Presentation is loading. Please wait.

Presentation is loading. Please wait.

Racing to the Top: Creating a Flexible Duty of Care to Secure Personal Information Deirdre K. Mulligan Clinical Professor Director, Samuelson Law, Technology.

Published byMagdalene Matthews Modified over 8 years ago

Similar presentations

Presentation on theme: "Racing to the Top: Creating a Flexible Duty of Care to Secure Personal Information Deirdre K. Mulligan Clinical Professor Director, Samuelson Law, Technology."— Presentation transcript:

1 Racing to the Top: Creating a Flexible Duty of Care to Secure Personal Information Deirdre K. Mulligan Clinical Professor Director, Samuelson Law, Technology & Public Policy Clinic Director, Center for Clinical Education Berkeley Law, UC Berkeley

2 If you build it they will come… or maybe not… Security in the market place is “remarkably below what “known best Practices” could provide.” The existence of technology solutions on their own does not improve security or privacy.

3 Q: What public policies create incentives for firms to effectively secure personal information? The problem The metaphor The intervention Current research Conclusions Reforms and future research

4 Problem Security of personal information –Inadequate incentives to protect Non-rivalrous Externalized harm Unknown harm from breach Difficult to establish causality –Requires dynamic evolutionary response Traditional legal responses ill-suited –Standards –Common law –Market

5 Metaphor Pollution is to Industrial society as Privacy Breaches are to Information society

6 Environmental Law: Information Disclosure Emergency Planning and Community Right-to-Know Act (EPCRA) –Huge drops in releases (EPA est. 40% likely less) –Operational changes within companies Remarkable changes from lighter, less costly approach

7 How it works Catalyst for market activity Catalyst for political activity Source of power/pressure internal actors

8 Breach as toxic release?

9 Intervention: Security Breach Laws Notice to individuals whose… “unencrypted personal information (first name or initial and last name + SSN; DL; CICN; Account number, credit or debit card number + PW) was, or is reasonably believed to have been, acquired by an unauthorized person”

10 Current Research: Effects of Security Breach Laws What information are they producing? Are they catalyzing –market activity? –political activity? –organizational behavior? What limits their effectiveness? –Informational limits –Subject matter limits

11 New Information and Harms Consumers and public aware of breaches Fuller picture of problem –Absent legal requirement only 20% of firms will report serious breaches (FBI/CSI 2005) Particular vulnerabilities identified –Laptops, third-party vendors, tapes and other data in transit Creation of new harm –Harm to business reputation and brand flowing from report of breach Price tag on problem –Average cost $182 per person (Ponemon 2006)

12 Market Activity Some Individuals and self protection 20% claim to have terminated relationship 0-7% actual churn rate Stock market fluctuations Limitations Notices uninformative Unable to compare risks Limited opportunities for exit (Relationship-less)

13 Political Activity Some Copycat laws –39 additional states and DC; proposals US, UK, forthcoming in EU Relation to other regulatory efforts Limited use by ngos Limitations Location-less Mile wide, inch deep Technocratic Weak and fragmented legal framework

14

15 Location-less Astroglide mashup: Christopher Soghoian & Sid Stamm, PhD candidates, Indiana University

16 Organizational Behavior “You manage what you measure” security and privacy bound to brand Heightened role of CPO Bridge between CPO/CSO/CISO drive information exchange among security professionals Altered paradigm–compliance to risk management

17 Conclusions Security Breach Laws are effecting markets, political activity and organizational behavior Push towards risk management is likely to drive ongoing improvements Some limitations Information and reporting requirements of current laws inherent in characteristics of breaches

18 Reforms and Future Research Reforms Standardized, electronic, centralized reporting Does NOT create publicly available database Future research Dual standard of notification? User based analysis of information –shifts in content, format and timing Metrics to determine risk, not just loss

Download ppt "Racing to the Top: Creating a Flexible Duty of Care to Secure Personal Information Deirdre K. Mulligan Clinical Professor Director, Samuelson Law, Technology."

Similar presentations

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.

© 2014 Nelson Brown Hamilton & Krekstein LLC. All Rights Reserved PRIVACY & DATA SECURITY: A LEGAL FRAMEWORK MOLLY LANG, PARTNER, NELSON BROWN & CO.
Copyright Security-Assessment.com 2006 Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented.

Copyright Security-Assessment.com 2006 Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented.
INDIA.

INDIA.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Chapter 1 An Overview of Managerial Finance © 2005 Thomson/South-Western.

Chapter 1 An Overview of Managerial Finance © 2005 Thomson/South-Western.
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.

Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.
Topic 2 The External Environment

Topic 2 The External Environment
Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005.

Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005.
Information Disclosure as a light-weight regulatory mechanism DIMACS Deirdre K. Mulligan Director, Samuelson Law, Technology & Public Policy Clinic Clinical.

Information Disclosure as a light-weight regulatory mechanism DIMACS Deirdre K. Mulligan Director, Samuelson Law, Technology & Public Policy Clinic Clinical.
An Overview of Financial and Multinational Financial Management Corporate Finance Dr. A. DeMaskey.

An Overview of Financial and Multinational Financial Management Corporate Finance Dr. A. DeMaskey.
MARKET STRUCTURES. What is a Market Structure? ▪ Market Structures, by book definition, is the nature and degree of competition among firms operating.

MARKET STRUCTURES. What is a Market Structure? ▪ Market Structures, by book definition, is the nature and degree of competition among firms operating.
Cyber Risk Enhancement Coverage. Cyber security breaches are now a painful reality for virtually every type of organization and at every level of those.

Cyber Risk Enhancement Coverage. Cyber security breaches are now a painful reality for virtually every type of organization and at every level of those.
XML AND THE LEGAL FOUNDATIONS FOR ELECTRONIC COMMERCE: Making XML Pay: Revising Existing Electronic Payments Law to Accommodate Innovation Copyright (c)

XML AND THE LEGAL FOUNDATIONS FOR ELECTRONIC COMMERCE: Making XML Pay: Revising Existing Electronic Payments Law to Accommodate Innovation Copyright (c)
Privacy and Security Risks in Higher Education

Privacy and Security Risks in Higher Education
1Copyright 2009. Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.

1Copyright Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.
Working towards responsible business practices in the oil and gas sector Rose Kimotho Programme Manager (East Africa) Institute for Human Rights and Business.

Working towards responsible business practices in the oil and gas sector Rose Kimotho Programme Manager (East Africa) Institute for Human Rights and Business.
Privacy on the Books and on the Ground Kenneth A. Bamberger & Deirdre K. Mulligan University of California, Berkeley School of Law and School of Information.

Privacy on the Books and on the Ground Kenneth A. Bamberger & Deirdre K. Mulligan University of California, Berkeley School of Law and School of Information.
Report from Breakout Session 1.2 Secure Consumerization: the Genuine Trustworthiness Revolution Chair: Craig Lee Rapporteur: Paolo Mazzetti.

Report from Breakout Session 1.2 Secure Consumerization: the Genuine Trustworthiness Revolution Chair: Craig Lee Rapporteur: Paolo Mazzetti.
Social Media Jeevan Kaur, Michael Mai, Jing Jiang.

Social Media Jeevan Kaur, Michael Mai, Jing Jiang.

Similar presentations

Ads by Google