Defending Our Data: The Need for Information We Do Not Have (forthcoming)
暂无分享,去创建一个
Data breaches occur at the rate of over two a day. The aggregate social cost is high. Security experts have long explained how to defend better. So why does society tolerate a significant loss that it has the means to avoid? Current laws are ineffective in providing an adequate incentive to avoid the loss. As Thomas Smedinghoff notes, laws — current and proposed — “obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures.” However, most the laws “simply obligate companies to establish and maintain ‘reasonable’ or ‘appropriate’ security measures, controls, safeguards, or procedures, but give no further direction or guidance.” We contend that the consequence is that the laws fail to provide an adequate incentive to improve information security. The solution is to provide better guidance about what counts as reasonable security measures. Data breach notification laws may seem like a viable alternative, but we argue they are unlikely to sufficiently improve security.