After the string of data breaches that affected Target, Neiman Marcus and other retailers, the security vulnerability of Big Data has come under scrutiny. The proliferation of data breaches also has banks, retailers, credit card companies, regulators and others all asking one question: How do we solve the data breach problem?

On Friday, February 21, at the Maine Law Review 2014 Privacy Symposium, Capital University Law Prof. Dennis Hirsch suggested we look to environmental law to find an answer. At the symposium, Hirsch presented his forthcoming paper “The Glass House Effect: Big Data, Oil Spills and the Need for Clean Data Technology,” which suggests the legal and policy solutions used to reduce oil spills may provide a framework for reducing data breaches. While Hirsch admits the paper’s recommendations are “intended (to be) provocative suggestions (rather) than full-fledged proposals…to spark creative thinking about solutions,” it’s worth evaluating at least two of his suggestions.

Recognition of Noneconomic Harm

Hirsch begins by explaining that commercial fishermen and owners of businesses relying on beach tourism, whose livelihoods were devastated by oil spills, could not sue for damages until the passage of the 1990 Oil Pollution Act, which created new causes of action for damage to economic interests. Prior to the passage of the Oil Pollution Act, the law only provided recovery for damage to property. Hirsch then suggests that similar legislation recognizing noneconomic damages created by data breaches could help solve the data breach problem.

In data breach litigation, plaintiffs often struggle to prove harm because many courts are reluctant to recognize the risk of future damage as an injury. This struggle is particularly difficult for plaintiffs in federal court, who must demonstrate an injury that is “concrete and particularized” and “actual or imminent” to satisfy the injury-in-fact standing requirement. Plaintiffs who cannot show that the data breach resulted in identity theft or fraud are likely to have their cases dismissed for lack of standing, even if they have suffered noneconomic harms like emotional distress or embarrassment due to the release of sensitive data such as HIV status.

For years, federal circuit courts split on how to handle plaintiffs’ allegations of an increased risk of harm after a data breach. The First, Seventh and Ninth Circuit Courts had found an increased risk of future harm sufficient for standing, while the Third Circuit had not. In 2013, however, the U.S. Supreme Court held in Clapper v. Amnesty International that plaintiffs must show that the threatened harm that establishes their standing to sue for prospective relief is “certainly impending,” not merely “possible.” Even when plaintiffs can satisfy standing requirements, they often struggle with showing compensable damages, as courts traditionally calculate relief by demonstrated monetary losses.

Given that most plaintiffs sue based on an increased risk of future harm, it may be necessary for Congress to pass legislation that recognizes that increased risk is harm in and of itself. Without such legislation, it will remain difficult for consumers to successfully bring data breach actions to recover for the full range of injuries—including noneconomic harms—they may sustain as a result of a data breach. Outside of the courts, there are few other means of personal redress for data breach victims, so it is important that consumers have a fair opportunity to have their cases heard. Further, an increased risk of successful litigation provides an incentive for companies to take additional measures to protect themselves against a data breach.

The judiciary has largely shaped the notion of what constitutes harm or injury in the context of a privacy violation like a data breach, while social norms and new technologies have shaped consumers’ notions of harm. Those notions don’t fit neatly within the statutory framework that currently exists for privacy violations. Hirsch’s suggestion that Congress redefine harm as it relates to data breaches deserves consideration because consumers’ notions of privacy have shifted. Further, if privacy laws exist to protect consumers, perhaps legislation should take account of consumers’ notions of privacy.

Privacy by Design Mandate

Next, Hirsch explains that oil transporters operating in U.S. waters were also required by the Oil Pollution Act to use a double-hull design, an environmentally friendly design that significantly reduced the chance of an oil spill. He later suggests that legislation could be used in a similar fashion to require “information-intensive firms” to employ Privacy by Design.

Privacy by Design is an approach to protecting privacy that incorporates privacy protections into the design of systems, processes and products at each stage of development. However, simply legislating that companies adopt a particular approach to information protection would likely yield widely varying results and would be difficult to monitor and enforce.

A statute requiring the use of Privacy by Design would likely be either too vague or too specific to bring about meaningful, sustainable change. Such a statute would need some flexibility, because technology is rapidly changing and the methods appropriate to protect consumer information vary depending on a number of factors, including the type of information. Too much pliancy, however, could lead to a situation where an organization has a good-faith belief that it has implemented Privacy by Design without actually providing the privacy protection the statute contemplated.

On the other hand, if the statute’s standard were more rigid, the method prescribed could be rendered obsolete by changes in technology or business models. As a result, it would be difficult for Congress to mandate any meaningful privacy or security standards by statute. To avoid such problems, the Federal Trade Commission, for example, has traditionally refused to prescribe particular technical standards for comprehensive privacy and security programs. Additionally, mandating privacy and security standards may decrease an organization’s incentive to improve upon their privacy practices or develop data security technologies that go beyond the statutory standard. Moreover, Hirsch’s suggestion that Congress adopt legislation requiring “information-intensive” firms to utilize Privacy by Design may neither yield enhanced privacy protection nor reduce the incidence of data breaches.

Nevertheless, there are alternatives to legislation that could incentivize companies to implement and maintain privacy and security measures that reduce their risk of suffering a data breach. For example, in February, the Obama administration launched the Cybersecurity Framework, a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. According to the White House, “The Framework enables organizations—regardless of size, degree of cybersecurity risk or cybersecurity sophistication—to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”

The Cybersecurity Framework was developed by the National Institute of Standards and Technology, with extensive input from businesses and industry experts. This approach is favorable because government-industry collaboration sets the foundation for future cooperation and facilitates greater accountability and buy-in among industry stakeholders. Further, collaborative efforts such as this often yield balanced standards rather than standards that favor either public or private interests. Another benefit of avoiding the legislative process is that the resulting code of conduct can be updated and modified more quickly than a statute, so that its guidance can keep up with changing technology.


Whether Hirsch’s suggestions at this stage are viable or not, these suggestions certainly open the door to new conversations about how to approach the data breach problem. There is nothing new under the sun, goes the old cliché, and so perhaps privacy professionals should take a closer look at the examples set by environmentalists and oil companies to see how we can learn from their successes and failures.

Written By

Dennis Holmes
