Open Access. Powered by Scholars. Published by Universities.®

Law Commons

Data security

Articles 1 - 30 of 32

Full-Text Articles in Law

The President’s Foreign Affairs Power Over Personal Data, Anupam Chander, Paul M. Schwartz Jul 2024

Georgetown Law Faculty Publications and Other Works

This Article reveals a surprising expansion of presidential authority to control goods and services available in the United States because of the information flows that they entail. Such authority is grounded in laws focused on protecting national security, here with respect to foreign surveillance and propaganda. But broad executive powers over our information infrastructure raise significant concerns with respect to core American values of free expression and due process. Worries about unfettered foreign access to data should be coupled with worries about unfettered executive control over our information services and technologies.


The Great Scrape: The Clash Between Scraping And Privacy, Daniel J. Solove, Woodrow Hartzog Jan 2024

Faculty Scholarship

Artificial intelligence (AI) systems depend on massive quantities of data, often gathered by “scraping” – the automated extraction of large amounts of data from the internet. A great deal of scraped data is about people. This personal data provides the grist for AI tools such as facial recognition, deep fakes, and generative AI. Although scraping enables web searching, archival, and meaningful scientific research, scraping for AI can also be objectionable or even harmful to individuals and society.

Organizations are scraping at an escalating pace and scale, even though many privacy laws are seemingly incongruous with the practice. In this Article, …


National Security And Federalizing Data Privacy Infrastructure For AI Governance, Margaret Hu, Eliott Behar, Davi Ottenheimer Jan 2024

Faculty Publications

This Essay contends that data infrastructure, when implemented on a national scale, can transform the way we conceptualize artificial intelligence (AI) governance. AI governance is often viewed as necessary for a wide range of strategic goals, including national security. It is widely understood that allowing AI and generative AI to remain self-regulated by the U.S. AI industry poses significant national security risks. Data infrastructure and AI oversight can assist in multiple goals, including: maintaining data privacy and data integrity; increasing cybersecurity; and guarding against information warfare threats. This Essay concludes that conceptualizing data infrastructure as a form of critical infrastructure …


Comments Of The Cordell Institute For Policy In Medicine & Law At Washington University In St. Louis, Neil Richards, Woodrow Hartzog, Jordan Francis Nov 2022

Faculty Scholarship

The Federal Trade Commission—with its broad, independent grant of authority and statutory mandate to identify and prevent unfair and deceptive trade practices—is uniquely situated to prevent and remedy unfair and deceptive data privacy and data security practices. In an increasingly digitized world, data collection, processing, and transfer have become integral to market interactions. Our personal and commercial experiences are now mediated by powerful, information-intensive firms who hold the power to shape what consumers see, how they interact, which options are available to them, and how they make decisions. That power imbalance exposes consumers and leaves them all vulnerable. We all …


Data Vu: Why Breaches Involve The Same Stories Again And Again, Woodrow Hartzog, Daniel Solove Jul 2022

Shorter Faculty Works

In the classic comedy Groundhog Day, protagonist Phil, played by Bill Murray, asks “What would you do if you were stuck in one place and every day was exactly the same, and nothing that you did mattered?” In this movie, Phil is stuck reliving the same day over and over, where the events repeat in a continual loop, and nothing he does can stop them. Phil’s predicament sounds a lot like our cruel cycle with data breaches.

Every year, organizations suffer more data spills and attacks, with personal information being exposed and abused at alarming rates. While Phil …


Gauging The Acceptance Of Contact Tracing Technology: An Empirical Study Of Singapore Residents’ Concerns With Sharing Their Information And Willingness To Trust, Ee-Ing Ong, Wee Ling Loo Jun 2022

Research Collection Yong Pung How School Of Law

In response to the COVID-19 pandemic, governments began implementing various forms of contact tracing technology. Singapore’s implementation of its contact tracing technology, TraceTogether, however, was met with significant concern by its population, with regard to privacy and data security. This concern did not fit with the general perception that Singaporeans have a high level of trust in its government. We explore this disconnect, using responses to our survey (conducted pre-COVID-19) in which we asked participants about their level of concern with the government and business collecting certain categories of personal data. The results show that respondents had less concern with …


Breached! Why Data Security Law Fails And How To Improve It (Chapter 1), Daniel J. Solove, Woodrow Hartzog Jan 2022

GW Law Faculty Publications & Other Works

Digital connections permeate our lives—and so do data breaches. Given that we must be online for basic communication, finance, healthcare, and more, it is remarkable how difficult it is to secure our personal information. Despite the passage of many data security laws, data breaches are increasing at a record pace. In their book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022), Professors Daniel Solove and Woodrow Hartzog argue that the law fails because, ironically, it focuses too much on the breach itself.

Drawing insights from many fascinating stories about data breaches, Solove and …


The Failure Of Data Security Law, Daniel J. Solove, Woodrow Hartzog Jan 2022

GW Law Faculty Publications & Other Works

In this book chapter, we survey the law and policy of data security and analyze its strengths and weaknesses. Broadly speaking, there are three types of data security laws: (1) breach notification laws; (2) security safeguards laws that require substantive measures to protect security; and (3) private litigation under various causes of action. We argue that despite some small successes, the law is generally failing to combat the data security threats we face.

Breach notification laws merely require organizations to provide transparency about data breaches, but the laws don’t provide prevention or a cure. Security safeguards laws are often enforced …


An Overview Of Privacy Law In 2022, Daniel J. Solove, Paul M. Schwartz Jan 2022

GW Law Faculty Publications & Other Works

Chapter 1 of PRIVACY LAW FUNDAMENTALS (6th edition, IAPP 2022) provides an overview of information privacy law circa 2022. The chapter summarizes the common themes in privacy laws and discusses the various types of laws (federal, constitutional, state, international). It contains a list and brief summary of the most significant U.S. federal privacy laws. The heart of the chapter is an historical timeline of major developments in the law of privacy and data security, including key cases, enactments of laws, major regulatory developments, influential publications, and other significant events. The chapter also contains a curated list of important treatises and …


Data Vu: Why Breaches Involve The Same Stories Again And Again, Daniel J. Solove Jan 2022

GW Law Faculty Publications & Other Works

This short essay discusses why data security law fails to effectively combat data breaches, which continue to increase. With a few exceptions, current laws about data security do not look too far beyond the blast radius of the most data breaches. Only so much marginal benefit can be had by increasing fines to breached entities. Instead, the law should target a broader set of risky actors, such as producers of insecure software and ad networks that facilitate the distribution of malware. Organizations that have breaches almost always could have done better, but there’s only so much marginal benefit from beating …


A New Frontier Facing Attorneys And Paralegals: The Promise & Challenges Of Artificial Intelligence As Applied To Law & Legal Decision-Making, Marissa Moran Jan 2020

Publications and Research

Artificial Intelligence/AI invisibly navigates and informs our lives today and may also be used to determine a client’s legal fate. Through executive order, statements by a U.S. Supreme Court justice and a Congressional Commission on AI, all three branches of the United States government have addressed the use of AI to resolve societal and legal matters. Pursuant to the American Bar Association Model Rules of Professional Conduct and New York Rules of Professional Conduct (NYRPC), the legal profession recognizes the need for competency in technology which requires both substantive knowledge of law and competent use of technology for …


A Skeptical View Of Information Fiduciaries, Lina M. Khan, David E. Pozen Jan 2019

Faculty Scholarship

The concept of “information fiduciaries” has surged to the forefront of debates on online-platform regulation. Developed by Professor Jack Balkin, the concept is meant to rebalance the relationship between ordinary individuals and the digital companies that accumulate, analyze, and sell their personal data for profit. Just as the law imposes special duties of care, confidentiality, and loyalty on doctors, lawyers, and accountants vis-à-vis their patients and clients, Balkin argues, so too should it impose special duties on corporations such as Facebook, Google, and Twitter vis-à-vis their end users. Over the past several years, this argument has garnered remarkably broad support …


Starting From The End: What To Do When Restricted Data Is Released, Marta Teperek, Rhys Morgan, Michelle Ellefson, Danny Kingsley Mar 2017

Copyright, Fair Use, Scholarly Communication, etc.

Repository managers can never be one hundred percent sure of the security of hosted research data. Even assuming that human errors and technical faults will never happen, repositories can be subject to hacking attacks. Therefore, repositories accepting personal/sensitive data (or other forms of restricted data) should have workflows in place with defined procedures to be followed should things go wrong and restricted data is inappropriately released. In this paper we will report on our considerations and procedures when restricted data from our institution was inappropriately released.


Health Information Equity, Craig Konnoth Jan 2017

Publications

In the last few years, numerous Americans’ health information has been collected and used for follow-on, secondary research. This research studies correlations between medical conditions, genetic or behavioral profiles, and treatments, to customize medical care to specific individuals. Recent federal legislation and regulations make it easier to collect and use the data of the low-income, unwell, and elderly for this purpose. This would impose disproportionate security and autonomy burdens on these individuals. Those who are well-off and pay out of pocket could effectively exempt their data from the publicly available information pot. This presents a problem which modern research ethics …


Information Privacy Litigation As Bellwether For Institutional Change, Julie E. Cohen Jan 2017

Georgetown Law Faculty Publications and Other Works

Information privacy litigation is controversial and headline-grabbing. New class complaints are filed seemingly every few weeks. Legal scholars vie with one another to articulate more comprehensive theories of harm that such lawsuits might vindicate. Large information businesses and defense counsel bemoan the threats that information privacy litigation poses to corporate bottom lines and to “innovation” more generally. For all that, though, the track record of litigation achievements on the information privacy front is stunningly poor. This essay examines emerging conventions for disposing of information privacy claims, including denial of standing, enforcement of boilerplate waivers, denial of class certification, and the …


Cybersecurity Stovepiping, David Thaw Jan 2017

Articles

Most readers of this Article probably have encountered – and been frustrated by – password complexity requirements. Such requirements have become a mainstream part of contemporary culture: "the more complex your password is, the more secure you are, right?" So the cybersecurity experts tell us… and policymakers have accepted this "expertise" and even adopted such requirements into law and regulation.

This Article asks two questions. First, do complex passwords actually achieve the goals many experts claim? Does using the password "Tr0ub4dor&3" or the passphrase "correcthorsebatterystaple" actually protect your account? Second, if not, then why did such requirements become so widespread? …


Disruptive Platforms, Margot Kaminski Jan 2017

Publications

No abstract provided.


Standing After Snowden: Lessons On Privacy Harm From National Security Surveillance Litigation, Margot E. Kaminski Jan 2017

Publications

Article III standing is difficult to achieve in the context of data security and data privacy claims. Injury in fact must be "concrete," "particularized," and "actual or imminent"--all characteristics that are challenging to meet with information harms. This Article suggests looking to an unusual source for clarification on privacy and standing: recent national security surveillance litigation. There we can find significant discussions of what rises to the level of Article III injury in fact. The answers may be surprising: the interception of sensitive information; the seizure of less sensitive information and housing of it in a database for analysis; and …


The Privacy Policymaking Of State Attorneys General, Danielle K. Citron Dec 2016

Faculty Scholarship

Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals. Crucial agents of regulatory change, however, have been ignored: the state attorneys general. This article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources — first interviewing state attorneys general and current and former career staff, and then examining documentary evidence received through FOIA requests submitted to AG offices around the country.

Much as Justice Louis Brandeis imagined states as laboratories of the law, offices …


Anonymization And Risk, Ira S. Rubinstein, Woodrow Hartzog Jan 2016

Faculty Scholarship

Perfect anonymization of data sets that contain personal information has failed. But the process of protecting data subjects in shared information remains integral to privacy practice and policy. While the deidentification debate has been vigorous and productive, there is no clear direction for policy. As a result, the law has been slow to adopt a holistic approach to protecting data subjects when data sets are released to others. Currently, the law is focused on whether an individual can be identified within a given set. We argue that the best way to move data release policy past the alleged failures of …


Taking Trust Seriously In Privacy Law, Neil Richards, Woodrow Hartzog Jan 2016

Faculty Scholarship

Trust is beautiful. The willingness to accept vulnerability to the actions of others is the essential ingredient for friendship, commerce, transportation, and virtually every other activity that involves other people. It allows us to build things, and it allows us to grow. Trust is everywhere, but particularly at the core of the information relationships that have come to characterize our modern, digital lives. Relationships between people and their ISPs, social networks, and hired professionals are typically understood in terms of privacy. But the way we have talked about privacy has a pessimism problem – privacy is conceptualized in negative terms, …


Unfair And Deceptive Robots, Woodrow Hartzog Jan 2015

Faculty Scholarship

Robots, like household helpers, personal digital assistants, automated cars, and personal drones are or will soon be available to consumers. These robots raise common consumer protection issues, such as fraud, privacy, data security, and risks to health, physical safety and finances. Robots also raise new consumer protection issues, or at least call into question how existing consumer protection regimes might be applied to such emerging technologies. Yet it is unclear which legal regimes should govern these robots and what consumer protection rules for robots should look like.

The thesis of the Article is that the FTC’s grant of authority and …


The Scope And Potential Of FTC Data Protection, Woodrow Hartzog, Daniel J. Solove Jan 2015

Faculty Scholarship

For more than fifteen years, the FTC has regulated privacy and data security through its authority to police deceptive and unfair trade practices as well as through powers conferred by specific statutes and international agreements. Recently, the FTC’s powers for data protection have been challenged by Wyndham Worldwide Corp. and LabMD. These recent cases raise a fundamental issue, and one that has surprisingly not been well explored: How broad are the FTC’s privacy and data security regulatory powers? How broad should they be?

In this Article, we address the issue of the scope of FTC authority in the areas of …


Should The FTC Kill The Password? The Case For Better Authentication, Daniel J. Solove, Woodrow Hartzog Jan 2015

GW Law Faculty Publications & Other Works

Data security breaches are occurring at an alarming frequency, and one of the main causes involves problems authenticating the identity of account holders. The most common approach to authentication is the use of passwords, but passwords are a severely flawed means of authentication. People are being asked to do a nearly impossible task – create unique, long, and complex passwords for each of the numerous accounts they hold, change them frequently, and remember them all. People do very poorly in following these practices, and even if they manage to do so, hackers and phishers can readily trick people into revealing …


Data Breach (Regulatory) Effects, David Thaw Jan 2015

Articles

No abstract provided.


An Overview Of Privacy Law, Daniel J. Solove, Paul M. Schwartz Jan 2015

GW Law Faculty Publications & Other Works

Chapter 2 of PRIVACY LAW FUNDAMENTALS provides a brief overview of information privacy law – the scope and types of law. The chapter contains an historical timeline of major developments in the law of privacy and data security.

PRIVACY LAW FUNDAMENTALS is a distilled guide to the essential elements of U.S. data privacy law. In an easily-digestible format, the book covers core concepts, key laws, and leading cases.

Professors Daniel Solove and Paul Schwartz clearly and concisely distill all relevant information about privacy law into this short volume. PRIVACY LAW FUNDAMENTALS is designed to be like Strunk and White’s Elements …


The FTC And The New Common Law Of Privacy, Daniel J. Solove, Woodrow Hartzog Jan 2014

Faculty Scholarship

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become …


The FTC And Privacy And Security Duties For The Cloud, Daniel J. Solove Jan 2014

Faculty Scholarship

Third-party data service providers, especially providers of cloud computing services, present unique and difficult privacy and data security challenges. While many companies that directly collect data from consumers are bound by the promises they make to individuals in their privacy policies, cloud service providers are usually not a part of this arrangement. It is not entirely clear what, if any, obligations cloud service providers have to protect the data of individuals with whom they have no contractual relationship. This problem is especially acute because many institutions sharing personal data with cloud service providers fail to include significant privacy and security …


Known And Unknown, Property And Contract: Comments On Hoofnagle And Moringiello, James Grimmelmann Oct 2010

Cornell Law Faculty Publications

In addition to gerund-noun-noun titles and a concern with the misaligned incentives of businesses that handle consumers' financial data, Chris Hoofnagle's Internalizing Identity Theft and Juliet Moringiello's Warranting Data Security share something else: hidden themes. Hoofnagle's paper is officially about an empirical study of identity theft, but behind the scenes it's also an exploration of where we draw the line between public information shared freely and secret information used to authenticate individuals. Moringiello's paper is officially a proposal for a new warranty of secure handling of payment information, but under the surface, it invites us to think about the relationship …


Payments Data Security Breaches And Oil Spills: What Lessons Can Payments Security Learn From The Laws Governing Remediation Of The Exxon Valdez, Deepwater Horizon, And Other Oil Spills?, Sarah Jane Hughes Jan 2010

Articles by Maurer Faculty

No abstract provided.