Stein, David, Data Insecurity Laws (July 27, 2023). __ Santa Clara High Tech. L.J. __ (Forthcoming), Available at SSRN: https://ssrn.com/abstract=4523433– “By broad consensus, data security laws have failed to stem a rising tide of data breaches. Data security laws come in three forms: duties to protect data, duties to notify consumers after a breach, and post-breach remedies. Almost every data security law is enforced through sanctions, most of which are applied after a company discovers a data breach. Lawmakers and commentators blame some combination of under-enforcement and a failure to recognize the full range of data breach harms. Proposed solutions include a variety of expansions and augmentations of existing data security laws.These proposed solutions share a fatal flaw: they are rooted in traditional theories of deterrence by punishment. In theory, companies increase their data security efforts to avoid sanctions. While appropriate for companies that purchase software, this approach is ineffective when applied to companies that build and provide software as an online service. This Article explains why improved cybersecurity increases expected sanctions in the cloud context. This finding implicates the security of almost all personal data; online services hold the lion’s share of personal data, and offline firms rely heavily on online software to operate their businesses. Fixing data security law requires more than a few adjusted provisions. This Article advocates for a completely new approach to data security regulation, founded on a systemic view of data security practice. By focusing on system-level incentives instead of individual outcomes, policymakers can recalibrate their regulatory interventions to bring data security law back into harmony with their policy goals.”