Comments on: Data Theft and Laboratories of Democracy

By: Legal Andrew » Blawg Review #92

Legal Andrew » Blawg Review #92 — Mon, 22 Jan 2007 04:41:47 +0000

[...] If you’re in Michigan, you now must report if your customers’ personal data is revealed due to a security breach: Data Theft and Laboratories of Democracy. [...]

By: William McGeveran

William McGeveran — Fri, 12 Jan 2007 04:40:37 +0000

I agree — requiring data handlers to internalize the cost of breaches, in the form of negative publicity and customer dissatisfaction, is likely to help a lot. Indeed, there is anecdotal evidence that large companies are adopting better security practices for just this reason.

Last time I counted there were 17 states with this type of law, but the number is growing fast. As it increases, hopefully it will be harder for Congress to pass a preemptive law with milder standards.

By the way, it is my understanding that the original data breach law, in California, was the brainchild of Deirdre Mulligan, who runs the law & tech clinic at Boalt Hall (Berkeley). If that’s accurate, it’s one more indicator of how much influence these clinics can have.

By: Jim Graves

Jim Graves — Tue, 09 Jan 2007 22:09:38 +0000

It seemed for a while as if last year’s Congress would pass a federal data breach law. It’s a good thing they didn’t, because the version that was bandied about at the time was definitely a ceiling (including CAN-SPAM’s unfortunate tendency to override stronger state laws).

Done well, I think this kind of legislation is useful. There’s no cost to somoene who handles my data if he loses it and can keep that loss a secret. There’s a risk disparity–if the data is lost, I suffer, but the data handler is the one who has to evaluate whether to spend money to keep my data safe. A good data breach law forces him to tell the world, and makes that breach cost him something. It puts a little bit of that risk onto the data handler, and that’s a good thing (if the law is written right).