LSTD517 AMU Legal And Ethical Issues Of Cybersecurity And Civil Law In a minimum of 550 words, predict how present day legal and ethical concerns associated with cybersecurity may apply to possible insurance claims within the foreseeable future. As you do so, please be sure to apply facts, relevant procedures (legal, ethical and/or technical), as well as the concepts that you believe link all of these concepts together.
References
Car, J., Tan, W. S., Huang, Z., Sloot, P., & Franklin, B. D. (2017, April 5). eHealth in the Future of Medications Management: Personalisation, Monitoring and Aherence. BMC Medicine, 15(73). doi:10.1186/s12916-017-0838-0
CXOTALK (Producer). (2017). AI & Privacy Engineering with Michelle Dennedy (Cisco) and David Bray (FCC) (#229) [Motion Picture]. Retrieved April 14, 2019, from
Holstein, T., Dodig-Crnkovic, G., & Pelliccione, P. (2018, February 5). Ethical and Social Aspects of Self-Driving Cars. Computers and Society. Retrieved April 14, 2019, from https://arxiv.org/abs/1802.04103
Nojeim, G. T. (2010, August 13). Cybersecurity and Freedom on the Internet. Journal of National Security Law & Policy, 4(119), 119-137. Retrieved April 14, 2019, from http://jnslp.com/wp-content/uploads/2010/08/09_Noj…
Solow-Niederman, A. (2018, January 11). Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches. The Yale Law Journal, 127, 614-636. Retrieved April 14, 2019, from https://www.yalelawjournal.org/forum/beyond-the-pr…
Spidor, J. C., Ward, B. T., & Volonino, L. (2014, July 1). Privacy Concerns Associated with Smartphone Use. Journal of Internet Commerce, 13, 177-193. doi:10.1080/15332861.2014.947902
Zureich, D., & Graebe, W. (2015, April). Cybersecurity: The Continuing Evolution of Insurance and Ethics. Defense Counsel Journal, 82(2), 192-198. Retrieved April 14, 2019, from https://search-proquest-com.ezproxy1.apus.edu/docv… THE YALE LAW JOURNAL FORUM
JANUARY 11, 2018
Beyond the Privacy Torts: Reinvigorating a Common
Law Approach for Data Breaches*
Alicia Solow-Niederman
abstract. Data breaches continue to roil the headlines, yet regulation and legislation are
unlikely to provide a timely solution to protect consumers. Meanwhile, individuals are le?, at
best, in a state of data insecurity and, at worst, in a compromised economic situation. State
common law provides a path forward. Rather than rely on statutory claims or the privacy torts to
protect consumer data, this Essay suggests that courts should recognize how contemporary
transactions implicate ?duciary-like relationships of trust. By designating what this Essay terms
data con?dants as a limited form of information ?duciary, courts can reinvigorate the tort of
breach of con?dence as a remedy for aggrieved consumers.
We have a data breach problem. The recent breach of the credit-monitoring
agency Equifax implicated the social security numbers, birth dates, and personal information of more than 140 million Americans.1 Given the richness and
sensitivity of this intensely personal data, this breach may be among [the]
*
1.
614
This Essay re?ects developments through December 2017, when it was substantively ?nalized for publication.
Tara Siegel Bernard et al., Equifax Says Cyberattack May Have A?ected 143 Million in the
U.S., N.Y. TIMES (Sept. 7, 2017), http://www.nytimes.com/2017/09/07/business/equifax
-cyberattack.html [http://perma.cc/3U5J-8FMX]; Tara Siegel Bernard & Stacey Cowley,
Equifax Breach Caused by Lone Employees Error, Former C.E.O. Says, N.Y. TIMES (Oct. 3,
2017), http://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html
[http://perma.cc/FG89-LWAX] (estimating that 146 million Americans were a?ected and
reporting that the ex-CEO of Equifax attributed the breach to a lone employees failure to
implement necessary so?ware updates).
beyond the privacy torts: reinvigorating a common law approach for
data breaches
wors[t] ever.2 The incidence of breaches and number of people a?ected continues to climb. The ?rst half of 2017 witnessed a twenty-nine percent increase
in breaches as compared to the same period the year before.3 And in October
2017, the media reported that three billion users of Yahoo! email accounts were
a?ected by a 2013 breach.4
This state of a?airs should concern policymakers and consumers alike.
Congress has failed to enact legislative reform for years.5 Proposals generally
2.
3.
4.
5.
Seth Berman, Richness of Exposed Data Makes Equifax Breach Among Worse Ever, INFO.
MGMT. (Sept. 12, 2017, 6:30 AM), http://www.information-management.com/opinion
/richness-of-exposed-data-makes-equifax-breach-among-worse-ever [http://perma.cc
/BL8Z-7JA7].
At Mid-Year, U.S. Data Breaches Increase at Record Pace, IDENTITY THEFT RESOURCE CTR.
(July 18, 2017), http://www.idthe?center.org/Press-Releases/2017-mid-year-data-breach
-report-press-release [http://perma.cc/V7VG-B3AC].
See Brian Fung, Actually, Every Single Yahoo Account Got Hacked in 2013, WASH. POST (Oct.
3, 2017), http://www.washingtonpost.com/news/the-switch/wp/2017/10/03/yahoos-2013
-data-breach-a?ected-all-3-billion-accounts-tripling-its-previous-estimate [http://perma.cc
/8CRS-9V34].
Nor are these breaches the only notable incidents in late 2017. In November 2017, the
ride-sharing service Uber revealed that, for nearly a year, it had concealed the the? of sensitive data a?ecting 57 million riders and drivers. See Selena Larson, Ubers Massive
Hack: What We Know, CNN (Nov. 23, 2017, 4:47 AM), http://money.cnn.com/2017
/11/22/technology/uber-hack-consequences-cover-up/index.html [http://perma.cc/NU88
-ZJCN]. Uber not only failed to disclose the the? to users and regulators, but also paid the
hackers a $100,000 ransom to delete the informationthough there is no guarantee that the
information was in fact secured.
See, e.g., Christin McMeley, Federal Data Breach Legislation Introduced, But Will It Go Anywhere?, PRIVACY & SECURITY L. BLOG (June 23, 2013) http://www.privsecblog.com/2013/06
/articles/dataprotection/federal-data-breach-legislation-introduced-but-will-it-go
-anywhere [http://perma.cc/7Y2B-D49Z] (expressing skepticism that a 2013 bill would be
enacted, in part due to the partisan split and inability to move legislation generally); Brian
Thompson & Sean B. Hoar, 2015 Data Breach Legislation Six Month Review: Many Proposals,
Few Changes, PRIVACY & SECURITY L. BLOG (July 8, 2015), http://www.privsecblog.com/2015
/07/articles/policy-regulatory-positioning/2015-data-breach-legislation-six-month-review
-many-proposals-few-changes [http://perma.cc/YC88-BET8] (documenting the stall in
Congress regarding data breach-related legislation, despite what appeared to be ample bipartisan support); Martha Wrangham et al., Calls for Federal Breach Noti?cation Law Continue A?er Yahoo Data Breach, GLOBAL IP & TECH. L. BLOG (Oct. 6, 2016) (discussing
stalled past e?orts at federal data breach legislation), http://www.iptechblog.com/2016/10
/calls-for-federal-breach-noti?cation-law-continue-a?er-yahoo-data-breach [http://perma
.cc/FVT5-L33V]; Shawn Zeller, Despite Massive OPM Hack, Congress Continues To Stall on
Data Breach Bill, ROLL CALL (July 22, 2015, 6:30 AM), http://www.rollcall.com/news
/despite_massive_opm_hack_congress_continues_to_stall_on_data_breach_bill-242949
-1.html [http://perma.cc/8UEJ-KQ75] (describing Congresss failure to move forward on a
2015 bill despite years of preparation by members of Congress and seeming agreement
that action was in order); Press Release, Blumenthal Introduces Data Breach and Security
615
the yale law journal forum
January 11, 2018
rise, then stall, within a familiar cycle of (1) major breach; (2) introduction of
one or more data security bills; and (3) legislative inaction. Following the 2015
Target and Home Depot breaches, for instance, there were three bills proposed
by Senate Democrats in the ?rst four months of 2015 alone.6 And once the 2016
Yahoo! breach became public knowledge, at least three dra? proposals were introduced in the Senate, each backed by di?erent partisan combinations and interest group blocs.7 Since the 2017 Equifax breach, there has been renewed legislative attention in the form of congressional hearings,8 and bills have again
been introduced.9 But the history of inaction seems unlikely to change given
6.
7.
8.
9.
616
Legislation To Protect Consumers (Sept. 12, 2011), http://www.blumenthal.senate.gov
/newsroom/press/release/blumenthal-introduces-data-breach-and-security-legislation-to
-protect-consumers [http://perma.cc/3GKC-SNQM] (introducing data breach legislation
during the 20112012 congressional term).
See Cory Bennett, Dem Preps Senates Third Data Breach Bill, HILL (Apr. 27, 2015, 11:45 AM),
[http://perma.cc/4QT5-PU68].
See Claude Bar?eld, The Ongoing Saga of Yahoos Stolen Data, NATL REV. (Oct. 6, 2016, 11:16
AM), http://www.nationalreview.com/article/440796/yahoos-hacked-accounts-no-answers
-no-solutions-yet [http://perma.cc/KQ3P-4ZQ3] (noting, in the Senate alone, at least three
dra? proposals backed by di?erent partisan combinations and interest group blocs).
See, e.g., An Examination of the Equifax Breach: Hearing Before the S. Comm. on Banking,
Hous., & Urban A?airs, 115th Cong. (2017), http://www.banking.senate.gov/public/index
.cfm/hearings?ID=B61BB78D-CF34-4D54-B7F2-F7F982D77D6F#RelatedFiles [http://
perma.cc/68AW-QD7Z] (statement of Richard F. Smith, Adviser to the Interim CEO and
Former Chairman and CEO, Equifax); Examining the Equifax Data Breach: Hearing Before the
H. Comm. on Fin. Servs., 115th Cong. (2017), http://?nancialservices.house.gov/calendar
/eventsingle.aspx?EventID=402360 [http://perma.cc/8XL3-8DHL] (same); Oversight of the
Equifax Data Breach: Answers for Consumers: Hearing Before the Subcomm. on Dig. Commerce &
Consumer Prot. of the H. Comm. on Energy & Com., 115th Cong. (2017), http://
energycommerce.house.gov/hearings/oversight-equifax-data-breach-answers-consumers
[http://perma.cc/CNL6-D23D] (same).
See, e.g., Derek B. Johnson, House Dem Revives Data Breach Bill A?er Equifax Hack, FCW
(Sept. 18, 2017), http://fcw.com/articles/2017/09/18/langevin-equifax-breach-bill.aspx
[http://perma.cc/S3SQ-QLPN] (recounting House Democrats e?orts to revive a data
breach bill that was originally introduced in 2015); Marianne Kolbasuk McGee, Congress
Grills Equifax Ex-CEO on Breach, DATA BREACH TODAY (Oct. 3, 2017), http://www
.databreachtoday.com/congress-grills-equifax-ex-ceo-on-breach-a-10354 [http://perma.cc
/Y2KL-P396] (listing seven di?erent emerging bills introduced or reintroduced a?er the
Equifax breach); Press Release, In Wake of Equifax Data Breach, Blumenthal, Colleagues
Introduce Legislation To Hold Data Broker Industry Accountable (Sept. 14, 2017), http://
www.blumenthal.senate.gov/newsroom/press/release/in-wake-of-equifax-data-breach
-blumenthal-colleagues-introduce-legislation-to-hold-data-broker-industry-accountable
[http://perma.cc/V3KP-MPV8].
beyond the privacy torts: reinvigorating a common law approach for
data breaches
the current political climate.10 More likely, once the uproar fades, the status quo
will return until the next big data breach spurs renewed calls for change.11
Timely statutory reform also seems unlikely because it is not clear what the
ambitions of such a statute should be.12 Should reform focus, for instance, on
improving consumer noti?cations a?er a breach, specifying security standards
to try to prevent a breach in the ?rst instance, or some hybrid of the two? Further, these proposals have their own challenges. First, the ex post strategy of
noti?cation alone might fail to meaningfully empower consumers because it
would not necessarily alter overall security standards or a?ect corporate incentives to invest in security. Yet if notice alone is not enough and the objective is
to promulgate some form of overarching security standard ex ante (either alone
or in a hybrid model), then determining what technical requirements to apply
across di?erent industries is no easy matter. There are also policy obstacles insofar as the American sector-by-sector approach to the treatment of private information largely rejects holistic regulation with regard to the collection, use,
and disclosure of information.13 Prospects for quick, overarching, top-down
legislative reform are thus slim.14
10.
Todays Congress is extremely polarized. See Parties Overall, VOTE VIEW, http://voteview
.com/parties/all [http://perma.cc/GBF9-XDH2] (depicting the ideological gap between
liberal and conservative members of Congress); see also Philip Bump, Farewell to the Most Polarized Congress in More Than 100 Years!, WASH. POST (Dec. 21, 2016), http://www
.washingtonpost.com/news/the-?x/wp/2016/12/21/farewell-to-the-most-polarized
-congress-in-over-100-years [http://perma.cc/FWG9-VVGF] (discussing the data on historic levels of polarization in the 114th Congress). To make what may be obvious explicit,
this degree of polarization challenges the ability to move legislation through Congress, leading scholars to suggest that the 114th Congress, which was the last completed session for
which data was available as of this writing, was the worst ever in terms of productivity.
Norm Ornstein, Is This the Worst Congress Ever?, ATLANTIC, (May 17, 2016), http://www
.theatlantic.com/politics/archive/2016/05/is-this-the-worst-congress-ever/483075 [http://
perma.cc/CG3G-NNEQ].
11. Many participants in the political system share this view. See Cory Bennett & Martin Matishak, Equifax Breach: Turning Point or More of the Same?, POLITICO (Sept. 12, 2017, 6:13
PM), http://www.politico.com/story/2017/09/12/equifax-security-breach-hackers-242623
[http://perma.cc/74KF-L547].
12. Di?erent policy proposals o?er a range of solutions, along with distinctions within each category. See, e.g., Alissa M. Dolan, CONG. RES. SERV., R44326, Data Security and Breach Noti?cation Legislation: Selected Legal Issues 2-3 (2015) (discussing eight bills in the 114th Congress
alone and noting disparate approaches to both data security and noti?cation, and concluding that [t]he details of each bill di?er and close inspection of each provision and de?nition
is required to determine its speci?c e?ect); Bar?eld, supra note 7 (detailing divergence in
recent congressional proposals).
13. With the exception of the Freedom of Information Act of 1966 (FOIA), 5 U.S.C.
§ 552(a)(3)(A) (2012), and regulation of government actors via the Privacy Act of 1974, 5
U.S.C. § 552a (2012), sectoral regulation of sensitive information is the norm. The core ele-
617
the yale law journal forum
January 11, 2018
Yet the issue of data breaches will not simply resolve itself. A world without
breaches is improbable,15 and consumers are limited in how they can address
the issue on their own.16 The status quo can thus result in signi?cant individual
economic and emotional harm.17 This Essay moves past this impasse by arguing that common law courts can and should provide a legal remedy by recognizing the tort of breach of con?dentiality as a cause of action available to individuals a?ected by data breaches. Part I assesses why the leading common law
solution, the privacy torts, represents an unsatisfying response to the harms
caused by data breaches. Part II situates the tort of breach of con?dentiality as a
superior alternative. Part III sketches the components of the tort and suggests
how a court can update the common law and apply this cause of action in the
digital economy.
14.
15.
16.
17.
618
ments are regulation of personal health information (controlled by the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936
(codi?ed as amended in scattered sections of 18, 26, 29, and 42 U.S.C.), and associated privacy rules, 45 C.F.R. § 164.508(a) (2007)), credit reporting and ?nancial data (addressed by
the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. § 1681 (2012), and Title V of
Gramm-Leach-Bliley Act (GLBA), Pub. L. No. 106-102, 113 Stat. 1338 (codi?ed at 15 U.S.C.
§§ 6801-09 (2012))), and educational data (covered by the Family Educational Rights and
Privacy Act of 1974 (FERPA), Pub. L. No. 93-380, 88 Stat. 484 (codi?ed at 20 U.S.C. § 1232g
(2012)).
Cf. Danielle DOnfro, The Best Way to Hold Equifax Accountable, WASH. POST
(Sept. 14, 2017), http://www.washingtonpost.com/opinions/equifax-doesnt-owe-anyone
-anything-but-it-doesnt-have-to-be-this-way/2017/09/14/517c2ef6-98c7-11e7-b569
-3360011663b4_story.html [http://perma.cc/A4E9-M5ER] (arguing that courts, not regulators, should tackle the modern data breach problem).
Eliminating all breaches is neither technologically feasible nor socially desirable. Technological limitations mean that breach-proof security measures are impractical. See, e.g., Tsion
Gonen, Data Breach Prevention is Dead, HILL (Feb. 9, 2015, 2:00 PM), http://thehill.com
/blogs/congress-blog/technology/232041-data-breach-prevention-is-dead [http://perma.cc
/UA7M-DAER] (discussing technological limitations). Moreover, economic and policy realities mean that companies are unlikely to invest in unlimited security measures. From the
corporate perspective, it may be more economically e?cient to bear the cost of a breach ex
post than to invest in the security required to prevent the breach ex ante. See Rahul Telang,
Policy Framework for Data Breaches, 13 IEEE SECURITY & PRIVACY 77, 79 (2015) (explaining
corporate economic incentives). Companies unwilling to bear such risk may also choose not
to engage in the activity at all, which would be an unfortunate outcome both for business
development and for consumers le? unable to enjoy such products and services.
See infra text accompanying notes 38-42.
The New York Times recent interviews with data breach victims viscerally captured the terror and years of di?culty that many experience a?er their data is stolen. Ti?any Hsu, Data
Breach Victims Talk of Initial Terror, Then Vigilance, N.Y. TIMES (Sept. 9, 2017), http://www
.nytimes.com/2017/09/09/business/equifax-data-breach-identity-the?-victims.html
[http://perma.cc/76QH-FLXX]; see also infra Part I (discussing the nature of the harm
caused by data breaches in greater depth).
beyond the privacy torts: reinvigorating a common law approach for
data breaches
i. the limitations of the privacy torts
Given legislative inertia and uncertainty regarding how legislative and
regulatory action should address data breaches, a return to common law roots
in state court18 can provide an alternative remedy for aggrieved individuals.
Since a breach results in the disclosure of private data, a privacy tort, such as
intrusion upon seclusion,19 public disclosure of embarrassing private facts,20
false light,21 or appropriation,22 would appear the most obvious remedy. Yet,
however obvious it may seem, the limitations of the privacy torts counsel in favor of a new model.
First, the privacy torts raise constitutional concerns. There has been a
growing sense in recent decades that a robust instantiation of the privacy torts
risks infringing on the First Amendment right to freedom of speech and
press.23 Consider, for example, the tort of disclosure of private data: since this
18.
19.
20.
21.
22.
23.
This analysis focuses on state courts both because a common law approach is an intrinsic ?t
with data breaches and for instrumental reasons. Even assuming that a statute provides a
federal right of action for a data breach victim, a robust literature has documented the uphill
battle to achieve standing in cases involving informational injuries in general and data
breach suits in particular. See Arthur R. Vorbrodt, Note, Clapper Dethroned: Imminent Injury
and Standing for Data Breach Lawsuits in Light of Ashley Madison, 73 WASH. & LEE L. REV.
ONLINE 61, 87-91 (2016), http://scholarlycommons.law.wlu.edu/cgi/viewcontent.cgi?article
=1046&context=wlulr-online [http://perma.cc/R4LZ-EQM6] (summarizing district courts
tendency, post ACLU v. Clapper, 785 F.3d 787 (2015), to ?nd injury-in-fact too speculative to
confer standing in data breach suits); see also Courtney M. Cox, Comment, Risky Standing:
Deciding on Injury, 8 NE. U. L.J. 75, 85-92 (2016) (discussing standing challenges in data
breach suits); Seth F. Kreimer, Spooky Action at a Distance: Intangible Injury in the Information Age, 18 U. PA. J. CONST. L. 745, 756-83 (2015) (providing a general overview of challenges surrounding alleged informational injuries, both in national security and consumer
contexts); Angelo A. Stio III et al., Standing and the Emerging Law of Data Breach Class Actions, 2015 N.J. LAWYER 49 (discussing the standing hurdle). For a recent overview of how
courts tend to ?nd inadequate injury-in-fact to support standing in federal data breach
claims, see Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data
Breach Harms, 96 TEX. L. REV. (forthcoming 2018), http://papers.ssrn.com/abstract_id
=2885638 [http://perma.cc/H8NY-GVYJ].
See RESTATEMENT (SECOND) OF TORTS § 652B (AM. LAW INST. 1977).
See id. at § 652D.
See id. at § 652E.
See id. at § 652C. See generally William L. Prosser, Privacy, 48 CALIF. L. REV. 383 (1960) (taxonomizing the privacy torts).
Since the late twentieth century, many scholars have recognized this growing tension between privacy tort law and the First Amendment, and breach of con?dence has been suggested as an alternative solution. See Susan M. Gilles, Promises Betrayed: Breach of Con?dence
as a Remedy for Invasions of Privacy, 43 BUFF. L. REV. 1, 6-9 & 9 n.41 (1995) (discussing …
Purchase answer to see full
attachment
Consider the following information, and answer the question below. China and England are international trade…
The CPA is involved in many aspects of accounting and business. Let's discuss some other…
For your initial post, share your earliest memory of a laser. Compare and contrast your…
2. The Ajax Co. just decided to save $1,500 a month for the next five…
How to make an insertion sort to sort an array of c strings using the…
Assume the following Keynesian income-expenditure two-sector model: AD = Cp + Ip Cp = Co…