Here are some notable books on privacy and security from 2018. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.
Evan Seligner, Jules Polonetsky, and Omer Tene have just published a terrific edited volume of essays called The Cambridge Handbook of Consumer Privacy. This is a truly impressive collection of writings by a wide array of authors from academia and practice. There’s a robust diversity of viewpoints on wide-ranging and cutting-edge issues. The book has a hefty price tag, but it is a terrific resource.
I have a blurb on the back of the book. This is what I wrote:
The Cambridge Handbook of Consumer Privacy is a magnificent collection of essays – each one short, engaging, and thought-provoking. The broad range of topics covers the most important and vital issues in consumer privacy, and these essays will be relevant for years to come. The authors are a superb assembly of the leading scholars and practitioners from diverse fields and perspectives. This book is a true feast of ideas.
Below is the table of contents. I found a few of these essays on SSRN, where they are available for free, and I am linking to the ones I found.Continue Reading
Hot off the press is Professor Woodrow Hartzog’s new book, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard Univ. Press 2018). This is a fascinating and engaging book about a very important and controversial topic: Should privacy law regulate technological design?
My new article was just published: Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018). I co-authored the piece with Professor Danielle Keats Citron. We argue that the issue of harm needs a serious rethinking. Courts are too quick to conclude that data breaches don’t create harm. There are two key dimensions to data breach harm — risk and anxiety — both of which have been an area of struggle for courts.
Many courts find that anything involving risk is too difficult to measure and not concrete enough to constitute actual injury. Yet, outside of the world of the judiciary, other fields and industries have recognized risk as something concrete. Today, risk is readily quantified, addressed, and factored into countless decisions of great importance. As we note in the article: “Ironically, the very companies being sued for data breaches make high-stakes decisions about cyber security based upon an analysis of risk.” Despite the challenges of addressing risk, courts in other areas of law have done just that. These bodies of law are oddly ignored in data breach cases.
When it comes to anxiety — the emotional distress people might feel based upon a breach — courts often quickly dismiss it by noting that emotional distress alone is too vague and unsupportable in proof to be recognized as harm. Yet in other areas of law, emotional distress alone is sufficient to establish harm. In many cases, this fact is so well-settled that harm is rarely an issue in dispute.
We aim to provide greater coherence to this troubled body of law. We work our way through a series of examples — various types of data breach — and discuss whether harm should be recognized. We don’t think harm should be recognized in all instances, but there are many situations where we would find harm where the majority of courts today would not.
The article can be downloaded for free on SSRN.
Here’s the abstract:
In this post, I provide a brief overview of my scholarship last year.
I co-authored Risk and Anxiety: A Theory of Data Breach Harms with Professor Daniel Keats Citron. The piece is forthcoming in Texas Law Review this year. Even though there continues to be a steady flow of data breaches, there remains significant confusion in the courts around the issue of harm. Courts struggle with data breach harms because they are intangible, risk-oriented, and diffuse. Professor Citron and I argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?” We provide examples of different types of data breaches and discuss whether harm should be recognized. We argue that there are many instances where we would find harm that the majority of courts today would not.
Download Risk and Anxiety: A Theory of Data Breach Harms for free.