Open Access. Powered by Scholars. Published by Universities.®

Privacy Law Commons

Articles 1 - 23 of 23

Full-Text Articles in Privacy Law

Integrating NIST And ISO Cybersecurity Audit And Risk Assessment Frameworks Into Cameroonian Law, Bernard Ngalim Oct 2023

Journal of Cybersecurity Education, Research and Practice

This paper reviews cybersecurity laws and regulations in Cameroon, focusing on cybersecurity and information security audits and risk assessments. The importance of cybersecurity risk assessment and the implementation of security controls to cure deficiencies noted during risk assessments or audits is a critical step in developing cybersecurity resilience. Cameroon's cybersecurity legal framework provides for audits but does not explicitly enumerate controls. Consequently, integrating relevant controls from the NIST frameworks and ISO Standards can improve the cybersecurity posture in Cameroon while waiting for a comprehensive revision of the legal framework. NIST and ISO are internationally recognized as best practices in information …


Small Business Cybersecurity: A Loophole To Consumer Data, Matthew R. Espinosa May 2022

The Scholar: St. Mary's Law Review on Race and Social Justice

Small businesses and small minority owned businesses are vital to our nation’s economy; therefore legislation, regulation, and policy has been created in order to assist them in overcoming their economic stability issues and ensure they continue to serve the communities that rely on them. However, there is not a focus on regulating nor assisting small businesses to ensure their cybersecurity standards are up to par despite them increasingly becoming a victim of cyberattacks that yield high consequences. The external oversight and assistance is necessary for small businesses due to their lack of knowledge in implementing effective cybersecurity policies, the fiscal …


The Rise Of 5G Technology: How Internet Privacy And Protection Of Personal Data Is A Must In An Evolving Digital Landscape, Justin Rabine Jan 2022

Catholic University Journal of Law and Technology

No abstract provided.


Platforms, Encryption, And The CFAA: The Case Of WhatsApp v. NSO Group, Jonathon Penney, Bruce Schneier Jan 2022

Articles, Book Chapters, & Popular Press

End-to-end encryption technology has gone mainstream. But this wider use has led hackers, cybercriminals, foreign governments, and other threat actors to employ creative and novel attacks to compromise or work around these protections, raising important questions as to how the Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking statute, is best applied to these new encryption implementations. Now, after the Supreme Court recently narrowed the CFAA’s scope in Van Buren and suggested it favors a code-based approach to liability under the statute, understanding how best to theorize sophisticated code-based access barriers like end-to-end encryption, and their circumvention, is now …


A Deep Dive Into Technical Encryption Concepts To Better Understand Cybersecurity & Data Privacy Legal & Policy Issues, Anthony Volini Jul 2021

Journal of Intellectual Property Law

Lawyers wishing to exercise a meaningful degree of leadership at the intersection of technology and the law could benefit greatly from a deep understanding of the use and application of encryption, considering it arises in so many legal scenarios. For example, in FTC v. Wyndham the defendant failed to implement nearly every conceivable cybersecurity control, including lack of encryption for stored data, resulting in multiple data breaches and a consequent FTC enforcement action for unfair and deceptive practices. Other examples of legal issues requiring use of encryption and other technology concepts include compliance with security requirements of GLBA & HIPAA, …


What's The Harm? Federalism, The Separation Of Powers, And Standing In Data Breach Litigation, Grayson Wells Apr 2021

Indiana Law Journal

This Comment will argue that the Supreme Court should analyze standing in data breach litigation under a standard that is deferential to state statutory and common law. Specifically, federal standing analysis should look to state law when determining whether an injury is concrete such that the injury-in-fact requirement is met. Some argue that allowing more data breach cases to proceed to the merits could lead to an explosion of successful litigation and settlements, burdening the federal courts and causing economic losses for the breached businesses. These concerns may be valid. But if state law provides a remedy to the harm …


EU Privacy Law And U.S. Surveillance: Solving The Problem Of Transatlantic Data Transfers, Peter Margulies Mar 2021

Law Faculty Scholarship

No abstract provided.


Regulating Personal Data Usage In COVID-19 Control Conditions, Mark Findlay, Nydia Remolina May 2020

Centre for AI & Data Governance

As the COVID-19 health pandemic ebbs and flows world-wide, governments and private companies across the globe are utilising AI-assisted surveillance, reporting, mapping and tracing technologies with the intention of slowing the spread of the virus. These technologies have capacity to amass and share personal data for community control and citizen safety motivations that empower state agencies and inveigle citizen co-operation which could only be imagined outside times of real and present personal danger. While not cavilling with the short-term necessity for these technologies and the data they control, process and share in the health regulation mission (provided that the technology …


The (Possibly) Injured Consumer: Standing In Data Breach Litigation, Lauren M. Lozada Jan 2020

St. John's Law Review

(Excerpt)

This Note will address the question of what factors a prospective plaintiff must display to “push [a] threatened injury of future identity theft beyond the speculative to the sufficiently imminent.” Part I will delve into relevant statistics to identify the characteristics of a data breach that most often lead to eventual identity theft. Part II will explore recent data breach standing cases and analyze the factual differences and legal perspectives that have led to disparate results among the federal circuits. Lastly, Part III will recommend a method for evaluating future data breach standing issues.


The Survival Of Critical Infrastructure: How Do We Stop Ransomware Attacks On Hospitals?, Helena Roland Jan 2020

Catholic University Journal of Law and Technology

Our nation’s infrastructure is under an emerging new threat: ransomware attacks. These attacks can cause anything from individual laptops, to entire cities to shut down for a period of time until the victim pays a ransom to the attacker. Unfortunately, these attacks are on the rise and the attackers have a new target: hospitals. Ransomware attacks on hospitals can temporarily shut down operating room technology and limit physician access to patient files, ultimately threatening the safety of hospital patients and the surrounding community. This paper examines how the threat of ransomware attacks on hospitals is on the rise and what …


Internet Of Things For Sustainability: Perspectives In Privacy, Cybersecurity, And Future Trends, Abdul Salam Jan 2020

Faculty Publications

In the sustainability IoT, the cybersecurity risks to things, sensors, and monitoring systems are distinct from the conventional networking systems in many aspects. The interaction of sustainability IoT with the physical world phenomena (e.g., weather, climate, water, and oceans) is mostly not found in the modern information technology systems. Accordingly, actuation, the ability of these devices to make changes in real world based on sensing and monitoring, requires special consideration in terms of privacy and security. Moreover, the energy efficiency, safety, power, performance requirements of these devices distinguish them from conventional computer systems. In this chapter, the cybersecurity approaches towards …


Protecting Personal Data: A Model Data Security And Breach Notifications Statute, Michael Bloom May 2019

St. John's Law Review

(Excerpt)

This Note argues that current law is inadequate to protect consumers in light of the prevalence and severity of data breaches in recent years, and that a unifying federal legislation combining portions of state law and the DSBNA should be enacted. Part I of this Note analyzes the DSBNA for notification requirements when data breaches occur, the requirements for the implementation of security policies, regulatory mechanisms for monitoring compliance with these requirements, and criminal penalties for failing to comply. Part II summarizes the various state laws that exist for notification of data breaches. Part III proposes a model federal …


Data Protection In An Increasingly Globalized World, Nicholas F. Palmieri III Jan 2019

Indiana Law Journal

With the rise of the internet in recent decades, it has become increasingly easy for various enterprises—including retailers, advertising agencies, and service providers—to acquire, use, and even share the personal details of their users. Such a trend is unlikely to decrease in the coming years; in fact, internet usage is only likely to increase as more and more people gain access to the internet. In the wake of recent data breaches, including the now infamous breach of Equifax as well as the scandal involving Facebook and Cambridge Analytica, people are even more aware of the need for (and the risk of …


Risk And Anxiety: A Theory Of Data Breach Harms, Danielle K. Citron, Daniel Solove Mar 2018

Faculty Scholarship

In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their claims are viable. Plaintiffs have argued that data breaches create a risk of future injury from identity theft or fraud and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge, resulting in a lack of consensus …


NG9-1-1, Cybersecurity, And Contributions To The Model Framework For A Secure National Infrastructure, Andrew Jackson Coley Jan 2018

Catholic University Journal of Law and Technology

9-1-1 call networks form the foundation of emergency communications infrastructure. However, a lack of funding and taking such networks for granted has led to a gradual yet predictable outdating of this critical infrastructure. Fortunately, recent efforts have acknowledged as such, and dedicated public safety officials have worked to update 9-1-1 systems to Next Generation 9-1-1 (NG9-1-1).
NG9-1-1 is an IP-based network with 21st century technology capable of handling increased call volume, more resilient networks, and providing significantly more data to first responders, among a litany of other advancements. With this much needed advancement comes the responsibilities of ensuring a secure …


Data Collection And The Regulatory State, Ahmed Ghappour Sep 2017

Faculty Scholarship

The following remarks were given on January 27, 2017 during the Connecticut Law Review’s symposium, “Privacy, Security & Power: The State of Digital Surveillance.” Hillary Greene, the Zephaniah Swift Professor of Law at the University of Connecticut School of Law, offered introductory remarks and moderated the panel. The panel included Dr. Cooper, Associate Professor of Law and Director of the Program on Economics & Privacy at Antonin Scalia Law School at George Mason University, Professor Ghappour, Visiting Assistant Professor at UC Hastings College of the Law, Attorney Lieber, Senior Privacy Policy Counsel at Google, and Dr. Wu, Professor of Law …


Automating Threat Sharing: How Companies Can Best Ensure Liability Protection When Sharing Cyber Threat Information With Other Companies Or Organizations, Ari Schwartz, Sejal C. Shah, Matthew H. Mackenzie, Sheena Thomas, Tara Sugiyama Potashnik, Bri Law Jun 2017

University of Michigan Journal of Law Reform

This Article takes an in-depth look at the evolution of cybersecurity information sharing legislation, leading to the recent passage of the Cybersecurity Information Sharing Act (CISA) and offers insights into how automated information sharing mechanisms and associated requirements implemented pursuant to CISA can be leveraged to help ensure liability protections when engaging in cyber threat information sharing with and amongst other non-federal government entities.


Enhancing Cybersecurity In The Private Sector By Means Of Civil Liability Lawsuits - The Connie Francis Effect, Jeffrey F. Addicott Mar 2017

University of Richmond Law Review

The purpose of this article is to explore the threats posed by cybersecurity breaches, outline the steps taken by the government to address those threats in the private sector economy, and call attention to the ultimate solution, which will most certainly spur private businesses to create a more secure cyber environment for the American people--a Connie Francis-styled cyber civil action lawsuit.


Standing After Snowden: Lessons On Privacy Harm From National Security Surveillance Litigation, Margot E. Kaminski Jan 2017

Publications

Article III standing is difficult to achieve in the context of data security and data privacy claims. Injury in fact must be "concrete," "particularized," and "actual or imminent"--all characteristics that are challenging to meet with information harms. This Article suggests looking to an unusual source for clarification on privacy and standing: recent national security surveillance litigation. There we can find significant discussions of what rises to the level of Article III injury in fact. The answers may be surprising: the interception of sensitive information; the seizure of less sensitive information and housing of it in a database for analysis; and …


Cybersecurity Stovepiping, David Thaw Jan 2017

Articles

Most readers of this Article probably have encountered – and been frustrated by – password complexity requirements. Such requirements have become a mainstream part of contemporary culture: "the more complex your password is, the more secure you are, right?" So the cybersecurity experts tell us… and policymakers have accepted this "expertise" and even adopted such requirements into law and regulation.

This Article asks two questions. First, do complex passwords actually achieve the goals many experts claim? Does using the password "Tr0ub4dor&3" or the passphrase "correcthorsebatterystaple" actually protect your account? Second, if not, then why did such requirements become so widespread? …


Submarine Cables, Cybersecurity And International Law: An Intersectional Analysis, Tara Davenport Dec 2015

Catholic University Journal of Law and Technology

No abstract provided.


Authorized Investigation: A Temperate Alternative To Cyber Insecurity, Casey M. Bruner Jul 2015

Seattle University Law Review

This Note aims to show that legal structures created to protect the Internet in its original form are completely insufficient to protect what the Internet has become. This antiquated legal framework is exacerbating the problem. The breadth of activity that the current law restricts severely limits the remedies that cyberattack victims can pursue, and it must be updated. While full hack-back may prove necessary in the long run, I argue for a more temperate initial response to the problem—I call this response “authorized investigation.” Specifically, the Computer Fraud and Abuse Act should be amended to allow victims access to their …


Drawing The Line Between Competing Interests: Strengthening Online Data Privacy Protection In An Increasingly Networked World, Lori Chiu Mar 2013

San Diego International Law Journal

This article seeks to elucidate these issues and provide a roadmap for the U.S. government to create unified federal laws to provide the private sector with specific protocols regarding use and dissemination of consumer personal information. First, this article will provide an explanation of the U.S.’s current sector-by-sector approach to regulating personally identifying information and will provide a case study of the Federal Trade Commission’s (“FTC”) enforcement action against a social networking site in 2011 as one example of the FTC’s recent efforts at regulating online privacy. Next, this article will analyze the U.S.’s current challenge of judicial enforcement of …