American businesses spend an average of $6.5 million on a single data breach, including the price of notifying potentially affected individuals and ensuing legal costs. As the amount of data collected from and about people explodes, the number of breaches has also grown. Companies affected by data breaches subsequently face significant enforcement by federal and state regulators, as well as litigation by opportunistic plaintiffs. Data privacy, as a result, is predicted to become “the new asbestos.” Reforms can help curb unreasonable costs to businesses while still providing relief to those who have truly been harmed. read more...
Information holders no longer just have to worry about whether employees are disposing of data correctly—from domestic hackers to hostile foreign governments, cyberattacks have grown in number and in sophistication. As businesses work to navigate the evolving landscape, they find themselves bombarded by federal and state regulators using outdated laws, to plaintiffs seeking large settlements despite showing no actual injury from a data breach.
It is unclear for businesses what the scope of their liability is and to whom. The U.S. has a patchwork of federal laws intended to protect personal information. At the same time, states have passed their own laws, which impose different (and sometimes contradictory) requirements for data privacy, including when and how victims of data breaches must notify their customers. Regulators have struggled to keep pace with the rising number of incidents and individuals’ concerns, with the result being a piecemeal, hastily-assembled legal regime.
A standard federal law governing breach notification requirements, preempting state laws, would provide much-needed predictability for businesses and protect them from abusive and overlapping enforcement. Moreover, vague laws prohibiting unfair and deceptive practices, from Section V of the Federal Trade Commission (FTC) Act to state laws, are ripe for abuse; the FTC and some state attorneys general have wielded them devastatingly to go after businesses’ privacy and security practices. To make matters worse, individual and class action plaintiffs, led by the plaintiff’s bar, have jumped on the bandwagon as well.
It is important that privacy laws address real harms and place reasonable limits on liability while discouraging meritless suits that simply take advantage of businesses. Only those who are actually at risk or who have been harmed by a data breach should get notice or be able to sue. Holding businesses to impossible standards and allowing excessive and duplicative litigation hurts Americans and the economy.