Economic Justice via Public Insurance: What Data Breach Law Can Learn from Pandemics and Worker Injuries
Data breach—the improper exposure of consumers’ personal information held in corporate databases—costs consumers and businesses hundreds of billions of dollars each year. Despite significant regulatory, legislative, and academic scrutiny of this growing problem, the scale and severity of breaches have rapidly increased over the past two decades. Existing legal tools have proven woefully insufficient at either preventing or redressing the significant harm these breaches inflict.
Though change is urgently needed, none of the incremental reforms that have been proposed by scholars and advocates—including changes to contract and tort law, expansions of regulatory authority, and liberalizations of judicial standing doctrine—have gained traction. Other literature has suggested that a problem of this scale requires a more comprehensive approach: the creation of a public insurance program. This Note begins by synthesizing these more ambitious proposals, identifying the specific elements of existing public insurance programs that have proven effective at meeting policy challenges similar to today’s data breach epidemic. Specifically, the history of workers’ compensation and vaccine injury compensation programs in the United States suggests that no-fault liability, standardized recovery, and responsible-company indemnification could significantly reduce costs and improve substantive outcomes in the data breach landscape.
But this Note’s most important contribution is to lay out a policy framework for overcoming the intense industry opposition and political paralysis that has consistently derailed data breach reform efforts over the past decade. Converting theoretical data breach reform proposals into legal realities will require meaningfully improving the status quo for all stakeholders, including the data industry itself. With congressional productivity at a historic low, states have increasingly taken the lead in innovative policymaking, and implementing a large-scale public insurance program is therefore likely most feasible at the state level. California, in particular, has an unparalleled history of leadership in privacy policy and consumer protection. Accordingly, this Note proposes authorizing the California Privacy Protection Agency to establish a public data breach insurance program, charged with (1) stanching the enormous financial losses that data breaches inflict on both businesses and consumers and (2) redirecting currently wasted resources towards fixing the root vulnerabilities that cause these breaches in the first place.
Introduction
Data breaches have grown significantly in number and scale over the past decade, while the law has decidedly not kept pace.[1] After a company improperly exposes its customers’ or employees’ personally identifiable information (PII),[2] the current legal landscape requires it to devote enormous resources to responding in ways that do little to help victims manage the fallout.[3] Although breached companies collectively spend billions of dollars on notification compliance, legal negotiation, and settlement administration each year, almost none of that money ultimately reaches[4] the millions of consumers struggling to prevent or remediate credit card fraud, account takeover, identity theft, and the many other increasingly common harms of having their PII stolen.[5]
Internet forums, news outlets, and consumer complaint databases are filled with thousands of anguished accounts of what can happen in the aftermath of a breach.[6] For example, Amy Krebs spent over two years trying to track down and close dozens of fraudulent accounts that had been opened in her name by a single criminal:
I found out I was a victim pretty early on — after [the thief had] been using my information for six months. But still, she attempted to open up in the neighborhood of 50+ accounts. So I can only imagine how many accounts would have been opened if I hadn’t found out as early as I did. . . .
I [initially] couldn’t get to two of my [credit] reports because she had infiltrated my credit history to the point that her information overrode mine. I can’t even tell you what that felt like — like someone had taken over my life. I finally got into the third credit report by guessing questions. . . .
So, I scroll down, and I’m scrolling down, and there was account after account that wasn’t mine, inquiry after inquiry after inquiry. . . . I couldn’t keep up with her. She’s out there calling, trying to get credit and then I’m finding out about it. . . . Some things, like accounts that went to collections, didn’t show up on my credit report right away. . . . One account I found out about from a collection agency, so I then needed to work it out with both the collection agency and the original company. I sent all my information to both entities. They said it would be taken off. Six months later, I get a call from a different collection agency for that same balance with interest. I had to go back through the whole thing. . . .
I had to prove who I am, I had to go through court, I had to go through grand jury, I had to give testimony. I am very fortunate in my case that I had someone to point to. Sometimes, people aren’t as fortunate. . . .
Even if you do all the right things and shred things, and ask all the right questions, that won’t prevent you from being a victim. Wherever your information is held — where you file taxes, where you buy a car, go to school, get a job — they have your Social Security number.[7]
Krebs’s story is nightmarish, revealing how much hardship can be caused by a single breach even when the perpetrator is ultimately apprehended—which is quite rare.[8] But her story is all too common, illustrating the kinds of hardship that millions of people have had to endure for years after their PII was stolen from a company they had trusted to keep it safe.[9]
As this vignette shows, one significant barrier to meaningful consumer compensation for data breach is the months- to years-long delay in the harm that ultimately results—often well after any breach settlement has been finalized and the corresponding compensation fund exhausted.[10] Moreover, this delayed harm often makes it difficult to bring cases against breached companies at all.[11] Because distinct data breaches frequently expose many of the same pieces of PII over and over again, consumers who suffer identity theft generally cannot conclusively trace the crime back to one specific breach, which makes it impossible to establish actual causation, concrete harm, or the other elements of traditional causes of action.[12] Worse still, these delays and barriers to accountability have led data companies to deprioritize cybersecurity hygiene because they have repeatedly weathered minor breaches without suffering long-term financial consequences; ironically, this false sense of impunity only increases the long-term risk of more massive breaches and associated liabilities.[13] Despite extensive governmental and academic scrutiny, this paradox has continued to drive a vicious cycle of corporate failure and consumer harm.[14]
Fortunately, U.S. policymakers have confronted similarly daunting challenges several times before. The innovative public insurance schemes that were key to overcoming these challenges in the context of workers’ compensation and vaccine injury are readily adaptable to the similar structural challenges of data breach. Part I of this Note describes the problems with current data breach law and explains why it is in urgent need of reform. Part II surveys existing reform proposals before delving into the history of no-fault workers’ compensation and the National Vaccine Injury Compensation Program (VICP). Part III picks up where the current literature stops and proposes a blueprint for implementing an insurance-backed strict liability approach to data breach within the confines of contemporary political and jurisprudential constraints.
In sum, this Note synthesizes applicable lessons from previously successful public insurance programs into a proposal for a public insurance system for data breach, administered by a centralized data breach arbitration authority (DBA). Such an authority would be able to replace today’s frustrating and wasteful deluge of breach notifications and class action settlements with automatic monetary compensation to all affected consumers based on how much their stolen PII is actually worth. These payments would come from a public insurance fund that indemnifies breached companies, protecting them from further unanticipated expenses that would only distract from breach response and prevention. The fund would be supplied by predictable premium payments tied to each company’s demonstrated data security performance, such that a company’s premiums would go down if its data security posture improved and rise sharply if the company continued to handle PII irresponsibly.
Current political and judicial realities require that such a scheme be piloted at the state level, preferably from within an existing agency that already has the relevant funding and authority necessary to administer a large-scale public insurance program.[15] As the home of both Silicon Valley and the California Privacy Protection Agency (CPPA), California is uniquely well-equipped to break this ground. And should this approach prove successful in the birthplace of both the digital economy and digital privacy regulation, it can serve as a model for how to simultaneously reduce data companies’ breach response costs and expand consumer compensation across the country.
I. The Costly and Ineffective Status Quo
A. The Data Breach Pandemic
Though much about data breach law is contested, there is no dispute about the enormity of the challenges facing the field. For the past two decades, analysts have consistently reported year-over-year increases in the number, size, and severity of data breaches.[16] In 2015, a national survey indicated that sixty-four million Americans had received at least one data breach notification in the preceding year; half of those positive respondents had received two or more.[17] That notification-based estimate turned out to significantly understate the problem: The number of sets of PII actually breached in 2014 was closer to eighty-five million.[18] By 2017, the plague had become an epidemic, with 1,500 significant data breaches collectively exposing nearly two hundred million records. In aggregate, these records contained over 1.8 billion distinct (albeit overlapping) sets of PII.[19]
Since then, the number of sets of PII that belong to U.S. persons and are exposed in breaches each year has consistently exceeded the total U.S. adult population, often several times over.[20] This seemingly nonsensical statistic indicates that hundreds of millions of Americans have had their PII stolen over and over again, often multiple times each year.[21] The impact to businesses that handle PII is similarly ubiquitous: A 2022 industry survey showed that “84% of respondents said their organization has experienced an identity-related breach [between June 2021 and June 2022], with 78% citing a direct business impact as a result.”[22]
Despite increasingly alarmed commentary from politicians and industry insiders, the frequency and severity of data breaches only continue to increase. In the first half of 2024, several of the biggest U.S. consumer service providers—including AT&T, UnitedHealth, and Ticketmaster—were severely compromised, resulting in the exposure of over one billion records.[23] A concurrent but separate breach of the massive data broker National Public Data exposed 2.9 billion more records, with the attackers boasting that they had obtained Social Security numbers for “the entire [U.S.] population.”[24] Despite the enormity of these figures, they represent a tiny fraction of the tens of thousands of breaches affecting tens of billions of records over the past two decades.[25] Although many policy papers have been written and many hearings held about this problem, the “data suggests that companies and government regulators’ attempts to squash the . . . cyberattacks plaguing organizations have hardly made a dent.”[26]
B. Consumer Harm
Data breaches inflict staggering financial costs on millions of consumers each year. A frequent consequence of data breach is identity theft: A criminal actor uses a consumer’s stolen PII to open new financial accounts or access existing ones, runs up balances and claims refunds, and then disappears.[27] Approximately one in four victims of data breach suffers identity theft in the twelve months following the breach[28]—over twice the rate of identity theft experienced by members of the population who have not had their PII exposed in a recent data breach.[29] The Federal Trade Commission (FTC) received 1.1 million reports of identity theft in 2024—a decrease from the all-time high of 1.4 million reports in 2021, but more than double the pre-2020 annual average.[30] Furthermore, this number is likely a vast underestimate of how many identity theft victims there really are, as only a small fraction of identity theft victims submit reports to the FTC. Multiple analyses suggest that the actual number of annual victims is at least ten times higher.[31] The annual cost to consumers of identity theft exceeds $20 billion.[32]
The sophistication of identity theft has grown in tandem with its frequency, making each instance more damaging and difficult to mitigate. Synthetic account fraud is becoming increasingly common, with identity thieves combining real stolen data elements with fabricated names and contact information to make it harder for affected consumers to detect and contest the associated activity.[33] By using a synthetic identity to “apply for credit cards, loans, and government benefits” in exactly the right order,[34] perpetrators can generate a smokescreen of supporting documentation that primes the identity for subsequent exploitation.[35] Perpetrators will then use the new identity responsibly for a while to “build[] a good credit score,” only to ultimately “max out an identity’s credit and abandon its accounts.”[36]
Consumers have little ability to protect themselves from having their personal information stolen from a third-party company and little support for managing the fallout once a breach inevitably happens. Consumers broadly lack control over how their PII is shared in today’s information economy: Many breaches involve subcontractors, data aggregators, credit bureaus, and other companies to whom consumers never knowingly entrust any PII at all.[37] And once a breach does happen—now a near certainty for companies that handle PII[38]—the fallout can be very costly for consumers. One recent survey of identity theft victims found that a third of respondents “reported losses between $100-$500 . . . [and] 15% reported financial losses greater than $1,000.”[39] Another survey reported an “average per-victim loss from traditional identity fraud . . . [of] $1,551.”[40] Unexpected expenses of this magnitude would pose a significant hardship to most consumers. As of September 2023, 63 percent of American employees reported being “unable to cover a $500 emergency expense.”[41]
While identity theft insurance does exist, it is a new type of product that is largely unregulated and has significant limitations.[42] Notably, such plans “typically don’t cover stolen money or direct financial losses from fraudulent purchases and other unauthorized use of credit accounts.”[43] Moreover, most consumers simply do not have this kind of insurance: “[N]early two-thirds of victims (64%) had no identity theft insurance at the time” their identity was stolen.[44]
Accordingly, consumers have minimal control over who has access to their PII, minimal recourse once their PII has been exposed to bad actors, and minimal support for dealing with the financial fallout of such breaches. And despite their protestations of caring about consumer privacy,[45] data companies are not currently doing much to rectify any of these deficiencies.[46]
Current data privacy law merely requires breached companies to notify affected consumers that they were compromised, imposing no legal obligation to provide further recourse.[47] Accordingly, the typical breach disclosure is analogous to “a doctor telling you that you have cancer, and when you ask about next steps for treatment the doctor [says] that’s it, now you know.”[48] Moreover, a notification does no good at all for a consumer who never receives it—and given that most companies satisfy the notification requirement by sending physical letters to affected consumers, it is easy for notifications to be lost in the mail, sent to an old address, or simply thrown away unopened.[49]
Indeed, the single-digit consumer response rate to most breach and settlement notices leads many analysts to believe that even when a notification reaches its intended destination, most consumers “probably [do not] read the disclosure notice” because they “th[ink] it [i]s junk mail.”[50] Even if a breached company offers compensation of some kind, and an affected consumer receives the offer, and actually opens it, she “may not . . . read all the way through the notice to get to the point where” compensation is offered.[51]
To malicious actors, breach notifications present yet another opportunity to extract even more PII. When scammers find out about a “large data breach[,] they then take advantage of it,” sending “mailers out to thousands of consumers that may not even use [the breached] company.”[52] These fake notices often claim that the recipient’s “information has been compromised” and purport to offer support for dealing with the breach via a phone helpline or webform that actually does nothing but solicit more personal information.[53]
Finally, even in the unlikely event that a consumer overcomes all of these obstacles, the go-to compensation offered by breached companies is a service that consumers either already have or do not want.[54] Breached companies commonly offer affected consumers a short-term subscription to a “credit monitoring service”—support that many consumers already have as a result of their involvement in previous breaches.[55] These offers provide no value to consumers who already have monitoring in place.
Furthermore, signing up for credit monitoring services often requires consumers to entrust even more sensitive personal information to a company associated with the preceding breach, which only further compounds consumer fear and frustration. In 2015, for example, fifteen million T-Mobile subscribers had their personal information exposed by Experian through a data management subcontract.[56] By way of apology, Experian “offer[ed] T-Mobile customers two free years of credit monitoring services at ProtectMyID.com, which Experian owns.”[57] Unsurprisingly, customers balked at “using a credit monitoring service from the company that just exposed 15 million users’ data.”[58] Consumers were similarly unenthusiastic about Equifax’s response to its massive 2017 data breach. Near the end of a year-long sign-up window, “only 2% of victims” had accepted Equifax’s unusually generous offer of ten years of free credit monitoring services, even though the “retail value of [the] credit monitoring was an estimated $1,920”[59] and the FTC had run a marketing campaign to get affected consumers to sign up.[60] Likewise, consumers largely spurned Target’s offer of free credit monitoring after it suffered a major credit card information leak in 2013. As one affected consumer said, “I’m scared of links. I won’t put my Social Security number in . . . . They try to help you, but they’re asking for more information.”[61] Digital security analysts share consumers’ alarm at how free credit monitoring offers require consumers to “fork over [more] personal information to a company that’s just lost it.”[62]
Clearly, the industry-standard breach notifications and offers of free credit monitoring do not meaningfully compensate consumers for the hassle and expense of dealing with PII exposures. If anything, such communications often just make consumers even more angry, overwhelmed, and vulnerable. And neither notification nor monitoring does anything to help victims recover from the financial harms of data breach.[63]
C. Costs to Data Companies
Even as current law gives victims of data breach little to no recourse against the companies responsible for losing their PII, the companies themselves are not faring particularly well either.[64] The average corporate cost of a data breach in the United States in 2023 was $9.5 million, over twice the global average and significantly higher than in any other country “for the 13th consecutive year.”[65] Per record, breached companies had to spend over $181 for each exposed set of PII, only a tiny sliver of which was returned to the victims.[66] In fact, corporations’ typical response to data breaches only further compounded the resulting consumer harm: “[H]alf of breached organizations [were] unwilling to increase security spend[ing] despite soaring breach costs,” preferring to “pass incident costs onto consumers” instead of investing in better data security hygiene.[67]
The self-defeating irony in this response is that a full 30 percent of corporations’ post-breach costs in 2023 came from losing business due to reputational fallout.[68] Indeed, “75% of U.S. consumers [say they] would stop purchasing from a brand if it suffered a cyber incident.”[69] While this threat significantly overstates what consumers actually do following a data breach, it is still a compelling indicator of the effect a breach can have on a company’s relationship with its customers.[70] In fact, there is considerable evidence that breaches inflict significant long-term economic damage on affected businesses: “60% of organizations that have experienced data breaches have raised their prices,” and “companies experiencing a significant data breach incident underperform the NASDAQ by 8.6% after one year.”[71] Repeatedly exposing consumer PII and raising product costs—while failing to compensate victims or shore up defenses to prevent subsequent breaches—is likely to only further increase customer attrition. Given that “83% of organizations experienced more than one data breach during 2022,” data companies are stuck in a very damaging spiral.[72]
One particularly dysfunctional driver of this vicious cycle is the patchwork of distinct but overlapping federal and state data breach notification laws and the compliance headaches they create.[73] Despite how little support mandatory notifications offer to consumers, the costs of sending them can be significant.[74] In 2022, sending required consumer disclosures constituted 8 percent of overall data breach response costs, having doubled from 4 percent in 2018.[75] The proliferation of data breach notification laws has likely contributed directly to these rising costs, as “even the most ‘local’ business finds that it has collected data from residents of multiple jurisdictions and that it therefore must comply with the laws of each of those jurisdictions with different, sometimes conflicting, requirements.”[76]
Yet data breach notification laws have continued to be legislatures’ preferred remedy “because it looks like [they are] doing something for security” without appearing to impose significant burdens on industry.[77] But rather than protecting data companies from excess costs, this approach creates massive compliance burdens while all but requiring consumers seeking compensation to embark on a costly legal crusade to get it: Current law provides no recourse for most breaches other than “fact-intensive” private lawsuits based on ill-fitting tort theories.[78] Consequently, another significant cost of responding to data breaches is legal advice, which represented nearly a quarter of data companies’ data breach response costs from 2017 through 2021.[79]
II. Existing Proposals and Proven Solutions
A. No-Fault Liability, Arbitration, and Insurance
There is a broad consensus that the current legal landscape is woefully ill-equipped to handle data breach claims.[80] Patchy evolution in state and federal data privacy statutes,[81] stasis in common law theories of recovery,[82] and regression in standing doctrine[83] have inflicted great harm on consumers and data companies alike.[84] Dozens of academic articles discuss various thorny aspects of data breach liability, offering a wide range of solutions.[85] Many examine the numerous challenges of bringing data breach cases under tort common law, which include satisfying the breach and actual harm elements of negligence and evading the pure economic loss doctrine.[86] Other authors analyze problems of establishing standing in federal courts, which has always been difficult but became sharply more so after Spokeo v. Robins[87] and TransUnion LLC v. Ramirez:[88] Many “data breach actions[] are stalled at the motion to dismiss stage as courts debate whether the plaintiffs have standing to sue based on unrealized risks of harm.”[89] Still other authors point out how scattershot the statutory landscape is with respect to data privacy mandates, with some types of sensitive PII protected by weak federal laws that preempt stronger state equivalents. The unfortunate result is that state privacy laws are either restricted to protecting only less-sensitive information or entirely superseded in many of the highest-risk domains, including banking and healthcare.[90]
A considerable body of prior work has explored implementing insurance mandates for all companies that handle private data—though most of this literature struggles to define a clear and coherent standard for what kinds of companies should be included in the mandate and to articulate why private insurers would want to participate in such a high-risk market.[91] A handful of articles have specifically proposed the creation of a standing arbitrative authority empowered to compensate data breach victims without any showing of fault, arguing that “[a]dministered compensation funds seem to be most appropriate for circumstances with unexpected harms, innocent victims, and incidents that were largely out of the defendants’ control.”[92] Given the borderless nature of digital information, the majority of these discussions advocate for solutions to be implemented at the federal level, whether by agency rulemaking or federal legislation to define the breach of one’s PII as a legally cognizable harm:
A limited approach that both creates a consumer remedy and a regulatory authority to govern all data breach matters would improve outcomes for both consumers and organizations. The creation of a National Fund for Identity Theft will provide data subjects with direct redress for their harms and reduce transaction costs and administrative fees. The empowerment of a regulatory body and the creation of a safe-harbor based incentive scheme will hold organizations more accountable and provide them with cost certainty and elimination of catastrophic data breach risk.[93]
An important problem that prior work has not addressed, however, is how a strict liability approach to data breach would successfully manage the enormous financial liabilities involved, which pose a prohibitively high risk of insolvency to even the largest insurer.[94] Indeed, the commercial data breach insurance that is currently available has significant limitations and exclusions that are designed to limit consistent victim recovery—for “even if there is a robust re-insurance market, a large scale cyber-attack could bankrupt the insurance companies issuing the policies.”[95] Just indemnifying companies from the current annual cost of data breaches without adding any meaningful compensation for victims could easily exceed $30 billion.[96]
Existing proposals to reform data breach recovery via private insurance do not generally offer any solutions for defraying these massive liabilities or incentivizing private insurance companies to participate in such a high-risk market.[97] The steady erosion of the private home insurance market in California has highlighted the difficulty of getting private insurers to serve extremely high-risk markets without charging prohibitively high premiums.[98] But the homeowners insurance crisis also teaches an important lesson with great relevance to data breach law: When private insurance markets fail due to excessive risks that are unprofitable but socio-politically essential to indemnify, only large public institutions have the capacity to pick up the slack.[99] The question here, then, is how to implement a public data breach insurer in a way that is politically feasible and financially sustainable.
Unfortunately, contemporary political and jurisprudential realities all but foreclose the many innovative proposals to reform data breach law at the federal level, whether by legislation, regulatory rulemaking, or doctrinal evolution.[100] Despite the widely-recognized need for a sea change in data breach law, dozens of federal bills (with numerous cosponsors) proposing improvements to federal privacy law have failed to secure even an initial committee vote over the past two decades.[101] Even if such a bill were to somehow make its way through Congress in the future, it would likely face constitutional challenges in a Supreme Court that increasingly refuses to recognize types of rights and harms not rooted in “history” and “tradition.”[102] Similarly, a Consumer Financial Protection Bureau (CFPB) or FTC agency rule asserting the authority to regulate data breach under existing law would stand even less chance of surviving the scrutiny of a Court that has become deeply skeptical of administrative agency autonomy.[103] Accordingly, instituting a strict-liability approach to data breach will likely require proving the efficacy of such a scheme at the state level—following the same path that workers’ compensation took to broad adoption over a century ago.[104]
B. Workers’ Compensation
Workers’ compensation is a “grand compensation bargain” wherein workers “trade[] the right to sue an employer for damages in the tort or civil law system for benefits in a ‘no-fault’ administrative law system.”[105] The no-fault aspect of workers’ compensation is its “central tenet”: “[Workplace] accidents are accepted as a fact of life and the system exists to deal with their financial consequences in as expeditious a manner as possible.”[106] “In return for relatively more certain and more generous average postaccident benefits under workers’ compensation, however, workers forfeit[] their rights to common-law negligence suits.”[107] Thus, workers’ compensation allows an employer “to eliminate the uncertainties of large court awards in return for providing his workers with a set of benefits that on average [are] higher than those under negligence liability.”[108]
The pervasive dysfunctionality in workplace injury litigation at the turn of the twentieth century—remarkably similar to the legal breakdowns in the data breach landscape—made clear the urgent need to address “both labor and employer concerns about high rates of work-related injuries, insufficient compensation to injured workers, and continuing employer uncertainty about how to predict the costs related to these injuries.”[109] Before the rediscovery[110] of no-fault compensation for workplace injury in 1906, “injured workers trying to recover medical expenses, lost wages, and other damages had to prove the negligence of their employer in a long, costly, and uncertain process.”[111] Because fewer than one in five injuries could be conclusively traced to employer behavior, most injured workers received no compensation whatsoever.[112] Moreover, “workers had little opportunity to purchase accident or life insurance to help protect their potential loss of earnings” as such insurance was not yet widely available, and few workers were “aware of the importance and availability” of such insurance.[113]
Workers’ compensation was designed to tackle all of these challenges at once: “(1) to ensure that the cost of industrial injuries [was made] part of the cost of goods rather than a burden on society, (2) to guarantee prompt, limited compensation for an employee’s work injuries, regardless of fault, as an inevitable cost of production, (3) to spur increased industrial safety, and (4) in return, to insulate the employer from tort liability for his employees’ injuries.”[114] As audacious as those goals were, no-fault workers’ compensation quickly proved so successful that within fifteen years of the passage of the first small pilot program in the United States in 1906,[115] all but six states had passed their own workers’ compensation statutes, and most had made employer participation in the programs mandatory.[116]
Workers’ compensation in the United States has several key features designed to make recovery for injury prompt, predictable, and fair. Across all fifty states, workers’ compensation is structured as an insurance mandate, wherein employers make regular fixed payments either to dedicated insurance providers (some public, some private) or self-insurance funds.[117] In exchange for these premiums, employers are broadly indemnified from having to make any direct payments to compensate injured workers, who file claims against and are paid out of the insurance funds.[118] Dedicated state agencies generally handle filing, adjudication, and administration of claims, and only appeals of the decisions of those agencies receive judicial review (except in five states where courts also handle the initial claims).[119]
Workers’ compensation has proven remarkably successful, reliably compensating injured workers while reducing both employers’ rates of accidents and their accident-related expenses.[120] For workers, “the switch to workers’ compensation increased the amount of postaccident payments . . . [across] all types of accidents . . . by between 75 and 200 percent.”[121] For employers, workers’ compensation bought “labor peace . . . stem[med] the tide of court rulings that increasingly favored injured workers[,] . . . reduce[d] the costs of settling accident claims[,] . . . [and] reduced uncertainty about their accident payouts.”[122] Indeed, despite constituting “a major de jure redistribution of income,” workers’ compensation is overwhelmingly embraced by employers.[123] In 2019, 144 million jobs—90 percent of all jobs in the United States[124]—were covered by workers’ compensation at a cost (to employers) of $100 billion.[125] Over that same period, $63 billion of workers’ compensation benefits were disbursed—meaning that 63 percent of the money paid into the system was returned directly to its intended beneficiaries.[126] By comparison, “[t]he total economic cost of the U.S. tort system in 2020 was $443 billion,”[127] and “victims who file claims receive an average of 46 cents from each direct dollar spent on the system (with the other 54 cents going to attorneys’ fees and insurance expenses).”[128] Accordingly, workers’ compensation is at least 37 percent and as much as 74 percent[129] more efficient than the tort system at compensating injury victims, at a fraction of the overall cost.
Overall, workers’ compensation has proven that a strict-liability mandatory insurance scheme can provide effective redress for harms that are uncommon but inevitable, and for which recovery under traditional legal doctrines is onerous and inconsistent. Moreover, the history of workers’ compensation shows how a public insurance system can start out small and administered on a state-by-state basis but rapidly achieve massive scale and broad stakeholder support.
C. The National Vaccine Injury Compensation Program (VICP)
Much like workers’ compensation, the VICP was conceived as “a no-fault alternative to the traditional tort system,”[130] which had (once again) proven to be ill-equipped to handle inevitable but blameless accidents in a very different domain. The VICP was created to address a distinctly twentieth-century market failure: In 1986, the rising rate of vaccination had naturally increased the incidence of (rare) adverse events from vaccination, and the resulting increase in high-profile lawsuits “threatened to cause vaccine shortages and reduce vaccination rates” and ultimately disincentivize the creation of new vaccines.[131] Accordingly, the VICP was created to “ensure an adequate supply of vaccines; stabilize vaccine costs; and establish and maintain an accessible and efficient forum for individuals found to be injured by certain vaccines.”[132]
The VICP embraced a no-fault and largely causation-agnostic approach out of the “desire to minimize the time and expense of litigating a case” and “resolve a petition quickly.”[133] A harmed vaccine recipient seeking compensation from the program (a petitioner) does not have to make any showing of negligence or defect in the particular vaccine administered.[134] Moreover, although the program nominally requires a showing that a covered vaccine was the actual cause of a “severe” injury,[135] “[a]pproximately 60% of all compensation awarded by the VICP comes as result of a negotiated settlement between the parties in which [the U.S. Department of Health & Human Services] has not concluded . . . that the alleged vaccine(s) caused the alleged injury.”[136]
Having dispensed with duty and breach analysis, the VICP broadly indemnifies vaccine manufacturers and administrators from most legal claims for adverse events associated with VICP-covered vaccines[137]—but these protections are “not absolute.”[138] For example, individual claims for damages of $1,000 or less “may be permitted to be filed in state or federal court without first filing a petition in the VICP,”[139] as such actions pose no significant risk of harming the vaccine market. Additionally, while the VICP requires a petitioner to “exhaust their remedies under the VICP before they can pursue legal actions against vaccine manufacturers or administrators,” the scheme allows victims of adverse events to pursue independent legal action if the “Court has failed to enter judgment within the time provided by the Act” or the petitioner rejects the offered judgment.[140] However, pursuing litigation permanently bars a petitioner from receiving compensation from the VICP fund for the injury at issue.[141]
Although the VICP has a number of compelling features with potential applicability to structurally similar problems, its approach to funding and judicial review likely cannot scale to domains with higher claims rates.[142] First, VICP claims are adjudicated through full judicial review: The “U.S. Court of Federal Claims [(CFC)] makes the final decision regarding whether a petition is compensated and the type and amount of compensation.”[143] Subjecting all petitions to judicial review is only possible because of the VICP’s relatively small size. Although “over 4 billion doses” of vaccines covered by the program were administered between 2006 and 2021, during this time only “11,247 petitions were adjudicated by the [CFC], and of those 8,044 were compensated.”[144] Second, the VICP is funded via small but abundant $0.75 excise taxes levied on every covered vaccine administered in the United States, pooled in a Vaccine Injury Compensation Trust Fund.[145]
Issues of scale and increasing polarization within Congress aside, the history of the VICP shows that this kind of structure has historically enjoyed strong bipartisan and multistakeholder support.[146] It is remarkable that a federal program founded to “stabilize . . . costs; and establish and maintain an accessible and efficient forum for individuals found to be injured”[147] has proven so successful that it has inspired multiple similar programs, enacted by conservative congressional majorities and signed by conservative presidents.[148] Notably, the vaccine industry rarely contests VICP claims even absent proof of actual causation, finding that “minimiz[ing] the time and expense of litigating a case” is more advantageous than challenging claims with lengthy proof disputes.[149] This history suggests that even the wealthiest industries can derive significant benefit from public insurance schemes, which both smooth the volatile costs of litigation and settlement into highly consistent remittances and add a layer of intermediation that disassociates consumer compensation from corporate culpability.
III. Establishing a State Data Breach Arbitrator and Insurance Fund
A. Overview
The successes of the VICP and workers’ compensation illustrate how a similar no-fault insurance scheme can provide a significant improvement over the status quo for breached data companies, consumers harmed by those breaches, and society at large. Both the VICP and workers’ compensation schemes are narrowly scoped to address specific types of harm that are nearly impossible to prevent and for which culpability is equally difficult to prove. Both approaches balance strict liability with broad indemnification from other legal action for covered injuries. Both approaches offload the actual payment of claims to separately administered insurance funds, shielding businesses from any direct monetary consequences when victims recover. And both approaches permit judicial review only after a claim has proceeded fully through the arbitration process, making further litigation vastly less attractive than accepting the immediately available settlement.[150] Part III explores how these elements can be synthesized into a blueprint for a state data breach arbitrator (DBA).
B. Core Architecture: Insurance and Indemnification
Data breach is exactly the kind of failure that is well-suited to mitigation with insurance. Much like workplace and vaccine injuries, data breaches are accidental, often cannot be blamed on any one party, and are impossible to wholly prevent—but can be made less frequent with appropriate safeguards and financial incentives.[151] A data breach insurance scheme would allow data companies to pay predictable premiums based on their size, the sensitivity and extent of PII they handle, and their demonstrated level of data security. In exchange, companies would be indemnified for liability stemming from data breaches. Whenever a breach occurred, the affected company would transmit to the DBA a list of all distinct PII elements and contact information for all consumers whose data resided in the breached system(s).[152] The DBA, by default, would presume that all parties and PII elements in the affected company’s system(s) at the time of a breach were affected. The company would be able to rebut this assumption only with clear and convincing evidence to the contrary.[153] Having transmitted the list of affected parties and fields to the DBA, breached companies would be relieved of all responsibility for notifying and compensating consumers.
This model would have significant benefits for all companies that handle consumer PII. Data companies would be able to redeploy resources previously allocated to notification and litigation to mitigating vulnerabilities and preventing future breaches.[154] Because payments to victims would come directly from the DBA insurance fund, those payments would no longer show up as liabilities on corporate balance sheets (which, as seen in both VICP and workers’ compensation, has a proven track record of making it easier for industry to get behind such a scheme).[155]
Additionally, data companies would be directly incentivized to use these savings to improve their data security posture because doing so would further lower the insurance premiums that the DBA would charge them. Much as car insurers incorporate information about a policyholder’s recent driving record into their specific rates on a regular basis, the DBA would be able to raise or lower rates depending on how many breaches a particular company suffered over discrete periods of time.[156] Repeat offenders would see their rates rise until they opted to invest in data security hygiene.[157] Companies that effectively protected their clients’ PII from improper exposure for extended periods of time would see their rates fall.[158] This approach would allow the DBA’s funding to scale organically with the size of its responsibilities—expanding as long as threats continued to rise and contracting once the escalating premiums forced companies to better internalize data insecurity costs.
This realignment of incentives would likely generate significant improvements in corporate cybersecurity compliance, which would in turn significantly improve the safety of consumers’ PII. But data breach victims would also receive more direct and immediate benefits from public data breach insurance. The current deluge of unexpected postcards from unknown breach administrators would be replaced with a customizable feed of updates from a single trusted authority, which would be permanently archived in a secure online portal for future reference. Instead of requiring consumers to read and respond to multiple confusing claims forms, the DBA would automatically disburse cash payments to every California consumer affected by a covered breach. The efficiencies of this model would allow significantly more money to be returned directly to each consumer than even the largest breach settlement funds currently support. Moreover, because the DBA fund would survive the bankruptcy and liquidation of any given company, consumers who ultimately experienced unusually severe identity-based harms could potentially qualify for additional need-based financial support from the DBA months or years after the initial payout.
As with all insurance, this model would be vulnerable to the problem of overuse: A company that experienced many breaches in a short span of time might have its premiums rise beyond its capacity to pay or even create a claims burden high enough to threaten the financial viability of the insurer.[159] Fortunately, there are a range of well-established policy frameworks that address this risk in other domains. Drawing on the more minimalist models commonly used in consumer home and auto insurance, legislators could give the DBA the authority to enforce liability limits—per incident, per year, or both—leaving any covered entity fully exposed to any liability that exceeded those limits.[160] Alternatively, legislators could also implement a maximalist approach like the one used in most workers’ compensation systems, making DBA insurance compulsory and setting no limits on the premiums that it can charge.[161]
By themselves, neither of these extremes is well-suited to the context of data breach. Under the minimalist approach, the worst offenders would remain in exactly the same dysfunctional position they are in today: accountable only to private rights of action that have proven woefully insufficient to deter irresponsible behavior. Under the maximalist approach, entities that suffered multiple breaches in a short span of time would be rapidly rendered insolvent by their escalating insurance premiums.
Accordingly, the most effective solutions to the threat of DBA overuse likely fall somewhere between these two extremes. To strike that balance, the DBA can draw from other architectural features of workers’ compensation schemes that have effectively managed similar tensions for over a century. When workers’ compensation schemes were first proposed, debates raged about whether “this new social insurance should be public or private” and whether “insurance should be mandatory or elective.”[162] Employers envisioned a parade of horribles: insurance carriers might “reap unfair profits” by imposing excessive premium rates; insurance mandates might depress both corporate bottom lines and state economies; some firms might even “be forced out of business if refused coverage by insurance companies.”[163] The design of state-administered workers’ compensation insurance funds ultimately addressed all of these concerns. The funds’ stability and strong government oversight “protect[ed] employers from underwriting uncertainties” and ensured that risks were pooled and spread so widely as to effectively guarantee “continuing availability of coverage” for all who wanted it, at reasonable rates.[164]
A DBA design that embraced a similar balance of public administration and private autonomy would strike a healthy balance between the minimalist and maximalist approaches described above. For example, legislators could give the DBA the power to limit or terminate an entity’s coverage to protect the viability of the insurance pool and simultaneously give private attorneys general the right to collect punitive (treble) damages whenever a private suit is successfully brought against an entity operating without full DBA coverage.[165]
C. Notification and Payout Administration
The DBA would assume responsibility for communicating with affected consumers on behalf of all data companies they cover, thereby reducing the cost and increasing the efficacy of consumer notification. Streamlining data breach notifications would significantly reduce the 8 percent of U.S. data breach costs—nearly three-quarters of a million dollars per breach, on average—currently spent hiring communications firms to identify, locate, and reach out to the same affected consumers over and over and over again.[166] Moreover, the DBA would be able to reach affected consumers much more cheaply and reliably than private companies currently can by pulling contact information from tax filings, motor vehicle registrations, and other public records.[167] The DBA would also provide a permanent resource hub for all consumers for data breach compensation and recovery—one that would persist long after the conclusion of any single company’s breach response, and perhaps even the company itself in the event of liquidation or bankruptcy. By taking on these responsibilities, the DBA would spare companies the expense of having to hire crisis PR firms and settlement administrators, allowing them to focus on better protecting their core operations from future breaches.
The most significant benefit the DBA would provide to consumers would be prompt monetary compensation, without requiring the consumer to respond or provide additional documentation by a particular deadline. The DBA might even allow consumers to set up permanent e-notification preferences and direct deposit profiles—thereby sparing them from having to divulge more PII to companies that had just been breached. The DBA would thus create significant economies of scale, ensure that consumers reliably receive notification and compensation after every breach, and save consumers and data companies a significant amount of frustration, time, and money.
D. Recovery Schedules and Formulas
Given the rising frequency and scale of data breaches[168] and the resulting flood of protracted multi-district litigation,[169] an effective replacement system must streamline the contentious process of calculating data breach damages. Workers’ compensation offers an easily adaptable solution: a fixed schedule of compensation rates based on the type of data compromised.[170] Just as set schedules of benefits based on specific injury types have streamlined workers’ compensation, standardized data breach recovery formulas would maximize the financial benefits of no-fault insurance for both data companies and breach victims.[171] The DBA, which would maintain the data breach recovery schedule, would commission an annual review of that schedule by a standing committee composed of economists, cybersecurity analysts, industry representatives, and consumer advocates—much as the Centers for Disease Control and Prevention (CDC) charges a committee of doctors and public health experts with determining which vaccines should be covered by the VICP.[172]
While some argue that it is impossible to accurately value consumer PII, there are numerous sources of high-quality information about how much a specific element of PII is worth.[173] Business analysts regularly issue reports showing how much the loss of a specific record type costs a breached company.[174] Cybersecurity firms continuously monitor illegal marketplaces where stolen data are sold and maintain comprehensive price lists of how much each type of PII fetches.[175] Given the wide availability of real-world pricing information, valuing PII elements should be no more difficult than valuing the loss of an arm or leg, which is both an essential and broadly accepted component of workers’ compensation (despite the widely-variant recovery schedules adopted by different states).[176]
Additionally, the DBA schedule would adopt the workers’ compensation model of allowing mitigating or aggravating factors to decrease or increase the valuation of an injury.[177] For example, the loss of an encrypted PII element would be valued as a fraction of the value of its unencrypted counterpart, due to the increased difficulty that a malicious party would have exploiting the encrypted information.[178] Conversely, synergy formulas would assign greater values to combinations of PII elements that are more sensitive together than their constituent parts would be separately. For example:
Table 1: PII Base Values

| PII Grade | Types of PII | Per-element Penalty |
|---|---|---|
| Class A | | $100 each [179] |
| Class B | | $50 each [180] |
| Class C | | $5 each |
| Class D | | $1 each |

Table 2: Aggravating & Mitigating Factors

| Types of PII | Cost enhancement / deduction |
|---|---|
| Class A + B combination | +$500 each |
| Class A + C combination | +$50 each |
| Class B + C combination | +$100 each |
| Class A + B + C combination | +$1500 each |
| Element(s) encrypted with a weak algorithm[181] | -50% of base cost for the element(s) |
| Element(s) encrypted with a strong algorithm[182] | -90% of base cost for the element(s) |
| Full account credentials (username + password) for any site containing additional PII | Added cost of every PII element held by the target site, under the rebuttable presumption that the credentials were used to access all of that PII[182] |
Given the current size and frequency of data breaches, immediately implementing this example schedule would likely bankrupt any entity charged with automatically compensating all victims. Indeed, even paying a minimal $5 for each set of PII breached in 2023 would cost over $1.7 billion.[184] At the same time, the demonstrable failure of industry and government efforts to inhibit the out-of-control growth in data breaches is a clear sign of a significant market failure. There is an urgent need for companies to better internalize the costs of their poor data handling practices.
To reconcile these competing interests and establish a foundation for long-term financial sustainability, the DBA would implement the recovery schedule in a staggered and pro rata fashion, initially focusing on supporting victims who could show concrete harm from identity theft.[185] For example, suppose that five hundred companies[186] initially signed up for coverage and paid average annual premiums of $2,000, contributing $1 million to the insurance fund.[187] Suppose further that twenty-four thousand Californians submitted claims showing direct monetary harm resulting from covered breaches that took place that year.[188] Those figures would allow for an average recovery of approximately $40—well in excess of what consumers typically receive from data breach settlements,[189] and aligned with survey data about average actual damages.[190]
Over time, as the DBA’s insurance fund collected premiums (which would likely happen quickly under current conditions),[191] the recovery schedule would be updated to allow for automatic recovery to all victims, at whatever pro rata share of actual market value fund liquidity permitted. Meanwhile, rapidly increasing premiums would force companies to invest more in cybersecurity, which would decrease the rate of breaches and thus the rate of DBA claims. By the time that happened, the DBA insurance fund would be flush with premium payments from the initial few years of rampant breaches as well as data showing how to calibrate premiums to ensure long-term liquidity.
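As an added illustration (not part of this Note or of any proposed statute), the following Python applies the example schedule from Tables 1 and 2 to a set of breached records and then scales the resulting valuations to the pro rata share that a fund balance permits, as described above. Several points the schedule leaves open are assumptions made here and labelled in the code: which data types fall in each grade is left to the caller, combination bonuses are taken not to stack (only the most specific matching combination applies), the credentials row is valued by running the target site's holdings through the same schedule, and the sample records are constructed.

```python
"""Worked example: applying the illustrative DBA recovery schedule to breached
records, then paying out pro rata against a fund balance.  Dollar figures come
from Tables 1 and 2; the grade assignments, non-stacking rule and sample data are
assumptions for this example only."""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 1: per-element base value in dollars, keyed by PII grade.
BASE_VALUE = {"A": 100, "B": 50, "C": 5, "D": 1}

# Table 2: combination (synergy) bonuses, keyed by the set of grades present.
COMBO_BONUS = {
    frozenset("ABC"): 1500,
    frozenset("AB"): 500,
    frozenset("BC"): 100,
    frozenset("AC"): 50,
}

# Table 2: encryption deductions as a fraction of the element's base cost.
ENCRYPTION_DEDUCTION = {"none": 0.0, "weak": 0.5, "strong": 0.9}


@dataclass(frozen=True)
class Element:
    """One exposed PII element.  The grade (A-D) is assigned by the caller; the
    schedule on the page does not fix which data types belong to which class."""
    name: str
    grade: str
    encryption: str = "none"   # "none", "weak" or "strong"


@dataclass
class Record:
    """All PII exposed for one consumer.  If full account credentials for another
    site were also exposed, credential_target lists the PII that site holds for
    the same consumer (the schedule's rebuttable presumption of access)."""
    elements: List[Element]
    credential_target: Optional[List[Element]] = None


def element_value(e: Element) -> float:
    """Base value less the encryption deduction, rounded to whole cents."""
    return round(BASE_VALUE[e.grade] * (1.0 - ENCRYPTION_DEDUCTION[e.encryption]), 2)


def combination_bonus(elements: List[Element]) -> int:
    """Assumption: only the most specific matching combination applies; the
    page does not say whether A+B+C stacks with A+B, B+C and A+C."""
    present = frozenset(e.grade for e in elements if e.grade in "ABC")
    for combo in (frozenset("ABC"), frozenset("AB"), frozenset("BC"), frozenset("AC")):
        if combo <= present:
            return COMBO_BONUS[combo]
    return 0


def value_record(r: Record) -> dict:
    """Schedule valuation of one consumer's record, with a breakdown."""
    base = sum(element_value(e) for e in r.elements)
    bonus = combination_bonus(r.elements)
    # Credentials row: add the valuation of everything the target site holds
    # (assumption: the target holdings are valued with the same schedule).
    target = value_record(Record(r.credential_target))["total"] if r.credential_target else 0.0
    total = round(base + bonus + target, 2)
    return {"base": base, "combination": bonus, "credential_target": target, "total": total}


def value_breach(records: List[Record]) -> float:
    """Full schedule value of a breach (what the DBA would owe if fully funded)."""
    return round(sum(value_record(r)["total"] for r in records), 2)


def pro_rata_payouts(records: List[Record], fund_balance: float) -> Tuple[List[float], float]:
    """Scale every record's payout by the same factor so the total never exceeds
    the fund balance; returns (payouts, scale factor)."""
    total = value_breach(records)
    scale = 1.0 if total == 0 else min(1.0, fund_balance / total)
    return [round(value_record(r)["total"] * scale, 2) for r in records], scale


# Constructed sample breach: four consumers with different exposure profiles.
SAMPLE_RECORDS = [
    Record([Element("elem1", "A"), Element("elem2", "B"), Element("elem3", "C")]),
    Record([Element("elem1", "A", "strong")]),
    Record([Element("elem1", "A"), Element("elem2", "B", "weak")]),
    Record([Element("elem1", "D")],
           credential_target=[Element("site_elem1", "A"), Element("site_elem2", "C")]),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(value_record(rec))
    print("full schedule value:", value_breach(SAMPLE_RECORDS))
    print("pro rata at $1,223 fund:", pro_rata_payouts(SAMPLE_RECORDS, 1223.0))
```

The first sample record shows the synergy rule dominating the base values ($155 of elements, $1,500 of combination bonus), which is the point of Table 2: the schedule prices the linkability of a record, not just its fields. The strong-encryption record drops to $10, and the credentials record inherits the full valuation of the target site's holdings unless the company rebuts the presumption.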
E. Arbitrated Settlement with Opportunity to Appeal
As a matter of basic due process, the DBA must provide both consumers and breached companies with a mechanism for appealing arbitrated settlement offers—just as both VICP and workers’ compensation do.[192] At the same time, there must be sufficient conditions placed on the appeals process to deter speculative and opportunistic claims. Without such protections, the DBA might fail to divert most claims and simply add one more phase to the already long and wasteful process of data breach litigation.[193]
To balance these competing interests, the DBA would incorporate key elements of both VICP and workers’ compensation. First, the DBA would adopt VICP’s requirement that disputants fully complete the arbitrative process and formally reject the proposed settlement before undertaking other legal action.[194] Second, the DBA would embrace the workers’ compensation model of limiting the scope of appeals and authorizing broad discretion to impose penalties on frivolous arguments.[195] The precise mix of mechanisms available to the DBA for disincentivizing further legal action would need to be ironed out through the legislative process, but there are many time-tested options available. Any party that unsuccessfully appeals a DBA settlement proposal—either a consumer demanding more compensation or a company arguing that its breach was less severe than the DBA found—could be held responsible for all attorneys’ fees associated with the proceeding, just as in workers’ compensation.[196] Any settlement payment contested by a breached company or rejected by a consumer could be declared null and void from the moment of rejection, such that a contesting company exposes itself to full liability in the courts with no indemnification from the DBA and a rejecting plaintiff risks forfeiting any compensation, just as in the VICP.[197] Additional approaches that could disincentivize further litigation include limiting the allowable subject matter of appeals to issues of law, not fact, and exposing companies that reject DBA settlement proposals to punitive (treble) damages if they ultimately lose their case.[198]
F. The California Privacy Protection Agency as Host
Although the DBA could be implemented by any state, California has already built a natural institutional home for such an authority, complete with authorizing statutes that would need only minor modification to support the DBA. The California Consumer Privacy Act (CCPA) charges the California Privacy Protection Agency (CPPA) with “protect[ing] the fundamental privacy rights of natural persons with respect to the use of their personal information” and “balanc[ing] the goals of strengthening consumer privacy while giving attention to the impact on businesses.”[199] That would be the DBA’s precise mission.
Moreover, the CCPA already authorizes strict liability damages and automatic consumer recovery; the DBA would merely systemize the administration of these remedies. The CCPA’s subsection on Personal Information Security Breaches currently authorizes private claims to be brought by “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure . . . .”[200] The statute authorizes “damages in an amount not less than . . . $100 . . . and not greater than . . . $750 . . . per consumer per incident or actual damages, whichever is greater.”[201] The DBA would simply implement this statute proactively, without requiring consumers to bring suit to enforce it.
Furthermore, the CPPA already maintains a “Consumer Privacy Fund,” which holds all administrative penalties collected by the agency. These funds are used to “offset any costs incurred by the state courts, the California Privacy Protection Agency, and the Attorney General in connection with [the CCPA].”[202] Accordingly, a dedicated breach response fund already exists and is charged with supporting exactly the kinds of activities that the DBA will conduct.
Thus, while the legislature would need to authorize the CPPA to act as an insurer and dispense with proximate cause and proof of harm requirements, otherwise existing law already grants all the authority required for the DBA to assess penalties, compensate consumers, and incentivize data companies to handle consumer PII responsibly.
G. Likely Objections and Rebuttals
Despite the benefits that a state-administered public insurance fund could provide to both individual and corporate data breach victims, any such program will face several key questions related to constitutional permissibility and practical administrability. Fortunately, these concerns have been effectively addressed in the context of similar federal and state programs. Questions about due process have been conclusively resolved during the implementation of workers’ compensation; data privacy law is already severally enforced by state and federal authorities without raising preemption problems; and self-funded government programs have existed for decades without significantly burdening the public fisc.
1. Constitutional Due Process Concerns
Although no-fault liability schemes tend to face criticism for violating constitutional due process guarantees, the Supreme Court considered and rejected precisely that argument in the workers’ compensation context in 1917.[203] Despite strong initial resistance from lower courts,[204] constitutional objections were quickly abandoned and vacated once employers, employees, and the high Court saw how arbitrated settlements significantly improved outcomes for all interested parties and society at large:
It is not unreasonable for the state, while relieving the employer from responsibility for damages . . . to require him to contribute a reasonable amount, and according to a reasonable and definite scale . . . irrespective of the question of negligence, instead of leaving the entire loss to rest where it may chance to fall,—that is, upon the injured employee or his dependents. Nor can it be deemed arbitrary and unreasonable, from the standpoint of the employee’s interest, to supplant a system under which he assumed the entire risk of injury in ordinary cases, and in others had a right to recover an amount more or less speculative upon proving facts of negligence that often were difficult to prove, and substitute a system under which, in all ordinary cases of accidental injury, he is sure of a definite and easily ascertained compensation . . . .[205]
Similarly, the Court has given full-throated support to adjudicative mechanisms that ensure “streamlined proceedings and expeditious results,” particularly through the embrace of “a national policy favoring arbitration.”[206] The DBA will implement that very mandate, relieving courts overloaded with protracted data breach settlement negotiations of a significant volume of work. In that vein, any further concerns about due process could be resolved the same way corporations currently handle binding arbitration clauses: by opting everyone in by default.[207] In this context, the legislature could opt in all California consumers and PII-handling companies registered with the Secretary of State to DBA coverage by default, while giving them the opportunity to opt out.
2. Overlapping Federal and State Data Privacy Laws
Just as existing state and federal data privacy laws largely coexist without conflict, the DBA would simply complement any overlapping federal law. Federal data privacy statutes, including the Health Insurance Portability and Accountability Act,[208] the Gramm-Leach-Bliley Act,[209] and the Fair Credit Reporting Act,[210] preempt overlapping state-level regulations only to the extent that the state regulations specifically conflict with or are weaker than the federally-established floor.[211] Since DBA coverage would offer protections beyond those provided by federal law, it should be largely immune from a conflict preemption challenge.
A related wrinkle is that the DBA would have no formal legal authority to indemnify companies from suits brought under federal law, which would seem to attenuate the value of its indemnification coverage. However, the DBA could use the common insurance mechanisms of subrogation, assignment of rights, and release of claims to ensure that consumers who accept a DBA-arbitrated settlement assign all future interests in related litigation to the DBA and do not subsequently receive additional compensation from any other source.[212] Should external proceedings compel a DBA-indemnified company to issue duplicative payments for claims the DBA has already resolved, the DBA could be authorized to recover those payouts on behalf of the consumers it previously compensated.[213] The DBA could then either return the recovered funds to the indemnified company or retain them and credit them against that company’s annual claims tally for premium calculation purposes. Helpfully, the DBA’s centralization of data breach notifications and consumer compensation would give it unparalleled visibility into the data breach landscape, and companies would be required to promptly notify the DBA both about initial breaches and about subsequent out-of-state litigation as conditions of maintaining their indemnity coverage. However, making that insight actionable would require the DBA to have a division tasked with coordinating with courts, other insurers, and settlement administrators to confirm that claimants in external disputes have not already been compensated for the associated breaches by the DBA.
3. Implementation and Administration Costs
The DBA would need significant seed funding to pay out claims during its first months of existence, before it has had a chance to fund its insurance pool with premiums and calibrate those premiums with actual claims data. However, this challenge has been successfully overcome by every agency that operates without recurring legislative funding.[214] In this context, it should not be difficult to convince the California legislature to invest in an agency that would quickly achieve financial independence, significantly alleviate burden on the courts, and advance the rights of millions of Californians.[215] The legislature could even require that a percentage of DBA’s surplus revenues be returned to the state treasury, either for a discrete period (e.g., until the seed funding that the DBA relied on during its first years is repaid) or in perpetuity.[216] Such a mechanism would be consistent with two core goals of this and many other proposals for data breach reform: to assign real value to the use (and misuse) of consumers’ personal information and to tax that activity in a way that both protects consumers and prevents companies from continuing to exploit this valuable resource without any public accountability.[217]
Conclusion
Implementing a no-fault, publicly arbitrated scheme for reliably compensating data breach victims would address numerous hitherto-intractable problems in the data breach landscape. Such a solution is urgently needed, as the status quo inflicts billions of dollars of economic damage on data companies, consumers, and the national economy each year. Moreover, the damage is rapidly escalating despite extensive (and expensive) efforts to stanch the bleeding with mandatory notification band-aids. Clearly, stronger medicine is needed.
Creating the DBA would effectively redress significant consumer harm for which current law offers no reliable remedy while sparing data companies the significant time and expense of sending out breach notifications which offer little to no benefit to harmed consumers. This approach would ensure that consumers receive compensation each time their PII is compromised while reducing “breach fatigue” for both breached companies and affected consumers.[218]
In addition to automatically compensating consumers for the mishandling of their data, the DBA could even provide further support for the subset of consumers who eventually suffered more severe identity-based harm, without those victims having to trace that harm back to any specific breach. Such an approach would be consistent with the common data breach settlement practice of offering the general population of victims nominal damages while keeping a portion of the fund in reserve for victims who submit documentation of specific (higher) monetary detriment.[219] Because the DBA would far outlast any specific settlement arrangement (both in temporal lifetime and financial capacity), it could potentially serve as a standing public insurer for all PII-based harms.
For data companies, the DBA would ensure that they accurately internalized the cost of inevitable data breaches without being disproportionately penalized for honest accidents and could pay that price in a predictable, consistent way. By removing the burdens of notification, litigation, and settlement administration, the DBA would save breached companies significant time and money—resources that the companies could reallocate to shoring up cybersecurity defenses to prevent subsequent breaches. The DBA would thus standardize the currently unregulated jungle of cybersecurity insurance and create meaningful, performance-linked incentives for data companies to improve their data security and privacy practices.[220]
The current data breach landscape is broken, for many of the same reasons that workers’ compensation was unworkable a hundred years ago and vaccine injury redress was in crisis fifty years later. This history shows that no-fault accident compensation backed by public insurance has proven effective in contexts that share many of the distinctive standing and proof problems that make data breach so intractable. Looking to that history and to the longstanding no-fault arbitration programs that the Supreme Court has declared to be integral parts of the American tradition points the way to an equally strong solution for data breach.
Copyright © 2025 Jordan Hefcart, J.D., Berkeley Law 2025; Berkeley Law Center for Consumer Law & Economic Justice Fellow, 2024–2025. Many thanks to David Nahmias for his assistance crafting the initial structure of this Note; to Professor Ted Mermin for pressure-testing early drafts; to the Editors of the California Law Review for making innumerable improvements to the Note’s substance and flow; and to my partner, Rin, for her extensive editing and constant support.
[1]. See Daniel J. Solove & Woodrow Hartzog, Breached! Why Data Security Law Fails and How to Improve It 9 (2022).
[2]. PII is a term of art used across fields that involves the processing of consumer information. The term has slightly different definitions when used in different contexts, but the core principle these definitions share is that PII “can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” Computer Security Resource Center Glossary, Personally Identifiable Information, Nat’l Inst. Standards & Tech., https://csrc.nist.gov/glossary/term/personally_identifiable_information [https://perma.cc/7WJF-SHKQ] (providing several other variants on this definition for comparison).
[3]. See Rachael M. Peters, Note, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws, 56 Ariz. L. Rev. 1171, 1171 (2014) (“[W]hen a data breach does occur, companies must consult the state law of each affected consumer to determine whether that consumer must be notified, and when notification must occur. This may be extremely burdensome for large, nationwide companies with thousands or even millions of consumers in multiple states. Most importantly, even when these various state data-breach laws are effective and consumers are notified of a breach, they have almost no legal recourse against the entity whose security breach led to the unlawful or unauthorized procurement of their personal information. There is no clear-cut state or federal civil cause of action for consumers to bring, and existing causes of action have had limited success when applied to data breaches due to issues with standing and injury.”).
[4]. See João Marinotti, Data Types, Data Doubts & Data Trusts, 97 N.Y.U. L. Rev. 146, 149 (2022) (“Even when companies are unquestionably at legal fault, the victims of data malfeasance are frequently unable to receive adequate compensation, if anything at all. . . . Such settlements neither affect the business practices of these global giants, nor do they provide adequate remedies for the victims harmed. If these consequences neither deter future cyber-negligence nor compensate victims for harms experienced, what, then, are they for? Unfortunately, some argue they are ‘mostly exercises in public relations,’ remediating the reputation of both regulators and companies alike.”) (quoting Jason Aten, Equifax Promised It Would Give You $125. Then It Made It Clear that Was Never Going to Happen. Here’s What You Should Do Now, Inc. (Sep. 17, 2019), https://www.inc.com/jason-aten/equifax-promised-it-would-give-you-125-then-it-made-it-clear-that-was-never-going-to-happen-heres-what-you-should-do-now.html [https://perma.cc/32VH-2T6D]). This structural problem is exemplified by one of the most infamous data breach settlements of all time, stemming from the massive Equifax breach of 2017. See Amy Loftsgordon, Equifax Data Breach Settlement: How to Get Compensation, Nolo (Aug. 2019), https://www.nolo.com/legal-updates/equifax-data-breach-settlement-how-to-get-compensation.html [https://perma.cc/JN6N-P69Z] (estimating that the paltry $31 million allocated to data breach victims would only come out to an average payout of $7 per person). Final payouts ultimately ranged from $14.90 to as low as $2.64. See Shahar Ziv, I Got a Measly $14.90 from Equifax’s Data Breach Settlement, Forbes (Feb. 22, 2023), https://www.forbes.com/sites/shaharziv/2023/02/22/i-got-a-measly-1490-payment-from-equifaxs-data-breach-settlement/ [https://perma.cc/8BU7-BDKC] (reporting that “the modal amount anecdotally appears to be around $5.20”).
[5]. See Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 Tex. L. Rev. 737, 756–57 (2018) (“Identity thieves may plunder victims’ credit, riddling victims’ credit reports with false information including debts and second mortgages obtained in victims’ names. Victims struggling with identity theft may be forced to file for bankruptcy, and some may lose their homes. Victims may be turned down for loans or end up paying higher interest rates on credit cards. Their utilities may be cut off and their services denied. Victims’ stolen health information may be used to obtain medical care, saddling them with hefty hospital bills and a thief’s treatment records. Victims may incur legal fees and have to cover bounced checks. . . . On average, it takes up to thirty hours to resolve problems when identity thieves open new accounts in victims’ names.”).
[6]. See, e.g., Complaints: Equifax, Inc., Better Bus. Bureau, https://www.bbb.org/us/ga/atlanta/profile/credit-reporting-agencies/equifax-inc-0443-3443/complaints [https://perma.cc/H4U4-5V86]; Complaints: Experian LLC, Better Bus. Bureau, https://www.bbb.org/us/ca/costa-mesa/profile/credit-reporting-agencies/experian-1126-31551/complaints [https://perma.cc/ZSF3-9VQZ]; Complaints: Trans Union LLC, Better Bus. Bureau, https://www.bbb.org/us/il/chicago/profile/credit-reporting-agencies/transunion-llc-0654-2713/complaints [https://perma.cc/UT47-TFDW] (collectively listing over thirty-six thousand complaints made against the three major credit reporting agencies over the past three years, overwhelmingly concerning either fraudulent activity appearing on credit reports or the difficulty of removing such fraudulent entries).
[7]. Laura Shin, ‘Someone Had Taken over My Life’: An Identity Theft Victim’s Story, Forbes (Nov. 18, 2014), https://www.forbes.com/sites/laurashin/2014/11/18/someone-had-taken-over-my-life-an-identity-theft-victims-story/ [https://perma.cc/C34E-CWQH].
[8]. See Roger Grimes, Why It’s So Hard to Prosecute Cyber Criminals, CSO Online (Dec. 6, 2016), https://www.csoonline.com/article/559099/why-its-so-hard-to-prosecute-cyber-criminals.html [https://perma.cc/6CM2-JDXB] (listing barriers to prosecuting digital crimes, including the fact that “[m]ost of the time, the person committing the crime is located outside of the country (or at least outside the legal jurisdiction of the court and prosecutors seeking the conviction)”); id. (“It has taken decades for law enforcement agencies, legal systems, and juries to get up to speed on cyber crime. . . . The vast majority of internet crimes are never reported [because] most people have no idea of where and how to report internet crime, and if they do, rarely does anything come of it.”). Computer-based crime is rarely investigated for a variety of reasons. See Michael Rubinkam, Scammers Are Swiping Billions from Americans Every Year. Worse, Most Crooks Are Getting Away with It, N. Platte Tel. (July 13, 2024), https://nptelegraph.com/life-entertainment/nation-world/technology/online-fraud-billions-of-dollars-scammers-seniors-aarp-fraud-watch-network-criminals-not-caught/article_f6017229-d253-51a0-bcea-9eb9446ac9fe.html [https://perma.cc/7TCA-3ZFP] (reporting that “[s]ome police departments don’t take financial scams as seriously as other crime [sic] . . . . [f]ederal prosecutors typically don’t get involved unless the fraud reaches a certain dollar amount . . . . [and] the ‘vast majority’ of frauds go unreported”). As a result, even when victims attempt to seek accountability, they generally “wind up discouraged and demoralized.” Id.
[9]. See Solove & Citron, supra note 5, at 756 (“It may take months or years before leaked personal data is abused, but when it happens, the harm can be profound.”); see also David W. Opderbeck, Cybersecurity and Data Breach Harms: Theory and Reality, 82 Md. L. Rev. 1001, 1017–26 (2023) (discussing several categories of consumer harm in detail, including “payment card fraud,” “true identity theft,” “synthetic identity fraud,” “embarrassment, blackmail, stalking, catfishing,” and “social engineering campaigns”).
[10]. See Solove & Citron, supra note 5, at 757 (“The data is sold off, and it could be a while before it’s used. There’s often a very big delay before having a loss.”) (quoting Andrea Peterson, Data Exposed in Breaches Can Follow People Forever. The Protections Offered in Their Wake Don’t., Wash. Post (June 15, 2015), http://www.washingtonpost.com/blogs/the-switch/wp/2015/06/15/data-exposed-in-breaches-can-follow-people-forever-the-protections-offered-in-their-wake-dont/ [https://perma.cc/JBF5-4K6X]).
[11]. See id. at 758 (“Without information about where an identity thief obtained the data, a plaintiff will have difficulty linking the harm to a particular data breach or data disclosure. Ironically, the very factors that make identity theft so harmful—the difficulty in catching the perpetrators and the fact that it can continue indefinitely—are what impede victims’ ability to obtain redress in the courts.”).
[12]. See id. (“In cases involving privacy violations and inadequate data security, consumers bear the lion’s share of [resulting] costs because courts view them as too attenuated to recognize as harm.”).
[13]. See Marinotti, supra note 4, at 148 (“[Data companies are not] held sufficiently financially accountable for data malfeasance . . . [and hence] have few reasons to protect or prioritize our privacy and data security over their singular—and legally legitimate—duty to maximize shareholder value. From this point of view, underinvesting in cybersecurity and failing to meet even the most basic of inform-and-consent privacy policies may be a successful business practice in today’s regulatory environment.”).
[14]. See Solove & Hartzog, supra note 1, at 9 (“Despite data security law’s obsession with data breaches, the law doesn’t seem to be reducing the size, severity, or number of breaches. Data breaches are steadily increasing.”).
[15]. See Aniket Kesari, Do Data Breach Notification Laws Work?, 26 N.Y.U. J. Legis. & Pub. Pol’y 173, 217 (2023) (“Scholars of federalism have noted how in recent decades states have transformed from ‘backwaters to major policymakers’ . . . . In the face of congressional paralysis, the importance of states as policymakers grows even more.”) (quoting Jacob M. Grumbach, From Backwaters to Major Policymakers: Policy Polarization in the States, 1970–2014, 16 Persps. on Pol. 416 (2018)). Kesari suggests that any data breach reform effort implemented at the federal level would likely “mimic the baseline requirements [already] imposed by states . . . . [T]here is little evidence that the baseline notification requirement affect[s] identity-theft report rates.” Id. at 216. Worse, a federal approach “could preempt further state innovation that might be effective at reducing identity theft.” Id. Accordingly, if reducing rates of identity theft is the priority, “the state-by-state approach is more valuable at this point.” Id.
[16]. Ani Petrosyan, Annual Number of Data Compromises and Individuals Impacted in the United States from 2005 to 2024, Statista (July 14, 2025), https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/ [https://perma.cc/66QR-GGUQ].
[17]. Lillian Ablon, Paul Heaton, Diana Catherine Lavery & Sasha Romanosky, Rand Corp., Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information 39 (2016), https://www.rand.org/content/dam/rand/pubs/research_reports/RR1100/RR1187/RAND_RR1187.pdf [https://perma.cc/8Y4F-VZ59]; see also Petrosyan, supra note 16 (confirming that there were 783 significant breaches affecting at least eighty-five million sets of PII in 2014).
[18]. Petrosyan, supra note 16.
[19]. Id. Petrosyan’s analysis of data breach impact uses the metric “numbers of records exposed” from 2005 to 2019 but introduced a new metric—“individuals impacted”—in 2015. The methodologies behind these metrics are not specified. However, over the span of years for which both metrics are reported, “individuals impacted” is consistently larger than “numbers of records exposed.” This difference suggests that the “numbers of records exposed” is based on sources that could not reliably disaggregate how many distinct individuals each breached record implicated, whereas “individuals impacted” is based on more sophisticated and granular sources. But whatever the precise methodologies behind each metric are, the larger of the two is always the most salient, as it represents the best available estimate of how many times a distinct set of PII containing the information for a single U.S. person was improperly (re)exposed each year.
[20]. Compare id., with Total Population by Child and Adult Populations in United States, Annie E. Casey Found.: Kids Count Data Ctr. (July 2024), https://datacenter.aecf.org/data/tables/99-total-population-by-child-and-adult-populations [https://perma.cc/P6NG-J6HE]. Petrosyan’s data admittedly appears to show a relative decrease in the number of people affected in 2019 and 2023. Petrosyan, supra note 16. But the fact that the breach figures for those years still significantly exceeded the U.S. adult population makes these decreases of little practical import. Id. Moreover, the decrease was only temporary: The figures for 2024 show the number of affected consumers returning to historic highs. Id.
[21]. Petrosyan, supra note 16.
[22]. New Study Reveals 84% of Organizations Experienced an Identity-Related Breach in the Last Year, Identity Defined Sec. All. (June 22, 2022), https://www.idsalliance.org/press-release/new-study-reveals-84-of-organizations-experienced-an-identity-related-breach-in-the-last-year/ [https://perma.cc/UE9G-CQKP].
[23]. Zack Whittaker, The Biggest Data Breaches in 2024: 1 Billion Stolen Records and Rising, TechCrunch (Oct. 14, 2024), https://techcrunch.com/2024/08/12/2024-in-data-breaches-1-billion-stolen-records-and-rising/ [https://perma.cc/D2GX-TYD9].
[24]. Lily Hay Newman, The Slow-Burn Nightmare of the National Public Data Breach, WIRED (Aug. 16, 2024), https://www.wired.com/story/national-public-data-breach-leak/ [https://perma.cc/VPD7-QU5F].
[25]. Petrosyan, supra note 16; see also Vilius Petkauskas, Mother of All Breaches Reveals 26 Billion Records: What We Know So Far, Cybernews (Jan. 29, 2024), https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/ [https://perma.cc/V3Z6-DPDD] (describing a “supermassive leak contain[ing] data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records”).
[26]. Sam Sabin, 2023 Toll of Data Breaches and Leaks Already Tops 2022, Axios (Oct. 13, 2023), https://www.axios.com/2023/10/13/2023-data-compromises-surpass-2022 [https://perma.cc/23MU-TAYS].
[27]. Nicole Valentine, What is Identity Theft, and How Does it Happen?, Money (Oct. 16, 2023), https://money.com/what-is-identity-theft/ [https://perma.cc/Q266-QN9Z].
[28]. See Stu Sjouwerman, 28 Percent of Data Breaches Lead to Fraud, KnowBe4 (Mar. 7, 2013), https://blog.knowbe4.com/bid/252486/28-percent-of-data-breaches-lead-to-fraud [https://perma.cc/JH4L-28MS].
[29]. Erika Harrell, U.S. Dep’t Just., Bureau Just. Stats., Just the Stats: Data Breach Notifications and Identity Theft, 2021 (Jan. 2024), https://bjs.ojp.gov/data-breach-notifications-and-identity-theft-2021 [https://perma.cc/3LM5-NZZL].
[30]. Jack Caporal, Identity Theft and Credit Card Fraud Statistics for 2025, Motley Fool Money (May 6, 2025), https://www.fool.com/the-ascent/research/identity-theft-credit-card-fraud-statistics/ [https://perma.cc/527S-SPFW].
[31]. See Kenneth Terrell, Identity Fraud Hit 42 Million People in 2021, AARP (Apr. 7, 2022), https://www.aarp.org/money/scams-fraud/info-2022/javelin-report.html [https://perma.cc/5RNS-MMHT]; see also John Buzzard, 2022 Identity Fraud Study: The Virtual Battleground, Javelin Strategy (Mar. 29, 2022), https://javelinstrategy.com/2022-Identity-fraud-scams-report [https://perma.cc/85AV-8G9S].
[32]. See Buzzard, supra note 31 (“In 2021, traditional identity fraud losses—those involving any use of a consumer’s personal information to achieve illicit financial gain—amounted to $24 billion (USD) and ensnared 15 million U.S. consumers.”).
[33]. See Opderbeck, supra note 9, at 1024 (“[A]uthentic information from different people is mixed with fabricated information to create a fictitious composite, which can be employed to obtain credit or hide the true identities of persons engaged in various criminal activities.”); Caporal, supra note 30 (observing that such synthetic account fraud has exploded by over 300 percent from 2019 to 2023).
[34]. Caporal, supra note 30.
[35]. Id.
[36]. Id.
[37]. See, e.g., Corey Fedde, Consumers Wary of Experian’s Credit Monitoring Service After Data Breach, Christian Sci. Monitor (Oct. 2, 2015), https://www.csmonitor.com/Technology/2015/1002/Consumers-wary-of-Experian-s-credit-monitoring-service-after-data-breach [https://perma.cc/A7F7-9MV6] (describing how fifteen million T-Mobile customers had their “addresses, birthdates, personal information, and Social Security numbers” exposed in a “security breach of credit reporting agency Experian, which T-Mobile uses to run credit checks on potential customers”).
[38]. Keman Huang, Xiaoqing Wang, William Wei & Stuart Madnick, The Devastating Business Impacts of a Cyber Breach, Harv. Bus. Rev. (May 4, 2023), https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach [https://perma.cc/M84E-FZFK] (“83% of organizations experienced more than one data breach during 2022.”).
[39]. Rob Lever, U.S. News & World Report Identity Theft Survey 2023, U.S. News & World Rep. (Sept. 12, 2023), https://www.usnews.com/360-reviews/privacy/identity-theft-protection/identity-theft-fraud-survey [https://perma.cc/K4DA-YLZP].
[40]. Terrell, supra note 31.
[41]. Lorie Konish, 63% of Workers Unable to Pay a $500 Emergency Expense, Survey Finds. How Employers May Help Change That, CNBC (Aug. 31, 2023), https://www.cnbc.com/2023/08/31/63percent-of-workers-are-unable-to-pay-a-500-emergency-expense-survey.html [https://perma.cc/HW8B-QJLN].
[42]. See What Is Identity Theft Insurance?, Equifax, https://www.equifax.com/personal/education/identity-theft/articles/-/learn/id-theft-insurance/ [https://perma.cc/8LWW-JLKN] (“Policies vary, but compensation is usually limited to between $10,000 and $15,000.”); see also U.S. Gov’t Accountability Off., GAO-17-254, Identity Theft Services: Services Offer Some Benefits but Are Limited in Preventing Fraud 36 (2017), https://www.gao.gov/assets/d17254.pdf [https://perma.cc/YE5N-EFFQ] (“[I]dentity theft service providers . . . acknowledged that identity theft insurance is of limited value to a consumer.”). Having collected claims rates from various insurers, the Government Accountability Office found that “a provider with a government contract covering more than 4 million people said that, as of April 2016, its insurance had paid out one claim.” Id. at 20.
[43]. Equifax, supra note 42.
[44]. Lever, supra note 39.
[45]. Annie Greenley-Giudici, Data Privacy: What Brands Are Taking It Seriously?, TrustArc, https://trustarc.com/resource/data-privacy-most-trusted-brands/ [https://perma.cc/VMS7-BRLB] (“This Super Bowl Sunday, among all the multimillion-dollar commercials you’re likely to see a few companies touting their data privacy practices as part of their ad campaign.”).
[46]. See Emily Stewart, Companies Lose Your Data and then Nothing Happens, Vox (Apr. 21, 2022), https://www.vox.com/the-goods/23031858/data-breach-data-loss-personal-consequences [https://perma.cc/XAR2-TRSN].
[47]. Marcia Ernst, Data Breaches, Tr. The Leaders (Summer 2016), https://www.sgrlaw.com/ttl-articles/data-breaches/ [https://perma.cc/SBH7-BEMP].
[48]. Stewart, supra note 46.
[49]. See Laurel Thomas, Data Breaches: Most Victims Unaware when Shown Evidence of Multiple Compromised Accounts, Univ. Mich. News (June 21, 2021), https://news.umich.edu/data-breaches-most-victims-unaware-when-shown-evidence-of-multiple-compromised-accounts/ [https://perma.cc/TJ53-EP9X] (“Either people are not being notified by breached companies, or the notifications are crafted so poorly that people might get an email notification or letter but disregard it.”).
[50]. Bob Sullivan, Few Takers for Free Credit Monitoring, NBC News (Apr. 20, 2006), https://www.nbcnews.com/business/consumer/few-takers-free-credit-monitoring-flna6c10406733 [https://perma.cc/EQM3-8N42] (“People are accustomed to ignoring pieces of paper with a lot of dense print on them . . . . [It is likely that] a very small percentage of those who received the [breach notifications] actually read the letters.”).
[51]. Id.; see also Alîna Bizga, Half of Consumers Don’t Follow Up on Data Breach Notification Practices, Do You?, Bitdefender Indus. News (Nov. 23, 2021), https://www.bitdefender.com/en-us/blog/hotforsecurity/half-of-consumers-dont-follow-up-on-data-breach-notification-practices-do-you [https://perma.cc/T4F4-P8ZH] (summarizing the results of a 2021 survey, which found that of the already-few customers who receive, open, and read data breach notifications, “most . . . don’t follow security practices or take firm action to prevent negative after-effects of such security incidents”). The top reasons respondents gave for doing nothing after receiving a breach notification included believing that there would be no benefit to taking protective measures because the “data is already out there”; trusting that “organizations are responsible for protecting [PII] and would address any issues” caused by the breach; “not know[ing] what to do” to mitigate the damage done by the breach; and thinking that “the data breach notice was a scam.” Id. Bizga refers to the broader cynicism that these attitudes reflect as “data breach fatigue.” Id.
[52]. Data Breach Letter in the Mail, Experts Say Be Careful with Next Steps, KOAA News (Colorado) (July 13, 2023), https://www.koaa.com/money/consumer/did-you-get-a-data-breach-letter-in-the-mail-experts-say-be-careful-with-the-next-steps [https://perma.cc/3L43-DELL].
[53]. Id.
[54]. See Ron Shevlin, Another Data Breach, More Credit Monitoring. There’s a Better Solution, Forbes (Aug. 19, 2024), https://www.forbes.com/sites/ronshevlin/2024/08/19/another-data-breach-more-credit-monitoring-theres-a-better-solution/ [https://perma.cc/R3W6-CY4X].
[55]. See id. (“We’ve become numb to data breaches. Many consumers believe that ‘all of my data is already out there,’ so they think there’s nothing to do. And they’ve already been offered credit monitoring 25 times over.”).
[56]. See John Legere, A Letter from CEO John Legere on Experian Data Breach, T-Mobile (Sept. 30, 2015), https://www.t-mobile.com/news/blog/experian-data-breach [https://perma.cc/EM6U-5P86].
[57]. Fedde, supra note 37.
[58]. Id.
[59]. Andrew Keshner, Only 2% of the Equifax Data Breach Victims Have Signed Up for Free Credit Monitoring So Far, MarketWatch (Nov. 1, 2019), https://www.marketwatch.com/story/only-2-of-the-equifax-data-breach-victims-have-signed-up-for-free-credit-monitoring-so-far-2019-10-30 [https://perma.cc/B5HQ-7CR8].
[60]. See FTC Encourages Consumers to Opt for Free Credit Monitoring, as Part of Equifax Settlement, Fed. Trade Comm’n (July 31, 2019), https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-encourages-consumers-opt-free-credit-monitoring-part-equifax-settlement [https://perma.cc/Q7YD-HK5J].
[61]. Beth Pinsker, Consumers Vent Frustration and Anger at Target Data Breach, Reuters (Jan. 13, 2014), https://www.reuters.com/article/us-target-consumers/consumers-vent-frustration-and-anger-at-target-data-breach-idUSBREA0D01Z20140114 [https://perma.cc/4SFZ-M5LQ].
[62]. Sullivan, supra note 50.
[63]. See Kesari, supra note 15, at 218 (reporting that laws enforcing universal data breach disclosure requirements are broadly ineffective, partly because “too many notices may confuse or upset consumers”). Partly for this reason, Kesari advocates allowing breached companies to forgo notifying consumers about breaches if internal “harm analysis” indicates that consumers are unlikely to suffer adverse consequences, which he found to be more effective at reducing rates of subsequent identity theft than blanket notification requirements. Id. at 211. However, Kesari also found that even the most effective breach disclosure laws—requiring investigations of actual risk of subsequent harm, disclosure to state regulators, and avenues for meaningful recourse—decreased subsequent rates of reported identity theft by at most 10 percent. Id. As discussed supra Part I.A, 10 percent is considerably less than the annual growth rate of data breaches and resulting identity thefts.
[64]. See Solove & Hartzog, supra note 1, at 8 (“Breaches set in motion a series of legal responses that often drag on for years and mire organizations in millions of dollars in expenses.”); see also Huang et al., supra note 38.
[65]. IBM Security, Cost of a Data Breach Report 2023, at 10–11 (2023), https://www.ibm.com/reports/data-breach [https://perma.cc/C3F9-N4K7]. The average global cost of security breaches was $4.45 million. Id. Although the report does not explain the United States’ remarkably high costs, it is clear the United States’ approach to data breach is uniquely dysfunctional.
[66]. Id. at 18.
[67]. Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs, IBM Newsroom (July 24, 2023), https://newsroom.ibm.com/2023-07-24-IBM-Report-Half-of-Breached-Organizations-Unwilling-to-Increase-Security-Spend-Despite-Soaring-Breach-Costs [https://perma.cc/M4LV-C8GK].
[68]. IBM Security, supra note 65, at 15.
[69]. 75% of U.S. Consumers Would Stop Purchasing from a Brand If It Suffered a Cyber Incident, Digicert Vercara Rsch. (Dec. 18, 2023), https://vercara.digicert.com/news/vercara-research-75-of-u-s-consumers-would-stop-purchasing-from-a-brand-if-it-suffered-a-cyber-incident [https://perma.cc/ZL7J-F83Z].
[70]. Empirically, the 83 percent of businesses that have experienced a cybersecurity breach in the past year have not all lost 75 percent of their clientele, as that would have produced the worst economic depression in U.S. history. See Huang et al., supra note 38.
[71]. Id.
[72]. Id.
[73]. See John T. Soma, J. Zachary Courson & John Cadkin, Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets, 15 Rich. J.L. & Tech. 11, 26 (2009) (“[P]rivacy regulation in the United States is best described as a haphazard set of industry specific regulations, at both the federal and state level, which frequently overlap and are often contradictory.”).
[74]. See Ani Petrosyan, Estimated Notification Costs of Data Breaches Worldwide in 2018, by Country, Statista (Jan. 9, 2024), https://www.statista.com/statistics/1000126/data-breaches-notification-costs-worldwide/ [https://perma.cc/5DDE-3H67] (showing an estimated average breach notification cost of $740,000 in the United States, which vastly exceeded the average cost of notification compliance in all other regions; the next closest was the Middle East at $300,000).
[75]. IBM Security, supra note 65, at 15.
[76]. Ernst, supra note 47.
[77]. Stewart, supra note 46 (quoting Professor Daniel Solove).
[78]. See Jay P. Kesan & Carol M. Hayes, Liability for Data Injuries, U. Ill. L. Rev. 295, 317 (2019) (“[M]ost compromised data holders do not have the requisite intent for an intentional tort claim. . . . [N]egligence [may] not [be] an appropriate framework” either due to proximate causation or concrete harm elements.).
[79]. Net Diligence, Cyber Claims Study 2022 Report 13 (2022), https://netdiligence.com/wp-content/uploads/2022/10/NetD_2022_Claims_Study_1.0_PUBLIC.pdf [https://perma.cc/Y54P-9CS4].
[80]. See Solove & Hartzog, supra note 1, at 35–38.
[81]. See Soma et al., supra note 73, at 26.
[82]. See Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255, 296 (2005) (advocating for modest innovation in the application of various tort law theories to data breach, while largely embracing the significant limitations on recovery imposed by prevailing understandings of those theories).
[83]. See, e.g., Devin Urness, The Standing of Article III Standing for Data Breach Litigants: Proposing a Judicial and a Legislative Solution, 73 Vand. L. Rev. 1517 (2020); Patrick J. Lorio, Access Denied: Data Breach Litigation, Article III Standing, and a Proposed Statutory Solution, 51 Colum. J.L. & Soc. Probs. 79 (2017); Bradford C. Mank, Data Breaches, Identity Theft, and Article III Standing: Will the Supreme Court Resolve the Split in the Circuits?, 92 Notre Dame L. Rev. 1323 (2017). Unfortunately, all of the thoughtful advocacy for a more permissive interpretation of Article III requirements for data breach has proved unconvincing to the Supreme Court, which proceeded to further heighten those requirements in TransUnion LLC v. Ramirez, 594 U.S. 413, 417–19 (2021) (holding that Article III standing requires that “the asserted harm [have] a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts,” and finding that contamination of plaintiffs’ credit files with information about other people did not meet that requirement). The TransUnion Court rejected the proposition that Article III standing requirements could be relaxed through congressional action, making clear that “the Court will not recognize a congressionally-granted right of action in the absence of plaintiffs suffering a concrete injury.” Christopher M. Deucher, Note, Data Breach Standing: How Plaintiffs May Find Their Footing After TransUnion v. Ramirez, 84 Ohio St. L.J. 37, 38 (2023).
[84]. See Solove & Hartzog, supra note 1, at 17, 111.
[85]. See, e.g., Jordan Glassman, Too Dangerous to Exist: Holding Compromised Internet Platforms Strictly Liable Under the Doctrine of Abnormally Dangerous Activities, 22 N.C. J.L. & Tech. 293, 293 (2020) (proposing to extend the tort doctrine of abnormally dangerous activities to “internet platforms whose inevitable compromises are situated to proximately cause catastrophic economic damages”); James C. Cooper & Bruce H. Kobayashi, Unreasonable: A Strict Liability Solution to the FTC’s Data Security Problem, 28 Mich. Tech. L. Rev. 257, 276 (2002) (proposing that data breach is a market failure that would be best addressed by a strict-liability regulatory approach enforced by the FTC); Opderbeck, supra note 9, at 1066 (arguing that expanding the scope of tort liability to better encompass data breach would “merely [transfer] rents to class action lawyers” and advocating for systemic fixes to be enacted at the federal level).
[86]. See, e.g., Nicolas N. LaBranche, The Economic Loss Doctrine & Data Breach Litigation: Applying the “Venerable Chestnut of Tort Law” in the Age of the Internet, 62 B.C. L. Rev. 1665 (2021).
[87]. Spokeo, Inc. v. Robins, 578 U.S. 330, 333, 341 (2016) (holding that “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right,” and thus that the Fair Credit Reporting Act could not grant a plaintiff standing to seek relief for the inclusion of false information about him in a “people search engine” database without proof of resulting “concrete harm”).
[88]. TransUnion, 594 U.S. at 414 (holding that Article III standing requires “the asserted harm [have] a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts,” and finding that contamination of the plaintiffs’ credit files with information about other people did not meet that requirement) (quoting Spokeo, 578 U.S. at 340).
[89]. Abigail Perdue & Bethany Corbin, An OSM for IoT: Establishing an Office of Special Masters to Resolve Certain Cases Involving the Internet of Things, 124 W. Va. L. Rev. 1, 18 (2021).
[90]. See, e.g., Robert M. Gellman, Can Privacy Be Regulated Effectively on a National Level? Thoughts on the Possible Need for International Privacy Rules, 41 Vill. L. Rev. 129 (1996) (describing the general problem of inconsistencies and conflicts between state and federal data privacy law).
[91]. See Minhquang N. Trang, Compulsory Corporate Cyber-Liability Insurance: Outsourcing Data Privacy Regulation to Prevent and Mitigate Data Breaches, 18 Minn. J.L. Sci. & Tech. 389, 416–17 (2017) (making a strong case for imposing mandatory cyber-liability insurance on all companies that handle sensitive PII, while acknowledging that such a mandate could be imposed only on large companies, as “premiums for coverage are unaffordable” for smaller organizations because they “are more at risk than large corporations due to their inadequate resources”); see also Kevin DiGrazia, Cyber Insurance, Data Security, and Blockchain in the Wake of the Equifax Breach, 13 J. Bus. & Tech. L. 255, 256, 269 (2018) (discussing the “potential benefits of standalone cyber insurance policies as a source of protection in the case of a cyber-attack,” but noting that commercial policies are often written to exclude the biggest and most common breach response costs to protect their own solvency, as “even if there is a robust re-insurance market, a large scale cyber-attack could bankrupt the insurance companies issuing the policies”).
[92]. Kesan & Hayes, supra note 78, at 355 (pointing to workers’ compensation, the VICP, and the 9/11 Victims Compensation Fund as potential models for such an approach).
[93]. Max Meglio, Note, Embracing Insecurity: Harm Reduction Through a No-Fault Approach to Consumer Data Breach Litigation, 61 B.C. L. Rev. 1223, 1264 (2020).
[94]. See DiGrazia, supra note 91, at 269.
[95]. Id.
[96]. This number is based on the 3,200 significant data breaches in the United States in 2023, see Petrosyan, supra note 16, and the current average breach cost of $9.5 million, see IBM Security, supra note 65, at 10–11. See also DiGrazia, supra note 91, at 268–69 (“Based on the nature of cyber events, an exploited vulnerability could have a massive cascading effect causing trillions in insured losses. . . . [A] large cyber incident could potentially trigger all of the cyber insurance policies underwritten by an insurance company, irrespective of geographic location, which would create a situation far worse than other catastrophic losses suffered by the insurance industry from incidents such as Hurricane Katrina.”).
[97]. See DiGrazia, supra note 91, at 268–69.
[98]. See Natalie Todoroff, Limited Home Insurance Options in California as Major Carriers Pull Back, Bankrate (Aug. 12, 2024), https://www.bankrate.com/insurance/homeowners-insurance/carriers-exit-california-home-insurance/#why-are-insurers-limiting-new-policies-in-california [https://perma.cc/G8JG-FPHS] (articulating how the state laws that are designed to keep insurance rates affordable have caused most private insurers to pull out of the California home insurance market altogether because the insurers deem the risks from increasingly intense wildfires to be too high to underwrite without raising premiums beyond the level permitted by state law).
[99]. See id. (describing how the erosion of the private insurance market is dramatically expanding reliance on California’s FAIR plan, the “last-resort home insurance option for homeowners who have been unsuccessful in the private market”).
[100]. See, e.g., Meglio, supra note 93, at 1263 (leaving implementation details for others—the typical position taken by most of the existing literature).
[101]. See, e.g., Data Care Act of 2023, S. 744, 118th Cong. (2023); Online Privacy Act of 2023, H.R. 2701, 118th Cong. (2023) (expressly proposing to establish a “new federal entity . . . the Digital Privacy Agency”). The Online Privacy Act of 2023 has been introduced in substantially the same form in multiple previous sessions as the Online Privacy Act of 2019, H.R. 4978, 116th Cong. (2019); Online Privacy Act of 2021, H.R. 6027, 117th Cong. (2021); Online Privacy Act, H.R. 3175, 115th Cong. (2017); and Consumer Privacy Protection Act of 2017, H.R. 4081, 115th Cong. (2017). Not one of these bills made it out of any committee in the chamber in which it was introduced. See also Kesari, supra note 15, at 217 (summarizing this same history and observing that while “federalism should see the federal government consolidate various state laws after some experimentation . . . congressional gridlock makes it hard to imagine such an effort succeeding with regularity”).
[102]. See, e.g., TransUnion LLC v. Ramirez, 594 U.S. 413, 424–25 (2021), discussed supra notes 83, 88.
[103]. See, e.g., Cmty. Fin. Servs. Ass’n of Am. v. Consumer Fin. Prot. Bureau, 51 F.4th 616 (5th Cir. 2022) (finding that the congressional grant of authority and funding to the Consumer Financial Protection Bureau violated the Appropriations Clause); see also West Virginia v. EPA, 597 U.S. 697, 721, 723 (2022) (holding that the “major questions doctrine” requires “clear congressional authorization” for any federal agency action with “economic and political significance”) (citations omitted).
[104]. See Kesari, supra note 15, at 217 (“In the face of congressional paralysis, the importance of states as policymakers grows even more.”).
[105]. The History of Workers’ Compensation in California, Cal. Applicants’ Att’ys Ass’n, https://www.caaa.org/?pg=HistoryofWC [https://perma.cc/XTS4-2SND].
[106]. Gregory P. Guyton, A Brief History of Workers’ Compensation, 19 Iowa Orthopaedic J. 106, 108 (1999).
[107]. Price V. Fishback & Shawn Everett Kantor, The Adoption of Workers’ Compensation in the United States, 1900–1930, 41 J.L. & Econ. 305, 306 (1998).
[108]. Id. at 314.
[109]. The History of Workers’ Compensation in California, supra note 105.
[110]. The construct of no-fault compensation for worker injury dates back to the dawn of recorded history: Ancient Sumerian law, Hammurabi’s Code, and “Ancient Greek, Roman, Arab, and Chinese law” all provided “sets of compensation schedules, with precise payments for the loss of a body part.” Guyton, supra note 106, at 106. Unfortunately, social safety nets largely disappeared in feudal Europe, and English common law devised an “unholy trinity” of defenses that made it all but impossible for workers to recover any compensation for on-the-job injuries. See id. The doctrines of contributory negligence, assumption of risk, and (to a lesser extent) the fellow servant rule continue to feature prominently in U.S. law to this day and may help to explain the American legal system’s initial skepticism of no-fault insurance schemes. See id. at 108 (“Failed or limited efforts to pass comprehensive workers’ compensation acts were attempted in New York (1898), Maryland (1902), Massachusetts (1908), and Montana (1909).”).
[111]. Ann Clayton, Workers’ Compensation: A Background for Social Security Professionals, 65 Soc. Sec. Bull. 7, 8 (2005).
[112]. See id. (“[O]nly about 17 percent of accidents were due to employer fault. . . . In a few cases, accident victims, their families, or both received substantial payments, but in far more cases no payments were made at all.”).
[113]. Id.
[114]. S.G. Borello & Sons, Inc. v. Dep’t of Indus. Rels., 769 P.2d 399, 406 (Cal. 1989) (in bank).
[115]. Guyton, supra note 106, at 108.
[116]. See Clayton, supra note 111, at 8.
[117]. Guyton, supra note 106, at 108–09.
[118]. Id.
[119]. Id. at 109.
[120]. See Stefan A. Riesenfeld, Efficacy and Costs of Workmen’s Compensation, 49 Calif. L. Rev. 631, 650 (1961).
[121]. Fishback & Kantor, supra note 107, at 309.
[122]. Id.
[123]. Id.
[124]. Job Market Remains Tight in 2019, As the Unemployment Rate Falls to Its Lowest Level Since 1969, U.S. Bureau of Lab. Stats. (April 2020), https://www.bls.gov/opub/mlr/2020/article/job-market-remains-tight-in-2019-as-the-unemployment-rate-falls-to-its-lowest-level-since-1969.htm [https://perma.cc/4CFL-HNCN].
[125]. Griffin T. Murphy, Jay Patel, Leslie I. Boden & Jennifer Wolf, Nat’l Acad. of Soc. Ins., 2021 Workers’ Compensation: Benefits, Coverage, and Costs (2019 Data) 2 (2021), https://www.nasi.org/wp-content/uploads/2021/10/2021-Workers-Compensation-Report-2019-Data.pdf [https://perma.cc/Y99J-2RY2].
[126]. Id.
[127]. Editorial Board, How Lawsuits Cost You $3,600 a Year, Wall St. J. (Dec. 11, 2022), https://www.wsj.com/articles/how-lawsuits-cost-you-3-600-a-year-tort-system-chamber-of-commerce-institute-for-legal-reform-report-11670460820 [https://perma.cc/GGF6-D4M5].
[128]. The Costs and Benefits of Tort Liability, Justia (Oct. 2024), https://www.justia.com/injury/docs/us-tort-liability-primer/costs-and-benefits-of-tort-liability/ [https://perma.cc/5N3M-SERZ].
[129]. Compare id., with Murphy et al., supra note 125. The $63 billion in benefits recovered on $100 billion spent in 2019, as reported by Murphy, would constitute a 37 percent improvement over the tort system’s 46 percent efficiency. Justia reported that “transaction costs are proportionately much smaller in public insurance programs—20 percent nationwide in state workers’ compensation programs . . . .” Justia, supra note 128. An 80 percent recovery rate would constitute a 74 percent improvement over the tort system’s average efficiency.
[130]. About the National Vaccine Injury Compensation Program, Health Res. & Servs. Admin. (June 2025), https://www.hrsa.gov/vaccine-compensation/about [https://perma.cc/CU9Y-CTZJ]; see also National Childhood Vaccine Injury Act of 1986, 42 U.S.C. §§ 300aa-1–300aa-34.
[131]. About the National Vaccine Injury Compensation Program, supra note 130.
[132]. Id.
[133]. Vaccine Injury Compensation Data, Health Res. & Servs. Admin. (June 2025), https://www.hrsa.gov/vaccine-compensation/data [https://perma.cc/WCR6-PY49].
[134]. See Frequently Asked Questions, Health Res. & Servs. Admin. (June 2025), https://www.hrsa.gov/vaccine-compensation/faq [https://perma.cc/8TYH-EDTH] (“VICP is a no-fault compensation program. Generally, petitioners need only show that the injured person received a vaccine set forth in the Vaccine Injury Table . . . . There are no requirements that the petitioner show that the vaccine was used pursuant to Food and Drug Administration labeling or specific Advisory Committee on Immunization Practices or Centers for Disease Control and Prevention administration recommendations, or otherwise was administered pursuant to any standard of care.”).
[135]. The requisite harm to support a claim is defined as an adverse effect that “[l]asted for more than six months after the vaccination; or [r]esulted in inpatient hospitalization and surgical intervention; or [r]esulted in death.” Who Can File a Petition, Health Res. & Servs. Admin. (June 2025), https://www.hrsa.gov/vaccine-compensation/eligible [https://perma.cc/CXB7-779G].
[136]. Vaccine Injury Compensation Data, supra note 133.
[137]. Covered Vaccines, Health Res. & Servs. Admin. (June 2025), https://www.hrsa.gov/vaccine-compensation/covered-vaccines [https://perma.cc/DDA7-NJGY] (identifying covered vaccines as those recommended “for routine administration to children or pregnant women” by the Centers for Disease Control and Prevention).
[138]. Frequently Asked Questions, supra note 134.
[139]. Id.
[140]. Id.
[141]. See Cong. Rsch. Serv., IF12213, The National Vaccine Injury Compensation Program and the Office of Special Masters 1 (2022), https://sgp.fas.org/crs/misc/IF12213.pdf [https://perma.cc/XZU2-8CKE] (“If the petitioner rejects the judgment, he or she is not entitled to money damages but may sue . . . in court for the alleged injury . . . .”).
[142]. See Lauren Gardner, Vaccine Injury Compensation Programs Overwhelmed as Congressional Reform Languishes, Politico (June 1, 2022), https://www.politico.com/news/2022/06/01/vaccine-injury-compensation-programs-overwhelmed-as-congressional-reform-languishes-00033064 [https://perma.cc/KK5C-ATSW] (describing how the VICP has been overwhelmed by claims as its roster of “covered” vaccines has expanded to include the flu vaccine and a few others). As of 2022, the program had a “backlog of cases . . . more than two years long.” Id.; see also National Vaccine Injury Compensation Program Needs Modernizing, Hearing Before the H. Select Subcomm. on the Coronavirus Pandemic, 118th Cong. (2024) (statement of Renée J. Gentry, Director, George Washington University Law School Vaccine Injury Litigation Clinic), https://oversight.house.gov/wp-content/uploads/2024/03/Gentry-Testimony.pdf [https://perma.cc/B82X-2VBD].
[143]. About the National Vaccine Injury Compensation Program, supra note 130.
[144]. Monthly Statistics Report, Health Res. & Servs. Admin. (Nov. 1, 2023), https://www.hrsa.gov/sites/default/files/hrsa/vicp/vicp-stats-11-01-23.pdf [https://perma.cc/R479-3ZBK].
[145]. About the National Vaccine Injury Compensation Program, supra note 130; see also Kevin J. Hickey & Hannah-Alise Rogers, Cong. Rsch. Serv., R46982, Compensation for COVID-19 Vaccine Injuries 7 (2025) (“From implementation of the Program in 1988 through February 1, 2025, 28,292 petitions for compensation have been filed, of which 24,602 have been adjudicated, with 11,659 determined to merit compensation. The Program has paid out more than $5.3 billion in compensation since its inception, and as of September 30, 2024, the Trust fund has a current balance of more than $4.6 billion.”). These figures represent a minute fraction of the annual claims rates and liabilities associated with data breach. See discussion supra Part I.B.
[146]. See National Childhood Vaccine Injury Act of 1986, H.R. 5546, 99th Cong. (1986) (passed by voice vote); S. 1744, 99th Cong., amended by, H. Amdt. 1318, 99th Cong. (1986) (incorporating H.R. 5546, passed by voice vote); Pub. L. No. 99-660, 100 Stat. 3743 (enacting the Act into law upon President Ronald Reagan’s signature).
[147]. About the National Vaccine Injury Compensation Program, supra note 130.
[148]. See, e.g., Public Health Service Act, 42 U.S.C. §§ 247d-6d, 247d-6e (creating the Countermeasures Injury Compensation Program (CICP) to support victims of pandemics while broadly immunizing the implementers of pandemic countermeasures from liability); Air Transportation Safety and Stabilization Act, Pub. L. No. 107-42 (2001) (creating the September 11th Victim Compensation Fund to provide compensation to victims of the 9/11 terrorist attacks, after receipt of which claimants were “barred from pursuing certain lawsuits such as those against the City of New York, the airlines, the airports, the Port Authority of New York and New Jersey, and the security companies involved in the events of September 11”); see also U.S. Dep’t of Just., Off. of the Inspector Gen., The September 11 Victim Compensation Fund of 2001 Audit Report 04-01, at ii (2003), https://oig.justice.gov/reports/plus/a0401/final.pdf [https://perma.cc/ME57-BNT6].
[149]. See Vaccine Injury Compensation Data, supra note 133 (“60% of all compensation awarded by the VICP comes as a result of a negotiated settlement between the parties in which HHS has not concluded, based upon review of the evidence, that the alleged vaccine(s) caused the alleged injury.”).
[150]. See supra Part II.C; see also Hickey & Rogers, supra note 145, at 7 (“By limiting liability exposure for vaccine manufacturers, expanding the availability of compensation for injured parties, and lowering the burden of proof, the Program reduces uncertainty for both injured persons and vaccine manufacturers.”).
[151]. See Trang, supra note 91, at 412 (proposing that data breach would be best addressed by industry-wide cyber-insurance mandates).
[152]. The usage of “system” here is deliberately vague and intended to encompass the entirety of a company’s information technology systems. Companies will have the burden of proving that a breach was contained to one or more specific datasets and that the attackers were not able to jump from those locations to other points in the corporate network. See Alper Kerman, Zero Trust Cybersecurity: ‘Never Trust, Always Verify,’ Nat’l Inst. Standards & Tech.: Taking Measure (Oct. 28, 2020), https://www.nist.gov/blogs/taking-measure/zero-trust-cybersecurity-never-trust-always-verify [https://perma.cc/P64S-66CQ].
[153]. This approach is rooted in the cybersecurity best practice of “zero trust” or “assumed breach” architecture: “[Z]ero trust assumes that the system will be breached and designs security as if there is no perimeter [separating what is and is not compromised]. Hence, don’t trust anything by default, starting with the network.” Id.
[154]. See supra Part I.C.
[155]. See supra Part II.B–C.
[156]. See Am I Eligible for the California Good Driver Discount?, WalletHub (Sept. 17, 2020), https://wallethub.com/answers/ci/california-good-driver-discount-2140722141 [https://perma.cc/U3EH-GXP3] (noting that California law mandates all insurers provide 20 percent discounts to drivers who have clean driving records “for the past 3 consecutive years”).
[157]. Andrew Lopez, 6 Factors Causing Cyber Insurance Rates to Increase, Sequoia Legal: Blog (June 13, 2023), https://sequoialegal.com/blog/factors-causing-cyber-insurance-rates-to-increase [https://perma.cc/736Z-AGNP] (identifying the “Increased Frequency and Severity of Cyber Attacks” as a primary cause of the rapid rise in cyber insurance premiums).
[158]. Demystifying the Cost of Cyber Liability Insurance: Factors that Influence Premiums, Kyber Sec. (Aug. 7, 2024), https://kybersecure.com/demystifying-the-cost-of-cyber-liability-insurance-factors-that-influence-premiums/ [https://perma.cc/R6EJ-XW2S] (“A company’s history of cyber insurance claims also affects premium costs. Companies with multiple claims are considered higher risk by insurers, leading to higher premiums. In contrast, a business with a clean claims record is likely to pay less for cyber liability insurance.”).
[159]. See Mark V. Pauly, Overinsurance and Public Provision of Insurance: The Roles of Moral Hazard and Adverse Selection, 88 Q. J. Econ. 44, 44 (1974) (“[I]n the absence of perfect information [about the likelihood and severity of risks being insured against,] the competitive outcome in markets for insurance may be nonoptimal [and] compulsory public insurance might produce an improvement over the market outcome . . . .”).
[160]. See What Are Insurance Limits?, Progressive, https://www.progressive.com/answers/insurance-limits/ [https://perma.cc/S3DL-3PV8] (“Most insurance policies, including home and auto insurance, have different types of coverages with separate coverage limits,” including per person, per accident, and overall property damage limits.) Additionally, many states give commercial insurers the right to cancel policies mid-term for a wide variety of reasons, including anything that can be described as a “change in the risk” being insured against. See Indep. Agent, Mid-Term Cancellations by State 3 (Aug. 14, 2017), https://www.independentagent.com/wp-content/uploads/2024/04/Mid-Term-Cancellations-by-state.pdf [https://perma.cc/2V3Y-ZAVU].
[161]. See Insuring Your Business: Small Business Owners’ Guide to Insurance, Ins. Info. Inst., https://www.iii.org/publications/insuring-your-business-small-business-owners-guide-to-insurance/specific-coverages/workers-compensation-insurance [https://perma.cc/HA7V-58ZS] (“Unlike other types of insurance, workers comp coverage has no ceiling or limit on the policy amount. . . . High-risk businesses, businesses with a history of many claims and businesses in new industries without a previous industry claims history are [consequently often un]able to get workers comp insurance in the private market.”). Instead, high-risk employers are placed in assigned risk pools run by state-administered insurers of last resort, which impose high premiums, enhanced oversight, and far greater limitations, but which are also guaranteed in the event of a liquidity crisis. Id.
[162]. Clayton, supra note 111, at 9.
[163]. Id.
[164]. Id.
[165]. See Cal. Civ. Code § 3294 (defining criteria for when punitive damages may be awarded in California). One of the core principles underlying this proposal is that data breaches inevitably cause significant consumer harm. Accordingly, there is a strong argument that any company that either lacks sufficient liability insurance to cover its operational risks or advances specious arguments to avoid compensating consumers is engaged in “oppression,” defined by the legislature as “conduct that subjects a person to cruel and unjust hardship in conscious disregard of that person’s rights.” Id.
[166]. See Petrosyan, supra note 74. This figure is further supported by the independent observations that consumer notification constitutes 8 percent of companies’ breach response costs, and those costs currently average $9.5 million. See IBM Security, supra note 65, at 10–11.
[167]. See How Information Is Protected or Disclosed, Cal. Dep’t of Motor Vehicles, https://qr.dmv.ca.gov/portal/driver-education-and-safety/educational-materials/fast-facts/how-your-information-is-shared-ffdmv-17/ [https://perma.cc/83BR-RB29] (describing a wide variety of authorities under which “[s]tate departments [may] request [PII from the department] for legitimate government purposes”). Most relevant to this proposal, the “California Teachers’ Retirement System may request information to obtain correct contact information for retirees.” Id.
[168]. See Petrosyan, supra note 16; supra Part I.A.
[169]. See Editorial Team, Data and Privacy Breaches Fuel Cyber Insurance Claims Surge, Risk & Ins. (Oct. 9, 2024), https://riskandinsurance.com/data-privacy-breaches-fuel-cyber-insurance-claims-surge/ [https://perma.cc/M23B-DMQL] (“Over 1,300 data privacy related class action lawsuits were filed in the U.S. in 2023, more than double the number filed in 2022 and four times that filed in 2021, according to law firm Duane Morris.”).
[170]. See Cal. Lab. Code § 4660.1; see also Cal. Dep’t of Indus. Rel., Schedule for Rating Permanent Disabilities (2005), https://www.dir.ca.gov/dwc/pdr.pdf [https://perma.cc/RQR3-EFD5] (providing detailed tables and formulas for calculating the precise value of particular injuries and combinations of injuries).
[171]. See Hospital Outpatient Payments Lower and Growing Slower in States with Fixed-Amount Fee Schedules, Workers Comp. Rsch. Inst. (May 23, 2024), https://www.wcrinet.org/news/detail/wcri-hospital-outpatient-payments-lower-and-growing-slower-in-states-with-fixed-amount-fee-schedules2 [https://perma.cc/5DCP-STFQ] (“[A] new study from the Workers Compensation Research Institute (WCRI) finds that hospital outpatient payments are lower and growing slower in states with fixed-amount fee schedules.”).
[172]. See Role of the Advisory Committee on Immunization Practices in CDC’s Vaccine Recommendations, Ctrs. for Disease Control & Prevention (Sept. 17, 2024), https://www.cdc.gov/vaccines/acip/committee/role-vaccine-recommendations.html [https://perma.cc/PHP6-KDBQ].
[173]. See, e.g., Soma et al., supra note 73, at 12 (“PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.”).
[174]. See, e.g., IBM Security, supra note 65, at 18 (estimating the business costs associated with the compromise of customer PII, employee PII, intellectual property, and other corporate data).
[175]. See, e.g., Michael Kan, Here’s How Much Your Identity Goes for on the Dark Web, PC Mag. (Nov. 15, 2017), https://www.pcmag.com/news/heres-how-much-your-identity-goes-for-on-the-dark-web [https://perma.cc/JCH9-HVA7] (“Basic stolen identity information on a US citizen, which only includes the Social Security number, full name and birth date, can range from $1 to $8 per person. But in some cases, hackers will package the offering with the victim’s stolen credit card information, and charge from $20 to $75.”); Ravi Sen, Here’s How Much Your Personal Information Is Worth to Cybercriminals—and What They Do with It, PBS (May 14, 2021), https://www.pbs.org/newshour/science/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it [https://perma.cc/GJ8F-9GBN] (reporting that market prices for stolen bank account login information ranged from $25 to $240 in 2021); How Much Is Your Personal Information Worth on the Dark Web?, Geekflare (Jan. 22, 2025), https://geekflare.com/personal-data-on-the-dark-web/ [https://perma.cc/T8C6-89ZU] (“Social media and email accounts vary between $35 and $80. . . . Prices for forged copies of driver’s licenses of different states vary between $20-$100. . . . [A] U.S. valid social security number goes for $2.”).
[176]. Workers’ Compensation Laws: 50-State Survey, Justia (Nov. 2022), https://www.justia.com/workers-compensation/workers-compensation-laws-50-state-survey/ [https://perma.cc/MS6J-RQ5M]; see also Michael Grabell & Lena V. Groeger, Methodology for Workers’ Comp Benefits: How Much Is a Limb Worth?, ProPublica (Mar. 5, 2015), https://www.propublica.org/article/workers-comp-benefits-how-much-is-a-limb-worth-methodology [https://perma.cc/S34G-6Z8E].
[177]. See Cal. Lab. Code § 4660.1(a) (“In determining the percentages of permanent partial or permanent total disability, account shall be taken of the nature of the physical injury or disfigurement, the occupation of the injured employee, and the employee’s age at the time of injury.”).
[178]. See Jamie Wilson, How Much Is Your Data Actually Worth?, Cyber Def. Mag. (July 28, 2022), https://www.cyberdefensemagazine.com/how-much/ [https://perma.cc/NRW2-4WXG] (“When data is safely and securely encrypted, any files a cybercriminal gains access to will be worthless to them without an encryption key.”). Flaws in encryption algorithms and procedures sometimes allow particularly dedicated attackers to unscramble encrypted content, but the time and resources required usually make such decoding economically prohibitive. As a result, organizations “using strong encryption had an average breach cost that was 29.4 [percent] lower than those using low standard or no encryption.” Id.
[179]. These example penalties are based on actual data from criminal marketplaces. See Kan, supra note 175. Full email account access can often be used to identify and break into virtually every account a consumer maintains. See Mat Honan, How Apple and Amazon Security Flaws Led to My Epic Hacking, WIRED (Aug. 6, 2012), https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ [https://perma.cc/77V7-72H5].
[180]. This figure is based in part on the federal cap on consumer financial liability for credit card fraud. 15 U.S.C. § 1643. This classification intentionally overvalues government ID numbers—particularly Social Security numbers, which go for as little as $1 in the criminal market because they are already widely available due to prior breaches. See Kan, supra note 175. Because government ID numbers can be used to execute fraud of enormous magnitude, they should be valued significantly higher than their actual value on the criminal market.
[181]. See, e.g., CWE-327: Use of a Broken or Risky Cryptographic Algorithm, MITRE (June 29, 2023), https://cwe.mitre.org/data/definitions/327.html [https://perma.cc/XZ3M-Z687] (“It is common for an algorithm to be considered ‘unsafe’ even if it was once thought to be strong. This can happen when new attacks are discovered, or if computing power increases so much that the cryptographic algorithm no longer provides the amount of protection that was originally thought.”).
[182]. See, e.g., Chrissy Kidd, Data Encryption Methods & Types: A Beginner’s Guide, Splunk (Oct. 18, 2024), https://www.splunk.com/en_us/blog/learn/data-encryption-methods-types.html [https://perma.cc/U322-Z9W3] (encouraging the use of well-vetted encryption algorithms such as the Advanced Encryption Standard or Triple Data Encryption Standard).
[183]. See Cal. Civ. Code § 1798.150(a)(1) (assuming breach of PII if a victim’s “email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure”).
[184]. See Petrosyan, supra note 16 (reporting that 353 million sets of PII were breached in 2023).
[185]. While the ultimate goal of this proposal would be to retire the regressive principle that consumers must suffer and prove proximate harm to receive compensation for the breach of their PII, temporarily retaining this archaic requirement would protect the nascent DBA from immediately collapsing under the enormous liabilities of the ongoing data breach epidemic.
[186]. This figure is based on the conservative premise that fewer than one in ten of the technology companies incorporated in California would initially choose to participate (even though the program would be open to all companies that do business in the state, regardless of origin). See CompTIA, California Tech Workforce Grows in Depth and Breadth: CompTIA Releases Year in Review State of the Tech Workforce Report, PR Newswire (Mar. 30, 2023), https://www.prnewswire.com/news-releases/california-tech-workforce-grows-in-depth-and-breadth-comptia-releases-year-in-review-state-of-the-tech-workforce-report-301785982.html [https://perma.cc/2723-NNQX] (“There are an estimated 55,868 tech business establishments in the state.”). Of course, not all technology firms directly process PII—but the CPPA’s Data Broker registry indicates that there are over five hundred registered data brokers in the state, and most companies that handle PII do not have to register as data brokers. See Data Broker Registry, Cal. Privacy Prot. Agency, https://cppa.ca.gov/data_broker_registry/ [https://perma.cc/54S9-WNG7] (“A data broker is a business that consumers don’t directly interact with, but that buys and sells information about consumers from other businesses.”). Given the legislature’s demonstrated appetite for regulating data brokers, the DBA could be initially funded by imposing a mandatory insurance requirement solely on this industry.
[187]. DBA premiums could be initially calibrated based on current cyber insurance premiums—and “[i]n 2024, the average amount that businesses spent on cyber insurance was between $1,200 and $7,000 annually, with a median cost of around $2,000 per year.” How Much Does Cyber Insurance Cost in 2025?, Embroker (Feb. 4, 2025), https://www.embroker.com/blog/cyber-insurance-cost/ [https://perma.cc/ZV7S-CZV2].
[188]. This figure is based on the 1.1 million reports of identity theft to the FTC in 2024, the fact that California comprises 11.7 percent of the U.S. population, and a survey finding that approximately 80 percent of data breach victims had no associated out-of-pocket costs. See Caporal, supra note 30; Bruce E. Cain & Preeti Hehmeyer, California’s Population Drain, Stan. Inst. for Econ. Pol’y Rsch. (Oct. 2023), https://siepr.stanford.edu/publications/policy-brief/californias-population-drain [https://perma.cc/UX6G-XCPY]; Ponemon Inst., The Aftermath of a Data Breach: Consumer Sentiment 7 (2014), https://www.ponemon.org/local/upload/file/Consumer%20Study%20on%20Aftermath%20of%20a%20Breach%20FINAL%202.pdf [https://perma.cc/U4XB-XPY6].
[189]. See Loftsgordon, supra note 4.
[190]. See Ponemon Inst., supra note 188, at 7 (noting that among those who suffered any monetary losses, those losses “averaged about $38”).
[191]. See Risk & Ins., supra note 169 (“The frequency of large cyber claims — those in excess of 1 million euros ($1.1 million) — in the first six months of 2024 was up 14% while severity increased by 17% . . . [with the United States] accounting for 72% of large claims . . . .”).
[192]. Indeed, courts have repeatedly found that workers’ compensation boards have made unjust procedural mistakes, and that foreclosing judicial review of such mistakes could threaten the constitutionality of the entire workers’ compensation model. See, e.g., Gangwish v. Workers’ Comp. Appeals Bd., 108 Cal. Rptr. 2d 1, 9 (Cal. Ct. App. 2001) (finding that the workers’ compensation appeals board “rejected the [workers’ compensation judge’s] reasons and introduced its own rationale for the decision,” and that it does not comport with due process for a “decision [to be] based on a completely different theory than presented by the parties, without affording a chance for rebuttal”).
[193]. See Fishback & Kantor, supra note 107, at 313 n.18 (“Workers’ waiving their rights to a lawsuit prior to an accident was central to workers’ compensation’s success.”).
[194]. See Frequently Asked Questions, supra note 134 (“[P]ersons with petitions of vaccine-related injuries or deaths resulting from covered vaccines must first exhaust their remedies under the VICP before they can pursue legal actions against vaccine manufacturers or administrators.”).
[195]. See Cal. Lab. Code § 5952 (stating that workers’ compensation decisions can be reversed for actions “in excess” of the appeals board’s powers and for fraud, unreasonableness, and lack of substantial evidence); id. § 5953 (“The findings and conclusions of the appeals board on questions of fact are conclusive and final and are not subject to review.”).
[196]. See id. § 5813(a) (specifying that “the workers’ compensation referee or appeals board may order a party, the party’s attorney, or both, to pay any reasonable expenses, including attorney’s fees and costs, incurred by another party as a result of bad-faith actions or tactics that are frivolous or solely intended to cause unnecessary delay”).
[197]. See Hickey & Rogers, supra note 145, at 10.
[198]. See Cal. Civ. Code § 3294.
[199]. Cal. Civ. Code §§ 1798.199.40(c), (l).
[200]. Cal. Civ. Code § 1798.150(a)(1).
[201]. Id. § 1798.150(a)(1)(A).
[202]. Id. § 1798.160(b)(1).
[203]. See New York Cent. R.R. Co. v. White, 243 U.S. 188, 204–05 (1917) (“The provision for compulsory compensation, in the act under consideration cannot be deemed to be an arbitrary and unreasonable application of the principle, so as to amount to a deprivation of the employer’s property without due process of law.”).
[204]. See, e.g., Ives v. S. Buffalo Ry. Co., 94 N.E. 431 (N.Y. 1911) (holding that “in its basic and vital features the right given to the employee by this statute, does not preserve to the employer the ‘due process’ of law guaranteed by the Constitutions, for it authorizes the taking of the employer’s property without his consent and without his fault”).
[205]. White, 243 U.S. at 203–04.
[206]. See, e.g., 15 U.S.C. § 1681 (creating the Fair Credit Reporting Act as an administrative and adjudicative mechanism to expedite consumer credit investigations); AT&T Mobility LLC v. Concepcion, 563 U.S. 333, 346 (2011) (upholding the creation of the Federal Arbitration Act as a valid mechanism to compel speedy arbitration despite state concerns about unconscionability).
[207]. See Tim R. Samples, Katherine Ireland & Caroline Kraczon, TL;DR: The Law and Linguistics of Social Platform Terms-of-Use, 39 Berkeley Tech. L.J. 47, 101 (2024) (“[C]onsumers are unlikely to opt-out of arbitration even when directly presented with the option in a prompt.”).
[208]. 42 U.S.C. § 1320d; see also How OCR Enforces the HIPAA Privacy & Security Rules, U.S. Dep’t of Health & Hum. Servs. (Nov. 20, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html [https://perma.cc/R3AP-VU4K] (describing how HIPAA is implemented by HHS’s Office for Civil Rights).
[209]. 15 U.S.C. § 6821; see also FTC Safeguards Rule: What Your Business Needs to Know, Fed. Trade Comm’n (Dec. 2024), https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know [https://perma.cc/4CQ5-N3UF] (describing how the Gramm-Leach-Bliley Act is implemented by the FTC).
[210]. See Spokeo, Inc. v. Robins, 578 U.S. 330, 341 (2016), discussed supra note 87.
[211]. U.S. State Privacy Laws, Elec. Priv. Info. Ctr., https://epic.org/issues/privacy-laws/state-laws/ [https://perma.cc/N5BM-8FAW] (“[F]ederal law only supersedes state and local law that conflicts with or is contrary to federal law.”).
[212]. See Julia Kagan, Subrogation in Insurance: What It Is and Why It’s Important, Investopedia (July 16, 2024), https://www.investopedia.com/terms/s/subrogation.asp [https://perma.cc/VA99-9ALD] (describing how subrogation allows an insurer to “step into the shoes of the policyholder” and thereby assert “the same rights and legal standing as the policyholder when seeking compensation for losses”).
[213]. See United States v. Aetna Cas. & Sur. Co., 338 U.S. 366, 367–68 (1949) (holding that “an insurance company [may] bring suit in its own name . . . upon a claim to which it has become subrogated by payment to an insured who would have been able to bring such an action”). One of the three cases consolidated in this grant of certiorari was a suit by a workers’ compensation insurer to recover for an injury sustained by a worker employed by one of the insurer’s clients. See id. The Court allowed the insurer’s suit to proceed even though the injured employee was not a party to the suit. Id.; see also Guyton, supra note 106, at 108–09 (describing how workers’ compensation schemes generally handle this class of problem: “Employees can sue third parties who may be responsible for their on-the-job injuries, but any proceeds from such suits must first go to reimburse their employer’s compensation insurance carrier”).
[214]. See Charles Kruly, Self-Funding and Agency Independence, 81 Geo. Wash. L. Rev. 1733, 1735–36 (2013) (listing six high-profile federal agencies that are self-funded and indicating that there are “a handful of others”).
[215]. See, e.g., Housing, Cal. Bus. Consumer Servs. & Hous. Agency, https://bcsh.ca.gov/housing/index.html [https://perma.cc/R5W3-ZQVG] (describing the California Housing Finance Agency as “a completely self-supporting agency” whose “bonds are repaid with revenues generated through mortgage loans”). The California Housing Finance Agency periodically receives seed money from the legislature to start new initiatives, which then become self-funded through mortgage servicing fees and interest. See Tomiquia Moss & Rebecca Franklin, 2024 California Dream for All Annual Report, Cal. Hous. Fin. Agency 7 (2025), https://www.calhfa.ca.gov/about/press/reports/DFA-report-2025-01.pdf [https://perma.cc/LM38-VZCW] (“The 2023-24 State Budget provided $20 million in addition to the remaining $200 million from the 2022-23 state budget to support Phase 2 of the Dream For All program. . . . Additional funds generated by [program] earnings will also be deployed in Phase 2.”).
[216]. See, e.g., Cal. Civ. Code § 1798.160(b)(1) (allocating all funds received by the Consumer Privacy Fund first to “offset[ting] any costs incurred by the state courts, the California Privacy Protection Agency, and the Attorney General in connection with this title”). This language could be expanded to require gradual reimbursement of any initial legislative outlays required to create the DBA.
[217]. See, e.g., Marinotti, supra note 4, at 172 (“Th[e] rapid expansion of the datasphere will only further cement the need for data governance strategies that successfully balance scientific innovation, economic prosperity, personal privacy, and individual autonomy, among the many other interests at stake . . . .”).
[218]. See Bizga, supra note 51.
[219]. See, e.g., Welcome to the Equifax Data Breach Settlement Website, Equifax Data Breach Settlement, https://www.equifaxbreachsettlement.com/ [https://perma.cc/V5QG-H7VL] (describing precisely such a bifurcated structure offering “payments for time spent and alternative compensation of up to $125 . . . distributed on a proportional basis,” in addition to separate “reimbursement for valid Out-of-Pocket losses or Time Spent”).
[220]. See supra Part III.B.