The legal framework that was built almost two decades ago now struggles to keep pace with the rapid expansion of technology, including quantum computing and artificial intelligence, and an ever-evolving cyber threat landscape. In 2002, California passed the first data breach notification law, with all fifty states following suit to require notice of unauthorized access to and acquisition of an individual’s personal information. These data breach notification laws, originally designed to capture one-off unauthorized views of data in a computerized database, were not built to address PowerShell scripts by cyber terrorists run across thousands of servers, leaving automated accessed data in their wake. Similarly, the safe harbors for encryption built into these statutes were not designed with quantum computing and its possibility of quantum decryption in mind. These evolving technologies and threats require that state data breach notification laws be reformulated for a modern era. This Comment examines the interplay between these challenges and discusses a path forward.
Comment: The Necessary Evolution of State Data Breach Notification Laws: Keeping Pace with New Cyber Threats, Quantum Decryption, and the Rapid Expansion of Technology
Beth Burgin Waller and Elaine McCafferty
April 10, 2022