With over 350 million records containing sensitive personal information having been compromised since 2005, it is evident that data breaches are an epidemic problem. After demonstrating the security breach problem, the Note begins by discussing California's pioneering data breach notification law, which requires breached entities to notify those affected that their personal information has been compromised. Drawing on various provisions found in California's notification law, the Note evaluates current state and federal data breach laws. To further explore the relationship between federal and state enforcement, two recent data breaches, the ChoicePoint and TJX breaches, are discussed in depth. The Note then examines proposed federal and state legislation to strengthen the argument that data breach laws, which currently focus on notification, must also advance to breach prevention. Finally, the Note proposes a solution for preventing data breaches by increasing liability for merchants who fail to meet heightened security standards based on those used in the credit card industry.
I. INTRODUCTION
In an age when internet transactions have become a part of everyday life, both individual users and corporations have become more sophisticated. Users who used to receive content only passively now actively engage in e-commerce. Companies that used to only keep paper files now maintain digital databases worldwide. Because private information is increasingly available over the internet, there is a rising demand for data breach laws that protect private information.
Approximately eighty to ninety percent of Fortune 500 companies and government agencies have experienced data breaches.1 Since January 2005, over 350 million records containing sensitive personal information have been compromised in data breaches.2 The leading cause of these security breaches is hacker intrusion, followed by stolen laptops and computers, and insider thefts of private information.3 Terrorists have also increasingly utilized the internet not only to communicate and recruit, but also to perpetrate online crimes to obtain financial support for their agendas.4 Furthermore, data breaches often result in fraud. The Internet Crime Complaint Center reported that fraud-related losses totaled $264.6 million in 2008, up from $239.1 million in 2007.5 These figures only address reported losses; computer crime experts agree that most computer-related crimes go either undetected or unreported.6 With personal information being compromised almost daily in data breaches,7 the main question is: what are state and...