Skip to main content

Regulating Data Breaches: A Data Superfund Statute

Posted by on Tuesday, May 25, 2021 in Notes, Volume 23, Volume 23, Issue 3.

Kyle McKibbin | 23 Vand. J. Ent. & Tech. L. 649 (2021)

Collecting and processing large amounts of personal data has become a fundamental feature of the modern economy. Personal data, combined with good data analytics, are valuable to businesses as they can provide highly detailed information about individual preferences and behaviors. This data collection can also be valuable to the consumer as it generates innovative products and digital platforms. The era of big data promises great rewards, but it is not without its costs. Data breaches, or the release of personal data into unwanted hands, are pervasive and increasingly massive in scale. Despite the personal privacy harm caused by data breaches, businesses can largely externalize the costs of these breaches to the public. While privacy harm is undoubtedly an important issue, the release of data generates arguably more significant social costs. This Note argues that policy makers should view the unwanted release of data as a form of pollution that dilutes critical public goods. As such, an effective regulatory solution to data breaches should mirror the current regulatory approaches to environmental pollution. Like the physical environment, the data environment is a complex and highly interconnected system; accordingly, there is unlikely to be a single best way to regulate it. Thus far, the United States has approached data regulation in a stepwise and targeted fashion, much like environmental regulation. This approach has some advantages, but there is a pressing need for more comprehensive regulation. Current proposals point to omnibus privacy laws like the European Union’s General Data Protection Regulation and the California Consumer Privacy Act as a solution. However, these regulations are ultimately privacy focused and impose high costs on the data economy. To balance these concerns, this Note proposes that Congress enact federal legislation implementing a data protection statute modeled after the Comprehensive Environmental Response, Compensation, and Liability Act.

PDF Download Link

Author:

Kyle McKibbin