Vol. 84, Issue 3

Symposium on Data Devolution: Corporate Information Security, Consumers, and the Future of Regulation

Published: May 2009

Symposium Editor
Andrea M. Matwyshyn


Access official versions of these articles here.

Andrea M. Matwyshyn, Data Devolution: Corporate Information Security, Consumers, and the Future of Regulation, 84 Chi.-Kent L. Rev. 713 (2010).

Philip Howard and Kris Erickson, Data Collection and Leakage, 84 Chi.-Kent L. Rev. 737 (2010).

Every year millions of digital records containing personally identifiable information are exposed. When are malicious hackers to blame, and when is it organizational malfeasance? Which kinds of organizations—private firms, government agencies, or educational institutions—loose the most data? With over 1.9 billion records lost (on average that’s 9 records per U.S. adult), a surprising number of the breaches can be attributed to organizational practices.

Elizabeth Rowe, Trade Secrets, Data Security and Employees, 84 Chi.-Kent L. Rev. 749 (2010).

This essay argues that data security is important to the protection of trade secret information, and that trusted employees on the inside pose the biggest threat to the protection of trade secrets. While investments in technical measures such as firewalls and encryption are important, it is also necessary for companies to consider the internal threats from employees when creating corporate security programs. Ultimately, a more comprehensive approach that includes technical and human elements, as well as consideration of inside and outside threats is likely to be more effective in the battle to secure data.

Greg Vetter, Patenting Cryptographic Technology, 84 Chi.-Kent L. Rev. 757 (2010).

The policy concerns intersecting patent law and cryptographic technology relate to the technology’s beneficial uses in securing information in a commercial and social fabric that increasingly relies on computing and electronic communications for its makeup. The presence of patenting in a technology can impact diffusion of interoperable technology. Standardized embeddable cryptography facilitates its supply. Patent law for several decades has waxed and waned in its embrace of software implemented inventions rooted in abstract ideas such as the mathematics and mathematical algorithms underlying modern cryptography. This article documents the growth of cryptographic patenting. Then, in light of this growth and patent law’s resulting shadow on the technology, it discusses implications for data security. These implications include both collaborative and contentious responses by the technology providers and distributors furthering cryptography in the information technology ecology.

Peter K. Yu, The Political Economy of Data Protection, 84 Chi.-Kent L. Rev. 777 (2010).

Information is the lifeblood of a knowledge-based economy. The control of data and the ability to translate them into meaningful information is indispensable to businesspeople, policymakers, scientists, engineers, researchers, students, and consumers. Having useful, and at times exclusive, information improves productivity, advances education and training, and helps create a more informed citizenry. In the past two decades, those who collected or obtained access to a large amount of data began to explore ways to use the collected data as an income stream. Because the then-existing laws did not offer adequate protection for that particular purpose, they actively lobbied for stronger protection of their data assets.
This essay recounts the development of two new forms of data protection: sui generis database protection and data exclusivity. It also discusses the concerns raised by the undemocratic processes used to develop these protections. It explains why “policy laundering” and “backdoor lawmaking” are harmful to both the United States and the larger international community. The essay then offers suggestions on how to recalibrate the balance of the intellectual property system. It concludes with a plea for caution concerning the development of new intellectual property rights to protect data, drawing on the European Commission’s own evaluation of the EC Database Directive.

Gus Hosein, Returning to a Principled Basis for Data Protection, 84 Chi.-Kent L. Rev. 803 (2010).

Society must remain conscious of both pragmatic and principle-based rationales for information security rules. The identity card debate in the United Kingdom provides an example of exactly why a governmental information security approach that is sensitive to civil liberties would be the best approach to data protection. In contrast, we should be cautious of a balancing test that places security in parity with civil liberties and, therefore, erroneously allows pragmatism to triumph over principle.

Kevin Cronin, Best Practices and the State of Information Security, 84 Chi.-Kent L. Rev. 811 (2010).

The forces of globalization, together with widely available industry standards and best practices, and heightened state legislative activity, are driving the U.S. towards a more unified approach to data security. But the success of this unified approach requires more than free market efficiency and innovation. In order to maintain a state of evolutionary equilibrium in the global information economy, the U.S. must move from a fragmented approach towards data security and privacy standards, towards a more comprehensive set of standards with new penalties and effective enforcement, to better reflect the inherent value of personal data in today’s global marketplace.

Michael R. Siebecker, The Duty of Care and Data Control Systems in the Wake of Sarbanes-Oxley, 84 Chi.-Kent L. Rev. 821 (2010).

The essay examines the wisdom of exempting small public companies from Section 404 of the Sarbanes-Oxley Act of 2002 (SOX), which requires companies to provide management assessment and external auditing of a company’s internal control systems over financial data. In particular, the essay questions whether a fiduciary duty of care might require officers and directors to adopt internal control systems, perhaps substantially similar to those envisioned by SOX, even if small public companies were exempt from the ambit of the statute.

Jay. P. Kesan and Ruperto Majuca, Optimal Hackback, 84 Chi.-Kent L. Rev. 831 (2010).

Professor Jay Kesan from the University of Illinois College of Law, in joint work with Ruperto Majuca of the University of Illinois Department of Economics, argue in favor of legal rules that allow “hacking [data] back” in certain business circumstances. They analyze the strategic interaction between the hacker and the attacked company or individual and conclude that neither total prohibition nor unrestrained permission of hack-back is optimal. Instead, they argue that when other alternatives such as criminal enforcement and litigation are ineffective, self-defense is the best response to cybercrime because there is a high likelihood of correctly attacking the criminal, and the mitigation of damages to the hacked victim’s systems may outweigh the potential damages to third parties during the hack-back. In addition, the law should require that counterstrikers use only the requisite measures that are necessary to avoid damage to their own systems. Also, proper liability rules will induce counterstrikers to internalize the damages of third parties in their decision-making. Finally, better and ever-improving intrusion detection systems (IDS) and traceback technology improve the deterrent effect and efficacy of hack-back.

Jennifer Chandler, Information Security, Contract and Liability, 84 Chi.-Kent L. Rev. 841 (2010).

Various common provisions in software end user license agreements undermine cyber security. These include anti-benchmarking provisions and broad exclusions of liability. These short comments suggest that courts and legislatures should take steps to limit the enforceability of contractual provisions that undermine cyber security.

Deborah Pierce, Reasons Why We Should Amend the Constitution to Protect Privacy, 84 Chi.-Kent L. Rev. 851 (2010).

Threats to consumer privacy are many, and varied. Some threats come from corporate entities such as data aggregators and social networking sites: while others come from panoptic government surveillance systems such as Secure Flight. Not only can the data be compromised, but consumers may be adversely affected by incorrect information in their files. The time may be right to explicitly protect privacy via a constitutional amendment to the U.S. Constitution.

Lilian Edwards, Coding Privacy, 84 Chi.-Kent L. Rev. 861 (2010).

Lawrence Lessig famously and usefully argues that cyberspace is regulated not just by law but also by norms, markets and architecture or “code.” His insightful work might also lead the unwary to conclude, however, that code is inherently anti-privacy, and thus that an increasingly digital world must therefore also be increasingly devoid of privacy. This paper argues briefly that since technology is a neutral tool, code can be designed as much to fight for privacy as against it, and that what matters now is to look at what incentivizes the creation of pro- rather than anti-privacy code in the mainstream digital world. This paper also espouses the idea that privacy is better built in from scratch as a “feature” or default, rather than a “bug”—the idea of “privacy by design”—rather than as is more common at present, bolted on via after-the-fact “privacy-enhancing technologies” or PETS. Existing examples of privacy-invasive and privacy-supportive code, drawn from the worlds of social networking, spam and copyright protection, are used to show how privacy may be pushed as a “brand” or feature rather than a cost or bug.

Student Notes and Comments

Jessica H. Schultz, Development of Ectogenesis: How Will Artificial Wombs Affect the Legal Status of a Fetus or Embryo?, 84 Chi.-Kent L. Rev. 877 (2010).

Scientists are currently attempting to create an artificial womb which would allow fetal development to occur independent of a woman’s womb. This Note analyzes legal questions which would emerge with this new technology, including how artificial wombs would affect the interests of the father and the state in the fetus; whether contracts involving artificial wombs would be enforceable; and what type of liability issues would arise due to artificial womb use. Finally, the Note proposes answers for these questions and concludes that the development of artificial wombs will likely complicate rather than resolve issues surrounding reproductive rights and the legal status of an embryo or fetus.

Daniel J. Pylman, Res Ipsa Loquitur in the Restatement (Third) of Torts: Liability Based Upon Naked
Statistics Rather Than Real Evidence
, 84 Chi.-Kent L. Rev. 907 (2010).

Using the doctrine of res ipsa loquitur, courts have accounted for the fact that there may be instances where a plaintiff is unable to present any evidence of a specific negligent act or omission and yet where the injury to the plaintiff and the surrounding circumstances suggest that the defendant did in fact negligently cause the injury. Despite the fact that the doctrine of res ipsa has been well-accepted by American courts, the courts have struggled to appropriately formulate the doctrine so as to achieve its important purpose of allowing recovery in appropriate situations while not formulating it so broadly as to enable recovery where there is no evidence that the defendant acted negligently. The various formulations of the res ipsa loquitur doctrine found in the case law as well as in the Restatement (Second) of Torts and the Restatement (Third) of Torts illustrate the difficulty of formulating the doctrine appropriately. In this note, I argue that the Restatement Second successfully balanced the policy concerns underlying res ipsa loquitur with the real-life consideration that a plaintiff, although she may have suffered serious injuries, ought not be able to invoke the doctrine unless she has sufficiently implicated the relevant defendant as the party responsible for her injuries. I then take a critical look at the Restatement Third which has transformed the doctrine of res ipsa into a pure statistical probability test by eliminating portions of the doctrine that served as necessary safeguards for preventing liability where there is no evidence linking a defendant to the injury. As a result, I conclude that courts should not accept, adopt, or utilize the formulation of res ipsa found in the Restatement Third.

Matthew G. Minder, Peer-To-Peering Beyond the Horizon: Can a P2P Network Avoid Liability by Adapting its Technological Structure?, 84 Chi.-Kent L. Rev. 943 (2010).

Peer-to-peer networks are often used to infringe copyrights, but they also serve some legitimate purposes consistent with copyright law. In attempting to find a satisfactory solution, this comment develops and analyzes two models that future peer-to-peer networks could employ to attempt to avoid liability for copyright infringement. The comment then analyzes the law, applies the two models to the relevant legal tests, and analyzes whether a peer-to-peer network operating on each model could avoid liability for copyright infringement. It concludes that modifying their technological structure may help peer-to-peer networks avoid liability, but that some risks remain.

Randy R. Micheletti, Willful Patent Infringement After In Re Seagate: Just What is “Objectively Reckless” Infringement?, 84 Chi.-Kent L. Rev. 975 (2010).

Recently the United States Court of Appeals for the Federal Circuit dramatically changed the rules for proving willful patent infringement—and justifying enhanced damages—in In re Seagate Technology. A patentee alleging willful infringement must now first prove “by clear and convincing evidence that the infringer acted despite an objectively high likelihood that its actions constituted infringement of a valid patent.” He must then show that the objectively-defined risk was “either known or so obvious that it should have been known to the accused infringer.” The court expressly delegated substantive development of the new test to future cases. Because district courts have generally struggled to apply the new standard, and because a clearer standard will provide patentees and their competitors increased certainty in business planning, this article proposes a multi-factor test for applying In re Seagate Technology. To determine the objective risk of infringement of a valid patent, courts should at least consider (1) the similarity of the patented invention to the infringing conduct, (2) conclusions of infringement, invalidity, and unenforceability found in pre-litigation opinions of counsel, (3) characteristics of the infringer’s commercial market including patent saturation and the pace of innovation, and (4) legitimate defenses to infringement that were raised at trial. To determine whether the infringer knew or should have known of the objectively high risk of infringement, courts should at least consider (1) evidence that the patentee provided the infringer clear notice, (2) whether the infringer obtained an opinion of counsel that communicated a high risk of infringement, (3) whether the patentee and the infringer were in a special relationship, (4) the defendant’s level of skill compared to a person having ordinary skill in the art, (5) contemporary publicity of the patentee or its patent, (6) markings on the patented product, and (7) the length of time between patent issuance and commencement of the infringing activity.

Jill Bornstein, At a Cross-Road: Anti-Same-Sex Marriage Policies and Principles of Equity: The Effect of Same-Sex Cohabitation on Alimony Payments to an Ex-Spouse., 84 Chi.-Kent L. Rev. 1027 (2010).

In the wake of anti-gay marriage policies in the United States, courts and state legislatures alike are struggling to reconcile these policies with well-established principles of equity in the law. This Note examines states’ anti-same-sex marriage policies as they relate to the states’ respective policies regarding alimony termination. Generally, upon divorce, the dependent spouse from a dissolving marriage will receive alimony payments from the independent spouse until the death or remarriage of the dependent spouse. Many states have expanded the definition of “remarriage” to include a dependent spouse’s cohabitation with another individual in a financially interdependent, conjugal relationship. Terminating alimony payments upon the dependent spouse’s cohabitation with another individual preserves equity for the payor-spouse, as it prevents the recipient spouse from using alimony to support a third person. However, some states’ legal ban on same-sex marriage has effectively thwarted the courts’ ability to implement and maintain equitable alimony arrangements. Specifically, the payor-spouse would be required to support the recipient spouse, even where the recipient spouse entered into a cohabitating, interdependent, and conjugal relationship with another person of the same sex. This Note proposes that, to uphold principles of equity in alimony disputes, states must recognize cohabitating, interdependent same-sex relationships as potential triggers for terminating alimony payments to a recipient spouse.