III. EVOLUTION OF TECHNOLOGY, INCLUDING QUANTUM COMPUTING, REQUIRES CHANGES TO THE CURRENT STATE DATA BREACH NOTIFICATION REGIME
The evolution of encryption and, specifically, quantum decryption technology, also exposes the need to transform data breach notification laws to fit a modern era. In his Note, Data Breach Notification Laws and the Quantum Decryption Problem, Phillip Harmon argues that “the impending realization of quantum decryption threatens to radically disrupt efficacy of the current state-level data breach notification patchwork.”[25]
Large-scale quantum computers threaten to turn the safety of encrypting messages on its head.[26] Indeed, the risk is so grave that beginning in 2016, the National Institute of Standards and Technology (NIST) “initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.”[27] The race is on, essentially, with “the goal of post-quantum cryptography (also called quantum-resistant cryptography) [being] to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.”[28]
25. See Harmon, supra note 1, at 513.
26. See Post-Quantum Cryptography, NIST (Jan. 3, 2017), https://perma.cc/44RC-SYE4 (last updated Dec. 2, 2021) (“If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.”).
27. Id.
28. Id. (emphasis omitted).
Many state data breach notification statutes were designed with a safe harbor for encrypted data. For example, Virginia’s data breach notification statute provides that “breach of the security of the system” is defined as
the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.[29]
The Commonwealth defines “encrypted” as the “transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or the securing of the information by another method that renders the data elements unreadable or unusable.”[30]
As Harmon points out in his Note, in the age of quantum computing, with quantum decryption looming, how does one consider a statute like Virginia’s that speaks to the “low probability of assigning meaning without the use of”[31] a decryption key?
Harmon addresses a number of issues related to quantum decryption technologies in his Note. Harmon concludes that “to soften the impact of this development, data breach notification laws should separate any reference of encryption from the definition of a breach to require alerts corresponding to past breaches made presently harmful by shifts in relative encryption security.”[32] Similarly, he argues that “statutes should require that data holders keep accurate records of data that they have held so that they can issue comprehensive notifications regarding past breaches.”[33]
29. VA. CODE ANN. § 18.2-186.6 (2021).
30. Id.
31. Id.
32. Harmon, supra note 1, at 513.
33. Id. at 514.
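The record-keeping Harmon recommends can be made concrete as a breach register that stores, for each past incident, which protection scheme covered the exposed data and whether notice has already gone out. When a scheme is later judged breakable (the “shift in relative encryption security” Harmon describes), the register is re-evaluated and incidents that previously fell inside an encryption safe harbor surface as new notification obligations. The following is an added illustration written for this page, not code from Harmon’s Note or from any statute; the incident identifiers, dates, data elements, the list of “sensitive” elements that stand in for a Virginia-style identity-theft trigger, and the set of broken schemes are all constructed assumptions.

```python
"""
Breach register that re-evaluates past incidents when a protection scheme
is later judged breakable. Added example; all data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Incident:
    incident_id: str                # constructed identifier, not a real case
    occurred: date
    states: FrozenSet[str]          # states whose residents were affected
    data_elements: FrozenSet[str]   # kinds of personal information exposed
    scheme: Optional[str]           # protection scheme covering the data; None = clear text
    notified: bool                  # has notice already been issued for this incident?


# Constructed sample register (not real breaches).
REGISTER: List[Incident] = [
    Incident("INC-0001", date(2019, 3, 2), frozenset({"VA"}),
             frozenset({"ssn"}), None, True),
    Incident("INC-0002", date(2020, 7, 9), frozenset({"VA", "MD"}),
             frozenset({"ssn", "dob"}), "RSA-2048", False),
    Incident("INC-0003", date(2021, 1, 14), frozenset({"NC"}),
             frozenset({"account_number"}), "AES-256-GCM", False),
    Incident("INC-0004", date(2018, 11, 30), frozenset({"VA"}),
             frozenset({"name"}), "RSA-2048", False),
]

# Assumed stand-in for elements whose exposure could enable identity theft or
# fraud. A real register would map this to each statute's own definition.
SENSITIVE: Set[str] = {"ssn", "dob", "account_number", "drivers_license"}


def is_protected(incident: Incident, broken_schemes: Set[str]) -> bool:
    """The safe harbor holds only while the scheme exists and is not judged broken."""
    return incident.scheme is not None and incident.scheme not in broken_schemes


def requires_notification(incident: Incident, broken_schemes: Set[str]) -> bool:
    """Notice is owed if none has gone out, the data is no longer protected,
    and at least one exposed element is of the sensitive kind."""
    if incident.notified:
        return False
    if is_protected(incident, broken_schemes):
        return False
    return bool(incident.data_elements & SENSITIVE)


def reevaluate(register: Iterable[Incident], broken_schemes: Set[str]) -> List[str]:
    """Incident ids that newly require notification under the given threat picture."""
    return sorted(i.incident_id for i in register
                  if requires_notification(i, broken_schemes))


def notifications_by_state(register: Iterable[Incident],
                           broken_schemes: Set[str]) -> Dict[str, List[str]]:
    """Group newly-owed notifications by state, since each state's law is
    evaluated separately for the same incident."""
    out: Dict[str, List[str]] = {}
    for inc in register:
        if requires_notification(inc, broken_schemes):
            for state in inc.states:
                out.setdefault(state, []).append(inc.incident_id)
    return {s: sorted(ids) for s, ids in sorted(out.items())}


if __name__ == "__main__":
    print("today:", reevaluate(REGISTER, set()))
    # Constructed assumption: RSA-2048 is later placed on the broken list.
    print("after RSA-2048 judged broken:", reevaluate(REGISTER, {"RSA-2048"}))
    print("by state:", notifications_by_state(REGISTER, {"RSA-2048"}))
```

Under the current threat picture the register yields nothing: one incident was already notified and the rest sit behind a scheme still treated as intact. Once the RSA-2048 entry is marked broken, the 2020 incident resurfaces for Virginia and Maryland residents while the 2018 incident does not, because only a name was exposed. The point of keeping the `scheme` column is that this re-evaluation is possible at all; a register that recorded only “encrypted: yes” could not distinguish the two.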
Though changes to data breach notification laws were proposed in 2021, those proposed changes are modest.[34] The National Conference of State Legislatures notes that in 2021 the trends included legislation that would “[e]stablish or shorten the time frame within which an entity must report a breach”; “[r]equire state or local government entities to report data breaches”; “provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach”; “[e]xpand definitions of ‘personal information’ (e.g., to include biometric information, health information, etc.)”; and “require private sector entities to report breaches to the state attorney general or other state entity.”[35]
What is absent from these 2021 legislative changes is any amendment that captures an evolving threat landscape coupled with evolving technologies. These state data breach notification laws effectively create a patchwork quilt of requirements that national businesses and organizations must navigate, law by law, in the midst of a large-scale consumer data breach. The result can be that the same incident gives rise to notification requirements under one state’s law but not another’s, with similarly situated consumers in different states facing wildly different outcomes.