Data Breach Disclosure: A Policy Analysis

Melissa Dark (Purdue University, USA)
Copyright: © 2012 | Pages: 27
DOI: 10.4018/978-1-61350-323-2.ch302


As information technology has become more ubiquitous and pervasive, assurance and security concerns have escalated; in response, we have seen noticeable growth in public policy aimed at bolstering cybertrust. With this growth in public policy, questions regarding the effectiveness of these policies arise. This chapter focuses on policy analysis of the state data breach disclosure laws recently enacted in the United States. The state data breach disclosure laws were chosen for policy analysis for three reasons: the rapid policy growth (the United States has enacted 45 state laws in 6 years); the fact that this is the first instantiation of informational regulation for information security; and the importance of these laws to identity theft and privacy. The chapter begins with a brief history in order to provide context. Then, this chapter examines the way in which historical, political and institutional factors have shaped our current data breach disclosure policies, focusing on discovering how patterns of interaction influenced the legislative outcomes we see today. Finally, this chapter considers: action that may result from these policies; the action type(s) being targeted; alternatives that are being considered; and potential outcomes of the existing and proposed alternative policies.
Chapter Preview


Although advances in computing promise substantial benefits for individuals and society, trust in computing and communications is critical in order to realize such benefits. The hope for cybertrust is a society where trust enables technologies to support individual and societal needs without violating confidences and exacerbating public risks. Cybertrust, in part, depends upon software and hardware technologies upon which people can justifiably rely. However, the cybertrust vision requires looking beyond technical controls to consider how other forms of social control contribute to the state of cybertrust. This chapter focuses on public policy. While the chapter does not specifically use the word ethics, it should be noted that ethical issues and public policy are intimately intertwined. Policy is not formed in a moral vacuum; on the contrary, policy is inherently normative in that it prescribes, sometimes explicitly and often implicitly, what should be.

The increased reliance on and utilization of information technology in society has created the need for new regulation regarding the use and abuse of these systems. We see this clearly just by briefly inventorying some of the regulations that have been enacted to protect security and privacy.

  • Freedom of Information Act (1966)

  • Fair Credit Reporting Act (1970)

  • Bank Secrecy Act (1970)

  • Privacy Act (1974)

  • Family Educational Rights and Privacy Act (FERPA) (1974)

  • Right to Financial Privacy Act (1978)

  • Foreign Intelligence Surveillance Act (1978)

  • Electronic Communications Privacy Act (ECPA) (1986)

  • Telephone Consumer Protection Act (1991)

  • Communications Assistance for Law Enforcement Act (1994)

  • Driver's Privacy Protection Act (1994)

  • Health Insurance Portability and Accountability Act (HIPAA) (1996)

  • Computer Fraud & Abuse Act (1996)

  • Children's Online Privacy Protection Act (COPPA) (1998)

  • Digital Millennium Copyright Act (1998)

  • Gramm-Leach-Bliley Act (GLBA) (1999)

  • USA PATRIOT Act (2001)

  • Federal Information Security Management Act (2002)

  • Fair and Accurate Credit Transactions Act (2003)

  • CAN-SPAM Act (2003)

  • 45 State Data Breach Disclosure Laws (2003-present)

Eight of these laws were enacted between 1966 and 1986, while the last thirteen items in the list were enacted between 1991 and 2009. This is not an exhaustive list, but it is representative and shows the increasing growth in legislation. This chapter focuses on the 45 State Data Breach Disclosure laws enacted in the United States between 2003 and 2009, a mere six-year time span. Data breach has become a policy concern due to the rise in identity theft crimes and the erosion of privacy.
