Professor Woodrow Hartzog and I selected some key quotes from our new book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022).
The Law’s Obsessive and Unproductive Focus on Data Breaches
“Too much of the current law of data security places the breach at the center of everything. Turning data security law into the “law of breaches” has the effect of over-emphasizing the conduct of the breached entities while ignoring the other actors and factors that contributed to the breach.” (p. 11)
“Data security law has an unhealthy obsession with data breaches. This obsession has, ironically, been the primary reason why the law has failed to stop the deluge of data breaches. The more obsessed with breaches the law has become, the more the law has failed to deal with them.” (p. 39)
“Breaches are already very costly and painful, so when regulators come along and add a little more to the pain, it often is not a game changer. This is especially true because the penalties are often far smaller than the overall costs of the breach.” (p. 55)
Data Security Is a Delicate Balance
“Current data security rules fail to address risk effectively. In many circumstances, the law penalizes breaches with little regard to considerations of risk and balance. Other times, the law levies no penalty against organizations even though their actions created enormous unwarranted risks.” (p. 12)
“Although at first blush the goal of perfect security seems desirable, it is actually the wrong goal, and it is based on a fundamental misunderstanding of what data security is about. When security is properly understood, we will see that it is more of an art than a science, more about how to deftly balance tradeoffs and opposing goals. These tradeoffs can’t be denied if we want good data security policy. We can’t have perfect security, and we wouldn’t want it either.” (pp. 70-71)
Why Current Data Security Law Fails
“Data security law currently consists of three broad types of law— breach notification laws, safeguards laws, and private litigation— all of which focus far too heavily on data breaches. This reactionary body of law rummages through the ashes of breaches, but it doesn’t do enough to actually prevent breaches or reduce the harm from them. Meanwhile, the fire still rages.” (p. 196)
“The market often fails to create the incentive for good security, and in many cases, the incentives encourage poor security. The reason why is because all the parties in the data ecosystem have a very strong incentive to shift the blame (and resulting liability) of a breach onto others, because they don’t want to end up holding the bill. Data security law right now is like a game of hot potato where no one wants to be stuck holding the potato when the timer runs out.” (p. 81)
Identity Theft, Data Breach Harms, and Inadequate “Cures”
“The Social Security Number (SSN) is the worst password ever created, and it is a creation of the law.” (p. 123)
“Given how often credit monitoring is offered after data breaches, one would think that it is a great cure for any harms or a vaccine against future harms. But credit monitoring isn’t a cure or vaccine— it’s just a limited diagnostic tool. Credit monitoring just tells you if something odd is going on in your credit reports.” (p. 125)
“Identity theft is a product of deliberate carelessness. The reason so much identity theft occurs is because it is cheaper to expose people to the risk of identity theft than to exercise more care in vetting credit applications. Courts and legislatures are also to blame because they fail to adequately recognize the harm of identity theft (or data breaches) and will not make companies internalize the full costs. The companies do their cost–benefit analysis and conclude that they can expose people to the risk of identity theft because many costs are external.” (p. 128)
“Data breaches cause far too much needless harm. The law can lessen or stop much of this harm. . . . We can take much of the sting out of data breaches. They need not be so harmful to individuals or so costly to organizations. If SSNs weren’t used as passwords, for example, then the SSN would just be a number and nothing more. A data breach of SSNs wouldn’t cause harm.” (p. 129)
The Law Should Focus on the Whole Data Ecosystem
“In what we call “holistic data security,” we contend that data breaches aren’t a series of isolated incidents as they often are assumed to be. Data breaches are the product of the data ecosystem, which is perversely structured in ways that not only to fail to prevent data breaches but make it easier for them to occur and heighten the damage they cause. We contend that the law must dramatically widen its scope. It must move away from its narrow focus on data breaches. It must become more involved earlier on. It must apply to the full range of actors that contribute to the problem. In short, the law must address the structural points where the system is failing.” (p. 70)
“Almost every hack seems like the result of a technical failure or individual blunder. But usually those failures or blunders were orchestrated by criminals taking advantage of a system where nobody wants to accept blame for a security lapse. The lack of accountability within these systems causes, or contributes to, a lot of breaches (or makes them more harmful).” (p. 80)
Why Privacy Is Essential for Good Data Security
“Good data security is almost impossible without a robust commitment to privacy values. Privacy is a key and underappreciated aspect of data security. Lawmakers and industry should break down the regulatory and organizational silos that keep them apart and strengthen our privacy rules as one way to enhance data security and mitigate breaches.” (p. 135)
“Beyond a lack of privacy protection, the schism between privacy and data security has resulted in organizations viewing data security mainly as an IT issue. Certainly, many components of good data security involve IT, such as encryption, firewalls, access controls, and more. But many more security issues involve a human dimension. Many security decisions involve human behavior, such as how to deal with cognitive limitations, carelessness, cheating, denial, ignorance, gullibility, and misconduct— security’s seven deadly sins. Security decisions also involve policy, such as managing the tradeoff between security on the one side, and ease, convenience, and ready accessibility on the other.” (pp. 138-139)
“The idea that companies should only be able to collect and retain data that is adequate, relevant, and necessary is a bulwark against data abuse and the essence of privacy because it either prevents data from being created in the first place or compels its destruction. It also demonstrates how privacy and security must work together to achieve their separate goals.” (p. 160)
“Lawmakers should embrace data minimization with the same zeal they embrace data security rules and for the same reasons. Although privacy and data security have slightly different functions, they work in tandem and roughly overlap to achieve the same goals.” (p. 161)
Dealing with the Human Factor in Data Security
“With passwords, we demand the impossible of people, and then we blame them when they fail.” (pp. 174-175)
“Ultimately, for effective data security, we must avoid asking people to do things they can’t do. We also shouldn’t expect success if we merely ask people to do things that they are highly unmotivated to do. . . . Effective security thus involves a realistic appreciation of human capabilities and a deep understanding of how to influence human behavior.” (p. 178)
“Paradoxically, attempts to achieve perfect data security can actually weaken security because people will find end-runs around clunky security procedures. When policymakers create rules that don’t factor in people’s inevitable foibles and incentives to create workarounds, they get unintended consequences. We need to think of ways to better account for human behavior in designing security policy.” (pp. 181-182)
