688,635 research outputs found

    The Press, National Security, and Civil Discourse: How a Federal Shield Law Could Reaffirm Media Credibility in an Era of “Fake News”

    The Constitution expressly provides protection for the freedom of the press. Yet there is one area in which the press is not so free: the freedom to refuse disclosing confidential sources when subpoenaed by the federal government. Currently, there is no federal reporter’s privilege. The Supreme Court has held the First Amendment provides no such protection, and repeated congressional attempts to codify a reporter’s privilege in a federal shield law have failed. Arguments against a shield law include national security concerns and the struggle to precisely define “journalist.” Such concerns were evident in the most recently proposed shield law, the Free Flow of Information Act of 2017. This Comment advocates in favor of passing a federal shield law. Specifically, this Comment analyzes the Free Flow of Information Act of 2017 against the backdrop of a post-9/11 America where “fake news” runs rampant. Though far from perfect, the proposed law was a step toward balancing national security concerns with press freedom. Legislators can and should strike an effective balance between these two tensions by accurately defining terms like “national security” and “properly classified” to prevent government overreach. Finally, this Comment argues that a federal shield law is necessary to combat the recent national security concerns raised by “fake news” and thereby reaffirm media credibility

    Identities Lost: Enacting Federal Law Mandating Disclosure & Notice After a Data Security Breach

    Identity theft is real, it’s here, and consumers need protection. Over the past five years hackers have stolen billions of consumers’ sensitive information like social security numbers, addresses, and bank routing numbers from companies that have neglected their security measures. Most of the time these security breaches are easily preventable. Companies sometimes wait weeks, months, or even years to inform the customers whose information was stolen because there is no federal law that requires disclosure. As of 2018, all 50 states have adopted security breach notification laws that require companies to inform consumers that their information may have been stolen after an attack, but there is no federal law enforcing such a requirement

    The Data Breach Dilemma: Proactive Solutions for Protecting Consumers’ Personal Information

    Data breaches are an increasingly common part of consumers’ lives. No institution is immune to the possibility of an attack. Each breach inevitably risks the release of consumers’ personally identifiable information and the strong possibility of identity theft. Unfortunately, current solutions for handling these incidents are woefully inadequate. Private litigation like consumer class actions and shareholder lawsuits each face substantive legal and procedural barriers. States have their own data security and breach notification laws, but there is currently no unifying piece of legislation or strong enforcement mechanism. This Note argues that proactive solutions are required. First, a national data security law—setting minimum data security standards, regulating the use and storage of personal information, and expanding the enforcement role of the Federal Trade Commission—is imperative to protect consumers’ data. Second, a proactive solution requires reconsidering how to minimize the problem by going to its source: the collection of personally identifiable information in the first place. This Note suggests regulating companies’ collection of Social Security numbers, and, eventually, using a system based on distributed ledger technology to replace the ubiquity of Social Security numbers

    Is There a Judicial Remedy for Victims of Federal Data Breaches?

    [Excerpt] The scope of information believed to have been compromised by a series of cyber-intrusions at the Office of Personnel Management (OPM) continues to grow. OPM recently announced that further investigation of the initial breach affecting 4.2 million current and former federal employees has led officials to conclude that sensitive information on 21.5 million individuals had been stolen from separate OPM databases used in connection with background investigations. In addition to the potential effects on domestic and foreign policy that may result from these breaches, which are discussed here, two recently filed lawsuits raise questions regarding what redress, if any, is due to affected individuals beyond the free credit monitoring that has been offered by OPM. The two suits, filed separately by the American Federation of Government Employees (AFGE) and the National Treasury Employees Union (NTEU), allege a number of legal theories under which the plaintiffs believe recovery may be available, including claims citing the Privacy Act, the Federal Information Security Management Act (FISMA), common law negligence, and the Due Process clause of the Constitution. While procedural obstacles to such suits, such as whether the plaintiffs have suffered a sufficiently concrete injury to have a right to sue, are important and may end up being dispositive, this post focuses instead on the extent to which selected sources of statutory, common, and constitutional law may provide a judicially enforceable remedy for current and former federal employees whose personal information may have been exposed during the breach of a federal information technology system

    Legislative responses to data breaches and information security failures

    On July 23, 2008, the Payment Cards Center of the Federal Reserve Bank of Philadelphia hosted a workshop to discuss federal and state legislative responses to data breaches. The workshop addressed several laws and legislative initiatives designed to create greater safeguards for personal consumer information frequently targeted by data thieves and often subject to the failures of information security protocols. Diane Slifer, J.D., M.B.A., who has frequently presented at forums on data security and has represented clients in matters related to data breaches, led the workshop. Slifer examined several highly publicized data breaches and explained how various laws and regulations have been put in place in order to protect and inform consumers whose personal information has been compromised. Additionally, she discussed several legislative initiatives designed to potentially create a more structured and secure environment for private consumer data overall. This paper summarizes Slifer's presentation, the ensuing discussion, and additional Payment Cards Center research. In addition, it offers a brief overview of recent data breaches, a description of various ways that federal and state laws operate, and some thoughts on how effective these laws and regulations have been. Payment systems; Identity theft; Fraud; Law and legislation

    Privacy for Student-Patients: A Call to Action

    Consider a law student who has a mental or reproductive health issue that the student wishes to keep private. If the student seeks care at an off-campus health clinic that is not affiliated with the student’s law school or university, the student typically has a number of federally enforceable privacy rights. For example, the federal HIPAA Privacy Rule will typically apply and prohibit the clinic from disclosing the student’s protected health information to professors, parents, and other third parties without the student’s prior written authorization. The law student also will have the right to receive a notice of privacy practices, the right to request further privacy restrictions, the right to obtain paper and electronic copies of medical records, the right to amend incorrect medical record entries, the right to receive an accounting of medical record disclosures, the right to ask privacy-related questions of an institutional privacy officer, and the right not to be intimidated, threatened, coerced, or discriminated against for exercising these rights. The HIPAA Security Rule also will typically apply, requiring the clinic to implement administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of the student’s electronic protected health information. Finally, if the off-campus clinic discovers a breach of the student’s unsecured protected health information, the HIPAA Breach Notification Rule will typically apply, requiring the clinic to report the breach to the student, the federal government and, in certain cases, prominent media outlets serving the jurisdiction. If the law student seeks care at a health center affiliated with the student’s university, however, the story will be completely different. 
This is because the medical records that result from the student’s encounter with the student health center—called student treatment records—are excepted from the definition of protected health information under the HIPAA Privacy, Security, and Breach Notification Rules. Student treatment records also are excepted from the definition of education records under the Family Educational Rights and Privacy Act of 1974 (FERPA), the major federal statute that requires federally funded academic institutions to protect the privacy of such records. These exceptions exist because Congress, in late 1974, expressed its intent that student treatment records be protected only by state law. Unfortunately, state law provides minimal protections for student treatment records. This Article responds to the need for greater privacy, security, and breach notification protections for student treatment records. After reviewing a number of privacy and security breaches involving colleges and universities and the patchwork of federal and state law that fails to adequately protect student treatment records, this Article shows that many student health centers provide students with confusing information (at best) and misleading or incorrect information (at worst) regarding their privacy, security, and breach notification protections. After providing several practical, political, and health policy justifications for amending federal law, this Article re-writes relevant statutory and regulatory provisions in FERPA and HIPAA. If the proposals set forth in this Article are implemented by the federal government, student treatment records will receive the maximum privacy, security, and breach notification protections currently available under the law

    Bus Operator Awareness Research and Development Training Program

    This training is designed to enhance the abilities of bus operators to: quickly and effectively evaluate suspicious and dangerous activities; take actions to protect yourself and your passengers; and provide timely and accurate information to law enforcement through your control center. This summary and the full instructor-led course were developed by the Transportation Security Administration (TSA) in cooperation with the National Transportation Security Center of Excellence (NTSCOE), managed through the Science and Technology Directorate of DHS. Through the intensive efforts of four universities and two federal agencies, the team conducted extensive research both nationally and abroad to identify appropriate countermeasures and related skill sets for bus operators relative to identifying suspicious and dangerous activity and reacting appropriately with a focus on life safety concerns

    Compliance with California Privacy Laws: Federal Law Also Provides Guidance to Businesses Nationwide

    Over the past several years, personal information has been lost or stolen as a result of a series of high profile security breaches. In January 2006, the U.S. Federal Trade Commission announced that ChoicePoint will be required to pay $15 million in fines and penalties for a high profile security breach that occurred in 2005. The ChoicePoint breach and similar events have spurred an explosion of state and federal privacy legislation. In particular, the State of California has taken the lead by enacting the strictest disclosure and security procedure requirements in the country. The implications of California’s new laws can be felt throughout the U.S. since they affect any business that collects personal information about California residents. This article will focus on a new California law, Assembly Bill 1950, which requires businesses to maintain “reasonable security standards” for personal information without further defining such standards. In particular, the article examines how businesses can comply with A.B. 1950 by performing a risk management analysis and borrowing security standards from the federal Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Acts