THE GLOBAL RISE OF A DUTY TO DISCLOSE INFORMATION SECURITY BREACHES

摘要

As can be seen, the scope of the duty to disclose breaches in an organization's information security extends far beyond even the maligned section 1798.82 of California's Security Breach Information Act. In this way, the complaints about section 1798.82 are unfounded: the California law does not impose a dramatically new obligation. Moreover, as businesses become increasingly global, privacy legislation becomes increasingly widespread. Many jurisdictions have laid the foundation for an obligation to disclose breaches of information practices. In another way, the complaints about section 1798.82 reflect misgivings about a burgeoning duty to secure information. Some aspects of these misgivings are well-founded: the duty to disclose information security breaches does heighten the possibility of liability from security breaches and adds market discipline to the costs of security breaches. (One study found that publicly-traded firms which disclosed security breaches lost 2.1% of their market value within two days of the disclosure.) Misgivings about section 1798.82, and duties to secure infor-mation and disclose security breaches, stem from a disgruntled perception that collecting and maintaining data has become an increasingly risky proposition. Given the prevalence of computer intrusions and other kinds of information security breaches and the extensive obligations to ensure information security, the perception is increasingly correct. Data collectors can respond to that risk in at least three ways: they can expand the necessary resources to secure the information they collect, they can purchase the necessary insurance to guard against liability, or they can curtail their collection and maintenance of data.