Breached! Why Data Security Law Fails and How to Improve It

Article Source: Oxford University Press, 2022



Data breaches are preventable, but data security law has failed to reduce data breaches. Policymakers should reform data security law to take a more holistic approach, reducing systemic risk.


Policy Relevance:

Policymakers should reform the law to address the role of human error in breaches.


Key Takeaways:
  • Most data breaches are preventable and involve the same mistakes:
    • Too much data is stored in one place.
    • Stolen devices play a key role.
    • Most stolen data is not encrypted.
    • Phishing attacks defeat security with one click.
  • Data security law has failed to reduce the size, severity, or number of data breaches; more than 9000 data breaches worldwide have been reported, involving over 11.6 billion records.
  • Data security law is related to cybersecurity law (focused on developing secure systems) and to privacy law (focused on notice to the individual).
  • Data security law fails to include the best features of either cybersecurity law or privacy law.
    • Data security law focuses on notice to the individual of data breaches.
    • Data security rules for secure systems are vague and sparse.
    • Data security law fails to consider the realities of human behavior, unlike privacy law.
  • Data security law is inadequately enforced.
    • Enforcement after a data breach is redundant, as organizations that suffer from a breach are usually trying to improve.
    • Private lawsuits by consumers are often dismissed because the consumers have not suffered a sufficiently concrete injury.
  • Policymakers should take a more holistic approach, refocusing data security rules on accountability, redress, and technological design; the law should reduce security risks across the entire system, like public health rules concerning the spread of viruses.
  • Data breaches arise from the data ecosystem, which incorporates weaknesses such as the use of Social Security numbers (easily discoverable and hard to change) as passwords.
  • Lawmakers and courts should ensure that actors involved in security are held accountable for failure.
  • Strong privacy rules create accountability for the collection and use of personal information, and can reduce security risks.
    • Bad actors can often buy sensitive data by posing as legitimate data customers.
    • Entities that collect data should act as data stewards, mapping the data they acquire.
    • Only minimal data should be collected and stored.
  • Most data security failures involve human error.
    • People select poor passwords and have trouble remembering them.
    • The answers to many security questions are easy to guess.
    • Default settings should require strong passwords and automatic security updates.
    • Use of password managers and two-factor authentication would improve security.



Daniel Solove

About Daniel J. Solove

Daniel J. Solove is the Eugene L. and Barbara A. Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. He is an internationally known expert in privacy law.

Woodrow Hartzog

About Woodrow Hartzog

Woodrow Hartzog is Professor of Law at Boston University School of Law. Professor Hartzog's scholarship and advocacy focus on privacy and technology law. His research focuses on the complex problems that arise when people, organizations, and governments use powerful new technologies to collect, analyze, and share human information. He is an internationally recognized expert in the area of privacy, media, and robotics law.