Data Breach Disclosure: A Policy Analysis

Melissa Dark (Purdue University, USA)
DOI: 10.4018/978-1-61692-245-0.ch011


As information technology has become more ubiquitous and pervasive, assurance and security concerns have escalated; in response, we have seen noticeable growth in public policy aimed at bolstering cybertrust. With this growth in public policy, questions regarding the effectiveness of these policies arise. This chapter focuses on policy analysis of the state data breach disclosure laws recently enacted in the United States. The state data breach disclosure laws were chosen for policy analysis for three reasons: the rapid policy growth (the United States has enacted 45 state laws in 6 years); this is the first instantiation of informational regulation for information security; and the importance of these laws to identity theft and privacy. The chapter begins with a brief history in order to provide context. Then, this chapter examines the way in which historical, political and institutional factors have shaped our current data breach disclosure policies, focusing on discovering how patterns of interaction influenced the legislative outcomes we see today. Finally, this chapter considers: action that may result from these policies; the action type(s) being targeted; alternatives that are being considered; and potential outcomes of the existing and proposed alternative policies.
Chapter Preview


Although advances in computing promise substantial benefits for individuals and society, trust in computing and communications is critical in order to realize such benefits. The hope for cybertrust is a society where trust enables technologies to support individual and societal needs without violating confidences or exacerbating public risks. Cybertrust, in part, depends upon software and hardware technologies upon which people can justifiably rely. However, the cybertrust vision requires looking beyond technical controls to consider how other forms of social control contribute to the state of cybertrust. This chapter focuses on public policy. While the chapter does not specifically use the word ethics, it should be noted that ethical issues and public policy are intimately intertwined. Policy is not formed in a moral vacuum; on the contrary, policy is inherently normative in that it prescribes, sometimes explicitly and often implicitly, what should be.

The increased reliance on and utilization of information technology in society has created the need for new regulation regarding the use and abuse of these systems. We see this clearly just by briefly inventorying some of the regulations that have been enacted to protect security and privacy.

  • Freedom of Information Act (1966)

  • Fair Credit Reporting Act (1970)

  • Bank Secrecy Act (1970)

  • Privacy Act (1974)

  • Family Educational Rights and Privacy Act (FERPA) (1974)

  • Right to Financial Privacy Act (1978)

  • Foreign Intelligence Surveillance Act (1978)

  • Electronic Communications Privacy Act (ECPA) (1986)

  • Telephone Consumer Protection Act (1991)

  • Communications Assistance for Law Enforcement Act (1994)

  • Driver's Privacy Protection Act (1994)

  • Health Insurance Portability and Accountability Act (HIPAA) (1996)

  • Computer Fraud & Abuse Act (1996)

  • Children's Online Privacy Protection Act (COPPA) (1998)

  • Digital Millennium Copyright Act (1998)

  • Gramm-Leach-Bliley Act (GLBA) (1999)

  • USA PATRIOT Act (2001)

  • Federal Information Security Management Act (2002)

  • Fair and Accurate Credit Transactions Act (2003)

  • CAN-SPAM Act (2003)

  • 45 State Data Breach Disclosure Laws (2003-present)
