Student Blog: The Status of Data Breach Law in Light of Capital One

by Zhiyao Li, RBFL Student Editor


In August 2019, Capital One announced that a hacker had illegally accessed and obtained one-hundred million Capital One credit card users and applicants’ personal information in the United States. The compromised personal information included customer names, addresses, phone numbers, email addresses, dates of birth, credit scores, payment history, and transaction data. The unauthorized individual also obtained about 140,000 social security numbers as well as 80,000 linked bank account numbers. One million Canadian customers were also affected.

A misconfiguration in Capital One’s firewall allowed the intruder to reach and obtain the user data stored by Capital One on Amazon Web Services. This incident draws parallels to the Equifax incident in 2017, which exposed the names and social security numbers of about 146 million people. Equifax, one of three major credit reporting agencies in the US, ended up paying a global settlement of up to $425 million to help victims recover from the incident.

Data breaches have become the “new normal” in the past decade. In 2017, there were 1,579 data breaches in the United States, a 44.7% increase over the number reported in 2016. Specifically, 8.5% of the total number of breaches in 2017, amounting to 134 incidents, were within the banking, credit, and financial sector. The harm of data breach usually lies in the increased risk of financial harm and anxiety: while victims of data breach incidents suffer from the exposure of their privacy, they could also fall prey to identity theft and financial fraud that cause substantial economic losses at an indefinite point of time in the future. 

The current framework of data breach law tilts heavily towards state law as few federal laws addressing the issue have been enacted. At the time of the Capital One incident, all fifty states and territories had data breach notification laws requiring business to notify affected individuals. These laws, however, generally lacked specificity when it comes to reporting standards. For example, neither New York nor California’s data notification laws impose a strict timeline for reporting incidents. The laws in both states only state that “disclosure shall be made in the most expedient time possible and without unreasonable delay.” In contrast, the General Data Protection Regulation (GDPR) in Europe has a strict 72-hour requirement for reporting data breaches. Non-compliance of the GDPR could also lead to massive fines of several hundred million dollars – a much severe penalty than current US laws would impose.

In 2019, more than twenty states are considering amendments to strengthen existing data breach laws. Most of the proposed laws would expand the definitions of personal information, shorten the timeframe for reporting data breach incidents, requiring businesses to report incidents to the state officials, and requiring businesses to provide free credit freezes or identity theft protection. If these proposals become enacted, they would provide much stronger incentives for businesses to actively prevent and respond to data breaches in the future in a timely and efficient manner, among other things. While the data protection laws in the US are still lagging behind Europe, these new proposals represent a significant step closer to the GDPR standards.



Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 Tex. L. Rev.  737, 737 (2018).

Identity Theft Res. Ctr., 2017 Annual Data Breach Year-End Review. (Feb. 8, 2017),

Information on the Capital One Cyber Incident, Capital One Fin. Corp.(Aug. 4, 2019, 9:30 PM),

Security Breach Notification Laws, Nat’l Conference of State Legislatures (Sept. 29, 2018),

2019 Security Breach Legislation, Nat’l Conference of State Legislatures(July 26, 2019),

Jack Lu, Assessing The Cost, Legal Fallout of Capital One Data Breach, Law360(Aug. 15, 2019),

2017 Cybersecurity Incident & Important Consumer Information,Equifax,

Equifax Data Breach Settlement, Fed. Trade Comm’n(Sept. 2019),

Art. 33 GDPR Notification of a personal data breach to the supervisory authority,Intersoft Consulting,

GDPR Fines / Penalties, Intersoft Consulting,

N.Y. Gen. Bus. Law§ 899-aa (Consol. 2019).

Cal. Civ. Code§ 1798.29 (Deering 2019).

  1. Assemb. 1387, 2019-2020 Reg. Sess. (N.Y. 2019).
  2. Assemb. 1035, 2019-2020 Reg. Sess. (Cal. 2019).
  3. Assemb. 1130, 2019-2020 Reg. Sess. (Cal. 2019).
  4. H. 4390, 86th Leg., 2019-2020 Reg. Sess. (Tex. 2019).

General Assemb. 270, 2019-2020 Reg. Sess. (Pa. 2019).

View all posts