February 6, 2020 - Last week, George Mason’s Antonin Scalia Law School’s Center for Law and Economics hosted a panel on Capitol Hill called The Future of Data Breach Litigation. During the event, the panelists spoke about emerging trends such as GDPR in Europe and state privacy laws in the United States. I often hear about data privacy from the perspective of tech companies and how it affects the development efforts of product offerings, so it was informative to hear about concerns and needs from the legal perspective. A few things I found notable:

  • The need for provable or quantifiable privacy violation: one of the challenges that faces lawyers who argue data breach cases is that it can be difficult to actually prove that the victims of the breach suffered damages.
  • Data breaches affect future cybersecurity: we tend to get caught up in the privacy violation of these breaches, but one thing that was pointed out was that the private data which is revealed in a breach could compromise other things, such as the answers to security questions used for password recovery. This means that an adversary now knows more about you, and could potentially recover or reset your password for a site without your knowledge.
  • No court has yet interpreted what an "effort to cure the breach" means: the California Consumer Privacy Act (CCPA) has a clause that allows a consumer to take civil action if their unencrypted data has been compromised. The consumer must provide the company against which the action will be taken with 30 days written notice, and the company then has 30 days to cure the violation. However, as mentioned above, there is no formal definition outlining how to quantify or prove a privacy violation, and the law is so new that courts haven’t ruled on it to set precedent yet.

I found these points to be interesting food for thought because they seem to clearly involve both technical and non-technical aspects to both litigation and potential solutions as we look forward. Can we build models that help to quantify the damage of a data breach? Can we use emerging technology to find a way to mitigate (cure?) said damages?

It will also be interesting to watch the privacy law landscape evolve over the next two to three years. First of all, we will likely see some of the existing privacy laws showing up in litigation. This means that we will be able to watch as precedents are set. Some of these topics that have yet to be ruled upon will start to have decisions written in the record. Secondly, more states in the US are looking to draft their own privacy legislation. Some of this will likely start from CCPA or GDPR for fundamentals and make changes as they see fit. It's great that different states care about these privacy issues; I just wonder if the piecemeal policy that we will have at the outset will be more confusing to people and more difficult to implement for companies than it's worth.