My new home, Michigan, just enacted legislation requiring individuals or government agencies to notify me if my personal identifying information is revealed due to a security breach. (Given the ubiquity of data breaches these days, perhaps I should write “when,” not “if,” particularly with a spouse who works for the Veterans Administration.) This raises three interesting points. First, data security loss is sufficiently important as an issue to have made it onto the legislative radar screen in Lansing (and the executive scope as well – Governor Jennifer Granholm called for such legislation in her State of the State address last year).

Second, from a regulatory perspective, data security is headed in the opposite direction from spam – moving towards a diversity of approaches allowing the states to become Justice Louis Brandeis’s “laboratories of democracy” in this policy area. The question of uniformity via federal control versus variable means tailored to a state’s needs is a hardy perennial, and data security may offer another data point in the debate.

Finally, one wonders about effectiveness: will these laws mitigate the problem? Notification helps consumers take remedial steps, but it doesn’t work on preventing breaches in the first place. (Query whether greater liability for entities maintaining data would help. Also, query whether it’s obnoxious when lawyers use the term “query.”) The VA has finally taken the (obvious) intelligent step of using automatic data encryption on laptops – while this technique isn’t without challenges or potential weaknesses, it does help prevent automatic exposure when someone leaves a laptop at Starbucks.

Stay tuned. If data security remains a consumer protection issue, I believe we’ll see federal legislation. Whether it acts as a floor or a ceiling remains to be seen.

3 Responses to “Data Theft and Laboratories of Democracy”

  1. It seemed for a while as if last year’s Congress would pass a federal data breach law. It’s a good thing they didn’t, because the version that was bandied about at the time was definitely a ceiling (including CAN-SPAM’s unfortunate tendency to override stronger state laws).

    Done well, I think this kind of legislation is useful. There’s no cost to someone who handles my data if he loses it and can keep that loss a secret. There’s a risk disparity–if the data is lost, I suffer, but the data handler is the one who has to evaluate whether to spend money to keep my data safe. A good data breach law forces him to tell the world, and makes that breach cost him something. It puts a little bit of that risk onto the data handler, and that’s a good thing (if the law is written right).

  2. I agree — requiring data handlers to internalize the cost of breaches, in the form of negative publicity and customer dissatisfaction, is likely to help a lot. Indeed, there is anecdotal evidence that large companies are adopting better security practices for just this reason.

    Last time I counted there were 17 states with this type of law, but the number is growing fast. As it increases, hopefully it will be harder for Congress to pass a preemptive law with milder standards.

    By the way, it is my understanding that the original data breach law, in California, was the brainchild of Deirdre Mulligan, who runs the law & tech clinic at Boalt Hall (Berkeley). If that’s accurate, it’s one more indicator of how much influence these clinics can have.

