PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Should Privacy Law Regulate Technological Design? An Interview with Woodrow Hartzog

Blueprint Privacy 03

Hot off the press is Professor Woodrow Hartzog’s new book, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard Univ. Press 2018). This is a fascinating and engaging book about a very important and controversial topic: Should privacy law regulate technological design?

Continue Reading

Risk and Anxiety: A Theory of Data Breach Harms

Risk and Anxiety Theory of Data Breach Harms

My new article was just published: Risk and Anxiety: A Theory of Data Breach Harms,  96 Texas Law Review 737 (2018). I co-authored the piece with Professor Danielle Keats Citron.  We argue that the issue of harm needs a serious rethinking. Courts are too quick to conclude that data breaches don’t create harm.  There are two key dimensions to data breach harm — risk and anxiety — both of which have been an area of struggle for courts.

Many courts find that anything involving risk is too difficult to measure and not concrete enough to constitute actual injury. Yet, outside of the world of the judiciary, other fields and industries have recognized risk as something concrete. Today, risk is readily quantified, addressed, and factored into countless decisions of great importance. As we note in the article: “Ironically, the very companies being sued for data breaches make high-stakes decisions about cyber security based upon an analysis of risk.” Despite the challenges of addressing risk, courts in other areas of law have done just that. These bodies of law are oddly ignored in data breach cases.

When it comes to anxiety — the emotional distress people might feel based upon a breach — courts often quickly dismiss it by noting that emotional distress alone is too vague and unsupportable in proof to be recognized as harm. Yet in other areas of law, emotional distress alone is sufficient to establish harm. In many cases, this fact is so well-settled that harm is rarely an issue in dispute.

We aim to provide greater coherence to this troubled body of law.   We work our way through a series of examples — various types of data breach — and discuss whether harm should be recognized. We don’t think harm should be recognized in all instances, but there are many situations where we would find harm where the majority of courts today would not.

The article can be downloaded for free on SSRN.

Here’s the abstract:

Continue Reading

My Privacy and Security Scholarship in 2017

Scholarship about Privacy and Security

In this post, I provide a brief overview of my scholarship last year.

Risk and Anxiety: A Theory of Data Breach Harms 

I co-authored Risk and Anxiety: A Theory of Data Breach Harms with Professor Daniel Keats Citron.  The piece is forthcoming in Texas Law Review this year.  Even though there continues to be a steady flow of data breaches, there remains significant confusion in the courts around the issue of harm. Courts struggle with data breach harms because they are intangible, risk-oriented, and diffuse.  Professor Citron and I argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?”  We provide examples of different types of data breaches and discuss whether harm should be recognized. We argue that there are many instances where we would find harm that the majority of courts today would not.

Download Risk and Anxiety: A Theory of Data Breach Harms for free

Continue Reading

Silencing #MeToo: How NDAs and Litigation Stifle Victims, Innovators, and Critics — An Interview with Orly Lobel

 

Countless women have been coming forward to say #MeToo and share their traumatic stories of sexual harassment and assault. But there are many stories we’re not hearing. These stories are being silenced by extremely broad nondisclosure agreements (NDAs), some made at the outset of employment and others when settling litigation over sexual harassment. They stop victims from talking. They also silence other employees who witness sexual harassment of co-workers. NDAs were a powerful device used by Harvey Weinstein to hush up what he was doing.

In her new book, You Don’t Own Me: How Mattel v. MGA Entertainment Exposed Barbie’s Dark Side, Professor Orly Lobel tells a fascinating story about the Barbie versus Bratz litigation, which went on for about a decade. Her book is a page turner — told as a story that could readily be a movie. The book succeeds brilliantly as a gripping tale. But it goes beyond great storytelling to explore many important issues related to business, employment, and intellectual property: the enormous power of corporate employers, the weaponized use of intellectual property to stifle innovation, the dismal failure of business ethics, the troubling use of nondisclosure agreements (NDAs) to maintain dominance and power, and the punishing litigation process.Continue Reading