
Information Disclosure as a light-weight regulatory mechanism DIMACS


Presentation Transcript


  1. Information Disclosure as a light-weight regulatory mechanism (DIMACS)
     Deirdre K. Mulligan, Director, Samuelson Law, Technology & Public Policy Clinic; Clinical Professor of Law, Boalt Hall School of Law and Information School, University of California

  2. If you build it they will come… or maybe not…
     • The existence of technology solutions on their own does not improve security or privacy.
     • Creating incentives for security

  3. Security failures
     • FTC Federal Advisory Committee on Online Access and Security (2000)
     • Underinvestment in security
     • Numerous breaches every year
     • Consumers/regulators largely unaware
     • Relatively non-existent security market
     • Missing data points
     • 4 options, 2 preferred
     • Maintain a security program
     • “appropriate under the circumstances” duty of care
     • Problem: how to create a flexible duty of care
     • Legislation/regulation, industry self-regulation, courts, tort, media
     • Limitations on all…

  4. Creating a flexible duty of care
     • Findings from the Emergency Planning and Community Right-to-Know Act (EPCRA)
     • Huge drops in releases (EPA estimated 40%, but likely less)
     • Operational changes within companies
     • Remarkable changes from a lighter, less costly approach
     • Why?
     • Incentives
     • Enabled benchmarking, rationalizing of investment
     • Democratic participation
     • Collaborative decision making
     • Risk assessment (insurance/investment)
     • Provoked a race to the top
     • Avoided one-size-fits-all, top-down, hard-to-adapt standards
     • Provided an incentive structure to develop internal processes to manage risk; improved tools available to management

  5. Creating a flexible duty of care
     • Traditional regulation
     • Information disclosure
     • Emergency Planning and Community Right-to-Know Act (EPCRA)
     • Gets government out of the middle
     • Widely copied model
     • Sunlight as disinfectant
     • FOIA, FACA…
     • Rhetoric: private action
     • Reality: drive performance through transparency and public oversight
     • Wide range of players able to use information for various purposes

  6. California
     • What happens if we apply this to security?
     • Privacy as pollution
     • Industrial society → information society
     • History of security breach disclosure
     • SB 1386 (Simitian/Peace)
     • Effective July 2003
     • Eye opening
     • 32+ other states follow
     • Federal legislation on 2007 Congressional agenda (Feinstein)

  7. Role of policy in creating incentives
     • Effects of security breach laws
     • More information
     • Absent a legal requirement, only 20% of firms will report serious breaches (FBI/CSI 2005)
     • Broad reach: electronic data
     • Privacy laws highly fragmented, sectoral, difficult to adjust
     • Security process focused → lacking performance metrics
     • We have no proof that process produces good outcomes
     • Don’t know how to measure security, but this introduces at least one measure of failure which….
     • Puts a price tag on failure
     • Average cost $182 per person (Ponemon 2006)
     • $75 per notice
     • Remedial services (credit monitoring etc.)
     • Heightened churn rates
     • Public relations; unwanted attention from AGs, FTC, trial lawyers
     • Affects stock prices to some extent (Acquisti et al.)
     • Influences insurance, ratings etc. (possibly)

  8. Role of policy in creating incentives
     • Effects of security breach laws (cont’d)
     • Altered assessments of investment
     • “encryption of data done in advance of a breach may now be cost effective…” -- L. Sotto
     • Altered attention within institutions? (anecdotal)
     • Security audits
     • Elimination of non-necessary personal information
     • Bifurcated databases
     • Tighter access control
     • Attention to risks of portable devices and media
     • Individual activity
     • Potentially greater use of credit monitoring, opt-out lists, privacy hygiene

  9. Predictions?
     • Success of EPCRA
     • Structured information
     • Widely available
     • NGOs repackaging and recontextualizing
     • Regulatory agencies with substantive responsibility for the issue
     • Result -- wide range of uses
     • Individual empowerment
     • Policy reforms
     • Self-regulatory efforts
     • Internal reforms
     • Does it translate?

  10. Predictions?
     • Limitations of security breach legislation
     • No standard information
     • Severity of breaches sometimes unclear
     • Rarely centralized reporting (notice to individuals)
     • NGOs not activated around this data
     • Push for federal legislation was silly, no need for it
     • No one is leveraging the data
     • No regulatory agency(ies) with substantive responsibility
     • Predict -- more limited effect
     • Individual empowerment -- some, but limits on shopping with feet
     • Lots of third-party leaks which consumers can’t shop for
     • Policy reforms -- maybe; little reflection on effects and benefits; arguing over harm to consumers rather than focusing on benefits to computer security within firms
     • Self-regulatory efforts -- uncertain
     • Internal reforms -- yes, but not well documented

  11. Research
     • Notices
     • 110 analyzed for breach type, relationship to consumer, remedial measures, disclosure practices
     • What are the causes of breaches?
     • Identify strategic measures to address them
     • Policy, technical, procedural, educational
     • Qualitative interviews
     • Organizational behavior literature
     • CSOs on SB 1386
     • Related to current project on CPOs
     • What policies yield what changes in organizations?
     • Investment, staffing, process and procedure, technology acquisition, product development, priority in organization etc.
     • Compliance v. compliance plus
     • Which produce a race to the top in the context of security?

  12. Research Team
     • Deirdre K. Mulligan, Clinical Professor
     • Chris Jay Hoofnagle, Senior Fellow and Senior Attorney
     • Olive Huang, Ph.D./J.D.
     • Drew Lewis, undergraduate
