chevron-down Created with Sketch Beta.
March 06, 2019 Message from the Chair

A Big Year in Data Privacy and Security

By William B. Baker

Welcome to the third issue this bar year of our outstanding flagship publication—The SciTech Lawyer.

This issue focuses on the current crisis in data privacy and security. Unless you spent 2018 like Rip Van Winkle, you could not have missed the substantial attention devoted to data privacy and security over the course of the year. The European Union’s General Data Protection Regulation took effect on May 25, an event that alone triggered an enormous amount of legal and information technology work over the course of the year. In June, the Supreme Court decided Carpenter v. United States, dramatically reshaping the law governing historical cell phone location data. At the state level, 2018 saw the enactment of the California Consumer Privacy Act, the first major legislation in the United States addressing consumer data privacy. That the California law differs in many respects from the GDPR only complicates the lives of lawyers and IT specialists in this area.

In this issue, Rick Aldrich explores the tension between new technology and longstanding legal doctrine and reviews the initial caselaw that Carpenter has spawned. He also discusses the legal rules that have developed regarding the use of Stingrays, cell tower “dumps,” security cameras, and collection techniques in foreign affairs or national security.

Two articles focus on the GDPR, which reflects its significance. Rick Borden addresses the implications for cybersecurity of the GDPR’s Article 6 necessity and proportionality provisions and whether balancing the legitimate interests of data controllers with the fundamental freedoms of the data subjects should allow threat information sharing.

Catherine Barrett explains how the GDPR and the California CPA are becoming the de facto global standards for data privacy and protection. She reviews the distinctly different approaches of the two laws to recognizing and vindicating (or not) certain individual rights.

How much data security is enough? Almudena Arcelus, Brian Ellman, and Randal Milch take an unconventional approach by looking at what data security is worth to a business. Applying a rule of reason analysis, they propose comparing the cost of incremental security to the probability of a breach and the cost of such a breach.

Finally, Robert Metzger discusses the complex rules surrounding “controlled unclassified information.” This large category of data needs protection, is public and often contract-related, and requires restrictions on handling, securing, and disseminating.

These topics are timely, as this issue will be arriving in your mailbox just in time for the RSA conference in early March—the largest security conference of the year. And data privacy and security will also be important topics at SciTech’s National Institute on the Internet of Things being held in Washington, D.C., on March 27 and 28. For more information and registration, please go to ambar.org/iot2019.

As you read this, baseball spring training is underway. Baseball delightfully blends teamwork with individual performance. We focus on the pitcher and batter, but, for both, their ultimate success largely depends on their teammates on the field or in the batting order.

So too it is with SciTech. Our successes depend on the combination of the initiative and leadership of individual Section members with the teamwork of talented and enthusiastic experts who contribute their knowledge and skills to an endeavor—whether a CLE program, a “brown bag” presentation, a book, an essay, or an article in The SciTech Lawyer. It is through these efforts that SciTech members from around the nation take the lead in shaping technology law for years to come.

Keep up the good work! 

Entity:
Topic:
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

By William B. Baker