Jane K. Winn, Are "Better" Security Breach Notification Laws Possible?, 24 Berkeley Tech. L.J. 1133 (2009), https://digitalcommons.law.uw.edu/faculty-articles/142
Berkeley Technology Law Review
This Article will evaluate the provisions of California's pioneering security breach notification law (SBNL) in light of "better regulation" or "smart regulation" criteria in order to highlight the costs of taking a narrowly focused, piecemeal approach and the benefits of taking a more comprehensive perspective to the problems of identity theft and information security. Just as the basic structure of SBNLs was borrowed from environmental law, this Article will borrow from decades of analysis of the impact of environmental regulation to evaluate the likely impact of SBNLs.
Just as environmental laws can be used to reduce externalities created through the mismanagement of common pool resources found in the natural environment, information security laws can be used to reduce externalities created through the mismanagement of common pool resources found in the virtual environment. If the analogy to environmental law is well drawn and the problem of identity theft is recognized as only a symptom of larger underlying systemic problems—including inadequate information system security—then a narrow, piecemeal regulatory strategy will be no substitute for an integrated, multi-faceted regulatory strategy.
To provide a framework within which the provisions of SBNLs can be analyzed, Part II of this Article provides a general overview of academic and political "better regulation" initiatives undertaken in recent decades. While the Clinton Administration's emphasis on "reinventing government" was displaced by the Bush Administration's emphasis on "deregulation" in the United States, outside the United States interest in "smart regulation" strategies continued to grow during the 2000s and is likely to enjoy a new vogue under the Obama Administration.
In Part III, California's pioneering SBNL is analyzed in light of better regulation principles, which spotlights some obvious shortcomings of the legislation. The business, technological, and regulatory challenges posed by any effort to reduce the volume of security breaches are analyzed in Part IV. Given the enormity of those challenges, it should come as no surprise that a regulatory scheme as limited in scope as SBNLs is having only a modest impact on the information security policies of database owners.
Because information security problems are complex and multi-faceted, they may defy any attempt to resolve them with simple solutions. If achieving a significant reduction in the volume of data breaches is taken seriously as a policy goal, then there may be no alternative but to face the challenges of developing and enacting not just "better" SBNLs, but a better general "information security" regime.