Anne M. Payton
ABSTRACT
Data security breaches are increasing in frequency and scope. Current law provides for remedy to the few victims who suffer immediate identity theft and catch the perpetrators. Little help is now available to those not yet tangibly victimized, whose exposed data has left them highly vulnerable to identity theft for years to come, long after the statute of limitations runs out for the initial breach. This paper examines legal issues involved in data breaches, including the damage done to breach victims and the liability of data custodians. Applicable state and federal laws are reviewed, along with representative court decisions in data breach cases. Finally, possible legal remedies for data breach victims are discussed.
- Askey v. Occidental Chem. Corp., 477 N.Y.S.2d 242, 247 (N.Y. App. Div. 1984).Google Scholar
- Consumers Union. (n.d.). State security freeze laws. Retrieved June 16, 2006 from http://www.consumersunion.org/campaigns//learn_more/003484indiv.htmlGoogle Scholar
- Cornell Law School. (n.d.). Legal Information Institute: Title 15:>Chapter 41>Subchapter iii>§1681n: Civil liability for willful noncompliance. Retrieved June 17, 2006 from http://www4.law.cornell.edu/uscode/html/uscode15/usc_sec_15_00001681---n000-.htmlGoogle Scholar
- Cornell Law School. (n.d.). Legal Information Institute: Title 15:>Chapter 41>Subchapter iii>§1681o: Civil liability for negligent noncompliance. Retrieved June 17, 2006 from http://www4.law.cornell.edu/uscode/html/uscode15/usc_sec_15_00001681---o000-.htmlGoogle Scholar
- Cornell Law School. (n.d.). Legal Information Institute: Title 15:>Chapter 41>Subchapter iii>§1681q: Obtaining information under false pretenses. Retrieved June 17, 2006 from http://www4.law.cornell.edu/uscode/html/uscode15/usc_sec_15_00001681---q000-.htmlGoogle Scholar
- CSO Magazine. (2005 May). The Plot Thickens. Retrieved June 24, 2006 from http://www.csoonline.com/read/050105/choicepoint_plot_35 87.htmlGoogle Scholar
- Electronic Privacy Information Center. (n.d.). The fair credit reporting act (FCRA) and the privacy of your credit report. Retrieved June 18, 2006 from http://www.epic.org/privacy/fcra/Google Scholar
- Federal Trade Commission. (2006, January 26). ChoicePoint settles data security breach charges; to pay $10 million in civil penalties, $5 million for consumer redress. Retrieved June 12, 2006 from http://www.ftc.gov/opa/2006/01/choicepoint.htmGoogle Scholar
- Federal Trade Commission. (n.d.) Gramm-Leach-Bliley Act, 15 USC, Subchapter I, Sec. 6801--6809, Disclosure of nonpublic personal information. Retrieved June 17, 2006 from http://www.ftc.gov/privacy/glbact/glbsub1.htmGoogle Scholar
- Federal Trade Commission. (n.d.) Gramm-Leach-Bliley Act, 15 USC, Subchapter I, Sec. 6805 enforcement. Retrieved June 17, 2006 from http://www.ftc.gov/privacy/glbact/glbsub1.htm#6805Google Scholar
- Goldfarb, Z. (2006, June 22). VA to offer credit monitoring, 1 year of service free to data-theft victims. Retrieved June 24, 2006 from http://www.washingtonpost.com/wp-dyn/content/article/2006/06/21/AR2006062101788.htmlGoogle Scholar
- GovTrack. (n.d.). 109th U.S. congress (2005--2006): H.R. 5464: Veterans identity protection act. Retrieved June 20, 2006 from http://www.govtrack.us/congress/bill.xpd?bill=h109-5464Google Scholar
- Guin v. Brazos Higher Education Service Corporation, Inc. (D. Minn. 2006) WL 288483.Google Scholar
- Helms, M., Lundberg, F., & Mathews, C. (1996). Encyclopedia of georgia law. Norcross, GA: The Harrison Company. p. 26.Google Scholar
- Huggins v. Citibank, N.A., 355 S.C. 329, 585 S.E.2d 275 (2003).Google Scholar
- Library of Congress. (n.d.). Financial data protection act of 2005, S 2169. Retrieved June 26, 2006 from http://thomas.loc.gov/cgi-bin/bdquery/z?d109:SN02169:@@@L&summ2=m&Google Scholar
- Library of Congress. (n.d.). The data accountability and trust act, H.R. 4127. Retrieved June 26, 2006 from http://thomas.loc.gov/cgi-bin/bdquery/D?d109:2:./temp/~bdDzQS:@@@L&summ2=m&|/bss/d109query.html|Google Scholar
- Library of Congress. (n.d.). The notification of risk to personal data act, S 115. Retrieved June 26, 2006 from http://thomas.loc.gov/cgi-bin/bdquery/D?d109:8:./temp/~bdXK5m:@@@L&summ2=m&|/bss/109search.html|Google Scholar
- Miller, R. & Cross, F. (2005). The legal and e-commerce environment today: business in its ethical, regulatory and international setting (4th ed.). Mason, OH: Thomson/South-Western,. p. 249.Google Scholar
- People v. Ware, No. H025167, 2003 WL 22120898, (Cal. Ct. App. Sept. 11, 2003).Google Scholar
- Perkins, Coie, LLC. (2006, June 5) Security breach notification chart. Retrieved June 18, 2006 from http://www.perkinscoie.com/statebreachchart/chart.pdfGoogle Scholar
- Potter v. Firestone Tire & Rubber Co., 863 P.2d 795, 821 (Cal. 1993).Google Scholar
- Privacy Rights Clearinghouse. (2006, June 23). A chronology of data breaches reported since the choicepoint incident. Retrieved June 23, 2006 from http://www.privacyrights.org/ar/ChronDataBreaches.htmGoogle Scholar
- Public Interest Research Group In Michigan. (n.d.). Policing privacy: Michigan law enforcement officers on the challenges of tackling identity theft. Retrieved June 22, 2006 from http://pirgim.org/reports/policingprivacy04.pdfGoogle Scholar
- Redland Soccer Club, Inc. v. Dept. of the Army, 696 A.2d 137, 145 (Pa. 1997).Google Scholar
- Spangler, T. (2006, June 26). Data security: ChoicePoint's lessons learned. Retrieved June 26, 2006 from http://www.baselinemag.com/article2/0,1540,1981646,00.aspGoogle Scholar
- Stollenwerk v. Tri-West Healthcare Alliance, No. 03-0185PHXSRB, 2005 WL 2465906, (D. Ariz. Sept. 6, 2005).Google Scholar
- United States Department of Health and Human Services. (n.d.). P.L. 104-191, Health insurance portability and accountability act of 1996. Retrieved June 11, 2006 from http://aspe.hhs.gov/admnsimp/pl104191.htmGoogle Scholar
- United States Senate Committee on the Judiciary. (2005, May 13). Testimony of The Honorable William H. Sorrell, Attorney General, State of Vermont. Securing electronic personal data: striking a balance between privacy and commercial and governmental use. Retrieved June 18, 2006 from http://judiciary.senate.gov/testimony.cfm?id=1437&wit_id=729Google Scholar
Index Terms
- Data security breach: seeking a prescription for adequate remedy
Recommendations
Data Breach and Multiple Points to Stop It
SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and TechnologiesPreventing unauthorized access to sensitive data is an exceedingly complex access control problem. In this keynote, I will break down the data breach problem and give insights into how organizations could and should do to reduce their risks. The talk ...
Anatomy of a Data Breach
In the wake of undiscovered data breaches and subsequent public exposure, regulatory compliance and security audit standards are becoming more important to protecting critical assets. Despite the increase in the number of data breaches via illicit means,...
Evaluating the Quality and Usefulness of Data Breach Information Systems
As the nation confronts a growing tide of security breaches, the importance of having quality data breach information systems becomes paramount. Yet too little attention is paid to evaluating these systems. This article draws on data quality scholarship ...
Comments