Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Data Breaches and Data Misuse
Data Breaches
Data Misuse
Addressing Data Security Issues
Diseased Spleens and Data Privacy
Recommendations
Options for Finding a Duty
Data Injury Compensation and Research Fund
Conclusion
References
All Topics
Computer Science
Information Systems

Liability for Data Injuries

Profile image of Jay KesanJay Kesan

2018, University of Illinois Law Review

Abstract

Data insecurity affects the general public to a significant degree, and the law needs to step forward and cope with the challenges posed by data breaches, data misuse, and data injuries. The primary goal of this article is to provide a thorough analytical framework for data breach cases that specifically focuses on the evolutions needed in the areas of duty and injury in shaping the contours of liability for data injuries. This article represents the first comprehensive analysis of a duty to secure data within the modern context of data insecurity. While most of our focus is on data breaches, the principles explored in this article are broad enough to be applied helpfully in data misuse cases as well, including the recent controversy over Facebook’s permissive data use practices. We examine duty as a part of a negligence framework for data insecurity harms, and we argue that courts should recognize a legal duty to secure data. This duty is made necessary by pervasive cognitive biase...

Related papers

'Louder bark with no bite: Privacy protection through the regulation of mandatory data breach notification in Australia' (Future Generation Computer Systems, 2021) by Mamoun Alazab, Seung-Hun Hong & Jenny Ng
Dr Jenny Ng

Future Generation Computer Systems - Volume 116, Pages 22-29, March, 2021

The disruptive shift of technologies in the Internet age poses the challenge of securing our digital asset and cyberspace from large-scale, sophisticatedly targeted offenses and cybercrimes. As a response, many governments have introduced mandatory notification schemes in which an entity bears an obligation to notify the regulator and affected individuals if personal data it holds is compromised. Focusing on Australia's Notifiable Data Breach (NDB) scheme introduced in 2018, this paper points out that the NDB scheme gives entities that should be responsible for data protection much leeway while holding individuals, only victims of a data breach, responsible for dealing with the consequences. This is problematic as redressing the grievances caused by a data breach is difficult in the Australian context. It is difficult for a victim of a breach of privacy to bring an action in court mainly because there is no established tort of privacy in Australia. Further, bringing a class action for data breaches is a difficult process. We suggest that the real effect of the NDB scheme requires an understanding in a broader context of Australian Privacy Principles (APPs). Regulated in a broader APPs context, the NDB scheme could become a part of a privacy protection regime that requires public agencies and businesses to have better accountability and responsibility mechanisms. 1. Introduction: Risk of personal information leakage The continued growth of the Internet since the 1990s has resulted in the increasing sophistication of tools and methods to conduct computer attacks and intrusions. Machine Learning and Artificial Intelligence, Robotics, Internet of Things (IoT), Surveillance and Drones, Crypto-currencies, and Darknet represent the disruptive shift of technologies in the Internet age. This shift poses the challenge of securing our digital asset and cyberspace from large-scale, sophisticatedly targeted offenses and organized crimes, as highlighted by the widely-respected criminologists Roderic Broadhurst and Peter Grabosky [1-3]. Trends in malicious binaries or computer code designed for financial fraud show increasing complexity around new opportunities arising from automated financial activities. The Internet has become the preferred platform for sending phishing spam emails [4] and deploying malware attacks by exploiting vulnerabilities in software systems and critical applications to disrupt intentionally or to subvert them. These malicious codes are used to install computer programs that purport to steal sensitive information (to ______

View PDFchevron_right
Post Data Breach Use of Protective Technologies: An Examination of Users’ Dilemma
Francis Andoh-Baidoo

Proceedings of the 53rd Hawaii International Conference on System Sciences, 2020

This preliminary research addresses the technology use uncertainties that arise when users are presented with protective technologies following a data breach or privacy violation announcement. Prior studies have provided understanding of determinants of technology use through several perspectives. The study complements prior research by arguing that, beyond individual dispositions or technology features, data breach announcements bring users' focus on the actions of the breaching organization. Fair process and information practices provide avenue for organizations to alleviate users' concerns and increase service usage. We draw on organizational justice theory to develop a model that explicates the effect of organizational fairness process and use of technologies. We test this model using data from 200 Facebook users recruited from Amazon MTurk. We found that procedural and informational justice have differential effect on users' desire to use protective technologies. Our findings have both theoretical and practical implications.

View PDFchevron_right
Data Breach Disclosure
Melissa Dark

Concepts, Methodologies, Tools and Applications

As information technology has become more ubiquitous and pervasive, assurance and security concerns have escalated; in response, we have seen noticeable growth in public policy aimed at bolstering cybertrust. With this growth in public policy, questions regarding the effectiveness of these policies arise. This chapter focuses on policy analysis of the state data breach disclosure laws recently enacted in the United States. The state data breach disclosure laws were chosen for policy analysis for three reasons: the rapid policy growth (the United States have enacted 45 state laws in 6 years); this is the first instantiation of informational regulation for information security; and the importance of these laws to identity theft and privacy. The chapter begins with a brief history in order to provide context. Then, this chapter examines the way in which historical, political and institutional factors have shaped our current data breach disclosure policies, focusing on discovering how p...

View PDFchevron_right
More Than a Suspect: An Investigation into the Connection Between Data Breaches, Identity Theft, and Data Breach Notification Laws
Fabio Bisogni

Journal of Information Policy, 2020

This article investigates the relationship between data breaches and identity theft, including the impact of Data Breach Notification Laws (DBNL) on these incidents (using empirical data and Bayesian modeling). We collected incident data on breaches and identity thefts over a 13-year timespan (2005–2017) in the United States. Our analysis shows that the correlation is driven by the size of a state. Enacting a DBNL still slightly reduces rates of identity theft; while publishing breaches notifications by Attorney Generals helps the broader security community learning about them. We conclude with an in-depth discussion on what the European Union can learn from the US experience.

View PDFchevron_right
Empirical analysis of data breach litigation
alessandro acquisti

Journal of Empirical Legal Studies, 2014

Abstract: Legal privacy scholarship typically emphasizes the various ways that plaintiffs fail when bringing legal actions against entities when their personal information is lost or stolen. However this scholarship often considers only a small set of published judicial opinions from large-scale data breaches. And so, little is actually known about the characteristics and disposition of a representative set of data breach lawsuits.

View PDFchevron_right
The Right to Data Privacy: US Privacy Case Law and the Facebook–Cambridge Analytica Data Scandal
Dorka Berecz

This thesis paper maps the milestones of data privacy case law and the evolution of legal doctrines established in the opinions as well as the novel legal and constitutional challenges that large-scale data breaches in the digital age present. This paper also attempts to explore how the Cambridge-Analytica data harvest scandal features against US constitutional protections of privacy and specifically against the said case law of privacy protection.

View PDFchevron_right
Unto the (Data) Breach
Charlotte A Tschider

University of Richmond Law Review (forthcoming), 2024

Since the early 2000s, U.S. courts have begun hearing "data breach" liability cases, the inevitable result of a growing internet-connected technology infrastructure. The relatively recent development of case law signals a body of law in development, stunted by significant limiting factors that prevent the coalescence of legal principles. To date, no holistic empirical exploration of data breach cases has offered sufficient detail to explore these factors. This descriptive empirical study analyzes, in detail, 225 data breach cases from 2005-2022, reviewing these cases over a three-year period to descriptively identify key trends and changes within a case's life on the docket. This study identifies the type of plaintiff, settlement amounts, type and disposition of information compromised, claims, common motions, and key strategies most likely to result in a favorable plaintiff outcome. It also explores broad trends in data breach litigation, including acceptance of claims by courts, the status of future harms in 12(b)(1) and 12(b)(6) standing challenges, and the degree to which courts are willing to let cases proceed beyond preliminary motions. These results will provide crucial information for litigating parties, their counsel, judges, and policy makers. 1 Charlotte Tschider is an Associate Professor of Law at the Loyola University Chicago School of Law. I would like to thank Matthew Sag, Justin (Gus) Hurwitz, David Thaw, Steven Bellovin, and the Law and Technology Workshop participants for their comments on an earlier version of this article. A special thanks to Jay Edelson and Aaron Charfoos for their perspectives on data breach litigation and for offering their expertise with my classes on this topic. I would especially like to thank Annalisa Kolb for her exceptional research skills generating and validating cases in this study.

View PDFchevron_right
Prevention and Mitigation of Breaches of Personal Information Databases: A Theoretical Framework
Susan Sproule, Francine Vachon

It seems that everything—from our cars to the search engines we use—collects information about us and our activities. Breaches compromising personal information are an unfortunate by-product of our modern information- intensive society. In this paper, we examine previous research on this problem from diverse perspectives. We then develop an interdisciplinary framework that examines parties involved, benefits derived by each party, losses from a breach, and the ability of each party to mitigate losses. Within this framework, appropriate economic theories are extended to other types of breaches and frauds.

View PDFchevron_right
Bytes Bite: Why Corporate Data Breaches Should Give Standing to Affected Individuals
Caden Hayes

Washington and Lee Journal of Civil Rights and Social Justice, 2019

equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros (explaining the fact that it was too late to fix the vulnerability in the Equifax system once hacked) (on file with the Washington & Lee Journal of Civil Rights & Social Justice). 14. See id. ("[A]s the attack escalated over the following months, that first group-known as an entry crew-handed off to a more sophisticated team of hackers."). 15. Id. 16. See Smith, supra note 1, at 5 ("On September 7, 2017, Equifax publicly announced the breach through a nationwide press release.").

View PDFchevron_right
Data Protection Law in the United States.docx
elvo elmarado

The primary subject of both litigation and legislation in the United States (U.S.) and the European Union (EU) for the past four decades has so far remained the issue of data protection laws-how to ensure personal data privacy. In particular, the serious and acrimonious debate about data privacy is attributed to the interests of various constituencies, including government agencies, national security services, individuals, law enforcement, and commercial organizations. As a result, this paper employs a holistic approach to comprehensively examine the US’ data privacy legislation as one of the major ongoing balancing acts in the world. In the examination, it takes into consideration both the security and individual interests.

View PDFchevron_right

References (241)

  1. Dec. 20, 2017, 10:40 AM), https://earther.com/the-amazing-earth-science-behind-the-last-jedis-new-min-1821 429894; THE LAST JEDI (Lucasfilm 2017).
  2. Michael D. Simpson, All Your Data Are Belong to Us: Consumer Data Breach Rights and Remedies in an Electronic Exchange Economy, 87 U. COLO. L. REV. 669, 674 (2016).
  3. Michael L. Rustad & Thomas H. Koenig, The Tort of Negligent Enablement of Cybercrime, 20
  4. BERKELEY TECH. L.J. 1553, 1611 (2005) [hereinafter Rustad & Koenig, Cybercrime].
  5. Ukraine Power Distributor Plans Cyber Defense System For $20 Million, REUTERS (Feb. 6, 2018, 6:58 AM), https://www.reuters.com/article/us-ukraine-cyber-ukrenergo/ukraine-power-distributor-plans-cyber- defense-system-for-20-million-idUSKBN1FQ1TD.
  6. Bruce Schneier, Lessons from the Dyn DDoS Attack, Schneier on Security (Nov. 8, 2016, 6:25 AM), https://www.schneier.com/blog/archives/2016/11/lessons_from_th_5.html.
  7. Rick Noack, The Dutch Were a Secret Ally in War Against Russian Hackers, Local Media Reveal, WASH. POST (Jan. 26, 2018), https://www.washingtonpost.com/news/worldviews/wp/2018/01/26/dutch-media- reveal-country-to-be-secret-u-s-ally-in-war-against-russian-hackers/?utm_term=.c20fc2ddda51. Thanks to AIVD, the Dutch intelligence service, the U.S. intelligence community had access to information about the ac- tivities of the Russian hacking group Cozy Bear, which is alleged to have ties to the Russian government. Id.
  8. Sarah N. Lynch, U.S. Shuts Down Cyber Crime Ring Launched By Ukrainian, REUTERS (Feb. 7, 2018, 11:15 AM), https://www.reuters.com/article/us-usa-cybercrime/u-s-shuts-down-cyber-crime-ring-launched-by- ukrainian-idUSKBN1FR2M7.
  9. Id.
  10. Simpson, supra note 3, at 671.
  11. Jimmy H. Koo, 2017: The Year of the Data Breach, BLOOMBERG BNA (Dec. 19, 2017), https:// www.bna.com/2017-year-data-b73014473359/.
  12. Tony Martin-Vegue, Will the Real "Year of the Data Breach" Please Stand Up?, HACKERNOON (Jan.
  13. Thomas Martecchini, Note, A Day in Court for Data Breach Plaintiffs: Preserving Standing Based on Increased Risk of Identity Theft After Clapper v. Amnesty International USA, 114 MICH. L. REV. 1471, 1473 (2016).
  14. Rucker, supra note 13. 22. See id.
  15. See id.; U.S. CENSUS BUREAU, QUICKFACTS, https://www.census.gov/quickfacts/fact/table/US/PST 045217 (last visited Nov. 2, 2018).
  16. Economic Growth, Regulatory Relief, and Consumer Protection Act, Pub. L. No. 115-174, 132 Stat. 1296 (2018). 25. See id.
  17. E.g., IDAHO CODE § 28-52-106 (2018) (only requiring credit freezes to be provided at no cost to con- sumers who are victims of identity theft);
  18. N.C. GEN. STAT. § 75-63(o) (2017) (prohibiting fees for credit freezes when the request is made electronically).
  19. Cooney v. Chi. Pub. Sch., 943 N.E.2d 23, 27 (Ill. App. Ct. 2010).
  20. Hard Drive Containing Personal Hospital Records Sold Online, NEWS12 N.J. (Dec. 19, 2017), http:// newjersey.news12.com/story/37103529/hard-drive-containing-personal-hospital-records-sold-online. 41. Id. 42. Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 115 A.3d 458, 459 (Conn. 2015).
  21. Id.
  22. In re Science Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 19 (D.D.C. 2014).
  23. Id. 46. Riedy & Hanus, supra note 28, at 13.
  24. NAT'L RESEARCH COUNCIL OF THE NAT'L ACADS., TECH., POLICY, LAW, AND ETHICS REGARDING U.S. ACQUISITION AND USE OF CYBERATTACK CAPABILITIES 41 (William A. Owens et al. eds., 2009).
  25. Colin J.A. Oldberg, Note, Organizational Doxing: Disaster on the Doorstep, 15 COLO. TECH. L.J. 181, 183 (2016).
  26. See Lauren E. Willis, Why Not Privacy by Default?, 29 BERKELEY TECH. L.J. 61, 66-67 (2014).
  27. See Paul M. Schwartz, Property, Privacy, And Personal Data, 117 HARV. L. REV. 2055, 2100 (2004).
  28. Meredith, supra note 67.
  29. Id.
  30. Issie Lapowsky, Cambridge Analytica Could Have Also Accessed Private Facebook Messages, WIRED (Apr. 10, 2018), https://www.wired.com/story/cambridge-analytica-private-facebook-messages/.
  31. Id.; Meredith, supra note 67.
  32. See Meredith, supra note 67. 81. See id.
  33. Id.; Lapowsky, supra note 78.
  34. See Meredith, supra note 67.
  35. Bloomberg Gov't, Transcript of Mark Zuckerberg's Senate Hearing, WASH. POST (Apr. 10, 2018), https://www.washingtonpost.com/news/the-switch/wp/2018/04/10/transcript-of-mark-zuckerbergs-senate-hear- ing/?utm_term=.a39f8b2eb57e.
  36. Id.
  37. Privacy Act of 1974, 5 U.S.C. § 552a(e)(10) (2018).
  38. Gramm-Leach-Bliley Act, 15 U.S.C. § 6801(b)(2) (2018).
  39. See generally Malcolm M. MacIntyre, The Rationale of Last Clear Chance, 53 HARV. L. REV. 1225 (1940).
  40. Patricia Cave, Giving Consumers a Leg to Stand On: Finding Plaintiffs a Legislative Solution to the Barrier from Federal Courts in Data Security Breach Suits, 62 CATH. U. L. Rev. 765, 789 (2013);
  41. Romanosky, Hoffman & Acquisti, supra note 30, at 100; Evan M. Wooten, The State of Data Breach Litigation and Enforce- ment: Before the 2013 Mega Breaches and Beyond, 24 J. ANTITRUST & UNFAIR COMPETITION L. SEC. ST. B. CAL. 229, 239 (2015).
  42. Cave, supra note 113, at 787; Simpson, supra note 3, at 691-92; Wooten, supra note 113, at 239. 115. Martecchini, supra note 20, at 1494-95.
  43. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 1013-14
  44. S.D. Cal. 2014); In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089, 1092-95 (N.D. Cal. 2013); see also Wooten, supra note 113, at 243-44.
  45. Johnson, supra note 141, at 29.
  46. Rabin, Data, supra note 129, at 323. 161. Id. at 324-26.
  47. Cave, supra note 113, at 778.
  48. Pinson, supra note 142, at 48.
  49. Rabin, Data, supra note 129, at 328.
  50. See Ludington, supra note 62, at 171; Oldberg, supra note 48, at 199. Product liability law itself, though, may not be a good fit. See Danielle Keats Citron, Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age, 80 S. CAL. L. REV. 241, 243 (2007);
  51. Rustad & Koenig, Cyber- crime, supra note 4, at 1580.
  52. See Rustad & Koenig, Cybercrime, supra note 4, at 1575. 190. Id. at 694.
  53. Rustad & Koenig, Tort Monster, supra note 100, at 41. 192. Id. at 43.
  54. Palsgraf v. Long Island R.R. Co., 162 N.E. 99, 99 (N.Y. 1928).
  55. Id. at 100 ("One who jostles one's neighbor in a crowd does not invade the rights of others standing at the outer fringe when the unintended contact casts a bomb upon the ground.").
  56. See, e.g., McDonald, supra note 170, at 385 (citing W. Jonathan Cardi, The Hidden Legacy of Palsgraf: Modern Duty Law in Microcosm, 91 B.U. L. REV. 1873, 1884 (2011)) ("Forseeability is 'often cited as the most important factor in duty,' and the use of foreseeability in deciding matters of negligence is 'nearly ubiquitous.'").
  57. Rustad & Koenig, Tort Monster, supra note 100, at 41.
  58. Pinson, supra note 142, at 49.
  59. McDonald, supra note 170, at 376.
  60. Pinson, supra note 142, at 49.
  61. Rustad & Koenig, Tort Monster, supra note 100, at 45.
  62. Fox & Stein, supra note 27, at 988.
  63. McDonald, supra note 170, at 367.
  64. Rustad & Koenig, Cybercrime, supra note 4, at 1587.
  65. Rustad & Koenig, Tort Monster, supra note 100, at 45.
  66. See Kline v. 1500 Mass. Ave. Apartment Corp., 439 F.2d 477, 487 (D.C. Cir. 1970);
  67. Johnson, supra note 141, at 23; Rustad & Koenig, Cybercrime, supra note 4, at 1608.
  68. See supra note 68 and accompanying text.
  69. Rustad & Koenig, Tort Monster, supra note 100, at 97-98.
  70. Id. at 104 ("Immunity is breeding irresponsibility because websites have no incentive or duty to protect their visitors and the general public."). This aspect of the CDA was amended slightly in 2018 to remove immunity for websites that knowingly assist, facilitate, or support sex trafficking. Pub. L. 115-164, H.R. 1865 (2018);
  71. Emily Stewart, The Next Big Battle Over Internet Freedom Is Here, VOX (Apr. 23, 2018, 12:20 PM), https://www. vox.com/policy-and-politics/2018/4/23/17237640/fosta-sesta-section-230-internet-freedom.
  72. Rustad & Koenig, Tort Monster, supra note 100, at 42; McDonald, supra note 170, at 369.
  73. Rabin, Enabling Torts, supra note 182, at 444.
  74. Rustad & Koenig, Cybercrime, supra note 4, at 1581. 239. Id. at 1581-82.
  75. Rabin, Data, supra note 129, at 331. 241. 439 F.2d 477, 488 (D.C. Cir. 1970);
  76. Rustad & Koenig, Cybercrime, supra note 4, at 1584. 242. 18 U.S.C. § 1839(3)(A) (2018);
  77. Rowe, supra note 1, at 8.
  78. Rowe, supra note 1, at 3.
  79. Johnson, supra note 141, at 22.
  80. E.g., CAL. CIVIL CODE § 1798.29(a) (West 2017).
  81. E.g., id. § 1798.29(e).
  82. E.g., 815 ILL. COMP. STAT. 530/20 (2006) ("A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.").
  83. Johnson, supra note 141, at 22.
  84. Cooney v. Chi. Pub. Schs., 943 N.E.2d 23, 28 (Ill. App. Ct. 2010).
  85. Rustad & Koenig, Tort Monster, supra note 100, at 101-02; see also Waers, supra note 88, at 51 (discussing a data breach of medical records where the data was not misused).
  86. Johnson, supra note 141, at 26.
  87. Sara Malm, Two Suicides Are Linked to Ashley Madison Leak, DAILYMAIL (Aug. 24, 2015, 9:59 AM), http://www.dailymail.co.uk/news/article-3208907/The-Ashley-Madison-suicide-Texas-police-chief-takes-life- just-days-email-leaked-cheating-website-hack.html.
  88. Oldberg, supra note 48, at 186.
  89. Id.
  90. See Riedy & Hanus, supra note 28, at 10 ("The term 'information security' comprises three interrelated components: confidentiality, integrity, and availability of data.").
  91. Ludington, supra note 62, at 146.
  92. Kenneth Einar Himma, Privacy Versus Security: Why Privacy Is Not an Absolute Value or Right, 44
  93. SAN DIEGO L. REV. 857, 891-92 (2007).
  94. Stephen M. Griffin, Reconstructing Rawls's [sic] Theory of Justice: Developing a Public Values Phi- losophy of the Constitution, 62 N.Y.U. L. REV. 715, 734 (1987).
  95. Id.
  96. ROBERT MEYER & HOWARD KUNREUTHER, THE OSTRICH PARADOX: WHY WE UNDER PREPARE FOR DISASTERS 12 (2017).
  97. Motorcycles (2016), INS. INST. FOR HIGHWAY SAFETY AND THE HIGHWAY LOSS DATA INST. (Dec. 2017), http://www.iihs.org/iihs/topics/t/motorcycles/fatalityfacts/motorcycles. 285. Goldberg, supra note 137, at 819. 286. Id. at 824.
  98. Rustad & Koenig, Cybercrime, supra note 4, at 1603.
  99. JOHN LOCKE, TWO TREATISES OF GOVERNMENT 129 (Edward J. Harpham ed., Univ. Press of Kan. 1992) (1960) ("God gave the world to men in common for their use. Men own themselves, and by extension they own their own labor. They create property by mixing their own labor, which is unconditionally their property, with unowned common resources, thereby creating something new, which becomes their property as well (ST: no. 27).").
  100. James Madison, Property, THE FOUNDERS' CONSTITUTION (1792), http://press-pubs.uchicago. edu/founders/documents/v1ch16s23.html.
  101. Id. Of course, Madison's theories of property are inherently flawed, as he supported chattel slavery, making this quote very suspect in hindsight. 291. Solove & Citron, supra note 27, at 747.
  102. Adam Benforado, The Body of the Mind: Embodied Cognition, Law, and Justice, 54 ST. LOUIS U. L.J. 1185, 1205 (2010).
  103. Goldberg, supra note 137, at 809.
  104. Fox & Stein, supra note 27, at 991; Solove & Citron, supra note 27, at 767 (noting that emotional distress claims are criticized as being too easy to fake).
  105. Amanda C. Pustilnik, Pain as Fact and Heuristic: How Pain Neuroimaging Illuminates Moral Dimen- sions of Law, 97 CORNELL L. REV. 801, 803 (2012). Pustilnik also observes that because of the way that the brain processes nociception transmissions, "without consciousness, there is no pain." Id. at 808.
  106. Govind Persad, Law, Science, and the Injured Mind, 67 ALA. L. REV. 1179, 1181 (2016).
  107. Id. at 1183. 298. Id. at 1184-85.
  108. Mary Emily O'Hara, Kurt Eichenwald Case: Texas Grand Jury Says a GIF Is a 'Deadly Weapon', NBC NEWS (Mar. 21, 2017, 2:38 PM), https://www.nbcnews.com/news/us-news/kurt-eichenwald-case-texas- grand-jury-says-gif-deadly-weapon-n736316.
  109. Joshua Rhett Miller, Vet Accused of Sending Reporter Seizure-Causing Tweet Catches Small Break, N.Y. POST (Nov. 28, 2017, 12:58 PM), https://nypost.com/2017/11/28/vet-accused-of-sending-reporter-seizure- causing-tweet-catches-small-break/.
  110. O'Hara, supra note 299.
  111. Id. 303. Persad, supra note 296, at 1192. 304. 938 F.2d 1033, 1034 (9th Cir. 1991).
  112. Id. 306. Id. at 1036. 307. O'Hara, supra note 299.
  113. Jon D. Elhai & Brian J. Hall, Anxiety About Internet Hacking: Results from a Community Sample, 54
  114. COMPUTERS IN HUM. BEHAV. 180, 183 (2016) (reporting results of a survey measuring self-reported anxiety levels about various data breach related topics and finding "data breach" anxiety to have greater severity than resting anxiety);
  115. Sushma Sanga & Ali Eydgahi, Factors Affecting Identity Theft Anxiety Level in College Students (Am. Soc. for Engineering Educ. 2017, Paper No. 19812), https://www.asee.org/public/conferences/78/pa- pers/19812/view (studying the factors influencing the anxiety caused by fear of identity theft among students in Michigan).
  116. See generally Karen Reilly & Gráinne Kirwan, Online Identity Theft, An Investigation of the Differ- ences Between Victims and Non-victims with Regard to Anxiety, Precautions and Uses of the Internet, in CYBERPSYCHOLOGY AND NEW MEDIA: A THEMATIC READER ACCOUNT (Andrew Power & Gráinne Kirwan ed., 2014) (studying the after-effects of being a victim of online identity theft and showing victims of online identity theft experience higher levels of anxiety compared to nonvictims);
  117. Jon D. Elhai et al., Cross-cultural and Gender Associations with Anxiety about Electronic Data Hacking, 70 COMPUTERS IN HUM. BEHAV. 161 (2017) (studying the impact of data hacking on clinical anxiety and worry among American and Korean men and women);
  118. Tracy Sharp et al., Exploring the Psychological and Somatic Impact of Identity Theft, 49 J. OF FORENSIC SCI. 1 (2004) (showing an increase in maladaptive psychological and somatic symptoms post-victimization among victims of identity theft).
  119. Solove & Citron, supra note 27, at 753.
  120. See generally Miller, supra note 300; O'Hara, supra note 299. 323. O'Hara, supra note 299.
  121. See Chen & Potenza, supra, note 16.
  122. Oldberg, supra note 48, at 204.
  123. Id.
  124. Ludington, supra note 62, at 147.
  125. Rustad & Koenig, Cybercrime, supra note 4, at 1603; Solove & Citron, supra note 27, at 747.
  126. Cave, supra note 113, at 769; Johnson, supra note 141, at 29; Martecchini, supra note 20, at 1491-92;
  127. Rabin, Data, supra note 129, at 333-34;
  128. Solove & Citron, supra note 27, at 761-62.
  129. Rabin, Data, supra note 129, at 333-34; Fox & Stein, supra note 27, at 985. 331. Solove & Citron, supra note 27, at 774. 332. Id. at 772.
  130. Rabin, Data, supra note 129, at 334.
  131. 254 F. App'x 664, 665 (9th Cir. 2007); see also Martecchini, supra note 20, at 1491-92; Pinson, supra note 142, at 46-47 (discussing the district court decision in Stollenwerk). 335. 580 F. Supp. 2d 273, 281 (S.D.N.Y. 2008).
  132. Id. at 282; see also Martecchini, supra note 20, at 1493.
  133. Solove & Citron, supra note 27, at 754. 338. Id. at 755.
  134. Richards & Solove, supra note 145, at 1922.
  135. E.g., Martecchini, supra note 20, at 1475. 341. Id. at 1491.
  136. Solove & Citron, supra note 27, at 739.
  137. Cave, supra note 113, at 770-71; Martecchini, supra note 20, at 1475-76.
  138. Clapper v. Amnesty Int'l, 568 U.S. 398, 409 (2013); Cave, supra note 113, at 772, 787.
  139. Martecchini, supra note 20, at 1475.
  140. Martecchini, supra note 20, at 1480.
  141. Wooten, supra note 113, at 233-34.
  142. E.g., In re Science Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14 (D.D.C. 2014).
  143. See Wikimedia Found. v. Nat'l Sec. Agency, 857 F.3d 193, 210 (4th Cir. 2017) ("Because details about the collection process remain classified, Wikimedia can't precisely describe the technical means that the NSA employs.");
  144. Solove & Citron, supra note 27, at 740 n.19. 354. Cave, supra note 113, at 774. 355. 848 F.3d 262 (4th Cir. 2017).
  145. See generally Peters v. St. Joseph Serv. Corp., 74 F. Supp. 3d 847 (S.D. Tex. 2015); In re SAIC, 45 F. Supp. 3d 14 (D.D.C. 2014). 360. 672 F.3d 64, 69 (1st Cir. 2012).
  146. Katz, 672 F.3d at 80 (citing Anderson v. Hannaford Bros., 659 F.3d 151, 164-65 (1st Cir. 2011)).
  147. Id.
  148. Reilly v. Ceridian Corp., 664 F.3d 38, 46 (3d Cir. 2011) (finding no standing in case where claims alleged violations of the New Jersey Identity Theft Protection Act and the New Jersey Consumer Fraud Act);
  149. Complaint at 10, Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (No. 2:10-cv-05142), 2010 WL 11199509. 365. 663 F. App'x 384, 388 (6th Cir. 2016).
  150. Galaria, 663 F. App'x at 386. 370. Id. at 387.
  151. In re SuperValu Inc., 870 F.3d at 767; Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 965 (7th Cir. 2016).
  152. Galaria¸ 663 F. App'x at 391; See Lewert, 819 F.3d at 966-67; In re SuperValu Inc., 870 F.3d at 769, 774. 374. Lewert, 819 F.3d at 967; Remijas, 794 F.3d at 694 ("In addition to the alleged future injuries, the plaintiffs assert that they have already lost time and money protecting themselves against future identity theft and fraudulent charges.").
  153. E.g., Martecchini, supra note 20, at 1483-86 (noting different interpretations by courts).
  154. Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273, 282 (S.D.N.Y. 2008);
  155. Cave, supra note 113, at 769; Martecchini, supra note 20, at 1491.
  156. Wooten, supra note 113, at 240.
  157. Martecchini, supra note 20, at 1493.
  158. Solove & Citron, supra note 27, at 743.
  159. Id. (quoting In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 272-74 (3d Cir. 2016)).
  160. Solove & Citron, supra note 27, at 750.
  161. Cave, supra note 113, at 785-86; Johnson, supra note 141, at 26; Martecchini, supra note 20, at 1491;
  162. Rustad & Koenig, Cybercrime, supra note 4, at 1580; Simpson, supra note 3, at 686; Wooten, supra note 113, at 232. 393. 273 P.3d 106, 110 (Or. 2012).
  163. Id.
  164. William L. Prosser, Privacy, 48 CALIF. L. REV. 383, 385 (1960); see also Ludington, supra note 62, at 162-63 (noting the decline of the public disclosure of private facts tort due to its conflict with the First Amend- ment when communications when there is a public interest in that information being known);
  165. Richards & Solove, supra note 145, at 1892. Prosser also expressed concern that the false light and disclosure of private facts torts involved an examination of reputation, overlapping with defamation law. Prosser, supra, at 398. 406. Richards & Solove, supra note 145, at 1902.
  166. Time Inc. v. Hill, 385 U.S. 374 (1967).
  167. Richards & Solove, supra note 145, at 1923.
  168. Id. (arguing that database cases raise fewer First Amendment issues than tort actions about emotional injuries caused by actions of the press).
  169. Rabin, Data, supra note 129, at 317.
  170. Taylor Hatmaker, Facebook's Latest Privacy Debacle Stirs Up More Regulatory Interest from Law- makers, TECHCRUNCH (Mar. 17, 2018, 8:40 PM), https://techcrunch.com/2018/03/17/facebook-cambridge-ana- lytica-regulation-klobuchar-warner/.
  171. F.S.C. Northrop, Law, Language and Morals, 71 YALE L.J. 1017, 1023-24 (1962).
  172. S.E. 68, 70 (Ga. 1905);
  173. Jonathan Kahn, Biotechnology and the Legal Constitution of the Self: Man- aging Identity in Science, the Market, and Society, 51 HASTINGS L.J. 909, 915 (2000).
  174. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 193 (1890).
  175. Oldberg, supra note 48, at 197-98.
  176. Gasser, supra note 144, at 62.
  177. E.g., Pavesich, 50 S.E. at 69 (concerning an advertisement with customer testimonial next to plaintiff's likeness, where statement was not made by plaintiff and plaintiff had not consented to the use of his image).
  178. Brian Feldman, Facebook Reaches Settlement in Sponsored Stories Lawsuit, ATLANTIC (Aug. 27, 2013), https://www.theatlantic.com/technology/archive/2013/08/facebook-reaches-settlement-sponsored-sto- ries/311753/.
  179. Prosser, supra note 405.
  180. Oldberg, supra note 48, at 198.
  181. Prosser, supra note 405, at 389.
  182. Danielle Keates Citron, Mainstreaming Privacy Torts, 98 CALIF. L. REV. 1805, 1807 (2010);
  183. Richards & Solove, supra note 145, at 1887.
  184. Richards & Solove, supra note 145, at 1890.
  185. Prosser, supra note 405, at 422.
  186. Ludington, supra note 62, at 159.
  187. Richards & Solove, supra note 145, at 1889.
  188. Wooten, supra note 113, at 231-32. It should be noted, however, that the Fourth Circuit recently found that the exposure of patient files was a publication for purposes of insurance coverage for a data breach. See Travelers Indem. Co. of Am. v. Portal Healthcare Sol., LLC, 644 F. App'x 245, 247-48 (4th Cir. 2016).
  189. Ludington, supra note 62, at 160. 432. Id. at 166.
  190. Oldberg, supra note 48, at 203.
  191. Meghan Boone, The Autonomy Hierarchy, 22 TEX. J. ON C.L. & C.R. 1, 15 (2016) (discussing the ways that courts treat spiritual autonomy and physical autonomy). 435. Id. at 16.
  192. Ludington, supra note 62, at 147.
  193. ALAN F. WESTIN, PRIVACY AND FREEDOM 7 (1970).
  194. Gasser, supra note 144, at 63. 439. Id. at 67.
  195. Cadwalladr & Graham-Harrison, supra note 68.
  196. Sara Salinas, Facebook Stock Slides After FTC Launches Probe of Data Scandal, CNBC (Mar. 26, 2018), https://www.cnbc.com/2018/03/26/ftc-confirms-facebook-data-breach-investigation.html. 444. Gasser, supra note 144, at 64.
  197. Id.
  198. Id.; Ludington, supra note 62, at 184.
  199. Ludington, supra note 62, at 185. 448. 793 P.2d 479, 496 (Cal. 1990).
  200. Id. at 497 (Arabian, J., concurring) (emphasis in original).
  201. Id. at 508-09 (Mosk, J., dissenting);
  202. Kahn, supra note 416, at 933-34. 455. 71 P.3d 296, 311 (Cal. 2003).
  203. Id. at 325-26 (Mosk, J., dissenting).
  204. 159 F. Supp. 3d 1101 (N.D. Cal. 2016).
  205. Id. at 1107.
  206. Id.
  207. See, e.g., Self Driving, XKCD, https://xkcd.com/1897/ (last visited Nov. 2, 2018).
  208. Kahn, supra note 416, at 916.
  209. Kahn, supra note 416, at 935, 938 ("Granting legal recognition to the constitutive elements of identity is a logical corollary of recognizing its outward manifestations in names or images."). 465. Id. at 951.
  210. Id. at 910 (arguing that ensuring informed consent does not protect personal identity).
  211. Richards & Solove, supra note 145, at 1919. 468. Id. at 1918.
  212. Ludington, supra note 62, at 161.
  213. Prosser, supra note 405, at 389. 471. 9 N.W. 146, 146 (Mich. 1881).
  214. Id. at 165-66. It should be noted that Prosser's conclusion in Privacy lacked some internal consistency. Prosser wrote that "by the use of a single word supplied by Warren and Brandeis, the courts have created an independent basis of liability, which is a complex of four distinct and only loosely related torts . . . ." Prosser, supra note 405, at 422. The 1881 case of De May v. Roberts, however, explicitly referred to the plaintiff's "legal right to the privacy of her apartment." 9 N.W. 146, 149 (1881). The court could not have been referring to a constitutional right of privacy, because neither Dr. De May nor Mr. Scattergood were government actors. Prosser does not address how this dignitary harm fits into his proprietary model. 476. Cadwalladr & Graham-Harrison, supra note 68.
  215. Kahn, supra note 416, at 915.
  216. Id. at 917; Ludington, supra note 62, at 167.
  217. Kahn, supra note 416, at 914. 480. Id. at 950.
  218. Richards & Solove, supra note 145, at 1916.
  219. Solove & Citron, supra note 27, at 768-69.
  220. Kahn, supra note 416, at 922.
  221. Ludington, supra note 62, at 162.
  222. Richards & Solove, supra note 145, at 1919.
  223. Id. 491. Fox & Stein, supra note 27, at 990-91; Goldberg, supra note 137, at 820-21.
  224. Solove & Citron, supra note 27, at 29.
  225. Rustad & Koenig, Tort Monster, supra note 100, at 57 (quoting MARSHAL S. SHAPO, THE DUTY TO ACT: TORT LAW, POWER AND PUBLIC POLICY xiii (1977)).
  226. Rustad & Koenig, Tort Monster, supra note 100, at 62.
  227. Rustad & Koenig, Cybercrime, supra note 4, at 1583.
  228. Johnson, supra note 141, at 22.
  229. Id. at 29-30 (noting also that "a damages cap should not apply to cases involving egregious conduct").
  230. Ludington, supra note 62, at 186.
  231. Riedy & Hanus, supra note 28, at 37.
  232. Rabin, Data, supra note 129, at 335.
  233. Andrew S. Pollis, Busting Up the Pretrial Industry, 85 FORDHAM L. REV. 2097, 2099-2100 (2017).
  234. Rabin, Enabling Torts, supra note 182, at 450; Broin, TOBACCO ON TRIAL, http://www.tobaccoon trial.org/?page_id=592 (last visited Nov. 2, 2018).
  235. Riedy & Hanus, supra note 28, at 38.
  236. Maya Kosoff, Zuckerberg Hits Users With the Hard Truth: You Agreed to This, VANITY FAIR (Mar. 26, 2018, 11:01 AM), https://www.vanityfair.com/news/2018/03/zuckerberg-hits-users-with-the-hard-truth-you- agreed-to-this.
  237. See Exec. Order, supra note 133; NIST, supra note 133.
  238. Rabin, Data, supra note 129, at 315.
  239. Riedy & Hanus, supra note 28, at 23.
  240. Rabin, Enabling Torts, supra note 182, at 450; Broin, supra note 504.
  241. U.S. GOV'T ACCOUNTABILITY OFFICE, Federal Fees, Fines, and Penalties 10, (Dec. 1, 2016), https://www.gao.gov/assets/690/681352.pdf.

Related papers

Negligence in Information Security Law
strini perumal

The advent of modern computing and the need for humans to interact with each other, coupled with the need to use technology to make our lives easier has resulted in valuable information being collated and stored digitally. Consequently users' personal information has become the attractive subject of information security attacks. Most notably in the case of LinkedIn security breaches lead to the disclosure of over six million passwords. In fact, it was found that LinkedIn used outdated encryption methods and as a consequence a class action has been brought against LinkedIn in the District Court of California for failure to protect information. In lieu of this scenario this article seeks to highlight the legal liability at a statutory level and at common law tortuous action for negligence in respect of failure to protect against a security breach and liability for notification of a breach thereof.

View PDFchevron_right
The New Vulnerability: Data Security and Personal Information
Daniel J . Solove

2011

The author would like to thank Jake Barnes for his help in the tort law discussions of this chapter. To the extent my knowledge of tort law is accurate, I accept full responsibility. As for the errors, blame Jake. Chris Hoofnagle, Ted Janger, and Paul Schwartz provided helpful comments on the manuscript. This book chapter was originally written in 2004. Subsequent to the redrafting of this chapter, in 2005, a litany of organizations announced that they had suffered massive data security breaches. I have updated this chapter slightly to discuss the 2005 data security breaches, but I am unable to add more to discuss the legal developments in the aftermath of the breaches. By and large, these developments have unfolded as I predicted back in 2004 when writing this chapter. Data security is quickly becoming one of the major concerns of the Information Age. Computer networks are vulnerable to siege from hackers, viruses, intercepted communications, and electronic surveillance. 1 Much of the data residing in these computer networks pertains to our personal lives. Increasingly, extensive digital dossiers about us are being constructed, as businesses and the government gather pieces of personal data and assemble them in data bases. Hundreds-perhaps thousands-of entities may have our personal information. 2 Our dossiers play a profound role in our lives. They are used to assess our reputation and credibility. They are examined to determine whether we receive a loan, a job, or a license-and even whether we are detained or arrested by the police. Because so many critical decisions are based on our dossiers, ensuring that they are accurate and protected from tampering is of paramount importance.

View PDFchevron_right
Towards a Model for Data Breaches: An Universal Problem for the Public
Robert Holtfreter

International Journal of Public Information Systems, 2014

The topic of data breaches, protection of information and data security salient to business and criminal justice researchers, practitioners in all profit and nonprofit organizations, consumer advocate groups and legislators throughout the world. This article analyzes the trends in data breaches in the United States and classifies them into five general industry sectors and eighteen sub-sectors using a new model recently developed by the authors and also provides basic recommendations for information and security personnel in every industry throughout the world to use to improve data protection and thus help protect public information for consumers and all types of organizations. The 2,280 data breaches tracked by the Privacy Rights Clearinghouse from 2005 through 2010 were used in the study. The findings indicate that the trends for the annual number of data breaches for the five general industries and their sub-sectors have increased, although inconsistently, over the six-year period. The analysis and classification of data breaches by general and sub-sector industries with the use of this new data breach model provides an awareness of the data breach problem for information managers and security personnel in public and private sector organizations throughout the world and also provides a workable methodological framework to help them develop innovative and useful policies for safeguarding personal information of consumers, clients, employees and other entities. The topic of data breaches and information management remains salient to business and criminal justice researchers, practitioners in all profit and nonprofit organizations, consumer advocate groups and legislators throughout the world.

View PDFchevron_right
Risk and Anxiety: A Theory of Data Breach Harms
Daniel J . Solove

SSRN Electronic Journal, 2016

for their research assistance. We are grateful to the editors of the Texas Law Review for their superb assistance.

View PDFchevron_right
Ethical Access Control in the Era of Data Breaches
Fatma Mohammed

2019

The worldwide interconnected objects, called Internet of Things (IoTs), have been increasingly growing in the last several years. Different social media platforms and devices are continuously generating data about individuals and facilitate the technological and the social convergence of their Internet-based data and services with globalized users. These social and device-related IoTs create rooms for data breaches as such platforms provide ability to collect private and sensitive data. We assert that data breaches are fundamentally failures of access control - most users are too busy or technically ill-equipped to understand access control policy expressions and decisions. We argue that this is symptomatic of globalised societies structured by the conditions of algorithmic modernity; an era in which our data is increasingly interdependent on, and enmeshed with, ever more complex systems and processes that are vulnerable to attack. Ethically managing data breaches is now too complex...

View PDFchevron_right

Related topics

  • Business
  • Information Systems
  • Information Science
  • Information Retrieval
  • Information Technology
  • Management Information Systems
  • Information Security
  • Information Management
  • Information Communication Techno...
  • Information Security and Privacy
  • Data Privacy
  • Information Security Management
  • Information Technology and Security
  • Information Techology
  • Information Technology and Syste...
  • Computer Information Systems
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved