INTRODUCTION
The legal framework that was built almost two decades ago now struggles to keep pace with the rapid expansion of technology, including quantum computing and artificial intelligence, and an ever-evolving cyber threat landscape. In 2002, California passed the first data breach notification law, with all fifty states following suit to require notice of unauthorized access to and acquisition of an individual’s personal information.1 These data breach notification laws, originally designed to capture one-off unauthorized views of data in a computerized database, were not built to address PowerShell scripts that cyber terrorists run across thousands of servers, leaving automatically accessed data in their wake. Similarly, the safe harbors for encryption built into these statutes were not designed with quantum computing and its possibility of quantum decryption in mind. These evolving technologies and threats require that state data breach notification laws be reformulated for a modern era. This Comment examines the interplay between these challenges and discusses a path forward.
Table of Contents
- INTRODUCTION
- I. EMERGING THREATS HAVE UPENDED DATA BREACH NOTIFICATION LAWS
- II. STATE DATA BREACH STATUTES FAIL TO ADDRESS AUTOMATED WIDESPREAD ACCESS AND UNCLEAR ACQUISITION
- III. EVOLUTION OF TECHNOLOGY, INCLUDING QUANTUM COMPUTING, REQUIRES CHANGES TO THE CURRENT STATE DATA BREACH NOTIFICATION REGIME
- IV. THE PUSH FOR FEDERAL LEGISLATION TO UNIFY A NOTICE STANDARD AND ADDRESS THESE CONCERNS