Why Data Security Law Fails and How to Improve it
by Daniel J. Solove & Woodrow Hartzog
(Oxford University Press 2022)
A novel account of how the law contributes to the insecurity of our data and a bold way to rethink it.
Digital connections permeate our lives—and so do data breaches. It is alarming how difficult it is to create rules for securing our personal information. Despite the passage of many data security laws, data breaches are increasing at a record pace. In Breached!, Daniel Solove and Woodrow Hartzog, two of the world’s leading experts on privacy and data security, argue that the law fails because, ironically, it focuses too much on the breach itself.
Drawing insights from many fascinating stories about data breaches, Solove and Hartzog show how major breaches could have been prevented or mitigated through a different approach to data security rules. Current law is counterproductive. It pummels organizations that have suffered a breach but doesn’t address the many other actors that contribute to the problem: software companies that create vulnerable software, device companies that make insecure devices, government policymakers who write regulations that increase security risks, organizations that train people to engage in risky behaviors, and more.
Although humans are the weakest link for data security, policies and technologies are often designed with a poor understanding of human behavior. Breached! corrects this course by focusing on the human side of security. Drawing from public health theory and a nuanced understanding of risk, Solove and Hartzog set out a holistic vision for data security law, one that holds all actors accountable, understands security broadly and in relationship to privacy, looks to prevention and mitigation rather than reaction, and works by accepting human limitations rather than being in denial of them. The book closes with a roadmap for how we can reboot law and policy surrounding data security.
“An exceptionally insightful and accessible overview of key data security challenges and the law’s dysfunctional attempts to deal with them.”
– Edward McNicholas, Global Cybersecurity Practice Co-Leader, Ropes & Gray
“A readable and smart account of how policymakers keep focusing on the wrong details at the expense of the bigger picture. Breached! is a book for anyone who is interested in why data breaches keep happening and what the law should do about it.”
– Bruce Schneier, author of Click Here to Kill Everybody
“Breached! shows how the future of data security requires us to look at the problem holistically and understand that good privacy rules can also promote good security outcomes. A breath of fresh air on an important and often-ignored topic.”
– Neil Richards, Professor of Law, Washington University
“A fascinating exploration of the ways that our fixation on individual data breaches has limited the effectiveness of data security law.”
– Josephine Wolff, Associate Professor of Cybersecurity Policy, Tufts University
“A foundational contribution to data security law. With deep insight, compelling storytelling, and even humor (and some needed fright), the scholars show that lawmakers must better understand that beneath the high-tech wizardry and data security do’s and don’ts are normal, fallible people. This book is a must-read for everyone concerned about the security of our personal data.”
– Danielle Keats Citron, Distinguished Professor, University of Virginia School of Law
“A compelling account of where data security law has gone wrong plus convincing advocacy of where it should go. This book should be read by anyone involved in privacy and cybersecurity.”
– Paul Schwartz, Jefferson E. Peyser Professor of Law, Berkeley Law School
“A clear, accessible, persuasive case that data security today needs a systematic approach, far beyond just mopping up breaches. I hope every regulator or legislator working on the subject reads this book and follows their advice.”
– William McGeveran, Associate Dean for Academic Affairs, U. Minnesota Law School