Open Access. Powered by Scholars. Published by Universities.®

Law Commons

Journal

Data security

Articles 1 - 30 of 50

Full-Text Articles in Law

Understanding Cyber Risk: Unpacking And Responding To Cyber Threats Facing The Public And Private Sectors, Lawrence J. Trautman, Scott Shackelford, Brian Elzweig, Peter Ormerod Apr 2024

University of Miami Law Review

Cyberattacks, data breaches, and ransomware continue to pose major threats to businesses, governments, and health and educational institutions worldwide. Ongoing successful instances of cybercrime involve sophisticated attacks from diverse sources such as organized crime syndicates, actors engaged in industrial espionage, nation-states, and even lone wolf actors having relatively few resources. Technological innovation continues to outpace the ability of U.S. law to keep pace, though other jurisdictions including the European Union have been more proactive. Nation-state and international criminal group ransomware attacks continue; Sony’s systems were hacked by a ransomware group; MGM Resorts disclosed that recovery from their September 2023 hack …


Comparing GDPR Against The United States’ Approach To Data Breach Notification By Examining Texas And California And The Feasibility Of A Universal Standard, Amrit Nagi Jan 2024

Cybaris®

No abstract provided.


The Future Of China's U.S.-Listed Firms: Legal And Political Perspectives On Possible Decoupling, Rebecca Parry, Qingxiu Bu Apr 2023

William & Mary Business Law Review

There is a long history of Chinese firms raising capital on leading U.S. exchanges. These shares have proved attractive and are estimated at $1 trillion value, in spite of deep mismatches between Chinese internal approaches to corporate governance and those taken under U.S. securities regulations. Chinese listings of nonstate firms, particularly in the technology sector, had depended on a largely laissez-faire initial approach to the expansion through foreign listings, including tolerance of the opaque Variable Interest Entity (VIE) structures adopted as a means to bypass Chinese restrictions on foreign ownership. Concerns regarding data security had, however, prevented compliance by Chinese …


IT Outsourcing And Global Sourcing: A Comparative Approach From The Indian, U.K. And German Legal Perspectives, Ulrich Baumer, Mark Webber Sep 2022

Indian Journal of Law and Technology

Businesses today have been able to take advantage of technology in order to use models such as offshoring in order to reduce their costs without a corresponding decline in quality. However, concerns such as data confidentiality and security issues have emphasised the need for businesses to take considerable care when dealing with crossborder transactions, especially since some knowledge of the needs of different jurisdictions is necessary. This article examines the outsourcing model in the context of the information technology industry and looks at the most important clauses and legal issues in such contracts in the light of Indian, English and …


The Three Laws: The Chinese Communist Party Throws Down The Data Regulation Gauntlet, William Chaskes Jul 2022

Washington and Lee Law Review

Criticism of the Chinese Communist Party (CCP) runs a wide gamut. Accusations of human rights abuses, intellectual property theft, authoritarian domestic policies, disrespecting sovereign borders, and propaganda campaigns all have one common factor: the CCP’s desire to control information. Controlling information means controlling data. Lurking beneath the People’s Republic of China’s (PRC) tumultuous relationship with the rest of the world is the fight between nations to control their citizens’ data while also keeping it out of the hands of adversaries. The CCP’s Three Laws are its newest weapon in this data war.

One byproduct of the CCP’s emphasis on controlling …


Small Business Cybersecurity: A Loophole To Consumer Data, Matthew R. Espinosa May 2022

The Scholar: St. Mary's Law Review on Race and Social Justice

Small businesses and small minority owned businesses are vital to our nation’s economy; therefore legislation, regulation, and policy has been created in order to assist them in overcoming their economic stability issues and ensure they continue to serve the communities that rely on them. However, there is not a focus on regulating nor assisting small businesses to ensure their cybersecurity standards are up to par despite them increasingly becoming a victim of cyberattacks that yield high consequences. The external oversight and assistance is necessary for small businesses due to their lack of knowledge in implementing effective cybersecurity policies, the fiscal …


Individuals As Gatekeepers Against Data Misuse, Ying Hu Dec 2021

Michigan Technology Law Review

This article makes a case for treating individual data subjects as gatekeepers against misuse of personal data. Imposing gatekeeper responsibility on individuals is most useful where (a) the primary wrongdoers engage in data misuse intentionally or recklessly; (b) misuse of personal data is likely to lead to serious harm; and (c) one or more individuals are able to detect and prevent data misuse at a reasonable cost.

As gatekeepers, individuals should have a legal duty to take reasonable measures to prevent data misuse where they are aware of facts indicating that the person seeking personal data from them is highly …


“Smart” Lawyering: Integrating Technology Competence Into The Legal Practice Curriculum, Dyane L. O'Leary May 2021

The University of New Hampshire Law Review

Technology has changed modern law practice. Ethics rules obligate lawyers to understand whether, when, and how to use it to deliver services. But most law schools do not incorporate the so-called “Duty of Technology Competence” into the required curriculum. Despite broad calls for legal education to make students more practice-ready, there is no clear path forward for how to weave this valuable professional skill into coursework for all students. This Article supplies one.

The legal practice course should pair technology competence with traditional legal writing and research work. Lawyers do not draft memos or perform legal research or manage caseloads …


Smart Cities And Sustainability: A New Challenge To Accountability?, Iria Giuffrida Apr 2021

William & Mary Environmental Law and Policy Review

From 1800 to today, the global population has shifted from only three percent living in an urban environment to well over fifty percent in 2020. As a result of urbanization, cities around the world struggle to manage traffic and waste, efficiently distribute utilities, and lower pollution to slow the progression of global warming. Smart city technologies have emerged as a tool to process cities’ various forms of data collected through networks of precisely placed sensors and map solutions to many of the environmental and social issues created by urbanization. For swelling metropolitan areas in the United States, China, and Europe …


Protection Of Data In Armed Conflict, Robin Geiss, Henning Lahmann Feb 2021

International Law Studies

This article presents a novel way to conceptualize the protection of data in situations of armed conflict. Although the question of the targeting of data through adversarial military cyber operations and its implications for the qualification of such conduct under International Humanitarian Law has been on scholars’ and states’ radar for the last few years, there remain a number of misunderstandings as to how to think about the notion of “data.” Based on a number of fictional scenarios, the article clarifies the pertinent terminology and makes some expedient distinctions between various types of data. It then analyzes how existing international …


Exploring Lawful Hacking As A Possible Answer To The "Going Dark" Debate, Carlos Liguori May 2020

Michigan Technology Law Review

The debate on government access to encrypted data, popularly known as the “going dark” debate, has intensified over the years. On the one hand, law enforcement authorities have been pushing for mandatory exceptional access mechanisms on encryption systems in order to enable criminal investigations of both data in transit and at rest. On the other hand, both technical and industry experts argue that this solution compromises the security of encrypted systems and, thus, the privacy of their users. Some claim that other means of investigation could provide the information authorities seek without weakening encryption, with lawful hacking being one of …


Healthy Data Protection, Lothar Determann May 2020

Michigan Technology Law Review

Modern medicine is evolving at a tremendous speed. On a daily basis, we learn about new treatments, drugs, medical devices, and diagnoses. Both established technology companies and start-ups focus on health-related products and services in competition with traditional healthcare businesses. Telemedicine and electronic health records have the potential to improve the effectiveness of treatments significantly. Progress in the medical field depends above all on data, specifically health information. Physicians, researchers, and developers need health information to help patients by improving diagnoses, customizing treatments and finding new cures.

Yet law and policymakers are currently more focused on the fact that health …


Protecting The States From Electoral Invasions, Drew Marvel Jan 2020

William & Mary Bill of Rights Journal

Since the 2016 U.S. presidential election, the threat of foreign interference in U.S. elections has loomed large in the minds of the American public. During the 2016 campaign season, Russian government-backed hackers infiltrated the networks and computers of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and various campaign officials, harvesting private information and installing spyware and malware for ongoing intelligence purposes. U.S. intelligence officials have indicated that, using similar tactics, the Russian hackers also targeted election systems and officials in all fifty states, successfully breaching at least two of those states’ election systems, Illinois and Florida. …


Trimming The Fat: The GDPR As A Model For Cleaning Up Our Data Usage, Kassandra Polanco Jan 2020

Touro Law Review

No abstract provided.


Breaches Within Breaches: The Crossroads Of ERISA Fiduciary Responsibilities And Data Security, Gregg Moran Feb 2019

University of Miami Law Review

Although the drafters of the Employee Retirement Income Security Act of 1974 (“ERISA”) likely could not have anticipated the data security issues of the twenty-first century, ERISA’s duty of prudence almost certainly requires employee benefit plan fiduciaries to protect sensitive participant data in at least some manner. This Article suggests the Department of Labor should issue a regulation clarifying fiduciaries’ data security obligations. Given that fiduciaries are in the best positions to recognize their plans’ individual security needs and capabilities, the regulation should not attempt to micromanage fiduciaries’ substantive data security policies; rather, it should focus on the procedures by …


Who Are The Real Cyberbullies: Hackers Or The FTC? The Fairness Of The FTC’s Authority In The Data Security Context, Jaclyn K. Haughom Nov 2017

Catholic University Law Review

As technology continues to be an integral part of daily life, there lies an ever-increasing threat of the personally identifiable information of consumers being lost, stolen, or accessed without authorization. The Federal Trade Commission (FTC) is the U.S. government’s primary consumer protection agency and the country’s lead enforcer against companies subject to data breaches. Although the FTC lacks explicit statutory authority to enforce against data breaches, the Commission has successfully relied on Section 5 of the FTC Act (FTCA) to exercise its consumer protection power in the data security context. However, as the FTC continues to take action against businesses …


A Day In Court For Data Breach Plaintiffs: Preserving Standing Based On Increased Risk Of Identity Theft After Clapper v. Amnesty International USA, Thomas Martecchini Jun 2016

Michigan Law Review

Following a data breach, consumers suffer an increased risk of identity theft because of the exposure of their personal information. Limited protection by data-breach statutes has made it difficult for consumers to seek compensation for these injuries and penalize the companies that fail to protect their information, leading consumers to bring common law claims in court. Yet courts have disagreed about whether an increased risk of identity theft qualifies as an injury-in-fact under Article III standing principles: the Seventh and Ninth Circuits have approved of increased risk standing, while the Third Circuit has rejected it. The Supreme Court has further …


Moving Beyond “Reasonable”: Clarifying The FTC’s Use Of Its Unfairness Authority In Data Security Enforcement Actions, Timothy E. Deal Apr 2016

Fordham Law Review

Data security breaches, which compromise private consumer information, seem to be an ever-increasing threat. To stem this tide, the Federal Trade Commission (FTC) has relied upon its authority to enforce the prohibition against unfair business practices under section 5 of the Federal Trade Commission Act (“section 5”) to hold companies accountable when they fail to employ data security measures that could prevent breaches. Specifically, the FTC brings enforcement actions when it finds that companies have failed to implement “reasonable” data security measures. However, companies and scholars argue that the FTC has not provided adequate notice of which data security practices …


Just What The Doctor Ordered: Protecting Privacy Without Impeding Development Of Digital Pills, Amelia R. Montgomery Jan 2016

Vanderbilt Journal of Entertainment & Technology Law

Using technology, humans are receiving more and more information about the world around them via the Internet of Things, and the next area of connection will be the inside of the human body. Several forms of "digital pills" that send information from places like the human digestive tract or bloodstream are being developed, with a few already in use. These pills could stand to provide information that could drastically improve the lives of many people, but they also have privacy and data security implications that could put consumers at great risk. This Note analyzes these risks and suggests that short-term …


Implications For The Future Of Global Data Security And Privacy: The Territorial Application Of The Stored Communications Act And The Microsoft Case, Russell Hsiao Dec 2015

Catholic University Journal of Law and Technology

No abstract provided.


Exposure Without Redress: A Proposed Remedial Tool For The Victims Who Were Set Aside, Elizabeth T. Isaacs Jan 2015

Oklahoma Law Review

No abstract provided.


Hacking Health Care: Authentication Security In The Age Of Meaningful Use, Gordon Gantt Jr. Jan 2014

Journal of Law and Health

The rapid adoption of EHRs (Electronic Health Records), to store and communicate highly personal data, raises serious concerns in terms of privacy, security, and civil and criminal liability. This note will examine the current statutory framework for addressing electronic breaches in the health care context, examine the vulnerabilities of EHRs, and look to the established world of online banking for possible legislative and practical solutions to the challenge of keeping private health information private. Finally, this note will propose key amendments to the Health Insurance Portability and Accountability Act (HIPAA) regulations to enhance authentication security.


Bleeding Data In A Pool Of Sharks: The Anathema Of Privacy In A World Of Digital Sharing And Electronic Discovery, Derek S. Witte Apr 2013

South Carolina Law Review

No abstract provided.


Giving Consumers A Leg To Stand On: Finding Plaintiffs A Legislative Solution To The Barrier From Federal Courts In Data Security Breach Suits, Patricia Cave Jan 2013

Catholic University Law Review

No abstract provided.


Limits Of The Federal Wiretap Act's Ability To Protect Against Wi-Fi Sniffing, Mani Potnuru Oct 2012

Michigan Law Review

Adoption of Wi-Fi wireless technology continues to see explosive growth. However many users still operate their home Wi-Fi networks in unsecured mode or use publicly available unsecured Wi-Fi networks, thus exposing their communications to the dangers of "packet sniffing," a technique used for eavesdropping on a network. Some have argued that communications over unsecured Wi-Fi networks are "readily accessible to the general public" and that such communications are therefore excluded from the broad protections of the Federal Wiretap Act against intentional interception of electronic communications. This Note examines the Federal Wiretap Act and argues that the current Act's treatment of …


The First Amendment Is An Information Policy, Jack M. Balkin Jan 2012

Hofstra Law Review

This essay, based on the 20th annual Hugo Black lecture at Wesleyan University, argues that we should think about individual liberties of freedom of speech, press, and assembly not in isolation, but in the larger context of policies for the spread and growth of knowledge and information.

Although we normally think about the First Amendment as an individual right, we should also see it as an integral part of a knowledge and information policy for a democratic state. That is because the practical ability to speak rests on an infrastructure of free expression that involves a wide range of institutions, statutory …


Disclosing Stored Communication Data To Fight Crime: The U.S. And EU Approaches To Balancing Competing Privacy And Security Interests, Elise M. Simbro Oct 2010

Cornell International Law Journal

No abstract provided.


There Is A Time To Keep Silent And A Time To Speak, The Hard Part Is Knowing Which Is Which: Striking The Balance Between Privacy Protection And The Flow Of Health Care Information, Daniel J. Gilman, James C. Cooper Jan 2010

Michigan Telecommunications & Technology Law Review

Health information technology (HIT) has become a signal element of federal health policy, especially as the recently enacted American Recovery and Reinvestment Act of 2009 (Recovery Act or ARRA) comprises numerous provisions related to HIT and commits tens of billions of dollars to its development and adoption. These provisions charge various agencies of the federal government with both general and specific HIT-related implementation tasks including, inter alia, providing funding for HIT in various contexts: the implementation of interoperable HIT, HIT-related infrastructure, and HIT-related training and research. The Recovery Act also contains various regulatory provisions pertaining to HIT. Provisions of the …


Reasonableness Meets Requirements: Regulating Security And Privacy In Software, Paul N. Otto Nov 2009

Duke Law Journal

Software security and privacy issues regularly grab headlines amid fears of identity theft, data breaches, and threats to security. Policymakers have responded with a variety of approaches to combat such risk. Suggested measures include promulgation of strict rules, enactment of open-ended standards, and, at times, abstention in favor of allowing market forces to intervene. This Note lays out the basis for understanding how both policymakers and engineers should proceed in an increasingly software-dependent society. After explaining what distinguishes software-based systems from other objects of regulation, this Note argues that policymakers should pursue standards-based approaches to regulating software security and privacy. …


Best Practices And The State Of Information Security, Kevin Cronin Jun 2009

Chicago-Kent Law Review

The forces of globalization, together with widely available industry standards and best practices, and heightened state legislative activity, are driving the U.S. towards a more unified approach to data security. But the success of this unified approach requires more than free market efficiency and innovation. In order to maintain a state of evolutionary equilibrium in the global information economy, the U.S. must move from a fragmented approach towards data security and privacy standards, towards a more comprehensive set of standards with new penalties and effective enforcement, to better reflect the inherent value of personal data in today's global marketplace.