ARTICLE SUMMARY
Data breaches are preventable, but data security law has failed to reduce data breaches. Policymakers should reform data security law to take a more holistic approach, reducing systemic risk.
POLICY RELEVANCE
Policymakers should reform the law to address the role of human error in breaches.
KEY TAKEAWAYS
- Most data breaches are preventable and involve the same mistakes:
  - Too much data is stored in one place.
  - Stolen devices play a key role.
  - Most stolen data is not encrypted.
  - Phishing attacks defeat security with one click.
- Data security law has failed to reduce the size, severity, or number of data breaches; more than 9000 data breaches worldwide have been reported, involving over 11.6 billion records.
- Data security law is related to cybersecurity law (focused on developing secure systems) and to privacy law (focused on notice to the individual).
- Data security law fails to include the best features of either cybersecurity law or privacy law.
  - Data security law focuses on notice to the individual of data breaches.
  - Data security rules for secure systems are vague and sparse.
  - Data security law fails to consider the realities of human behavior, unlike privacy law.
- Data security law is inadequately enforced.
  - Enforcement after a data breach is redundant, as organizations that suffer from a breach are usually trying to improve.
  - Private lawsuits by consumers are often dismissed because the consumers have not suffered a sufficiently concrete injury.
- Policymakers should take a more holistic approach, refocusing data security rules on accountability, redress, and technological design; the law should reduce security risks across the entire system, like public health rules concerning the spread of viruses.
- Data breaches arise from the data ecosystem, which incorporates weaknesses such as the use of Social Security numbers (easily discoverable and hard to change) as passwords.
- Lawmakers and courts should ensure that actors involved in security are held accountable for failure.
- Strong privacy rules create accountability for the collection and use of personal information, and can reduce security risks.
- Bad actors can often buy sensitive data by posing as legitimate data customers.
- Entities that collect data should act as data stewards, mapping the data they acquire.
- Only minimal data should be collected and stored.
- Most data security failures involve human error.
  - People select poor passwords and have trouble remembering them.
  - The answers to many security questions are easy to guess.
  - Default settings should require strong passwords and automatic security updates.
  - Use of password managers and two-factor authentication would improve security.