I've posted a draft of my latest paper, Government Data Breaches to SSRN.
This paper addresses the legal response to data breaches in the US public sector. Private data held by the government is often the result of legally required disclosures or of participation in formally optional licensing or benefit schemes where the government is as a practical matter the only game in town. These coercive or unbargained-for disclosures impute a heightened moral duty on the part of the government to exercise careful stewardship over private data. But the moral duty to safeguard the data and to deal fully and honestly with the consequences of failing to safeguard them is at best only partly reflected in current state and federal statute law and regulations. The paper begins with an illustrative survey of federal data holdings, known breach cases, and the extent to which the government’s moral duty to safeguard our data is currently instantiated in statute law and, increasingly, in regulation.
I then argue that the government’s duty to safeguard private data has a Constitutional foundation, either free-standing or based in Due Process, at least in cases where the government failed to take reasonable precautions to safeguard the data. This right is separate from any informational privacy rights that constrain the government's ability to acquire personal or corporate information. The key is Chief Justice Rhenquist’s opinion in DeShaney.
Under the DeShaney logic, victims of many governmental privacy breaches should have a claim against states under § 1983. Similar constitutional claims against the federal government would require a Bivens action but this is unlikely to work under current doctrine. As a result, persons injured by federal data breaches will have substantially inferior remedies available to them than will victims of state errors. And even when suing a state, however, the provision of effective remedies may be hampered by arguments based on governmental immunity, and the problem of valuing the harms caused by a breach.
It's forthcoming in the Berkeley Technology Law Journal