Information Disclosure as a light-weight regulatory mechanism DIMACS Deirdre K. Mulligan Director, Samuelson Law, Technology & Public Policy Clinic Clinical.

Presentation transcript:

Information Disclosure as a light-weight regulatory mechanism
DIMACS
Deirdre K. Mulligan
Director, Samuelson Law, Technology & Public Policy Clinic
Clinical Professor of Law, Boalt Hall School of Law
Information School, University of California

If you build it they will come… or maybe not…
Technology solutions on their own do not improve security or privacy.
Creating incentives for security

Security failures
FTC Federal Advisory Committee on Online Access and Security (2000)
– Underinvestment in security
  Numerous breaches every year
  Consumers/regulators largely unaware
– Relatively non-existent security market
  Missing data points
– 4 options – 2 preferred
  Maintain a security program “appropriate under the circumstances”: a duty of care
Problem: How to create a flexible duty of care
– Legislation/regulation, industry self-reg, courts, tort, media
– Limitations on all…

Creating a flexible duty of care
Findings from the Emergency Planning and Community Right-to-Know Act (EPCRA)
– Huge drops in releases (EPA estimated 40%, but likely less)
– Operational changes within companies
– Remarkable changes from a lighter, less costly approach
Why?
– Incentives
– Enabled benchmarking, rationalizing of investment
  Democratic participation
  Collaborative decision making
  Risk assessment (insurance/investment)
Provoked a race to the top
– Avoided one-size-fits-all, top-down, hard-to-adapt standards
– Provided incentive structure to develop internal processes to manage risk; improved tools available to management

Creating a flexible duty of care
Traditional Regulation
Information Disclosure
– Emergency Planning and Community Right-to-Know Act (EPCRA)
  Gets government out of the middle
  Widely copied model
Sunlight as disinfectant
– FOIA, FACA…
– Rhetoric: private action
– Reality: drive performance through transparency and public oversight
  Wide range of players able to use information for various purposes

California
What happens if we apply this to security?
Privacy as pollution
– Industrial society → information society
History of Security Breach Disclosure
– SB 1386 (Simitian/Peace)
– Effective July 2003
– Eye opening
– 32+ other states follow
– Federal legislation on 2007 Congressional agenda (Feinstein)

Role of policy in creating incentives
Effects of Security Breach laws
– More information
  Absent a legal requirement, only 20% of firms will report serious breaches (FBI/CSI 2005)
– Broad reach -- electronic data
– Privacy laws highly fragmented, sectoral, difficult to adjust
– Security process focused → lacking performance metrics
  We have no proof that process produces good outcomes
  Don’t know how to measure security, but this introduces at least one measure of failure, which…
– Put a price tag on failure
  Average cost $182 per person (Ponemon 2006)
  $75 per notice
  Remedial services (credit monitoring etc.)
  Heightened churn rates
  Public relations, unwanted attention from AGs, FTC, trial lawyers
  Affects stock prices to some extent (Acquisti et al.)
  Influences insurance, ratings etc. (possibly)

Role of policy in creating incentives
Effects of Security Breach laws (cont’d)
– Altered assessments of investment
  “encryption of data done in advance of a breach may now be cost effective…” -- L. Sotto
– Altered attention within institutions? (anecdotal)
  Security audits
  Elimination of non-necessary personal information
  Bifurcated databases
  Tighter access control
  Attention to risks of portable devices and media
– Individual activity
  Potentially greater use of:
  – credit monitoring
  – opt-out lists
  – privacy hygiene

Predictions?
Success of EPCRA
– Structured information
– Widely available
– NGOs repackaging and recontextualizing
– Regulatory agencies with substantive responsibility for the issue
– Result -- wide range of uses
  Individual empowerment
  Policy reforms
  Self-regulatory efforts
  Internal reforms
Does it translate?

Predictions?
Limitations of Security Breach Legislation
– No standard information
– Severity of breaches sometimes unclear
– Rarely centralized reporting (notice to individuals)
– NGOs not activated around this data
  Push for federal legislation was silly, no need for it
  No one is leveraging the data
– No regulatory agency(ies) with substantive responsibility
– Predict -- more limited effect
  Individual empowerment -- some, but limits on shopping with feet
  – Lots of third-party leaks which consumers can’t shop for
  Policy reforms -- maybe; little reflection on effects and benefits; arguing over harm to consumers rather than focusing on benefits to computer security within firms
  Self-regulatory efforts -- uncertain
  Internal reforms -- yes, but not well documented

Research
Notices
– 110, analyzed for breach type, relationship to consumer, remedial measures, disclosure practices
– What are the causes of breaches?
  Identify strategic measures to address them
  – Policy, technical, procedural, educational
Qualitative interviews
– Organizational behavior literature
– CSOs on SB 1386
  Related to current project on CPOs
– What policies yield what changes in organizations?
  Investment, staffing, process and procedure, technology acquisition, product development, priority in organization etc.
  Compliance v. compliance plus
  Which produce a race to the top in the context of security?

Research Team
Deirdre K. Mulligan, Clinical Professor
Chris Jay Hoofnagle, Senior Fellow and Senior Attorney
Olive Huang, Ph.D./J.D.
Drew Lewis, undergraduate