Search Results

This chapter provides a broad overview of privacy, data protection and security issues raised by DTC services. This includes discussion of the EU’s General Data Protection Regulation (GDPR), the UK’s Data Protection Legislation, and a brief discussion of US and Canadian Privacy Law. It also covers secondary use of genetic databases, the Future of Privacy Forum’s Privacy Best Practices for Consumer Genetic Testing Services, and Indigenous Peoples and Data Sovereignty.

This chapter presents an insider's view of how information about corporate information security breaches reaches the public. It says that “[d]espite the passage of state-level data security breach notification legislation in many states, journalists still often have to rely on sources other than the companies and organizations that experience a breach for information about a breach—either because the breach is not considered newsworthy or because the data that are stolen do not fall into the category of data covered by notification laws.” Journalists learn about breaches from a number of sources. Rarely, though, are companies or organizations that experienced the breach the first to reveal it. The chapter describes some of the practical limitations of data breach notification laws with regard to public disclosure of corporate security breaches. It argues that companies fear that disclosing such information would place them at a disadvantage with competitors and make them vulnerable to lawsuits from customers as well as to other potential intruders.

This chapter discusses the challenges to information security from social networking websites and the new business models they represent. The success of this new generation of data-intensive virtual space enterprises raises heightened concerns about information security. It is already known that identity thieves are making extensive use of personal information disclosed in such virtual spaces to commit fraud, while unaccredited writers of subapplications for these spaces can also gain access and evade security around vast amounts of valuable data. It is argued that although the law may provide some data control protections, aspects of the code itself provide equally important means of achieving a delicate balance between users' expectations of data security and privacy and their desire to share information.

This chapter analyzes electronic health data security vulnerabilities and the legal framework that has been established to address them. It describes the wide-ranging threats to health information security and the harms that security breaches can produce. Some of the threats arise from sources that are internal to organizations, including irresponsible or malicious employees, while other threats are external, such as hackers and data miners. The harms associated with improper disclosure of private medical data can include medical identity theft, blackmail, public humiliation, medical mistakes, discrimination, and loss of financial, employment, and other opportunities. The chapter also discusses federal laws, state laws, and common-law causes of action that address patient privacy rights and health information security. Finally, it offers recommendations for improving safeguards for electronically processed health records.

This concluding chapter reiterates the four major themes of the preceding chapters: (i) a need to focus on the human elements in information security; (ii) a need to recognize the emergent nature of information security threats; (iii) a need to consider the multiple simultaneous contexts of information risk; and (iv) a need for immediate improvements in corporate self-governance. In the short term, companies must put in place rigorous codes of information security conduct and exercise vigilant enforcement. In the long term, companies must learn to build cultures of information security and develop a sense of collective corporate responsibility for information security, regardless of whether regulation requires them to do so. Meaningful improvements in information security require a commitment to security as an ongoing, collaborative process.

This chapter examines software contracting through the lens of cybersecurity in order to analyze terms and practices that arguably reduce the general level of cybersecurity. The inspiration for this approach is the growing recognition that the cybersecurity problem is not merely a technical one, but is also dependent upon social and economic factors, including the applicable law. The first part of the chapter considers a series of clauses that undermine cybersecurity by suppressing public knowledge about software security vulnerabilities. The next part considers a range of practices (rather than license terms) that undermine cybersecurity. The final section turns to the question of what should be done, if anything, about license terms that undermine cybersecurity. In particular, it suggests that there are reasons to believe that such terms are the product of various market failures rather than a reflection of the optimal software license terms.

The U.S. has no comprehensive national law governing cybersecurity and no uniform framework for measuring the effectiveness of protections, though retirement plan record keepers maintain the personally identifiable information on millions of workers, collecting names, birth dates, social security numbers, and beneficiaries. Plan sponsors frequently engage consultants and attorneys to help them secure sensitive data, but more work is necessary to engage a larger discussion around this issue. The SPARK Institute has outlined a flexible approach for an independent third-party reporting of cyber security capabilities with several key control objectives.

For a long time neuroscience has focused on basic research, but now studies have begun to demonstrate how brain science can be put to use to solve practical real-world problems. Specifically, research in human neuroimaging has led to the development of techniques that allow to accurately read out a person's conscious experience based only on non-invasive EEG and fMRI measurements of their brain activity. Such ‘brain reading’ is possible because each thought is associated with a unique pattern of brain activity that can serve as a ‘fingerprint’ of this thought in the brain. By training a computer to recognize these fMRI patterns associated with each thought it is possible to read out what someone is currently thinking with high accuracy. Despite these promising findings, there are still many limitations that make it unlikely that a ‘universal thought reading machine’ will be developed in the near future. Nonetheless, the first simple applications have begun to emerge, including brain-computer-interfaces, more reliable lie detectors and approaches for predicting consumer decisions. These raise ethical concerns related to mental privacy, data security and quality control.

This chapter discusses the basic principles of data privacy law. It presents the constituent elements of these principles, along with the similarities and differences in the way they are elaborated in the more influential international codes. These principles are: fair and lawful processing, proportionality, minimality, purpose limitation, data subject influence, data quality, data security, and sensitivity.

This chapter tackles the topic of online research. It argues that social psychologists increasingly use the Internet to facilitate their studies and goes on to examine the prevalence of Internet-based research in top-tier social psychological journals and provides an overview of the growing body of research on best practices for Internet-based research. The chapter assesses general presentation guidelines for online questionnaires, how question response formats affect scale reliability, and strategies to improve the quality of responses from online participants. It includes a discussion of the considerations involved in populating online studies and general guidelines for ensuring the security of Internet-based data.

This epilogue presents a few closing thoughts about the impact of mobile technology on society at large. It argues that the future of mobile advertising depends on a bargain that consumers and firms need to strike with each other. Both sides will have to make some investments and offer some trust for this give-and-take relationship to prosper. Consumers will need to find better ways to strike a personal balance between their lives and mobile technology. They will need to make the choice about how much they let technology intrude and inform their lives. They will hold the key to how open or private they want to be with their data. But this does not relieve businesses of their responsibilities. They need to pay attention and take their roles very seriously in this ecosystem. They should surprise and impress consumers while helping them with their needs the way a butler or a concierge would. More importantly, they need to take data security and privacy issues seriously.

This chapter provides a summary of the major regulatory changes to the Common Rule proposed in the June 2011 Advance Notice of Proposed Rulemaking (ANPRM), places those changes in historical context, and critically examines two proposed changes. The chapter begins with a review of the milieu in which human subjects protections regulations were developed 40 years ago and of the ANPRM’s objective to create a research oversight system better adapted to twenty-first century research. In the second, critical portion of the chapter, the authors argue that the ANPRM’s proposals regarding informed consent do not go far enough to shift focus from protecting institutions to educating potential research subjects, and propose an alternative approach to designing informed consent materials. The authors also argue that, with respect to data security, the ANPRM’s proposal to incorporate HIPAA standards to enhance privacy protections in the context of research is flawed in that it focuses on the distribution of private information, rather than its collection.

This chapter argues for a multidisciplinary perspective in analyzing information security. Developing the best information security practices requires broadening the scope of current perspectives on information security. Although computer science is not traditionally viewed as a social science, problems in its domain are inherently social in nature, relating to people and their interactions. Applying social science perspectives to the field of computer security not only helps explain current limitations and highlights emerging trends, but also points the way toward a radical rethinking of how to make progress on this vital issue.

This chapter discusses the evolution of child protection and information security online. It argues that successfully protecting children' s information online requires understanding the development of children through adolescence, and acknowledging the powerful role of cultural transmission in the emergence of their cognition, personalities, behaviors, and skills. The Children's Online Privacy Protection Act (COPPA) of 1998, which specifically addresses the collection of data about children, appears to be relatively ineffective legislation that is not adequately sensitive to developmental concerns. To ensure children's healthy development, future legislation should take into account children's developmental attributes more directly. In addition, a more successful law would empower parents in their attempts to protect their children's information, instead of diminishing parental control. Parents are naturally concerned about their children's online activity and exposure to information, but they often do not know how to protect them.

‘Smart infrastructure’, such as smart meters, are innovative, information-based energy technologies designed to promote systemic energy efficiency, cost savings, and to transition energy markets toward sustainable outcomes, including reducing climate change impacts. Smart meters promise innovation in electricity markets–as an enabler of demand-side services and a more distributed energy system. The chapter examines three case studies of legal reform for smart meter introduction in Australia and Germany. It concludes that the realization of the innovation promise of smart infrastructure requires the legal system to address consumer-oriented social and economic changes. While legal responses are growing in sophistication, significant questions around consumer protection remain, although Germany emphasizes consumer privacy more than Australian case studies. Finally, Germany most closely links innovation to climate change and electricity system transitions, whereas, increasingly, Australian policies emphasize the consumer benefits and innovation in the business models for electricity distribution.

Enterprise consumerization describes how technologies purchased by “enterprises” (i.e., organizations or companies) became consumer products. Mobile devices fall into this category because, as they became more affordable, individuals purchased them and brought them to work. As this trend proliferated, organizations had to protect their proprietary data, but their employees were clamoring for access to Wi-Fi. Their response: create bring-your-own-device-to-work (BYOD) policies. This chapter discusses human resources and global challenges surrounding BYOD policies. There are labor-law concerns at play, as well as national declarations that restrict mobile-device use outside of work hours. Furthermore, there’s still ongoing debate concerning who should be “allowed” to participate in BYOD. Readers are invited to consider that these policies have introduced a form of free control: individuals have flexibility in choosing their devices, but that freedom is also how people voluntarily participate in being controlled by organizations.

This chapter discusses the risks that rogue insiders present to corporate information security, particularly with regard to trade secrets. It argues that the biggest computer security threats and accompanying threats to a company's trade secrets originate with the company's own employees. Put in criminal law terms, employees often have the motive and the opportunity that outsiders lack. Employees usually have legal access to the trade secret information by virtue of their employment relationship and can use that access to misappropriate trade secrets. Recent statistics indicate that the large majority of computer crimes are committed by employees. The chapter provides background on trade secret law, examples of disclosures that have occurred using computers, and ends with some lessons for trade secret owners.

This chapter assesses the appropriate balance between strengthening tax revenue collection tools to ensure states have adequate resources to meet their human rights obligations, and protecting taxpayer rights to privacy and data security. On the one hand, the ability of rich residents of developing countries and multinational corporations operating in those countries to evade or avoid taxation is directly linked to violations of human rights in those countries, especially from the perspective of social and economic rights like health and education. Providing such countries with the means to fight back and collect adequate revenues is essential in advancing such rights. On the other hand, some of the techniques used to achieve adequate revenue collection, like automatic exchange of information (AEoI) and country-by-country reporting (CbCR), risk violating other human rights like privacy and the legitimate protection of trade secrets.