Data Breach Notification Laws as a Preventive Approach to Identity-Related Crimes:
Lessons from the US for Thailand’s Data Privacy Laws
Private sector organizations have increasingly collected the personal data of their customers in the course of conducting business. However, a “data breach” can occur when there is unauthorized access to personal data stored by business entities. Such a breach can lead to cybercrimes such as identity theft, identity fraud and other identity-related crimes, resulting in financial and reputational losses for both firms and customers. In response to data breach events, several U.S. states have enacted statutes or specific laws imposing responsibilities on firms to notify their customers when a data breach occurs. Although there are negative effects, data breach notification laws lead to positive results for both firms and individual customers. For instance, these laws cause firms to take preventive measures to protect personal data. In addition, they enable individuals to be aware of a breach and take preventive measures of their own that could reduce identity-related crimes. In contrast to these state laws, this paper found that Thailand’s legal system provides no specific laws regarding “data breach notification”. Although Thailand has several laws relating to the protection of personal data, e.g., the Credit Information Business Act and the Official Information Act, this paper indicates that these laws are insufficient and inappropriate as a preventive approach to identity-related crimes. Thus, this paper’s main recommendation is the enactment of a specific law that incorporates a “data breach notification” principle, using the state laws of the U.S. as a model, to protect the right to privacy in cases where personal data is abused by identity-related criminals.