The Data Breach Notification That Cried Wolf: How Connecticut’s Overbroad Data Breach Notification Statute Undermines the Effectiveness of Consumer Protection

Robinson & Cole LLP
Contact
LinkedIn
Facebook
X
Send
Embed

[author: Jackson Raymond Schipke]

Connecticut’s data breach statute is a wolf in sheep’s clothing. That statute’s definition of “breach of security” is overbroad, encourages over-notification, and undermines the goal of protecting consumers from identity theft. In Connecticut, notification is triggered by mere access of personal information, a statutory feature that encourages over-notification. Over-notification refers to a Boy-Who-Cried-Wolf-like phenomenon. Specifically, when consumers receive many notices of breaches that do not result in identity theft, notices of high-risk breaches will be ignored because the “average” data breach poses no risk of harm – a result that clearly undermines the statute’s consumer protection goals.

Importantly, Connecticut’s data breach law only applies to Connecticut businesses. Therefore to the extent that data breach notices damage a business’s reputation (which they surely do) Connecticut businesses are placed at a disadvantage to similarly situated businesses in other states due to the greater frequency of required disclosure of breaches. Under Connecticut’s regime of over-notification consumer backlash ceases to be a free market force that rightfully punishes businesses that have exposed their customers to identity theft, thus making consumer backlash in this context an artificial, ineffective, and frankly unfair market force. While fully in line with Connecticut’s well-earned reputation as anti-business, this negative effect is likely unintended and certainly does not further the statute’s consumer protection policy goals.

Connecticut’s regime of over-notification fails to apprise consumers to notices of true threats to their financial security, which at best makes the statute ineffective and at worst puts consumers at greater risk of identity theft. The policy goal should be to provide more effective notice in the form of less volume and more substance. Such legislation needs to be re-drafted to optimize consumer protection while minimizing unnecessary harm and cost to Connecticut businesses. Until then, breach notices will continue to cry-wolf to Connecticut’s consumers, and Connecticut businesses will suffer under a law that is, in its effect, anti-consumer and anti-business.

[View source.]

Written by:

Robinson & Cole LLP
Robinson & Cole LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Robinson & Cole LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide