Search Results

This chapter provides a broad overview of privacy, data protection and security issues raised by DTC services. This includes discussion of the EU’s General Data Protection Regulation (GDPR), the UK’s Data Protection Legislation, and a brief discussion of US and Canadian Privacy Law. It also covers secondary use of genetic databases, the Future of Privacy Forum’s Privacy Best Practices for Consumer Genetic Testing Services, and Indigenous Peoples and Data Sovereignty.

This chapter presents an insider's view of how information about corporate information security breaches reaches the public. It says that “[d]espite the passage of state-level data security breach notification legislation in many states, journalists still often have to rely on sources other than the companies and organizations that experience a breach for information about a breach—either because the breach is not considered newsworthy or because the data that are stolen do not fall into the category of data covered by notification laws.” Journalists learn about breaches from a number of sources. Rarely, though, are companies or organizations that experienced the breach the first to reveal it. The chapter describes some of the practical limitations of data breach notification laws with regard to public disclosure of corporate security breaches. It argues that companies fear that disclosing such information would place them at a disadvantage with competitors and make them vulnerable to lawsuits from customers as well as to other potential intruders.

This chapter analyzes electronic health data security vulnerabilities and the legal framework that has been established to address them. It describes the wide-ranging threats to health information security and the harms that security breaches can produce. Some of the threats arise from sources that are internal to organizations, including irresponsible or malicious employees, while other threats are external, such as hackers and data miners. The harms associated with improper disclosure of private medical data can include medical identity theft, blackmail, public humiliation, medical mistakes, discrimination, and loss of financial, employment, and other opportunities. The chapter also discusses federal laws, state laws, and common-law causes of action that address patient privacy rights and health information security. Finally, it offers recommendations for improving safeguards for electronically processed health records.

This chapter discusses the challenges to information security from social networking websites and the new business models they represent. The success of this new generation of data-intensive virtual space enterprises raises heightened concerns about information security. It is already known that identity thieves are making extensive use of personal information disclosed in such virtual spaces to commit fraud, while unaccredited writers of subapplications for these spaces can also gain access and evade security around vast amounts of valuable data. It is argued that although the law may provide some data control protections, aspects of the code itself provide equally important means of achieving a delicate balance between users' expectations of data security and privacy and their desire to share information.

This chapter discusses the risks in cloud computing. Concerns are often raised about decreased customer control and increased provider control of data in clouds, particularly regarding data security (confidentiality, integrity, and availability), fuelled perhaps by the relative lack of information available to customers regarding details of providers' components, suppliers, and mechanics. Colocation risks may also exist. One concern is the leakage of data to others sharing the infrastructure. Another consideration is that if hardware thought to contain a third party's target data is seized by authorities, data of other tenants sharing that hardware may be exposed also. Ultimately, cloud services differ in the degree of control and flexibility afforded to customers (and accordingly in their responsibility for security), and the extent to which providers or sub-providers can access user data. Much depends on a service's type and design. Prospective cloud users may manage their cloud risks not just through technological or contractual means, but also through insurance.

This concluding chapter reiterates the four major themes of the preceding chapters: (i) a need to focus on the human elements in information security; (ii) a need to recognize the emergent nature of information security threats; (iii) a need to consider the multiple simultaneous contexts of information risk; and (iv) a need for immediate improvements in corporate self-governance. In the short term, companies must put in place rigorous codes of information security conduct and exercise vigilant enforcement. In the long term, companies must learn to build cultures of information security and develop a sense of collective corporate responsibility for information security, regardless of whether regulation requires them to do so. Meaningful improvements in information security require a commitment to security as an ongoing, collaborative process.

The question “What risk prevention measures can I use?” describes how to reduce the likelihood of a cyberattack on your organization. The chapter begins with a case study on the SolarWinds hack exemplifying how prevention measures on a specific system, network, or data cannot be effective on their own. The chapter describes why cyber risk management needs to be embedded across all facets of the organization, and how the Embedded Endurance strategy can help readers achieve that. It reviews system security prevention measures that include patch management and antivirus software. It explains network security prevention measures, including intrusion detection and intrusion prevention systems. The chapter also describes data risk prevention measures such as data governance, encryption, and data loss prevention technology, and highlights the importance of physical security for reducing cyber risk. The chapter concludes with Falco’s Embedded Endurance strategy insight on risk prevention gained at his industrial Internet-of-Things security company.

This chapter examines software contracting through the lens of cybersecurity in order to analyze terms and practices that arguably reduce the general level of cybersecurity. The inspiration for this approach is the growing recognition that the cybersecurity problem is not merely a technical one, but is also dependent upon social and economic factors, including the applicable law. The first part of the chapter considers a series of clauses that undermine cybersecurity by suppressing public knowledge about software security vulnerabilities. The next part considers a range of practices (rather than license terms) that undermine cybersecurity. The final section turns to the question of what should be done, if anything, about license terms that undermine cybersecurity. In particular, it suggests that there are reasons to believe that such terms are the product of various market failures rather than a reflection of the optimal software license terms.

For a long time neuroscience has focused on basic research, but now studies have begun to demonstrate how brain science can be put to use to solve practical real-world problems. Specifically, research in human neuroimaging has led to the development of techniques that allow to accurately read out a person's conscious experience based only on non-invasive EEG and fMRI measurements of their brain activity. Such ‘brain reading’ is possible because each thought is associated with a unique pattern of brain activity that can serve as a ‘fingerprint’ of this thought in the brain. By training a computer to recognize these fMRI patterns associated with each thought it is possible to read out what someone is currently thinking with high accuracy. Despite these promising findings, there are still many limitations that make it unlikely that a ‘universal thought reading machine’ will be developed in the near future. Nonetheless, the first simple applications have begun to emerge, including brain-computer-interfaces, more reliable lie detectors and approaches for predicting consumer decisions. These raise ethical concerns related to mental privacy, data security and quality control.

The U.S. has no comprehensive national law governing cybersecurity and no uniform framework for measuring the effectiveness of protections, though retirement plan record keepers maintain the personally identifiable information on millions of workers, collecting names, birth dates, social security numbers, and beneficiaries. Plan sponsors frequently engage consultants and attorneys to help them secure sensitive data, but more work is necessary to engage a larger discussion around this issue. The SPARK Institute has outlined a flexible approach for an independent third-party reporting of cyber security capabilities with several key control objectives.

This chapter discusses the basic principles of data privacy law. It presents the constituent elements of these principles, along with the similarities and differences in the way they are elaborated in the more influential international codes. These principles are: fair and lawful processing, proportionality, minimality, purpose limitation, data subject influence, data quality, data security, and sensitivity.

The right to privacy of communications is one of the most enduring and widely recognized of the constellation of rights known as privacy law. While privacy remains a notoriously elusive concept, our communications activities have been consistently recognized as a fundamental element of our private life, placed side-by-side with notions of family and home. While the terminology used in international instruments and national constitutions may have evolved over time to reflect changing technologies, from ‘correspondence’ to ‘communications’, the centrality of communications privacy to our private life remains undisputed.

This chapter focuses on EU initiatives on cloud standards, particularly the work of the European Telecommunications Standards Institute (ETSI), the European Union Agency for Network and Information Security (ENISA), and the working groups set up by the European Commission; while acknowledging that cloud standardisation is obviously also a global issue. It addresses three questions. First, it considers why standards play a role in cloud computing and examines the standards most cited as important for cloud computing: data protection, data security, interoperability, data portability, reversibility, and Service Level Agreements (SLAs). Second, it assesses whether there is a problem with cloud standards and, in particular, the debate around the proliferation of cloud computing standards. Finally, the chapter studies how the adoption of cloud standards can be granted, or acquire, legal and regulatory effects under both public and private law regimes, which impact on both providers and users of cloud services. While technical standards for cloud appear to be developing as expected, informational and evaluative standards will inevitably take longer to emerge and may require greater stability within the legal frameworks in which they are intended to operate.

This chapter tackles the topic of online research. It argues that social psychologists increasingly use the Internet to facilitate their studies and goes on to examine the prevalence of Internet-based research in top-tier social psychological journals and provides an overview of the growing body of research on best practices for Internet-based research. The chapter assesses general presentation guidelines for online questionnaires, how question response formats affect scale reliability, and strategies to improve the quality of responses from online participants. It includes a discussion of the considerations involved in populating online studies and general guidelines for ensuring the security of Internet-based data.

This epilogue presents a few closing thoughts about the impact of mobile technology on society at large. It argues that the future of mobile advertising depends on a bargain that consumers and firms need to strike with each other. Both sides will have to make some investments and offer some trust for this give-and-take relationship to prosper. Consumers will need to find better ways to strike a personal balance between their lives and mobile technology. They will need to make the choice about how much they let technology intrude and inform their lives. They will hold the key to how open or private they want to be with their data. But this does not relieve businesses of their responsibilities. They need to pay attention and take their roles very seriously in this ecosystem. They should surprise and impress consumers while helping them with their needs the way a butler or a concierge would. More importantly, they need to take data security and privacy issues seriously.

This chapter provides a summary of the major regulatory changes to the Common Rule proposed in the June 2011 Advance Notice of Proposed Rulemaking (ANPRM), places those changes in historical context, and critically examines two proposed changes. The chapter begins with a review of the milieu in which human subjects protections regulations were developed 40 years ago and of the ANPRM’s objective to create a research oversight system better adapted to twenty-first century research. In the second, critical portion of the chapter, the authors argue that the ANPRM’s proposals regarding informed consent do not go far enough to shift focus from protecting institutions to educating potential research subjects, and propose an alternative approach to designing informed consent materials. The authors also argue that, with respect to data security, the ANPRM’s proposal to incorporate HIPAA standards to enhance privacy protections in the context of research is flawed in that it focuses on the distribution of private information, rather than its collection.

This chapter carries out a layered empirical approach from survey results obtained in 2017 to describe how people in Taiwan increasingly view their identity as separate and different from that of the Chinese people living on the Mainland. It investigates individual characteristics and contextual conditions that influence identity in Taiwan in addition to the critical factors of democracy and the United States. The chapter also looks at how beliefs about cross-Strait relations influence an individual's ideational formation as exclusively Taiwanese. By doing so, the chapter unfolds a greater analytical clarity and insights into how and why a ‘Taiwanese only’ identity has evolved on the island. The chapter then jumps to describe the Taiwan National Security Survey Data and the variables developed to address these questions. It elaborates on Proportional Reduction of Error (PRE) to explore critical questions about factors influencing Taiwanese identity. The chapter shifts its focus on Taiwanese–Mainland relational issues, such as the 1992 Consensus, then determines how the model used to explain ideational issues operates with political issues such as the performance assessment of President Tsai Ing-wen.

This chapter argues for a multidisciplinary perspective in analyzing information security. Developing the best information security practices requires broadening the scope of current perspectives on information security. Although computer science is not traditionally viewed as a social science, problems in its domain are inherently social in nature, relating to people and their interactions. Applying social science perspectives to the field of computer security not only helps explain current limitations and highlights emerging trends, but also points the way toward a radical rethinking of how to make progress on this vital issue.