Could Environmental Law Help Address Data Breaches?

Data breaches are a growing threat to U.S. businesses. In the wake of Target’s high-profile data theft, which impacted more than 110 million consumers, and the more recent theft of consumer data from Neiman Marcus who disclosed that hackers invaded its systems for several months in a breach that involved 1.1 million credit and debit cards, security experts, federal lawmakers, and business leaders are all working to determine how best to protect sensitive information from falling into the wrong hands.

At a recent privacy symposium hosted by the University of Maine School of Law, Professor Dennis Hirsch of Capital University Law School proposed a novel approach to data protection. His source of inspiration — oil spills.

In his forthcoming paper, The Glass House Effect: Big Data, Oil Spills and the Need for Clean Data Technology, Hirsh takes the oft quoted analogy “’big data’ is the new oil” and extends it to spill prevention and cleanup. “Data spills occur with the regularity of oil spills. The victim of identity theft, bogged down in unwanted credit cards and bills, is just as trapped and unable to fly as the bird caught in the oil slick, its wings coated with a glossy substance from which it struggles to free itself,” he writes.

Hirsh further argues that environmental law can provide strategies that allow businesses to take advantage of big data’s many benefits, while reducing its negative impacts. He specifically cites the Clean Water Act and Oil Pollution Act as examples.

For instance, Hirsch notes that victims of data breaches are often unable to recover the full extent of their damages because they must demonstrate a “concrete and particular harm” that is “actual or imminent.” Accordingly, damages related to emotional distress and the risk of future damages are generally not allowed. As Congress expanded the Oil Pollution Act to allow for greater recovery for oil spill victims, Hirsh suggests that lawmakers should pass federal legislation that allows for the recovery of noneconomic damages created by data breaches.

In addition, Hirsh calls for legislation that authorizes a federal agency to clean up after data spills (i.e., investigating the root causes, determining the severity of the breach, and providing credit monitoring and identity theft recovery services to the public). The federal government could then recoup its expenses from the responsible party.

Finally, Hirsh notes that increasing liability for data breaches will only accomplish so much, just as it does in the oil industry. Akin to the push for viable sources of “clean energy,” Hirsh calls for the prevention of data breaches through new, “clean data” technologies and privacy-protective business models.

Hirsh acknowledges that his policy proposals are “intended (to be) provocative suggestions (rather) than full-fledged proposals . . . to spark creative thinking about solutions.” However, out-of-the box thinking may be just what is needed to solve this pressing and complex problem.

If you have any questions about the proposals discussed or would like to discuss your company’s data protection strategies, please contact me, Cyber Jurist. Fernando Pinguelo, or the Scarinci Hollenbeck attorney with whom you work. To learn more about data privacy and security, visit eWhiteHouseWatch – Where Law, Technology & Politics Collide.