Avoiding the Siren Call of the Clock in “Unreasonable Delay” Data Breach Notification Cases

Posted on by CLR Editor

The Chapman Law Review is proud to publish Evan Yahng’s article: Avoiding the Siren Call of the Clock in “Unreasonable Delay” Data Breach Notification Cases. Below, you will find the abstract from the article.

Avoiding the Siren Call of the Clock in “Unreasonable Delay” Data Breach Notification Cases

By Evan Yahng

Abstract

As online personally identifiable information (“PII”), data breaches, the blockchain, Artificial Intelligence, and other trends in the cyber ecosystem proliferate exponentially, courts are having to confront legal questions about data privacy that past courts kicked down the road. One such question that courts and scholars have yet to properly interrogate is what constitutes “unreasonable delay” in violation of state data breach notification statutes.

All fifty states, the District of Columbia, Puerto Rico, the Virgin Islands, and Guam have laws requiring companies that hold data to provide notice to data subjects in the event such data is compromised. But courts have been able to punt on the question of delay until now because statutory data breach litigation often dies early, either because the statute does not provide a cause of action, or because the harm is too speculative to support a cause of action in negligence. With courts recognizing more statutory causes of action and more harms in negligence, the time to answer the question has come. Indeed, a massive number of courts addressed allegedly unreasonably delayed data breach notices in 2024.

A substantial number of those courts made a grave error when they denied motions to dismiss solely because precedent in their jurisdictions held that a given number of days was prima facie unreasonable. I argue in this article that this approach misunderstands the purpose of data breach notification laws and leads to undesirable results including costly liability for companies and risks to individual consumers’ identities. After sampling some of these 2024 cases, I explain the myriad problems of relying on the clock as the sole indicator of reasonableness. Finally, I suggest courts follow a more practically and doctrinally desirable approach whereby they examine defendants’ post-breach investigation to determine whether any delay was unreasonable.