
Speaking Truth to/as Victims – A Jurisprudential Analysis of Data Breach Notification Laws

The Responsibilities of Online Service Providers

Part of the book series: Law, Governance and Technology Series ((LGTS,volume 31))

Abstract

This chapter analyses data breach notification laws (DBNLs) from a jurisprudential perspective. DBNLs impose duties on people who are themselves victims of a crime, and a violation of those duties can in turn trigger criminal sanctions. To analyse what type of duties a democratic society under the rule of law may impose on victims, we need a conceptual framework that links duties to participate in the investigation and prosecution of crime to the specific roles a person can occupy in relation to that crime. Duff and Marshall have developed such a theory of the criminal law; the chapter applies it to DBNLs, combining their approach with Floridi’s concept of the infosphere.


Notes

  1. United States v. ChoicePoint, Inc., No. 1:06-CV-0198 (N.D. Ga. Feb. 15, 2006), http://www.ftc.gov/os/caselist/choicepoint/stipfinaljudgement.pdf; see also Otto et al. (2007).

  2. Cal. Civ. Code §§ 1798.29, 1798.82, 1798.84.

  3. Ibid., § 1798.82(a).

  4. So, e.g., the US Health Information Technology for Economic and Clinical Health Act (HITECH Act), which in addition to information about the facts of the breach (what data, when and, if known, by whom) also mandates information about the steps individuals should take in response to the breach, the steps being taken to investigate the breach, and the steps individuals may want to take to mitigate harm and protect against further harm.

  5. In the US, entities that are regulated under the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA) and that meet those acts’ more stringent and prescriptive regulations and guidelines are frequently exempted from DBNLs. See Stevens (2005), p. 6. Use of strong encryption can also create a safe harbour (Burdon et al. 2010a, b).

  6. So in the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15,736 (Mar. 29, 2005), a data breach notification regime for the financial sector.

  7. Art. 4(3), Directive 2009/136/EC.

  8. Commission Regulation (EU) No 611/2013, Art. 2(2).

  9. This problem is explicitly acknowledged in the German implementation of the Directive. § 42a S. 6 BDSG ensures that the information cannot be used in criminal proceedings against the company that reported the breach. (German law does not, however, recognise a fruit-of-the-poisonous-tree doctrine, so information that prosecutors found themselves when investigating in response to the notification is probably not affected.) Moreover, German law grants the right against self-incrimination only to natural persons, so legal persons such as companies, the typical data controller, will not be protected by this rule.

  10. Terrorism Act 2000, s. 19(b).

  11. 28 U.S.C. § 1651.

Bibliography

  • Bentham, J. (1827). Rationale of judicial evidence (Vols. 1–8). New York: Rothman & Co.

  • Bibas, S. (2002). The right to remain silent helps only the guilty. Iowa Law Review, 88, 421–432.

  • Burdon, M., Low, R., & Reid, J. F. (2010a). If it’s encrypted it’s secure! The viability of US state-based encryption exemptions. In Proceedings of the 2010 IEEE International Symposium on Technology and Society: Social Implications of Emerging Technologies. IEEE. http://eprints.qut.edu.au/32781/1/c32781.pdf. Accessed May 2016.

  • Burdon, M., Reid, J., & Low, R. (2010b). Encryption safe harbours and data breach notification laws. Computer Law & Security Review, 26, 520–534.

  • Desmedt, Y., Burmester, M., & Seberry, J. (2001). Equitability in retroactive data confiscation versus proactive key escrow. In K. Kim (Ed.), Public key cryptography (pp. 277–286). Berlin: Springer.

  • Draper, A. (2006). Identity theft: Plugging the massive data leaks with a stricter nationwide breach-notification law. John Marshall Law Review, 40, 681–703.

  • Duff, A. (2001). Punishment, communication, and community. New York: Oxford University Press.

  • Duff, A. (2010a). A criminal law for citizens. Theoretical Criminology, 14(3), 293–309.

  • Duff, A. (2010b). The boundaries of the criminal law. Oxford: Oxford University Press.

  • Duff, A. (2015). Legal reasoning, good citizens, and the criminal law. Minnesota Legal Studies Research Paper 15-18. http://ssrn.com/abstract=2618684 or http://dx.doi.org/10.2139/ssrn.2618684

  • Duff, A., Farmer, L., Marshall, S. E., Renzo, M., & Tadros, V. (2015). Criminalization: The political morality of the criminal law. Oxford: Oxford University Press.

  • Esty, D. C. (2004). Environmental protection in the information age. New York University Law Review, 79, 115–212.

  • Floridi, L. (1999). Information ethics: On the philosophical foundation of computer ethics. Ethics and Information Technology, 1, 33–52.

  • Floridi, L. (2002). On the intrinsic value of information objects and the infosphere. Ethics and Information Technology, 4, 287–304.

  • Floridi, L. (2005). Is semantic information meaningful data? Philosophy and Phenomenological Research, 70(2), 351–370.

  • Floridi, L. (Ed.). (2010). The Cambridge handbook of information and computer ethics. Cambridge: Cambridge University Press.

  • Floridi, L. (2015). Tolerant paternalism: Pro-ethical design as a resolution of the dilemma of toleration. Science and Engineering Ethics, 21, 1–20.

  • Goel, S., & Shawky, H. A. (2014). The impact of federal and state notification laws on security breach announcements. Communications of the Association for Information Systems, 34, 37–50.

  • Hirsch, D. D. (2013). The glass house effect: Big data, the new oil, and the power of analogy. Maine Law Review, 66, 373–396.

  • Kerr, O. (2016). Preliminary thoughts on the Apple iPhone order in the San Bernardino case: Part 2, the All Writs Act. https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/02/19/preliminary-thoughts-on-the-apple-iphone-order-in-the-san-bernardino-case-part-2-the-all-writs-act/. Accessed May 2016.

  • Kurzon, D. (1995). The right of silence: A socio-pragmatic model of interpretation. Journal of Pragmatics, 23, 55–69.

  • Lee, S. (2006). Breach notification laws: Notification requirements and data safeguarding now apply to everyone, including entrepreneurs. Entrepreneurial Business Law Journal, 1, 125–153.

  • Leonard, T. C. (2008). Richard H. Thaler, Cass R. Sunstein, Nudge: Improving decisions about health, wealth, and happiness [Book review]. Constitutional Political Economy, 19, 356–360.

  • Marshall, S. (2004). Victims of crime: Their station and its duties. Critical Review of International Social and Political Philosophy, 7, 104–117.

  • Marshall, S. (2015). ‘It isn’t just about you’: Victims of crime, their associated duties, and public wrongs. In A. Duff et al. (Eds.), Criminalization: The political morality of the criminal law. Oxford: Oxford University Press.

  • Naess, A. (1973). The shallow and the deep, long-range ecology movement: A summary. Inquiry, 16, 95–100.

  • Needles, S. A. (2009). The data game: Learning to love the state-based approach to data breach notification law. North Carolina Law Review, 88, 267–310.

  • Nowey, T., & Federrath, H. (2007). Collection of quantitative data on security incidents. In The Second International Conference on Availability, Reliability and Security (ARES) (pp. 325–334). Vienna: IEEE.

  • Otto, P. N., Antón, A. I., & Baumer, D. L. (2007). The ChoicePoint dilemma: How data brokers should handle the privacy of personal information. IEEE Security & Privacy, 5, 15–23.

  • Romanosky, S., & Acquisti, A. (2009). Privacy costs and personal data protection: Economic and legal perspectives. Berkeley Technology Law Journal, 24, 1061–1101.

  • Schneider, J. W. (2009). Preventing data breaches: Alternative approaches to deter negligent handling of consumer data. Boston University Journal of Science & Technology Law, 15, 279–304.

  • Schwartz, P. M., & Janger, E. J. (2007). Notification of data security breaches. Michigan Law Review, 105, 913–984.

  • Segall, L. (2015, September 8). Pastor outed on Ashley Madison commits suicide. CNNMoney.

  • Seidmann, D. J., & Stein, A. (2000). The right to silence helps the innocent: A game-theoretic analysis of the Fifth Amendment privilege. Harvard Law Review, 114, 430–510.

  • Simitian, J. (2009). UCB security breach notification symposium, March 6, 2009: How a bill becomes a law, really. Berkeley Technology Law Journal, 24, 1009–1018.

  • Skinner, T. H. (2003). California’s database breach notification security act: The first state breach notification law is not yet a suitable template for national identity theft legislation. Richmond Journal of Law & Technology, 10, 1–40.

  • Stevens, G. M. (2005). Data security breach notification laws. CRS Report for Congress R42475. https://www.hsdl.org/?view&did=706636. Accessed May 2016.

  • Sunstein, C. R. (1999). Informational regulation and informational standing: Akins and beyond. University of Pennsylvania Law Review, 147, 613–675.

  • Towle, H. K. (2003). Identity theft: Myths, methods, and new law. Rutgers Computer & Technology Law Journal, 30, 237–326.

  • Winn, J. K. (2009). Are “better” security breach notification laws possible? Berkeley Technology Law Journal, 24, 1133–1165.

  • Wintgens, L. J. (2006). Legisprudence as a new theory of legislation. Ratio Juris, 19, 1–25.

  • Zander, M. (1995). You have no right to remain silent: Abolition of the privilege against self-incrimination in England. Saint Louis University Law Journal, 40, 659–676.


Acknowledgement

This work was supported by the Arts and Humanities Research Council [grant number AH/M009610/1].

Author information

Corresponding author: Burkhard Schafer.

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Schafer, B. (2017). Speaking Truth to/as Victims – A Jurisprudential Analysis of Data Breach Notification Laws. In: Taddeo, M., Floridi, L. (eds) The Responsibilities of Online Service Providers. Law, Governance and Technology Series, vol 31. Springer, Cham. https://doi.org/10.1007/978-3-319-47852-4_5


  • DOI: https://doi.org/10.1007/978-3-319-47852-4_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47851-7

  • Online ISBN: 978-3-319-47852-4

  • eBook Packages: Law and Criminology