Optimizing breach notification

Mark Verstraete, Tal Zarsky

Research output: Contribution to journalReview articlepeer-review


Our lives depend on digital infrastructure and maintaining data security is now a crucial social objective. An emerging central strategy to promote data security is through breach notification laws, which require firms to give notice upon discovering a security breach. These laws are pervasive and prominent. All fifty states, several federal laws, and the E.U.’s General Data Protection Regulation (“GDPR”) and Organisation for Economic Co-operation and Development (“OECD”) have incorporated notification schemes into an array of privacy and data security efforts. However, these laws are in flux, with different jurisdictions constantly offering new requirements and exceptions. In view of looming and important regulatory changes, this Article interrogates the structure and efficacy of the diverse set of data breach notification statutes and proposes an optimal regulatory path forward. In doing so, it provides crucial theoretical insights about both data breach notification laws and theories about legal remedies more generally. The Article begins by introducing the “nuts and bolts” of data breach notification statutes and their normative justifications. It breaks new ground by offering a novel taxonomy of normative justifications. In particular, a data breach notification statute can be justified as set to promote four objectives: deterring firms from applying lax security ex ante, mitigating the harms caused to individuals from the breach ex post, generating information flows regarding security breaches to regulators and experts, and enhancing the autonomy of impacted individuals harmed by the breach. Importantly, different regulatory design strategies promote some of these justifications at the expense of others. Further, this Article assesses the conventional wisdom about breach notification statutes that frames these unique laws within more traditional legal remedies (such as negligence, reputational sanctions, and strict liability). The Article demonstrates that these traditional legal paradigms fail to capture the unique features of breach notification requirements. As a result, breach notification cannot be subsumed into these well-worn models. Finally, the Article examines overlooked consequences of breach notification schemes by explaining that the normative and practical foundations of data breach notification statutes are complicated by central yet under-theorized features of both cybersecurity and tort law—unfairness and moral luck and activity levels. The Article then returns to the noted basic justifications and demonstrates how they are impacted by these overlooked theoretical insights. The Article concludes by applying these insights to provide a roadmap for regulators to build a data breach notification statute that aligns with their objectives and allows them to optimize their preferences while assuring fairness and efficiency.

Original languageEnglish
Pages (from-to)803-864
Number of pages62
JournalUniversity of Illinois Law Review
Issue number3
StatePublished - 2021

Bibliographical note

Publisher Copyright:
© 2021 University of Illinois College of Law. All rights reserved.

ASJC Scopus subject areas

  • Law


Dive into the research topics of 'Optimizing breach notification'. Together they form a unique fingerprint.

Cite this