Abstract
Data breach—the improper exposure of consumers’ personal information held in corporate databases—costs consumers and businesses hundreds of billions of dollars each year. Despite significant regulatory, legislative, and academic scrutiny of this growing problem, the scale and severity of breaches have rapidly increased over the past two decades. Existing legal tools have proven woefully insufficient at either preventing or redressing the significant harm these breaches inflict.
Though change is urgently needed, none of the incremental reforms that have been proposed by scholars and advocates—including changes to contract and tort law, expansions of regulatory authority, and liberalizations of judicial standing doctrine—have gained traction. Other literature has suggested that a problem of this scale requires a more comprehensive approach: the creation of a public insurance program. This Note begins by synthesizing these more ambitious proposals, identifying the specific elements of existing public insurance programs that have proven effective at meeting policy challenges similar to today’s data breach epidemic. Specifically, the history of workers’ compensation and vaccine injury compensation programs in the United States suggests that no-fault liability, standardized recovery, and responsible-company indemnification could significantly reduce costs and improve substantive outcomes in the data breach landscape.
But this Note’s most important contribution is to lay out a policy framework for overcoming the intense industry opposition and political paralysis that have consistently derailed data breach reform efforts over the past decade. Converting theoretical data breach reform proposals into legal realities will require meaningfully improving the status quo for all stakeholders, including the data industry itself. With congressional productivity at a historic low, states have increasingly taken the lead in innovative policymaking, and implementing a large-scale public insurance program is therefore likely most feasible at the state level. California, in particular, has an unparalleled history of leadership in privacy policy and consumer protection. Accordingly, this Note proposes authorizing the California Consumer Privacy Agency to establish a public data breach insurance program, charged with (1) stanching the enormous financial losses that data breaches inflict on both businesses and consumers and (2) redirecting currently wasted resources towards fixing the root vulnerabilities that cause these breaches in the first place.