEW RISK ENVIRONMENT OF DATA SECURITY BREACHES AND IDENTITY THEFT A. The Legal Environment for Data Security 1. B2C-Financial 2. B2C-Retail 3. Outsourcing Entities 4. Data Brokers 5. Tort Law, Sarbanes-Oxley, and State and City Breach Notification Laws B. Regulatory, Economic, and Reputational Pressures on the Firm 1. Regulatory Forces 2. Economic Forces 3. Reputational Forces II. THREE MODELS OF INFORMING ABOUT DATA SECURITY LEAKS A. The Three Models in a Nutshell B. Comparing the Models 1. Reputational Information 2. Delegation of Discretion 3. Coordination of Post-Breach Mitigation Efforts 4. Delay to Allow Investigation 5. Damages and Other Enforcement Rights 6. The Culture of Compliance III. DEFINING IDEAL BEHAVIOR FOR THE CONSUMER AND THE DATA PROCESSOR A. The Ideal Consumer and Reputational Information: Shopping for Data Security 1. Lack of B2C Relationship 2. Consumer-Side Shortcomings and Fuzzy Notification Letters B. The Ideal Consumer and Mitigation: From Self-Protection to Automatic Protection 1. The Shared Recommendations 2. Particularized Notice 3. Best Practices Independent of Notification 4. Fuzzy Notification Letters Redux C. The Ideal Data Processor: Private-to-Public Information and the Improvement of Organizational Practices 1. Notification and Reasonable Data Security 2. Private-to-Public Information 3. Inside the Black Box IV. NOTIFICATION AND MITIGATION A. Model Four: The Coordinated Response Architecture 1. Supervised Delegation and Coordinated Response 2. Tailoring Notice to Consumers 3. Minimizing Additional Data Storage and Decentralization 4. Enforcement and the Disclosure Disincentive B. Unpacking Model Four. 1. Reputational Information 2. Supervised Discretion 3. Coordination of Post-Breach Mitigation Efforts 4. Delay to Allow Investigation before Consumer Notification 5. Provision for Damages and Other Enforcement Rights 6. The Culture of Compliance CONCLUSION APPENDIX INTRODUCTION

The law increasingly requires private companies to disclose certain information for the benefit of consumers. Hospitals must publicize performance results for certain medical procedures. (1) Manufacturers of household appliances must label their products with energy-efficiency ratings. (2) Factories must disclose information about toxic releases and workplace injuries. (3) Writing in 1999, Cass Sunstein termed this trend "regulation through disclosure" and characterized it as "one of the most striking developments in the last generation of American law." (4)

The latest example of regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. Leading the nation, California enacted the first breach disclosure statute, S.B. 1386, which took effect in 2003. (5) The California statute requires a breached entity to perform certain actions after a security breach involving personally identifiable consumer information. Most importantly, the breached organization must notify affected individuals and self-identify as the party responsible for the data leak. (6) Following a series of highly publicized data spills, thirty-three other states and one major metropolitan area, New York City, have enacted similar legislation, (7) and Senator Dianne Feinstein has proposed federal legislation based on the California law. (8) These statutes seek to punish the breached entity and protect consumers by mandating corporate information disclosure.

There are also critics of this approach. A major objection is that the current requirement for customer notice generates too many breach disclosure letters. (9) Critics focus on the disclosure trigger in the California statute and related legislation which requires the sending of notification letters whenever there is a reasonable likelihood that an unauthorized party has "acquired" personal information. These critics point to Aesop's fable, "The Boy who Cried Wolf." As Fred Cate writes, "if the California law were adopted nationally, like the boy who cried wolf, the flood of notices would soon teach consumers to ignore them. When real danger threatened, who would listen?" (10) The Washington Post has joined this chorus in editorializing against these laws as creating "tedious warnings" that will cause people to "ignore the whole lot." (11)

A federal guideline for breach notification by financial institutions proposes an alternative paradigm. This document, the Interagency Guidance, takes a two-track approach. Its first track uses a higher disclosure trigger for customer notice: the test is whether there is a reasonable likelihood of "misuse" of the leaked personal information. (12) Its second track uses a lower trigger for notice to the financial institution's supervisory regulatory agency: the test here is whether there is a reasonable likelihood of "unauthorized access" to the breached data. (13) The idea is that a breach letter should not be sent to the affected public unless there is a more significant likelihood of harm. Some observers reject this approach, however, as creating an opportunity for obstruction and delay; they defend the California statute's lower threshold for consumer notification. (14)

Thus, the policy debate about notification considers, among other concerns, the best way to mandate the release of information about data leaks in the private sector. (15) The stakes for consumers are high--a single data spill may compromise the personal data of millions of individuals. (16) The stakes are also high for companies: the Federal Trade Commission (FTC) has engaged in high-profile enforcement actions involving a multimillion dollar settlement in one case, (17) and data leaks, once exposed, will negatively affect customer trust in the breached entity. (18) Yet the jurisprudential issues involved in breach notification have been left largely unexplored. This lack of attention is unsurprising given that little was known about such failures until recently. In the past, companies were able to keep tight control of information about their data security failures. (19) Put differently, there was no perceived need for scholars to think about the jurisprudence of breach notification until California and other states mandated such disclosure and heightened the public's awareness of data security.

A significant focus of the emerging legal regime has been to impose a reputational sanction on breached entities* By forcing a breached firm to notify the consumers whose data have been lost, the law imposes a reputational cost on this entity. (20) However, breach notification serves another, often overlooked function: it can help both customers and business entities mitigate the harm caused by a leak. We seek to distinguish the different aspects of breach notification and to identify trade-offs that arise when a notification approach emphasizes one or another.

This Article argues that the reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, mitigation of harms after a breach, another important function of breach notification, requires a multi-institutional, coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture as well as a critical organization, the Coordinated Response Agent (CRA). (21) In brief, this Article argues for greater automatic protection for consumers, clearer consumer notification, coordinated sharing of information about data incidents among affected entities, and heightened oversight of the decision by breached entities whether to inform consumers or other entities.

1. HOW WE LIVE NOW: THE NEW RISK ENVIRONMENT OF DATA SECURITY BREACHES AND IDENTITY THEFT

   Newsweek has identified a new category of "Letters You Never Want to See." (22) The old kind of letter informed one of a tax audit, rejection from a college, or bad news about a cholesterol reading. (23) The new kind of letter reveals a security breach involving one's personal information. Newsweek calls such a missive the "pain letter." (24) No one is immune from being a recipient of such a missive; even the chairman of the FTC, an agency that has an important oversight role over identity fraud, has received such a notification...