The National Academies Press

Currently Skimming:

Pages 44-48

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.

From page 44... ... 44 clause challenges are made to state legislation rather than to state common law claims.605 In Crowley v. Cybersource Corporation,606 in which the plaintiff brought a class action pursuant to the Federal Wiretap Act and the ECPA, the court held that state law claims for unjust enrichment, invasion of privacy, fraud by concealment, and breach of contract were not in violation of the Constitution on the theory "that only Congress may enact legislation regarding the Internet. Read the entire page →
From page 45... ... 45 unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.612 The term "personal information" includes a person's name, SSN, driver's license number, credit card numbers, security codes, PINs, or passwords.613 For example, the Ohio statute provides that an agency must disclose a breach of the security of personal information data. Personal information is defined to be an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable: (i) Read the entire page →
From page 46... ... 46 and civil penalties, it appears that in only 13 states and the District of Columbia would a person injured by a data breach have a private right of action,618 and that at least 4 states exempt government agencies from "enforcement proceedings."619 (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.615 (6) Read the entire page →
From page 47... ... 47 of the security of personal information.626 Some state privacy statutes allow a plaintiff to recover actual damages for a privacy violation, whereas other state statutes specify criminal liability for a violation. In some states, however, a civil penalty will not be assessed unless an agency's action was willful or intentional. Read the entire page →
From page 48... ... 48 is not prohibited "from recovering direct economic damages from a violation…."636 In Washington, a customer who is injured by a violation of the state's statutory requirement that a notice be given of a breach of security of personal information may institute a civil action for damages;637 however, an agency is not required to disclose a technical breach of a security system that does not seem reasonably likely to subject a customer to a risk of criminal activity.638 Finally, it may be noted that a number of class actions have been brought against private companies for damages allegedly caused by a breach of security and a theft of PII. Some cases have been dismissed, however, for lack of standing because a risk of future injury caused by a breach, such as a possible identity theft, in and of itself is "too speculative to confer standing"639 or because a plaintiff was unable to show an actual injury-in-fact.640 E Read the entire page →

From page 44...

... 44 clause challenges are made to state legislation rather than to state common law claims.605 In Crowley v. Cybersource Corporation,606 in which the plaintiff brought a class action pursuant to the Federal Wiretap Act and the ECPA, the court held that state law claims for unjust enrichment, invasion of privacy, fraud by concealment, and breach of contract were not in violation of the Constitution on the theory "that only Congress may enact legislation regarding the Internet.

Read the entire page →

From page 45...

... 45 unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a state agency or an agency of a political subdivision and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.612 The term "personal information" includes a person's name, SSN, driver's license number, credit card numbers, security codes, PINs, or passwords.613 For example, the Ohio statute provides that an agency must disclose a breach of the security of personal information data. Personal information is defined to be an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable: (i)

Read the entire page →

From page 46...

... 46 and civil penalties, it appears that in only 13 states and the District of Columbia would a person injured by a data breach have a private right of action,618 and that at least 4 states exempt government agencies from "enforcement proceedings."619 (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.615 (6)

Read the entire page →

From page 47...

... 47 of the security of personal information.626 Some state privacy statutes allow a plaintiff to recover actual damages for a privacy violation, whereas other state statutes specify criminal liability for a violation. In some states, however, a civil penalty will not be assessed unless an agency's action was willful or intentional.

Read the entire page →

From page 48...

... 48 is not prohibited "from recovering direct economic damages from a violation…."636 In Washington, a customer who is injured by a violation of the state's statutory requirement that a notice be given of a breach of security of personal information may institute a civil action for damages;637 however, an agency is not required to disclose a technical breach of a security system that does not seem reasonably likely to subject a customer to a risk of criminal activity.638 Finally, it may be noted that a number of class actions have been brought against private companies for damages allegedly caused by a breach of security and a theft of PII. Some cases have been dismissed, however, for lack of standing because a risk of future injury caused by a breach, such as a possible identity theft, in and of itself is "too speculative to confer standing"639 or because a plaintiff was unable to show an actual injury-in-fact.640 E

Read the entire page →

Key Terms

← Previous Chapter Skim

Next Chapter Skim →

This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More information on Chapter Skim is available.