Law Commons^™

Redefining The Injury-In-Fact: Treating Personally Identifying Information As Bailed Property, Austin Headrick

Georgia Law Review

There is a long-existing circuit split among federal courts of appeals as to whether an individual has standing under Article III of the United States Constitution when their personally identifying information (PII) is stolen from an entity to which they entrusted it such as a hospital or bank. Federal courts disagree as to whether an individual whose PII has been stolen—without more—has suffered an injury-in-fact, a necessary element of standing. The disagreement between the courts centers on whether the injury-in-fact has already occurred at the time the PII is stolen or whether the injury occurs once the PII has been …

The Need For Cyber Resilience Of Space Assets: Law And Policy Considerations Of Ensuring Cybersecurity In Outer Space, Daniella Febbraro

Canadian Journal of Law and Technology

In 2018, NASA’s Jet Propulsion Laboratory was the subject of a data breach where over 500 megabytes of data from a major mission system was stolen by hackers. This attack affected NASA’s Deep Space Network, prompting the United States Johnson Space Center to disconnect the International Space Station from the affected gateway due to fears that mission systems could become compromised. NASA has acknowledged that its vast online presence, which includes thousands of publicly accessible datasets, offers a large potential target for cybercriminals. The 2018 incident was one of many, with NASA experiencing more than 6000 cyberattacks from 2017-2021 alone. …

Cyberattacks: An Underlying Condition Exacerbated By The Covid-19 Pandemic, Kaitlyn Palmeter

The Journal of Business, Entrepreneurship & the Law

COVID-19 continues to change the world in unforeseen ways triggering a new era of corporate data breaches. This article will illustrate how cyberattacks have increased in severity during the pandemic, how current laws and government officials are trying to evolve with the current threats and technology, how victims of cyberattacks risk sanctions and potential lawsuits, and concludes by suggesting solutions throughout to increase Cybersecurity.

Data Vu: Why Breaches Involve The Same Stories Again And Again, Woodrow Hartzog, Daniel Solove

Shorter Faculty Works

In the classic comedy Groundhog Day, protagonist Phil, played by Bill Murray, asks “What would you do if you were stuck in one place and every day was exactly the same, and nothing that you did mattered?” In this movie, Phil is stuck reliving the same day over and over, where the events repeat in a continual loop, and nothing he does can stop them. Phil’s predicament sounds a lot like our cruel cycle with data breaches.

Every year, organizations suffer more data spills and attacks, with personal information being exposed and abused at alarming rates. While Phil …

Small Business Cybersecurity: A Loophole To Consumer Data, Matthew R. Espinosa

The Scholar: St. Mary's Law Review on Race and Social Justice

Small businesses and small minority owned businesses are vital to our nation’s economy; therefore legislation, regulation, and policy has been created in order to assist them in overcoming their economic stability issues and ensure they continue to serve the communities that rely on them. However, there is not a focus on regulating nor assisting small businesses to ensure their cybersecurity standards are up to par despite them increasingly becoming a victim of cyberattacks that yield high consequences. The external oversight and assistance is necessary for small businesses due to their lack of knowledge in implementing effective cybersecurity policies, the fiscal …

Breached!: Why Data Security Law Fails And How To Improve It, Woodrow Hartzog, Daniel Solove

Books

Digital connections permeate our lives—and so do data breaches. Given that we must be online for basic communication, finance, healthcare, and more, it is remarkable how difficult it is to secure our personal information. Despite the passage of many data security laws, data breaches are increasing at a record pace. In their book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022), Professors Daniel Solove and Woodrow Hartzog argue that the law fails because, ironically, it focuses too much on the breach itself.

Drawing insights from many fascinating stories about data breaches, Solove and …

Patching The Data Security Blanket: How A Stronger, Collaborative Ftc Is The Answer Right Under Our Nose, Jose A. Gonzalez Lopez

Marquette Intellectual Property & Innovation Law Review

None

Breached! Why Data Security Law Fails And How To Improve It (Chapter 1), Daniel J. Solove, Woodrow Hartzog

GW Law Faculty Publications & Other Works

Digital connections permeate our lives—and so do data breaches. Given that we must be online for basic communication, finance, healthcare, and more, it is remarkable how difficult it is to secure our personal information. Despite the passage of many data security laws, data breaches are increasing at a record pace. In their book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022), Professors Daniel Solove and Woodrow Hartzog argue that the law fails because, ironically, it focuses too much on the breach itself.

Drawing insights from many fascinating stories about data breaches, Solove and …

Data Vu: Why Breaches Involve The Same Stories Again And Again, Daniel J. Solove

GW Law Faculty Publications & Other Works

This short essay discusses why data security law fails to effectively combat data breaches, which continue to increase. With a few exceptions, current laws about data security do not look too far beyond the blast radius of the most data breaches. Only so much marginal benefit can be had by increasing fines to breached entities. Instead, the law should target a broader set of risky actors, such as producers of insecure software and ad networks that facilitate the distribution of malware. Organizations that have breaches almost always could have done better, but there’s only so much marginal benefit from beating …

An Overview Of Privacy Law In 2022, Daniel J. Solove, Paul M. Schwartz

GW Law Faculty Publications & Other Works

Chapter 1 of PRIVACY LAW FUNDAMENTALS (6th edition, IAPP 2022) provides an overview of information privacy law circa 2022. The chapter summarizes the common themes in privacy laws and discusses the various types of laws (federal, constitutional, state, international). It contains a list and brief summary of the most significant U.S. federal privacy laws. The heart of the chapter is an historical timeline of major developments in the law of privacy and data security, including key cases, enactments of laws, major regulatory developments, influential publications, and other significant events. The chapter also contains a curated list of important treatises and …

Five Approaches To Insuring Cyber Risks, Christopher C. French

Journal Articles

Cyber risks are some of the most dangerous risks of the twenty-first century. Many types of businesses, including retail stores, healthcare entities, and financial institutions, as well as government entities, are the targets of cyber attacks. The simple reality is that no computer security system is completely safe. They all can be breached if the hackers are skilled enough and determined. Consequently, the worldwide damages caused by cyber attacks are predicted to reach $10.5 trillion by 2025. Insuring such risks is a monumental task.

The cyber insurance market currently is fragmented with hundreds of insurers selling their own cyber risk …

Circuit Courts Split: Victim Of A Data Breach? Can You “Stand” And Sue In Federal Court?, Darlyn De La Rosa

FIU Law Review

No abstract provided.

Symposium: The California Consumer Privacy Act, Margot Kaminski, Jacob Snow, Felix Wu, Justin Hughes

Loyola of Los Angeles Law Review

Loyola of Los Angeles Law Review is pleased to publish the third “symposium discussion” series in which leading experts are invited to engage in an evening symposium on a new or emerging area of law. The subject of our second evening symposium was the California Consumer Privacy Act (CCPA), a statute signed into state law by then- Governor Jerry Brown on June 28, 2018 and effective as of January 1, 2020.

As with most new law, there are many unsettled issues, disagreements about the likely impact of the law, and much to be developed as regulations are established and the …

Forging A Path Towards Meaningful Digital Privacy: Data Monetization And The Ccpa, Rebecca Harris

Loyola of Los Angeles Law Review

The California Consumer Privacy Act (CCPA) was passed in response to a number of newsworthy data breaches with widespread impacts, and which revealed how little digital privacy consumers actually have. Despite the large market for consumer data, individual consumers generally do not earn money when their personal data are sold. Further, consumers have very little control over who collects their data, what information is collected, and with whom it is shared. To place control back in the hands of the consumer, affirmative consent should be required to collect and sell consumer’s data, and consumers should have the ability to sell …

Untangling The Privacy Law Web: Why The California Consumer Privacy Act Furthers The Need For Federal Preemptive Legislation, Jordan Yallen

Loyola of Los Angeles Law Review

No abstract provided.

The (Possibly) Injured Consumer: Standing In Data Breach Litigation, Lauren M. Lozada

St. John's Law Review

(Excerpt)

This Note will address the question of what factors a prospective plaintiff must display to “push [a] threatened injury of future identity theft beyond the speculative to the sufficiently imminent.” Part I will delve into relevant statistics to identify the characteristics of a data breach that most often lead to eventual identity theft. Part II will explore recent data breach standing cases and analyze the factual differences and legal perspectives that have led to disparate results among the federal circuits. Lastly, Part III will recommend a method for evaluating future data breach standing issues.

Legislative And Regulatory Obligations On Corporate Attorneys: Production Data In The World Of Sarbanes Oxley And General Data Protections, David Tersteeg

Northern Illinois University Law Review

Sarbanes Oxley, General Data Protection Regulation, and the American Bar Association's Model Rules place significant professional and personal obligations on attorneys who represent organizations in regard to their organization's handling of production and personal data. There are significant areas of vulnerability to the production and personal data that are frequently overlooked or ignored which significantly increase the likelihood and damage from a data breach. This article will provide an overview of the obligations, recent data breaches, the foreseeability and material impacts of data breaches, and a methodology to drive improvement in an organization.

The Path To Standing: Asserting The Inherent Injury Of The Data Breach, Jennifer M. Joslin

Utah Law Review

Data breaches are on the rise as consumers continue to exchange personally identifiable information for goods and services in sectors from retail to healthcare. In the aftermath of a data breach, it has been difficult for victims of the breach to establish Article III standing to sue in federal courts. The primary hurdle for those seeking a remedy for the theft of their data has been showing that they have suffered an injury-in-fact. Plaintiffs typically assert an injury based on the increased risk of identity theft following a breach. However, courts have divided on whether such an injury satisfies the …

Protecting Personal Data: A Model Data Security And Breach Notifications Statute, Michael Bloom

St. John's Law Review

(Excerpt)

This Note argues that current law is inadequate to protect consumers in light of the prevalence and severity of data breaches in recent years, and that a unifying federal legislation combining portions of state law and the DSBNA should be enacted. Part I of this Note analyzes the DSBNA for notification requirements when data breaches occur, the requirements for the implementation of security policies, regulatory mechanisms for monitoring compliance with these requirements, and criminal penalties for failing to comply. Part II summarizes the various state laws that exist for notification of data breaches. Part III proposes a model federal …

Chambliss V. Carefirst, Inc., Sarah Fucci

NYLS Law Review

No abstract provided.

Consumer Protection—Exploring Private Causes Of Action For Victims Of Data Breaches, Justin H. Dion, Nicholas M. Smith

Faculty Scholarship

Data breaches are becoming a norm in modern life. Every year it seems that bigger and bigger attacks are launched, and more and more individuals are harmed. The law has responded by increasing states’ ability to prosecute cybercriminals. A glaring hole exists in this protection though. The state is largely an unharmed party. The real harm is done to individual citizens affected by the breaches. Their data is compromised, their identities are stolen, and their livelihoods are placed at risk. This Article will analyze the issue and propose a solution for increased consumer protection in addition to the current criminal …

Data Disparity: Tiered Pricing As An Alternative To Consumer Iot Data Privacy Regulations, Matthew Lostocco

Honors Theses and Capstones

In recent years, Internet of Things (IoT) devices have exploded on the consumer scene. These emerging products bring new technological capabilities into our everyday lives. IoT is projected to contribute anywhere from $4-11 trillion to the global economy and companies are investing billions of dollars into the technology. However, with the vast amount of data that IoT devices collect, consumers are burdening the risk of having their personal data breached or sold to third parties. This paper first identifies why consumers may be weary or willing towards providing their personal data and how unconscious biases in the purchasing process cause …

Face Off: An Examination Of State Biometric Privacy Statutes & Data Harm Remedies, Maya E. Rivera

Fordham Intellectual Property, Media and Entertainment Law Journal

As biometric authentication becomes an increasingly popular method of security among consumers, only three states currently have statutes detailing how such data may be collected, used, retained, and released. The Illinois Biometric Information Privacy Act is the only statute of the three that enshrines a private right of action for those who fail to properly handle biometric data. Both the Texas Capture or Use Biometric Identifier Act Information Act and the Washington Biometric Privacy Act allow for state Attorneys General to bring suit on behalf of aggrieved consumers. This Note examines these three statutes in the context of data security …

What's The Big Hurry? The Urgency Of Data Breach Notification, Ellen Cornelius

Homeland Security Publications

No abstract provided.

How Much Should We Spend To Protect Privacy?: Data Breaches And The Need For Information We Do Not Have, Richard Warner, Robert Sloan

All Faculty Scholarship

A cost/benefit approach to privacy confronts two tradeoff issues. One is making appropriate tradeoffs between privacy and many goals served by the collection, distribution, and use of information. The other is making tradeoffs between investments in preventing unauthorized access to information and the variety of other goals that also make money, time, and effort demands. Much has been written about the first tradeoff. We focus on the second. The issue is critical. Data breaches occur at the rate of over three a day, and the aggregate social cost is extremely high. The puzzle is that security experts have long explained …

That Was Close! Reward Reporting Of Cybersecurity “Near Misses”, Jonathan Bair, Steven M. Bellovin, Andrew Manley, Blake Reid, Adam Shostak

Publications

Building, deploying, and maintaining systems with sufficient cybersecurity is challenging. Faster improvement would be valuable to society as a whole. Are we doing as much as we can to improve? We examine robust and long-standing systems for learning from near misses in aviation, and propose the creation of a Cyber Safety Reporting System (CSRS).

To support this argument, we examine the liability concerns which inhibit learning, including both civil and regulatory liability. We look to the way in which cybersecurity engineering and science is done today, and propose that a small amount of ‘policy entrepreneurship’ could have substantial positive impact. …

Cancelled Credit Cards: Substantial Risk Of Future Injury As A Basis For Standing In Data Breach Cases, Jennifer Wilt

SMU Law Review

No abstract provided.

Who Are The Real Cyberbullies: Hackers Or The Ftc? The Fairness Of The Ftc’S Authority In The Data Security Context, Jaclyn K. Haughom

Catholic University Law Review

As technology continues to be an integral part of daily life, there lies an ever-increasing threat of the personally identifiable information of consumers being lost, stolen, or accessed without authorization. The Federal Trade Commission (FTC) is the U.S. government’s primary consumer protection agency and the country’s lead enforcer against companies subject to data breaches. Although the FTC lacks explicit statutory authority to enforce against data breaches, the Commission has successfully relied on Section 5 of the FTC Act (FTCA) to exercise its consumer protection power in the data security context. However, as the FTC continues to take action against businesses …

Health Information Equity, Craig Konnoth

Publications

In the last few years, numerous Americans’ health information has been collected and used for follow-on, secondary research. This research studies correlations between medical conditions, genetic or behavioral profiles, and treatments, to customize medical care to specific individuals. Recent federal legislation and regulations make it easier to collect and use the data of the low-income, unwell, and elderly for this purpose. This would impose disproportionate security and autonomy burdens on these individuals. Those who are well-off and pay out of pocket could effectively exempt their data from the publicly available information pot. This presents a problem which modern research ethics …

Cybersecurity Stovepiping, David Thaw

Articles

Most readers of this Article probably have encountered – and been frustrated by – password complexity requirements. Such requirements have become a mainstream part of contemporary culture: "the more complex your password is, the more secure you are, right?" So the cybersecurity experts tell us… and policymakers have accepted this "expertise" and even adopted such requirements into law and regulation.

This Article asks two questions. First, do complex passwords actually achieve the goals many experts claim? Does using the password "Tr0ub4dor&3" or the passphrase "correcthorsebatterystaple" actually protect your account? Second, if not, then why did such requirements become so widespread? …