Brandon Faulkner, Hacking into Data Breach Notification Laws

59 Fla. L. Rev. 1097 (2007)

INTRODUCTION :: On March 23, 2007, a news agency announced that the police department in Gainesville, Florida, arrested six individuals on charges that they had stolen credit card data from a corporation’s database and purchased more than $8 million in gift cards and electronics using stolen identities. There is a growing trend for companies that possess some of the largest “personal identification information” databases to experience substantial security breaches. On June 16, 2005, MasterCard International announced that CardSystems Solutions, Inc., a credit card transaction processor, exposed more than forty million consumer records after hackers accessed CardSystems’ database by exploiting deficiencies in CardSystems’ security measures. The hackers became privy to consumers’ names, card numbers, and card security codes.

In the modern age, the conveniences of electronic payment systems facilitate the rapid theft of millions of identities. The characteristics of cyber-crime have practically eliminated the spatial and temporal restraints that have traditionally limited the quantity of victims and the amount of damages. As a result, commercial, social, and legislative organizations must formulate new methods to confront the paradigmatic challenges that technology-enabled crimes present.


The traditional deterrent, civil litigation, has proved ineffective when a company’s negligence in securing personal information leads to identity theft. Using the internet, a hacker can operate anonymously, diminishing any likelihood that authorities will apprehend her. Only speculation and circumstantial evidence link a company’s security policies to damages caused by identity thieves. As a result, a consumer is unlikely to prevail in a tort claim because of an inability to prove duty, negligence, or causation. Additionally, a consumer whose information is compromised lacks any redress until she realizes damages. Because the risk of loss rests solely on consumers, data-storing entities are motivated to remain tight-lipped and avoid litigation.

In an attempt to resolve the issues expressed above, Part II of this Note examines the development and use of personal identification information and the adverse consequences of identity theft, one of the fastest growing crimes in the United States. In Part III, this Note focuses on the commonalities and disparities between data breach notification requirements from various state jurisdictions. The statutes of California, Florida, and North Carolina serve as a representative basis for comparison, while peculiarities of other states’ statutes are highlighted as well. Part IV discusses the federal government’s participation in resolving the notification dilemma. In Part V, this Note recommends legislation requiring data-storing entities to serve as fiduciaries of consumers’ private information.
