Solove & Hartzog on Data Vu: Why Breaches Involve the Same Stories Again and Again

Daniel J. Solove (George Washington University Law School) and Woodrow Hartzog (Boston University School of Law; Stanford Law School Center for Internet and Society) have posted “Data Vu: Why Breaches Involve the Same Stories Again and Again” (Scientific American (July 2022)) on SSRN. Here is the abstract:

This short essay discusses why data security law fails to effectively combat data breaches, which continue to increase. With a few exceptions, current laws about data security do not look too far beyond the blast radius of most data breaches. Only so much marginal benefit can be had by increasing fines to breached entities. Instead, the law should target a broader set of risky actors, such as producers of insecure software and ad networks that facilitate the distribution of malware. Organizations that have breaches almost always could have done better, but there’s only so much marginal benefit from beating them up. Laws could focus on holding other actors more accountable, so responsibility is more aptly distributed.