22 research outputs found

    Comments to the department of commerce on incentives to adopt improved cybersecurity practices

    In this Comment, I provide a brief overview of what I believe is a useful framework for understanding different forms of government interventions (policies), and how they can be applied to IT security in order to protect critical infrastructure. I also describe cyberinsurance, and discuss how this market (not government) mechanism may hold great promise for improving the security posture of the private sector. I begin by addressing what I believe is a relevant and as of yet unanswered question regarding the current state of IT security investment

    Empirical Analysis of Data Breach Litigation

    Legal privacy scholarship typically emphasizes the various ways that plaintiffs fail when bringing legal actions against entities when their personal information is lost or stolen. However, past scholarship considers only a limited sample of published judicial opinions from large data breaches. And so, little is actually known about the characteristics and outcomes of a representative set of data breach lawsuits. In this manuscript, we manually collect data from Westlaw and PACER and analyze court dockets of over 200 federal data breach lawsuits from 1998 to 2010, making this, to our knowledge, the first empirical examination of data breach litigation. We explore two main research questions. First, what characteristics of a data breach drive litigation, and why? Second, what characteristics of the breach and the lawsuit drive settlement, and why

    Privacy Costs and Personal Data Protection: Economic and Legal Perspectives

    We analyze personal data protection laws in the United States through the lenses of the economic theories of ex ante safety regulation, ex post liability and information disclosure. Specifically, we consider and contrast how legal and economic theories interpret privacy costs and the remedies to those costs. First, we introduce the general economic theories of ex ante regulation, ex post liability and information disclosure. Then, we present their causal relationships and show how they attempt to reduce possible privacy harms caused by a firm’s activity. We then scrutinize their impact by contrasting legal and economic doctrines. Finally, we provide deeper economic analysis of the three legal mechanisms and highlight conditions under which they may become socially inefficient

    Estimates for Reasonable Data Breach Prevention
