Consumers routinely entrust businesses with personal information, including their names and addresses, financial account numbers, medical information, and other information commonly deemed “private.” Our legal system only has a few laws and enforcement mechanisms to protect consumers from data breaches that could leave them vulnerable to identity theft and other illegal schemes. Courts have also offered only cursory recognition of a general right to privacy. Most laws dealing with the privacy of consumers’ personal information fall into two categories: laws that prohibit accessing computer systems without authorization, and laws that protect specific types of information.
The term “data breach” refers to any release of private, confidential, sensitive, or proprietary information into an unsecured or untrusted environment. The information could be released onto another computer or computer network, or directly onto the internet where anyone could access it. The release could be a deliberate or accidental act by someone with responsibility for the security of the information, or the result of an unauthorized intrusion into a secured computer network. Recent data breaches include the breach of the retail company Target, which resulted in the theft of millions of customers’ credit card information, and the breach of Apple’s iCloud data storage system, which was followed by the release of the private photos of numerous (mostly female) celebrities.
Data Breach Laws
Laws like the federal Computer Fraud and Abuse Act (CFAA) prohibit unauthorized access to computer systems. The statute originally applied only to computers used by the government or financial institutions, but because it also covers any computer “used in a manner that affects interstate or foreign commerce,” the growth of the internet has extended its reach to almost any computer, smartphone, or tablet in use today. See United States v. Kramer, 631 F.3d 900 (8th Cir. 2011).
Liability for Data Breaches
Most statutes addressing data security treat data breaches as something similar to trespass, focusing on the act of intruding on a computer or network without authorization. Consumers may also be able to assert civil claims against the business that operated the breached network, rather than the person who committed the breach, if their personal information is exposed. Sony Corporation, for example, settled claims in the summer of 2014 arising from a 2011 data breach that exposed the personal data of about 77 million PlayStation Network users. Target faces multiple class action lawsuits over its 2013 data breach.
Right to Privacy
The U.S. Supreme Court ruled that the U.S. Constitution protects an individual right to privacy in Griswold v. Connecticut, 381 U.S. 479 (1965). The question of exactly how that ruling on “marital privacy” extends to digital and online privacy rights, however, remains unanswered. California is the only state whose constitution expressly recognizes an individual right to privacy.
Federal laws that address privacy generally focus on specific types of information, or specific custodians of information:
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 regulates medical providers, health insurance providers, and other affiliated entities that routinely handle “protected health information”;
The Fair Credit Reporting Act (FCRA) regulates the collection and distribution of consumer credit information, particularly by the major credit reporting agencies; and
California’s Online Privacy Protection Act (OPPA) regulates commercial websites that collect “personally identifiable information” from users, including disclosure requirements and the consumers’ rights to review and modify their information.
Several states, as well as the U.S. Congress, have introduced bills that would enable consumers to opt out of having their internet activity “tracked” by third-party websites. These bills have been compared to the Do-Not-Call lists that help consumers avoid telemarketers.