Data Breach: From Notification to Prevention Using PCI DSS

With over 350 million records containing sensitive personal information having been compromised since 2005, it is evident that data breaches are an epidemic problem. After demonstrating the security breach problem, the Note begins by discussing California's pioneering data breach notification law, which requires breached entities to notify those affected that their personal information has been compromised. Drawing on various provisions found in California's notification law, the Note evaluates current state and federal data breach laws. To further explore the relationship between federal and state enforcement, two recent data breaches, the ChoicePoint and TJX breaches, are discussed in-depth. The Note then examines proposed federal and state legislation to strengthen the argument that data breach laws, which currently focus on notification, must also advance to breach prevention. Finally, the Note proposes a solution for preventing data breaches by increasing liability for merchants who fail to meet heightened security standards based on those used in the credit card industry. I. INTRODUCTION In an age when internet transactions have become a part of everyday life, both individual users and corporations have become more sophisticated. Users who used to receive content only passively now actively engage in e-commerce. Companies that used to only keep paper files now maintain digital databases worldwide. Because private information is increasingly available over the internet, there is a rising demand for data breach laws that protect private information. Approximately eighty to ninety percent of Fortune 500 companies and government agencies have experienced data breaches.1 Since January 2005, over 350 million records containing sensitive personal information have been compromised in data breaches.2 The leading cause of these security breaches is hacker intrusion, followed by stolen laptops and computers, and insider thefts of private information.3 Terrorists have also increasingly utilized the internet not only to communicate and recruit, but also to perpetrate online crimes to obtain financial support for their agendas.4 Furthermore, data breaches often result in fraud. The Internet Crime Complaint Center reported that fraud-related losses totaled $264.6 million in 2008, up from $239.1 million in 2007.5 These figures only address reported losses; computer crime experts agree that most computer-related crimes go either undetected or unreported.6 With personal information being compromised almost daily in data breaches,7 the main question is: what are state and federal governments doing about this problem? Having demonstrated that a security breach problem exists, this Note will go on to describe the current state and federal laws addressing the problem, highlight certain enforcement actions that have been undertaken in response to the problem, and, finally, propose that lawmakers craft legislation that focuses not only on notification of injured parties and damage control but also on data breach prevention. Part II begins by discussing California's pioneering data breach law and then draws on that law to evaluate current state data breach laws. Part III examines the current federal laws addressing data breach issues, specifically the Gramm-Leach-Bliley Act and various Federal Trade Commission acts. Part IV illuminates the need for legislation that goes beyond requiring consumer notification after data breaches to prevent such breaches. This section also explores the relationship between federal and state data breach laws using the Choice Point and TJX breaches. Part V discusses pending state and federal legislation to demonstrate that data breach laws need to progress toward preventing data breaches. Finally, Part VI proposes a solution: data breaches can be prevented by increasing liability for merchants who fail to meet heightened security standards based on those used in the credit card industry. …