Full-Text Articles in Law
That Was Close! Reward Reporting Of Cybersecurity “Near Misses”, Jonathan Bair, Steven M. Bellovin, Andrew Manley, Blake Reid, Adam Shostack
Publications
Building, deploying, and maintaining systems with sufficient cybersecurity is challenging. Faster improvement would be valuable to society as a whole. Are we doing as much as we can to improve? We examine robust and long-standing systems for learning from near misses in aviation, and propose the creation of a Cyber Safety Reporting System (CSRS).
To support this argument, we examine the liability concerns which inhibit learning, including both civil and regulatory liability. We look to the way in which cybersecurity engineering and science is done today, and propose that a small amount of ‘policy entrepreneurship’ could have substantial positive impact. …
Cybersecurity Stovepiping, David Thaw
Articles
Most readers of this Article probably have encountered – and been frustrated by – password complexity requirements. Such requirements have become a mainstream part of contemporary culture: "the more complex your password is, the more secure you are, right?" So the cybersecurity experts tell us… and policymakers have accepted this "expertise" and even adopted such requirements into law and regulation.
This Article asks two questions. First, do complex passwords actually achieve the goals many experts claim? Does using the password "Tr0ub4dor&3" or the passphrase "correcthorsebatterystaple" actually protect your account? Second, if not, then why did such requirements become so widespread? …
Health Information Equity, Craig Konnoth
Publications
In the last few years, numerous Americans’ health information has been collected and used for follow-on, secondary research. This research studies correlations between medical conditions, genetic or behavioral profiles, and treatments, to customize medical care to specific individuals. Recent federal legislation and regulations make it easier to collect and use the data of the low-income, unwell, and elderly for this purpose. This would impose disproportionate security and autonomy burdens on these individuals. Those who are well-off and pay out of pocket could effectively exempt their data from the publicly available information pot. This presents a problem which modern research ethics …
Standing After Snowden: Lessons On Privacy Harm From National Security Surveillance Litigation, Margot E. Kaminski
Publications
Article III standing is difficult to achieve in the context of data security and data privacy claims. Injury in fact must be "concrete," "particularized," and "actual or imminent"--all characteristics that are challenging to meet with information harms. This Article suggests looking to an unusual source for clarification on privacy and standing: recent national security surveillance litigation. There we can find significant discussions of what rises to the level of Article III injury in fact. The answers may be surprising: the interception of sensitive information; the seizure of less sensitive information and housing of it in a database for analysis; and …
The Privacy Policymaking Of State Attorneys General, Danielle K. Citron
Faculty Scholarship
Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals. Crucial agents of regulatory change, however, have been ignored: the state attorneys general. This article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources — first interviewing state attorneys general and current and former career staff, and then examining documentary evidence received through FOIA requests submitted to AG offices around the country.
Much as Justice Louis Brandeis imagined states as laboratories of the law, offices …
Data Breaches, Identity Theft And Article III Standing: Will The Supreme Court Resolve The Split In The Circuits, Bradford Mank
Faculty Articles and Other Publications
In data breach cases, the lower federal courts have split on the question of whether the plaintiffs meet Article III standing requirements for injury and causation. In its 2013 decision Clapper v. Amnesty International USA, the Supreme Court, in a case involving alleged electronic surveillance by the U.S. government’s National Security Agency, declared that a plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are “certainly impending.” Since the Clapper decision, a majority of the lower federal courts addressing “lost data” or potential identity theft cases in which there is …
Trending @ Rwulaw: Professor Peter Margulies's Post: Cybersecurity: A 'Must-Know' For Lawyers And Citizens, Peter Margulies
Law School Blogs
No abstract provided.
Newsroom: FCC's Sohn On Consumer Protection, Roger Williams University School Of Law
Life of the Law School (1993- )
No abstract provided.
Empirical Analysis Of Data Breach Litigation, Sasha Romanosky, David A. Hoffman, Alessandro Acquisti
All Faculty Scholarship
In recent years, many lawsuits have been filed by individuals seeking legal redress for harms caused by the loss or theft of their personal information. However, very little is known about the drivers, mechanics, and outcomes of those lawsuits, making it difficult to assess the effectiveness of litigation at balancing organizations’ usage of personal data with individual privacy rights. Using a unique and manually-collected database, we analyze court dockets for over 230 federal data breach lawsuits from 2000 to 2010. We investigate two questions: Which data breaches are being litigated, and which data breach lawsuits are settling. Our results suggest …