So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws

Data breaches, now a common occurrence throughout the world, are an ever-present threat to both consumers and companies, exposing on average the personal information of 1.1 million people and costing about $5.4 million per incident. The problem is compounded by the current data-breach notification regime, which consists of 47 different, sometimes conflicting, state laws. When a breach occurs, a company must therefore consult the law of each affected consumer's state to determine whether that consumer must be notified, and when. This can be extremely burdensome for large, nationwide companies with thousands or even millions of consumers spread across many states. Most importantly, even when these state laws work as intended and consumers are notified of a breach, those consumers have almost no legal recourse against the entity whose security failure led to the unlawful or unauthorized acquisition of their personal information. There is no clear-cut state or federal civil cause of action for consumers to bring, and existing causes of action have had limited success when applied to data breaches because plaintiffs often cannot establish standing or a cognizable injury. A stronger data-breach notification regime, one that provides consumers with a remedy when a breach does occur and that is more effective at preventing breaches in the first place, should therefore be considered. In this way, consumers will be better protected and the damage caused by future data breaches will be minimized.