Features

Cybersecurity

How Much Is Data Security Worth?

In this era of big data and interconnectivity, critical information assets often are at the core of evolving business models, and the value of data is increasing daily. By the same token, growing volumes of personal and financial customer data are exposing their stewards to greater risk from increasingly sophisticated cyberattacks or larger, more harmful lapses in security. Determining the right level of investment in cybersecurity can be challenging, and the consequences of getting it wrong can be severe. This article proposes one method for assessing the value of investing in cybersecurity measures.

Cybersecurity

Privacy and CUI: Today’s Federal Efforts Are Not Adequate to Respect Citizen Interests

The U.S. federal government today does not use its regulatory power to require the general protection of citizen privacy. Only on a limited basis does it require holders of “Controlled Unclassified Information” (Privacy CUI) to have security measures to protect that information according to the CUI Rule, the Privacy Act of 1974, and federally required cyber safeguards. These protections do not apply to information that is collected, hosted, or processed by commercial or other non-federal entities but, rather, to narrowly defined CUIs on federal information systems accessible by federal employees, federal contractors, and other non-federal employee partners. The United States can learn a great deal from the much broader privacy protections under the EU’s General Data Protection Rule, and efforts should be made to develop internationally accepted strategies and practices.

Cybersecurity

Are the EU GDPR and the California CCPA Becoming the De facto Global Standards for Data Privacy and Protection?

The General Data Protection Rule (GDPR) is designed to protect the personal data of an estimated 508 million people in the EU. The GDPR imposes new requirements on organizations that process personal data and are established in the EU and, in some cases, on organizations that are established exclusively outside the EU. The California Consumer Privacy Act (CCPA), set to go into effect January 1, 2020, is intended to protect 39.5 million California residents and is broadly applicable to American companies. The GDPR and CCPA are becoming the de facto global standards for data privacy and protection because of the sheer volume of citizens protected and the wide applicability of the laws to companies. This article addresses common elements between these two laws and the origins of data privacy that, in an era of globalization, are likely to drive common behaviors among organizations globally.

Cybersecurity

Threat Information Sharing Under GDPR

The EU’s GDPR is intended to protect the fundamental rights of EU data subjects. Yet, an ironic and unforeseen effect of GDPR has been to stifle the practice of threat information sharing, in turn increasing the threat of successful cyberattacks. As cyberattacks continue to increase in number and sophistication, threat information sharing may (and should) be employed by banks, brokers, insurance carriers, and other areas of critical infrastructure to identify vulnerabilities and prevent the spread of successful cyberattacks to other organizations. This article addresses threat information sharing and discusses why it is lawful under GDPR.

About the SciTech Lawyer

The SciTech Lawyer is published quarterly as a service to its members by the Section of Science & Technology Law of the American Bar Association. It endeavors to provide information about current developments in law, science, medicine, and technology that is of professional interest to the members of the ABA Section of Science & Technology Law.
