Skip to content

“Key” Tam: Giving Teeth to Federal Data Security Enforcement

December 31, 2024

By BRANDON STOTTLER. Full Text.

Data breaches wreak havoc on data-handling entities, weigh heavily on the minds and hearts of breach victims, and elude the efforts of regulators and scholars alike. Since 2005, declared the “Year of the Data Breach,” every year has seen an increase in the number and impact of breaches. Data breaches cost United States companies billions of dollars, undermine consumer confidence, exacerbate geopolitical tensions, increase anxiety, and even result in bodily harm and death. Nevertheless, a suitable federal framework has yet to be enacted to address the perennial problem. Though the data breach epidemic may seem like a recent phenomenon—a biproduct of the current data-dependent internet society—data privacy and security concerns have existed as early as the first United States Census. Through a process of innovation- and-response, the regulatory framework has developed into a haphazard patchwork of industry-specific standards that baffle both entities and consumers. Meanwhile, attempts to recover damages through civil actions are rarely successful in the face of procedural barriers, and the majority of federal data breach enforcement comes under a century-old law.

This Note proposes that qui tam—an enforcement mechanism that allows private individuals called “relators” to sue on behalf of the Government to vindicate public rights—would serve to address many of the issues that plague data breach enforcement. This Note argues that qui tam mechanisms should be included in federal data security legislation to properly address the underenforcement issues and barriers to successful litigation that allow the age of the data breach to rage on. It further analyzes the current use of qui tam mechanisms in the False Claims Act as recently applied to government data contractors. Finally, it proposes two possible applications of qui tam: first, applying qui tam to a data security statute under a theory of the relator as an agent of the Government; and second, applying qui tam under the theory of the relator as a partial assignee of the Government’s claim. These proposals allow for better oversight and enforcement of data security standards to put the age of the data breach in society’s rearview mirror.