SAHARA WILLIAMS,

Practicing engineer, fourteen-year entrepreneur. J.D., 2020, Indiana University Robert H. McKinney School of Law focused on Intellectual Property Law.

Over the past ten years, reported data breaches in the U.S. have increased from 656 breaches, exposing 35.7 million records, to 1,244 breaches, exposing 446.52 million records, at the end of 2018. Doing the math, that is more than ten times the stolen records per breach, indicating hackers are getting more efficient. Forty-six percent of breaches in 2018 targeted the general business sector, accounting for a staggering ninety-three percent of exposed records. The impact on U.S. businesses has been significant by damaging the brand reputation and impacting consumer trust and satisfaction. Organizations reported losing an average of $5.7 million when their customer base dropped by four or more percent due to security breaches. Even organizations affected by data breaches that were, for the most part, able to maintain customer loyalty suffered an average loss of $2.8 million.

The cost of data protection is skyrocketing due to expenses from upgrading security measures, conducting breach response activities, and litigating liability. Reported data breach response costs were up 1.5% for the first four months of 2019 over the previous year. The average response cost per record is $150, and total average response costs are $3.92 million. While businesses reported that more than fifty percent of data breach expenses amassed within a year of the data breach discovery, more than ten percent of costs accrued more than two years after the breach. The interest in data protection is not just about mitigating financial losses for businesses. Many “bad actors” in cybersecurity and data analytics are foreign nationals or state-sponsored terrorists seeking to compromise U.S. national security, gain advances in international relations, or even influence U.S. elections and political views. U.S. data protection vulnerabilities span the private and public sectors, and the strong interplay between the two creates joint liability and responsibility to address the issues.

While consumers generally face a lower financial burden than businesses, the impact of weak data protection laws can be devastating to consumers. When there is a data breach, consumers can become victims of identity theft, financial loss, jeopardized credit ratings, compromised personal privacy, and health record theft. Reported consumer losses due to identity theft were $16.8 million in 2017, and Federal Trade Commission records show an increase to $1.48billion in 2018. The economic impact of cyber hacking, the threats to national security, and the effect on consumers all demand that the United States focus on improving data protection. The question is, how should it be done? The federal government has focused on securing high-risk industries while state governments have mostly enacted consumer notification laws, and businesses have worked to better secure their networks.

Consumers, though, have started demanding a greater emphasis on data privacy. While Congress has proposed many failed data privacy measures, state governments have started to act. California led the way with the passage of the Consumer Privacy Act of 2018 (“CCPA”). Many believe the CCPA is serving as the tipping point for business sector support of a comprehensive federal data protection law in the United States.

This Note proposes enactment of a comprehensive federal data protection law that recognizes and balances individual privacy rights, enacts minimum cybersecurity standards, simplifies security breach responses, and increases efficiency in compliance and enforcement of cyber laws. Section II defines comprehensive data protection. Section III provides an overview of U.S. data protection laws. Section IV summarizes the momentum towards federal data privacy legislation. Section V identifies and analyzes alternative data protection approaches. Section VI proposes a comprehensive solution for improving data protection, and the components of the recommended comprehensive federal data protection law are summarized in Section VII. [Read entire Article here].