This Article addresses the legal, technological, and policy issues surrounding U.S. data breach notification statutes and recommends steps that state and federal regulatory agencies should take to improve and harmonize those statutes. Part I of this Article provides background on the data breaches that gave rise to the enactment of notification statutes. Part II addresses the varying definitions of "personal information" in the state statutes-the data that is protected by the statute and whose breach must be revealed to consumers. Part III analyzes how states define the data breach itself, particularly whether states rely on a strict liability standard, on a risk assessment approach, or on a model that blends elements of both in determining how and when companies have to notify consumers of a breach. Part IV discusses the time limits companies face, penalties for non-compliance, litigation under the statutes, and state enforcement of the statutes. Finally, Part V presents specific recommendations for the state legislatures and enforcement agencies and for Congress, as well as for companies facing data breaches.
Lesemann, Dana J.
"Once More Unto the Breach: An Analysis of Legal, Technological, and Policy Issues Involving Data Breach Notification Statutes,"
Akron Intellectual Property Journal: Vol. 4
, Article 2.
Available at: https://ideaexchange.uakron.edu/akronintellectualproperty/vol4/iss2/2