Article
Defending Our Data: The Need for Information We Do Not Have
Information and Value: Intellectual Property, Privacy, and Big Data (2016)
  • Richard Warner
  • Robert Sloan
Abstract
Data breaches occur at the rate of over two a day. The aggregate social cost is high. Security experts have long explained how to defend better. So why does society tolerate a significant loss that it has the means to avoid? Current laws are ineffective in providing an adequate incentive to avoid the loss. As Thomas Smedinghoff notes, laws — current and proposed — “obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures.” However, most of the laws “simply obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures, but give no further direction or guidance.” We contend that the consequence is that the laws fail to provide an adequate incentive to improve information security. The solution is to provide better guidance about what counts as reasonable security measures. Data breach notification laws may seem like a viable alternative, but we argue they are unlikely to sufficiently improve security.
Keywords
  • information security
  • law
  • cybersecurity
  • data breach
  • breach reporting
  • data protection
  • data risk management
Publication Date
July 29, 2016
Citation Information
Defending Our Data, in Maciej Barczewski (ed.), Information and Value: Intellectual Property, Privacy, and Big Data, Wolters-Kluwer, forthcoming 2018.