Full-Text Articles in Law
Data Vu: Why Breaches Involve The Same Stories Again And Again, Woodrow Hartzog, Daniel Solove
Shorter Faculty Works
In the classic comedy Groundhog Day, protagonist Phil, played by Bill Murray, asks “What would you do if you were stuck in one place and every day was exactly the same, and nothing that you did mattered?” In this movie, Phil is stuck reliving the same day over and over, where the events repeat in a continual loop, and nothing he does can stop them. Phil’s predicament sounds a lot like our cruel cycle with data breaches.
Every year, organizations suffer more data spills and attacks, with personal information being exposed and abused at alarming rates. While Phil …
The Three Laws: The Chinese Communist Party Throws Down The Data Regulation Gauntlet, William Chaskes
Washington and Lee Law Review
Criticism of the Chinese Communist Party (CCP) runs a wide gamut. Accusations of human rights abuses, intellectual property theft, authoritarian domestic policies, disrespecting sovereign borders, and propaganda campaigns all have one common factor: the CCP’s desire to control information. Controlling information means controlling data. Lurking beneath the People’s Republic of China’s (PRC) tumultuous relationship with the rest of the world is the fight between nations to control their citizens’ data while also keeping it out of the hands of adversaries. The CCP’s Three Laws are its newest weapon in this data war.
One byproduct of the CCP’s emphasis on controlling …
Small Business Cybersecurity: A Loophole To Consumer Data, Matthew R. Espinosa
The Scholar: St. Mary's Law Review on Race and Social Justice
Small businesses and small minority owned businesses are vital to our nation’s economy; therefore legislation, regulation, and policy has been created in order to assist them in overcoming their economic stability issues and ensure they continue to serve the communities that rely on them. However, there is not a focus on regulating nor assisting small businesses to ensure their cybersecurity standards are up to par despite them increasingly becoming a victim of cyberattacks that yield high consequences. The external oversight and assistance is necessary for small businesses due to their lack of knowledge in implementing effective cybersecurity policies, the fiscal …
Breached!: Why Data Security Law Fails And How To Improve It, Woodrow Hartzog, Daniel Solove
Books
Digital connections permeate our lives—and so do data breaches. Given that we must be online for basic communication, finance, healthcare, and more, it is remarkable how difficult it is to secure our personal information. Despite the passage of many data security laws, data breaches are increasing at a record pace. In their book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022), Professors Daniel Solove and Woodrow Hartzog argue that the law fails because, ironically, it focuses too much on the breach itself.
Drawing insights from many fascinating stories about data breaches, Solove and …
Exploring Lawful Hacking As A Possible Answer To The "Going Dark" Debate, Carlos Liguori
Michigan Technology Law Review
The debate on government access to encrypted data, popularly known as the “going dark” debate, has intensified over the years. On the one hand, law enforcement authorities have been pushing for mandatory exceptional access mechanisms on encryption systems in order to enable criminal investigations of both data in transit and at rest. On the other hand, both technical and industry experts argue that this solution compromises the security of encrypted systems and, thus, the privacy of their users. Some claim that other means of investigation could provide the information authorities seek without weakening encryption, with lawful hacking being one of …
Trimming The Fat: The GDPR As A Model For Cleaning Up Our Data Usage, Kassandra Polanco
Touro Law Review
No abstract provided.
Breaches Within Breaches: The Crossroads Of ERISA Fiduciary Responsibilities And Data Security, Gregg Moran
University of Miami Law Review
Although the drafters of the Employee Retirement Income Security Act of 1974 (“ERISA”) likely could not have anticipated the data security issues of the twenty-first century, ERISA’s duty of prudence almost certainly requires employee benefit plan fiduciaries to protect sensitive participant data in at least some manner. This Article suggests the Department of Labor should issue a regulation clarifying fiduciaries’ data security obligations. Given that fiduciaries are in the best positions to recognize their plans’ individual security needs and capabilities, the regulation should not attempt to micromanage fiduciaries’ substantive data security policies; rather, it should focus on the procedures by …
A Skeptical View Of Information Fiduciaries, Lina M. Khan, David E. Pozen
Faculty Scholarship
The concept of “information fiduciaries” has surged to the forefront of debates on online-platform regulation. Developed by Professor Jack Balkin, the concept is meant to rebalance the relationship between ordinary individuals and the digital companies that accumulate, analyze, and sell their personal data for profit. Just as the law imposes special duties of care, confidentiality, and loyalty on doctors, lawyers, and accountants vis-à-vis their patients and clients, Balkin argues, so too should it impose special duties on corporations such as Facebook, Google, and Twitter vis-à-vis their end users. Over the past several years, this argument has garnered remarkably broad support …
Cybersecurity Stovepiping, David Thaw
Articles
Most readers of this Article probably have encountered – and been frustrated by – password complexity requirements. Such requirements have become a mainstream part of contemporary culture: "the more complex your password is, the more secure you are, right?" So the cybersecurity experts tell us… and policymakers have accepted this "expertise" and even adopted such requirements into law and regulation.
This Article asks two questions. First, do complex passwords actually achieve the goals many experts claim? Does using the password "Tr0ub4dor&3" or the passphrase "correcthorsebatterystaple" actually protect your account? Second, if not, then why did such requirements become so widespread? …
Moving Beyond “Reasonable”: Clarifying The FTC’s Use Of Its Unfairness Authority In Data Security Enforcement Actions, Timothy E. Deal
Fordham Law Review
Data security breaches, which compromise private consumer information, seem to be an ever-increasing threat. To stem this tide, the Federal Trade Commission (FTC) has relied upon its authority to enforce the prohibition against unfair business practices under section 5 of the Federal Trade Commission Act (“section 5”) to hold companies accountable when they fail to employ data security measures that could prevent breaches. Specifically, the FTC brings enforcement actions when it finds that companies have failed to implement “reasonable” data security measures. However, companies and scholars argue that the FTC has not provided adequate notice of which data security practices …
Just What The Doctor Ordered: Protecting Privacy Without Impeding Development Of Digital Pills, Amelia R. Montgomery
Vanderbilt Journal of Entertainment & Technology Law
Using technology, humans are receiving more and more information about the world around them via the Internet of Things, and the next area of connection will be the inside of the human body. Several forms of "digital pills" that send information from places like the human digestive tract or bloodstream are being developed, with a few already in use. These pills could stand to provide information that could drastically improve the lives of many people, but they also have privacy and data security implications that could put consumers at great risk. This Note analyzes these risks and suggests that short-term …
Implications For The Future Of Global Data Security And Privacy: The Territorial Application Of The Stored Communications Act And The Microsoft Case, Russell Hsiao
Catholic University Journal of Law and Technology
No abstract provided.
Data Breach (Regulatory) Effects, David Thaw
Hacking Health Care: Authentication Security In The Age Of Meaningful Use, Gordon Gantt Jr.
Journal of Law and Health
The rapid adoption of EHRs (Electronic Health Records), to store and communicate highly personal data, raises serious concerns in terms of privacy, security, and civil and criminal liability. This note will examine the current statutory framework for addressing electronic breaches in the health care context, examine the vulnerabilities of EHRs, and look to the established world of online banking for possible legislative and practical solutions to the challenge of keeping private health information private. Finally, this note will propose key amendments to the Health Insurance Portability and Accountability Act (HIPAA) regulations to enhance authentication security.
Navigating Through The Fog Of Cloud Computing Contracts, T. Noble Foster
T. Noble Foster
This paper explores legal issues associated with cloud computing, provides analysis and commentary on typical clauses found in contracts offered by well-known cloud service providers, and identifies strategies to mitigate the risk of exposure to cloud-based legal claims in the critical areas of data security, privacy, and confidentiality. While current research offers numerous case studies, viewpoints, and technical descriptions of cloud processes, our research provides a close examination of the language used in cloud contract terms. Analysis of these contract terms supports the finding that most standard cloud computing contracts are unevenly balanced in favor of the cloud service provider. …
Cloud Computing Providers And Data Security Law: Building Trust With United States Companies, Jared A. Harshbarger Esq.
Jared A. Harshbarger
Cloud computing and software-as-a-service (SaaS) models are revolutionizing the information technology industry. As these services become more prevalent, data security and privacy concerns will also rise among consumers and the companies who consider using them. Cloud computing providers must establish a sufficient level of trust with their potential customers in order to ease initial fears - and ensure certain compliance obligations will be met - at least to the extent that any such inquiring customer will feel comfortable enough to ultimately take the irreversible step of releasing their sensitive data and personal information into the cloud.
Best Practices And The State Of Information Security, Kevin Cronin
Chicago-Kent Law Review
The forces of globalization, together with widely available industry standards and best practices, and heightened state legislative activity, are driving the U.S. towards a more unified approach to data security. But the success of this unified approach requires more than free market efficiency and innovation. In order to maintain a state of evolutionary equilibrium in the global information economy, the U.S. must move from a fragmented approach towards data security and privacy standards, towards a more comprehensive set of standards with new penalties and effective enforcement, to better reflect the inherent value of personal data in today's global marketplace.
Patenting Cryptographic Technology, Greg Vetter
Chicago-Kent Law Review
The policy concerns intersecting patent law and cryptographic technology relate to the technology's beneficial uses in securing information in a commercial and social fabric that increasingly relies on computing and electronic communications for its makeup. The presence of patenting in a technology can impact diffusion of interoperable technology. Standardized embeddable cryptography facilitates its supply. Patent law for several decades has waxed and waned in its embrace of software implemented inventions rooted in abstract ideas such as the mathematics and mathematical algorithms underlying modern cryptography. This article documents the growth of cryptographic patenting. Then, in light of this growth and patent …
Data Collection And Leakage, Philip Howard, Kris Erickson
Chicago-Kent Law Review
Every year millions of digital records containing personally identifiable information are exposed. When are malicious hackers to blame, and when is it organizational malfeasance? Which kinds of organizations—private firms, government agencies, or educational institutions—lose the most data? With over 1.9 billion records lost (on average that's 9 records per U.S. adult), a surprising number of breaches can be attributed to organizational practices.
Trade Secrets, Data Security And Employees, Elizabeth Rowe
Chicago-Kent Law Review
This essay argues that data security is important to the protection of trade secret information, and that trusted employees on the inside pose the biggest threat to the protection of trade secrets. While investments in technical measures such as firewalls and encryption are important, it is also necessary for companies to consider the internal threats from employees when creating corporate security programs. Ultimately, a more comprehensive approach that includes technical and human elements, as well as consideration of inside and outside threats is likely to be more effective in the battle to secure data.
Returning To A Principled Basis For Data Protection, Gus Hosein
Chicago-Kent Law Review
Society must remain conscious of both pragmatic and principle-based rationales for information security rules. The identity card debate in the United Kingdom provides an example of exactly why a governmental information security approach that is sensitive to civil liberties would be the best approach to data protection. In contrast, we should be cautious of a balancing test that places security in parity with civil liberties and, therefore, erroneously allows pragmatism to triumph over principle.
Optimal Hackback, Jay P. Kesan, Ruperto Majuca
Chicago-Kent Law Review
Professor Jay Kesan from the University of Illinois College of Law, in joint work with Ruperto Majuca of the University of Illinois Department of Economics, argues in favor of legal rules that allow "hacking [data] back" in certain business circumstances. They analyze the strategic interaction between the hacker and the attacked company or individual and conclude that neither total prohibition nor unrestrained permission of hack-back is optimal. Instead, they argue that when other alternatives such as criminal enforcement and litigation are ineffective, self-defense is the best response to cybercrime because there is a high likelihood of correctly attacking the criminal, …
Information Security, Contract And Liability, Jennifer Chandler
Chicago-Kent Law Review
Various common provisions in software end user license agreements undermine cyber security. These include anti-benchmarking provisions and broad exclusions of liability. These short comments suggest that courts and legislatures should take steps to limit the enforceability of contractual provisions that undermine cyber security.
Reasons Why We Should Amend The Constitution To Protect Privacy, Deborah Pierce
Chicago-Kent Law Review
Threats to consumer privacy are many and varied. Some threats come from corporate entities such as data aggregators and social networking sites, while others come from panoptic government surveillance systems such as Secure Flight. Not only can the data be compromised, but consumers may be adversely affected by incorrect information in their files. The time may be right to explicitly protect privacy via a constitutional amendment to the U.S. Constitution.
Dos And Don'ts Of Data Breach And Information Security Policy, Fred H. Cate, Martin E. Abrams, Paula J. Bruening, Orson Swindle
Articles by Maurer Faculty
No abstract provided.
Opinionated Software, Meiring De Villiers
Vanderbilt Journal of Entertainment & Technology Law
Information security is an important and urgent priority in the computer systems of corporations, governments, and private users. Malevolent software, such as computer viruses and worms, constantly threatens the confidentiality, integrity, and availability of digital information. Virus detection software announces the presence of a virus in a program by issuing a virus alert. A virus alert presents two conflicting legal issues. A virus alert, as a statement on an issue of great public concern, merits protection under the First Amendment. The reputational interest of a plaintiff disparaged by a virus alert, on the other hand, merits protection under the law …
Information Security Breaches: Looking Back & Thinking Ahead, Fred H. Cate
Articles by Maurer Faculty
No abstract provided.
Information Governance: A Model For Security In Medical Practice, Patricia A. Williams
Journal of Digital Forensics, Security and Law
Information governance is becoming an important aspect of organisational accountability. In consideration that information is an integral asset of most organisations, the protection of this asset will increasingly rely on organisational capabilities in security. In the medical arena this information is primarily sensitive patient-based information. Previous research has shown that application of security measures is a low priority for primary care medical practice and that awareness of the risks are seriously underestimated. Consequently, information security governance will be a key issue for medical practice in the future. Information security governance is a relatively new term and there is little existing …
'Code' And The Slow Erosion Of Privacy, Bert-Jaap Koops, Ronald Leenes
Michigan Telecommunications & Technology Law Review
The notion of software code replacing legal code as a mechanism to control human behavior--"code as law"--is often illustrated with examples in intellectual property and freedom of speech. This Article examines the neglected issue of the impact of "code as law" on privacy. To what extent is privacy-related "code" being used, either to undermine or to enhance privacy? On the basis of cases in the domains of law enforcement, national security, E-government, and commerce, it is concluded that technology rarely incorporates specific privacy-related norms. At the same time, however, technology very often does have clear effects on privacy, as it …
Snake-Oil Security Claims The Systematic Misrepresentation Of Product Security In The E-Commerce Arena, John R. Michener, Steven D. Mohan, James B. Astrachan, David R. Hale
Michigan Telecommunications & Technology Law Review
The modern commercial systems and software industry in the United States have grown up in a snake-oil salesman's paradise. The largest sector of this industry by far is composed of standard commercial systems that are marketed to provide specified functionality (e.g. Internet web server, firewall, router, etc.) Such products are generally provided with a blanket disclaimer stating that the purchaser must evaluate the suitability of the product for use, and that the user assumes all liability for product behavior. In general, users cannot evaluate and cannot be expected to evaluate the security claims of a product. The ability to analyze …