6 research outputs found

    It Is Just Unfair Using Trade Laws to “Out” Security Software Vulnerabilities

    In 2015, hackers gained access to hundreds of millions of consumer data records housed in the databases and systems of American businesses, and the number of records stolen climbed even higher the following year. Though businesses spend billions of dollars each year on security software and systems to protect data from unauthorized disclosure, those systems often fail because of vulnerabilities in the software that hackers exploit. All but the simplest software contains some vulnerabilities, including coding errors. Pursuant to the observations of previous legal scholarship, one of the reasons “bad code” (i.e., code vulnerable to hacking) persists in the consumer market is that software vendors insulate themselves from accountability using contractual disclaimers of warranties and limitations on liability. One might expect, by way of contrast, that in the commercial market for software and, in particular, for security software, companies would demand that the vendor share responsibility in the event of a data breach. But this Article’s empirical analysis of end-user license agreements (i.e., agreements between the software vendor or developer and the software user) for such security products demonstrates a similar liability shield in the contractual terms. Therefore, companies cannot, or perhaps just will not, hold security software vendors accountable. The result is an unacceptable risk to consumers; therefore, this Article proposes that regulators should reduce the risk by using unfair trade laws. Specifically, this Article recommends that if a security software vendor knows of a vulnerability in its code and fails to notify its licensees of that vulnerability, it should be charged with committing an unfair trade practice

    At-Will Fiduciaries? The Anomalies of a “Duty of Loyalty” in the Twenty-First Century

    This article proposes a means of improving the at-will world for employees—insofar as that world includes the threat of a sudden end to one’s livelihood—that does not tamper with the “at-will-ness” of termination itself. An at-will employee should owe only the duty of “good faith and fair dealing” derived from contract law, which, in effect, would fill any hole left in the legal web defining the employment relationship when the duty of loyalty is excised. Part II of this article provides an overview of the duty of loyalty as it is applied by the courts in the various states. Part III returns to various aspects of the law regarding the duty of loyalty that are particularly ambiguous and argues the ambiguity infects the very validity of imposing a duty of loyalty and renders it very difficult for employers and employees to understand and comply with the duty. Part IV illustrates why the jurisprudential provenance of the duty of loyalty—emanating from the medieval doctrine of master and servant—understandably does not map clearly onto the twenty-first-century global employment market. Finally, Part V argues the duty of loyalty is not necessary to “protect” the employer from “bad” conduct on the part of the employee—which is its essential function—and that if removing the duty of loyalty does pose any significant threat, requiring good faith and fair dealing by the employee satisfactorily fills any perceived gaps

    Opening the Doors on Sue-and-Settle: A Model for Mediating Public Policy Disputes

    Published in cooperation with the American Bar Association Section of Dispute Resolution

    Yes, Your Personal Data Is at Risk: Get over It

    Over the past decade, the number of security breaches that have compromised business records containing the personal information of millions of American consumers has soared. The legal world has largely responded in a traditional fashion: by rushing to the courthouse seeking damages for various alleged injuries from the same businesses that had their computers and networks breached by criminal hackers. Corporate misconduct is a classic justification for expending societal resources to hold a company accountable and deter other companies from engaging in similar, harmful conduct. However, company data on consumers and clients may be compromised in situations involving no corporate misconduct. In fact, in many situations the hacker is the primary culprit. The theft of personal information causes minimal harm to consumers, while the business - the putative defendant - suffers far greater costs associated with a breach. Prevention is costly and difficult, and predicting which companies will be hacked, as well as the means by which it will occur, is next to impossible. For these and other reasons, it may be time to consider a data victims' compensation fund in lieu of private civil litigation. This fund would provide a more efficient and effective mechanism for identifying and exacting financial penalties from only the truly bad apples - companies that significantly fail to employ reasonable measures to secure data. Additionally, the fund would provide prompt and fair compensation to individuals harmed by a data breach.

    Revisiting the Anonymous Speaker Privilege
