Law Commons^™

Understanding Cyber Risk: Unpacking And Responding To Cyber Threats Facing The Public And Private Sectors, Lawrence J. Trautman, Scott Shackelford, Brian Elzweig, Peter Ormerod

University of Miami Law Review

Cyberattacks, data breaches, and ransomware continue to pose major threats to businesses, governments, and health and educational institutions worldwide. Ongoing successful instances of cybercrime involve sophisticated attacks from diverse sources such as organized crime syndicates, actors engaged in industrial espionage, nation-states, and even lone wolf actors having relatively few resources. Technological innovation continues to outpace the ability of U.S. law to keep pace, though other jurisdictions including the European Union have been more proactive. Nation-state and international criminal group ransomware attacks continue; Sony’s systems were hacked by a ransomware group; MGM Resorts disclosed that recovery from their September 2023 hack …

National Security And Federalizing Data Privacy Infrastructure For Ai Governance, Margaret Hu, Eliott Behar, Davi Ottenheimer

Faculty Publications

This Essay contends that data infrastructure, when implemented on a national scale, can transform the way we conceptualize artificial intelligence (AI) governance. AI governance is often viewed as necessary for a wide range of strategic goals, including national security. It is widely understood that allowing AI and generative AI to remain self-regulated by the U.S. AI industry poses significant national security risks. Data infrastructure and AI oversight can assist in multiple goals, including: maintaining data privacy and data integrity; increasing cybersecurity; and guarding against information warfare threats. This Essay concludes that conceptualizing data infrastructure as a form of critical infrastructure …

The Future Of China's U.S.-Listed Firms: Legal And Political Perspectives On Possible Decoupling, Rebecca Parry, Qingxiu Bu

William & Mary Business Law Review

There is a long history of Chinese firms raising capital on leading U.S. exchanges. These shares have proved attractive and are estimated at $1 trillion value, in spite of deep mismatches between Chinese internal approaches to corporate governance and those taken under U.S. securities regulations. Chinese listings of nonstate firms, particularly in the technology sector, had depended on a largely laissez-faire initial approach to the expansion through foreign listings, including tolerance of the opaque Variable Interest Entity (VIE) structures adopted as a means to bypass Chinese restrictions on foreign ownership. Concerns regarding data security had, however, prevented compliance by Chinese …

Comments Of The Cordell Institute For Policy In Medicine & Law At Washington University In St. Louis, Neil Richards, Woodrow Hartzog, Jordan Francis

Faculty Scholarship

The Federal Trade Commission—with its broad, independent grant of authority and statutory mandate to identify and prevent unfair and deceptive trade practices—is uniquely situated to prevent and remedy unfair and deceptive data privacy and data security practices. In an increasingly digitized world, data collection, processing, and transfer have become integral to market interactions. Our personal and commercial experiences are now mediated by powerful, information-intensive firms who hold the power to shape what consumers see, how they interact, which options are available to them, and how they make decisions. That power imbalance exposes consumers and leaves them all vulnerable. We all …

It Outsourcing And Global Sourcing: A Comparative Approach From The Indian, U.K. And German Legal Perspectives, Ulrich Baumer, Mark Webber

Indian Journal of Law and Technology

Businesses today have been able to take advantage of technology in order to use models such as offshoring in order to reduce their costs without a corresponding decline in quality. However, concerns such as data confidentiality and security issues have emphasised the need for businesses to take considerable care when dealing with crossborder transactions, especially since some knowledge of the needs of different jurisdictions is necessary. This article examines the outsourcing model in the context of the information technology industry and looks at the most important clauses and legal issues in such contracts in the light of Indian, English and …

Menstrual And Fertility Tracking Apps And The Post Roe V. Wade Era, Samantha T. Campanella

Undergraduate Student Research Internships Conference

In the first section of the paper, I will place current conversations about data privacy within the broader context of restrictions that have been placed on reproductive rights by examining historical trajectories. Emphasis will be placed on the historical trajectory of how past policies and ideologies have worked against Roe v. Wade, and how this trajectory contributes to a decrease in access to abortions. In addition, recent news stories have documented the overturning of Roe v. Wade in several jurisdictions within the United States, which confirms the criminalization of abortion. In light of this, experts have raised awareness about the …

Data Vu: Why Breaches Involve The Same Stories Again And Again, Woodrow Hartzog, Daniel Solove

Shorter Faculty Works

In the classic comedy Groundhog Day, protagonist Phil, played by Bill Murray, asks “What would you do if you were stuck in one place and every day was exactly the same, and nothing that you did mattered?” In this movie, Phil is stuck reliving the same day over and over, where the events repeat in a continual loop, and nothing he does can stop them. Phil’s predicament sounds a lot like our cruel cycle with data breaches.

Every year, organizations suffer more data spills and attacks, with personal information being exposed and abused at alarming rates. While Phil …

The Three Laws: The Chinese Communist Party Throws Down The Data Regulation Gauntlet, William Chaskes

Washington and Lee Law Review

Criticism of the Chinese Communist Party (CCP) runs a wide gamut. Accusations of human rights abuses, intellectual property theft, authoritarian domestic policies, disrespecting sovereign borders, and propaganda campaigns all have one common factor: the CCP’s desire to control information. Controlling information means controlling data. Lurking beneath the People’s Republic of China’s (PRC) tumultuous relationship with the rest of the world is the fight between nations to control their citizens’ data while also keeping it out of the hands of adversaries. The CCP’s Three Laws are its newest weapon in this data war.

One byproduct of the CCP’s emphasis on controlling …

Gauging The Acceptance Of Contact Tracing Technology: An Empirical Study Of Singapore Residents’ Concerns With Sharing Their Information And Willingness To Trust, Ee-Ing Ong, Wee Ling Loo

Research Collection Yong Pung How School Of Law

In response to the COVID-19 pandemic, governments began implementing various forms of contact tracing technology. Singapore’s implementation of its contact tracing technology, TraceTogether, however, was met with significant concern by its population, with regard to privacy and data security. This concern did not fit with the general perception that Singaporeans have a high level of trust in its government. We explore this disconnect, using responses to our survey (conducted pre-COVID-19) in which we asked participants about their level of concern with the government and business collecting certain categories of personal data. The results show that respondents had less concern with …

Small Business Cybersecurity: A Loophole To Consumer Data, Matthew R. Espinosa

The Scholar: St. Mary's Law Review on Race and Social Justice

Small businesses and small minority owned businesses are vital to our nation’s economy; therefore legislation, regulation, and policy has been created in order to assist them in overcoming their economic stability issues and ensure they continue to serve the communities that rely on them. However, there is not a focus on regulating nor assisting small businesses to ensure their cybersecurity standards are up to par despite them increasingly becoming a victim of cyberattacks that yield high consequences. The external oversight and assistance is necessary for small businesses due to their lack of knowledge in implementing effective cybersecurity policies, the fiscal …

Breached!: Why Data Security Law Fails And How To Improve It, Woodrow Hartzog, Daniel Solove

Books

Digital connections permeate our lives—and so do data breaches. Given that we must be online for basic communication, finance, healthcare, and more, it is remarkable how difficult it is to secure our personal information. Despite the passage of many data security laws, data breaches are increasing at a record pace. In their book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022), Professors Daniel Solove and Woodrow Hartzog argue that the law fails because, ironically, it focuses too much on the breach itself.

Drawing insights from many fascinating stories about data breaches, Solove and …

An Overview Of Privacy Law In 2022, Daniel J. Solove, Paul M. Schwartz

GW Law Faculty Publications & Other Works

Chapter 1 of PRIVACY LAW FUNDAMENTALS (6th edition, IAPP 2022) provides an overview of information privacy law circa 2022. The chapter summarizes the common themes in privacy laws and discusses the various types of laws (federal, constitutional, state, international). It contains a list and brief summary of the most significant U.S. federal privacy laws. The heart of the chapter is an historical timeline of major developments in the law of privacy and data security, including key cases, enactments of laws, major regulatory developments, influential publications, and other significant events. The chapter also contains a curated list of important treatises and …

Data Vu: Why Breaches Involve The Same Stories Again And Again, Daniel J. Solove

GW Law Faculty Publications & Other Works

This short essay discusses why data security law fails to effectively combat data breaches, which continue to increase. With a few exceptions, current laws about data security do not look too far beyond the blast radius of the most data breaches. Only so much marginal benefit can be had by increasing fines to breached entities. Instead, the law should target a broader set of risky actors, such as producers of insecure software and ad networks that facilitate the distribution of malware. Organizations that have breaches almost always could have done better, but there’s only so much marginal benefit from beating …

Breached! Why Data Security Law Fails And How To Improve It (Chapter 1), Daniel J. Solove, Woodrow Hartzog

GW Law Faculty Publications & Other Works

Digital connections permeate our lives—and so do data breaches. Given that we must be online for basic communication, finance, healthcare, and more, it is remarkable how difficult it is to secure our personal information. Despite the passage of many data security laws, data breaches are increasing at a record pace. In their book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022), Professors Daniel Solove and Woodrow Hartzog argue that the law fails because, ironically, it focuses too much on the breach itself.

Drawing insights from many fascinating stories about data breaches, Solove and …

Individuals As Gatekeepers Against Data Misuse, Ying Hu

Michigan Technology Law Review

This article makes a case for treating individual data subjects as gatekeepers against misuse of personal data. Imposing gatekeeper responsibility on individuals is most useful where (a) the primary wrongdoers engage in data misuse intentionally or recklessly; (b) misuse of personal data is likely to lead to serious harm; and (c) one or more individuals are able to detect and prevent data misuse at a reasonable cost.

As gatekeepers, individuals should have a legal duty to take reasonable measures to prevent data misuse where they are aware of facts indicating that the person seeking personal data from them is highly …

“Smart” Lawyering: Integrating Technology Competence Into The Legal Practice Curriculum, Dyane L. O'Leary

The University of New Hampshire Law Review

Technology has changed modern law practice. Ethics rules obligate lawyers to understand whether, when, and how to use it to deliver services. But most law schools do not incorporate the so-called “Duty of Technology Competence” into the required curriculum. Despite broad calls for legal education to make students more practice-ready, there is no clear path forward for how to weave this valuable professional skill into coursework for all students. This Article supplies one.

The legal practice course should pair technology competence with traditional legal writing and research work. Lawyers do not draft memos or perform legal research or manage caseloads …

Smart Cities And Sustainability: A New Challenge To Accountability?, Iria Giuffrida

William & Mary Environmental Law and Policy Review

From 1800 to today, the global population has shifted from only three percent living in an urban environment to well over fifty percent in 2020. As a result of urbanization, cities around the world struggle to manage traffic and waste, efficiently distribute utilities, and lower pollution to slow the progression of global warming. Smart city technologies have emerged as a tool to process cities’ various forms of data collected through networks of precisely placed sensors and map solutions to many of the environmental and social issues created by urbanization. For swelling metropolitan areas in the United States, China, and Europe …

Protection Of Data In Armed Conflict, Robin Geiss, Henning Lahmann

International Law Studies

This article presents a novel way to conceptualize the protection of data in situations of armed conflict. Although the question of the targeting of data through adversarial military cyber operations and its implications for the qualification of such conduct under International Humanitarian Law has been on scholars’ and states’ radar for the last few years, there remain a number of misunderstandings as to how to think about the notion of “data.” Based on a number of fictional scenarios, the article clarifies the pertinent terminology and makes some expedient distinctions between various types of data. It then analyzes how existing international …

Hipaa-Phobia Hampers Efforts To Track And Contain Covid-19, Lee Hiromoto M.D., J.D.

SLU Law Journal Online

The Health Insurance Portability and Accountability Act (HIPAA), enacted by the US Congress 1996, laudably protects medical privacy in healthcare settings. However, this federal law has created a culture of fear that limits current efforts to address the COVID-19 pandemic. Healthcare providers, who are covered by HIPAA, may be reluctant to disclose information about outbreak clusters for fear of violating the law. Healthcare organizations, who are also covered by the law, still rely on fax machines to avoid violating HIPAA’s data security requirements. And the scrupulous rule-following in healthcare has given independent life to a HIPAA boogeyman. Thus, officials who …

Exploring Lawful Hacking As A Possible Answer To The "Going Dark" Debate, Carlos Liguori

Michigan Technology Law Review

The debate on government access to encrypted data, popularly known as the “going dark” debate, has intensified over the years. On the one hand, law enforcement authorities have been pushing for mandatory exceptional access mechanisms on encryption systems in order to enable criminal investigations of both data in transit and at rest. On the other hand, both technical and industry experts argue that this solution compromises the security of encrypted systems and, thus, the privacy of their users. Some claim that other means of investigation could provide the information authorities seek without weakening encryption, with lawful hacking being one of …

Healthy Data Protection, Lothar Determann

Michigan Technology Law Review

Modern medicine is evolving at a tremendous speed. On a daily basis, we learn about new treatments, drugs, medical devices, and diagnoses. Both established technology companies and start-ups focus on health-related products and services in competition with traditional healthcare businesses. Telemedicine and electronic health records have the potential to improve the effectiveness of treatments significantly. Progress in the medical field depends above all on data, specifically health information. Physicians, researchers, and developers need health information to help patients by improving diagnoses, customizing treatments and finding new cures.

Yet law and policymakers are currently more focused on the fact that health …

Protecting The States From Electoral Invasions, Drew Marvel

William & Mary Bill of Rights Journal

Since the 2016 U.S. presidential election, the threat of foreign interference in U.S. elections has loomed large in the minds of the American public. During the 2016 campaign season, Russian government-backed hackers infiltrated the networks and computers of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and various campaign officials, harvesting private information and installing spyware and malware for ongoing intelligence purposes. U.S. intelligence officials have indicated that, using similar tactics, the Russian hackers also targeted election systems and officials in all fifty states, successfully breaching at least two of those states’ election systems, Illinois and Florida. …

Trimming The Fat: The Gdpr As A Model For Cleaning Up Our Data Usage, Kassandra Polanco

Touro Law Review

No abstract provided.

A New Frontier Facing Attorneys And Paralegals: The Promise & Challenges Of Artificial Intelligence As Applied To Law & Legal Decision-Making, Marissa Moran

Publications and Research

Artificial Intelligence/AI invisibly navigates and informs our lives today and may also be used to determine a client’s legal fate. Through executive order, statements by a U.S. Supreme Court justice and a Congressional Commission on AI, all three branches of the United States government have addressed the use of AI to resolve societal and legal matters. Pursuant to the American Bar Association Model Rules of Professional Conduct[i] and New York Rules of Professional Conduct (NYRPC), [ii] the legal profession recognizes the need for competency in technology which requires both substantive knowledge of law and competent use of technology for …

Breaches Within Breaches: The Crossroads Of Erisa Fiduciary Responsibilities And Data Security, Gregg Moran

University of Miami Law Review

Although the drafters of the Employee Retirement Income Security Act of 1974 (“ERISA”) likely could not have anticipated the data security issues of the twenty-first century, ERISA’s duty of prudence almost certainly requires employee benefit plan fiduciaries to protect sensitive participant data in at least some manner. This Article suggests the Department of Labor should issue a regulation clarifying fiduciaries’ data security obligations. Given that fiduciaries are in the best positions to recognize their plans’ individual security needs and capabilities, the regulation should not attempt to micromanage fiduciaries’ substantive data security policies; rather, it should focus on the procedures by …

A Skeptical View Of Information Fiduciaries, Lina M. Khan, David E. Pozen

Faculty Scholarship

The concept of “information fiduciaries” has surged to the forefront of debates on online-platform regulation. Developed by Professor Jack Balkin, the concept is meant to rebalance the relationship between ordinary individuals and the digital companies that accumulate, analyze, and sell their personal data for profit. Just as the law imposes special duties of care, confidentiality, and loyalty on doctors, lawyers, and accountants vis-à-vis their patients and clients, Balkin argues, so too should it impose special duties on corporations such as Facebook, Google, and Twitter vis-à-vis their end users. Over the past several years, this argument has garnered remarkably broad support …

Who Are The Real Cyberbullies: Hackers Or The Ftc? The Fairness Of The Ftc’S Authority In The Data Security Context, Jaclyn K. Haughom

Catholic University Law Review

As technology continues to be an integral part of daily life, there lies an ever-increasing threat of the personally identifiable information of consumers being lost, stolen, or accessed without authorization. The Federal Trade Commission (FTC) is the U.S. government’s primary consumer protection agency and the country’s lead enforcer against companies subject to data breaches. Although the FTC lacks explicit statutory authority to enforce against data breaches, the Commission has successfully relied on Section 5 of the FTC Act (FTCA) to exercise its consumer protection power in the data security context. However, as the FTC continues to take action against businesses …

Standing After Snowden: Lessons On Privacy Harm From National Security Surveillance Litigation, Margot E. Kaminski

Publications

Article III standing is difficult to achieve in the context of data security and data privacy claims. Injury in fact must be "concrete," "particularized," and "actual or imminent"--all characteristics that are challenging to meet with information harms. This Article suggests looking to an unusual source for clarification on privacy and standing: recent national security surveillance litigation. There we can find significant discussions of what rises to the level of Article III injury in fact. The answers may be surprising: the interception of sensitive information; the seizure of less sensitive information and housing of it in a database for analysis; and …

Health Information Equity, Craig Konnoth

Publications

In the last few years, numerous Americans’ health information has been collected and used for follow-on, secondary research. This research studies correlations between medical conditions, genetic or behavioral profiles, and treatments, to customize medical care to specific individuals. Recent federal legislation and regulations make it easier to collect and use the data of the low-income, unwell, and elderly for this purpose. This would impose disproportionate security and autonomy burdens on these individuals. Those who are well-off and pay out of pocket could effectively exempt their data from the publicly available information pot. This presents a problem which modern research ethics …

Disruptive Platforms, Margot Kaminski

Publications

No abstract provided.