Section 1798.82 requires computer database operators to disclose security breaches involving personal data information to both the subjects of the data and the owners of the personal data. However, this commentary views Section 1798.82 with apprehension, but takes the position that much broader duties to disclose such breaches are already in place. This article begins with a discussion about legislation that expressly require disclosure of computer security breaches, such as Section 1798.82 and Article 4 of the European Union Telecommunications and Electronic Communications Privacy Directives. Then it follows with a discussion about legislation and common law that implicitly requires disclosure of computer security breaches. The article notes that the these legislation that explicitly require disclosure may not be as groundbreaking as they are now perceived because such disclosure requirements are already implicitly present in other existing legislation that do not expressly require disclosure. There is discussion about current existing American, British, and other commonwealth laws and how these laws deal with the restrictions placed upon disclosure of data.
Ethan Preston & Paul Turner, The Global Rise of a Duty to Disclose Information Security Breaches, 22 J. Marshall J. Computer & Info. L. 457 (2004)