Data Breaches and Privacy Laws

Consumers routinely entrust businesses with personal information, including their names and addresses, financial account numbers, medical information, and other information commonly deemed “private.” Our legal system only has a few laws and enforcement mechanisms to protect consumers from data breaches that could leave them vulnerable to identity theft and other illegal schemes. Courts have also offered only cursory recognition of a general right to privacy. Most laws dealing with the privacy of consumers’ personal information fall into two categories: laws that prohibit accessing computer systems without authorization, and laws that protect specific types of information.

Data Breaches

The term “data breach” refers to any release of private, confidential, sensitive, or proprietary information into an unsecured or untrusted environment. The information could be released onto another computer or computer network, or directly onto the internet where anyone could access it. The release could be a deliberate or accidental act by someone with responsibility for the security of the information, or the result of an unauthorized intrusion into a secured computer network. High-profile data breaches include the breach of the retail company Target, which resulted in the theft of millions of customers’ credit card information, and the breach of Apple’s iCloud data storage system, which was followed by the release of the private photos of numerous (mostly female) celebrities.

The General Data Protection Regulation

Europe’s data privacy and security law, the General Data Protection Regulation (GDPR), is sometimes used as a model for new data privacy legislation. The GDPR regulates the collection and use of personal information in many ways. For instance, it requires that users be told why and for how long their personal data is being collected and be notified if they are at high risk following a data breach.

Data Breach Laws

Laws like the federal Computer Fraud and Abuse Act (CFAA) prohibit unauthorized access of computer systems. The statute originally only applied to computer systems used by the government or financial institutions, but the internet has made its coverage of any computer “used in a manner that affects interstate or foreign commerce” apply to almost any computer, smartphone, or tablet in use today. See United States v. Kramer, 631 F.3d 900 (8th Cir. 2011).

Liability for Data Breaches

Most statutes addressing data security deal with data breaches as something similar to trespass, focusing on the act of intruding on a computer or network without authorization. Consumers may also be able to assert civil claims against the network, not the person who committed the breach, if their personal information is exposed. Sony Corporation, for example, settled claims in the summer of 2014 arising from a 2011 data breach that exposed the personal data of about 77 million PlayStation Network users. Target faced multiple class action lawsuits over its 2013 data breach.

Right to Privacy

The U.S. Supreme Court ruled that the U.S. Constitution protects an individual right to privacy in Griswold v. Connecticut, 381 U.S. 479 (1965). The question of exactly how that ruling on “marital privacy” extends to digital and online privacy rights, however, remains unanswered. More than ten state constitutions recognize an individual right to privacy.

Privacy Legislation

Federal laws that address privacy generally focus on specific types of information, or specific custodians of information:

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 regulates medical providers, health insurance providers, and other affiliated entities that routinely handle “protected health information”;
  • The Fair Credit Reporting Act (FCRA) regulates the collection and distribution of consumer credit information, particularly by the major credit reporting agencies;
  • The Electronic Communications Privacy Act (ECPA) of 1986 restricts wiretaps and other forms of electronic monitoring;
  • The Children's Online Privacy Protection Rule (COPPA) regulates the collection of data concerning children under 13 years old; and
  • The Federal Trade Commission Act allows the FTC to enforce a company's own privacy policy and representations regarding privacy.

Many states have enacted their own data privacy laws. For example, California’s Online Privacy Protection Act (CalOPPA) regulates commercial websites that collect “personally identifiable information” from users, including disclosure requirements and the consumers’ rights to review and modify their information.

The California Consumer Privacy Act

The California Consumer Privacy Act of 2018 (CCPA) generally requires that California consumers be informed of personal data collected by businesses and allows consumers to request that a business delete collected data. Other states, such as Virginia and Colorado, have begun to enact similar laws.

Illinois' Biometric Information Privacy Act (BIPA) regulates the collection of users' biometric data, like fingerprints, retina scans, voiceprints, and facial geometry. The law requires that users receive notice of and consent to the data collection.

Several states, as well as the U.S. Congress, have introduced bills that would enable consumers to opt out of having their internet activity “tracked” by third-party websites. These bills have been compared to the Do-Not-Call lists that help consumers avoid telemarketers.

Communications and Internet Law Center Contents   

Related Areas