The laws governing data breaches: An update

Abstract

Working remotely has compounded vulnerabilities; cybercriminals have exploited the pandemic as an opportunity to target companies. Even before the pandemic, data breaches were increasing in both breadth and scope. According to data from Norton,1 the first half of 2019 saw 3,800 publicly disclosed breaches, exposing 4.1bn records.2 That reflected a rise of 54 per cent, compared with the same time period in 2018.3 States across the country have started to react, enacting privacy, data security, cyber security and data breach notification laws, and courts have continued — slowly and inconsistently — to embrace broader theories of potential recovery by victims of those breaches. The past two years have seen several noteworthy developments in the courts and in the legislatures. This paper examines those judicial developments, as well as state statutes and regulations such as the California Consumer Privacy Act of 2018 (CCPA), the 2019 amendment to the Massachusetts Data Breach Notification Act (MA-DBNA) and the New York Stop Hacks and Improve Electronic Data Security Act of 2020 (SHIELD Act). After examining those developments, this paper concludes with insights into best practices in light of the ever-shifting judicial, legislative and regulatory climate surrounding data breaches.