Richmond Journal of Law and Technology

The first exclusively online law review.

Intellectual Property Rights in Virtual Worlds

By: Etahjayne Harris,

“Virtual Reality (VR) is the use of computer technology to create a simulated environment. Unlike traditional user interfaces, VR places the user inside an experience.”[1] With virtual technology, a user can be transported to a destination of their choice in an instant. Today, virtual reality is increasingly becoming part of our actual reality.[2] For example, “[t]he virtual world Second Life is populated by 1 million people on a daily basis, and there are expected to be as many as 171 million active VR users by 2018.”[3] Companies like Microsoft Corp., Sony Corp., Facebook, Inc. and Samsung Electronics Co. Ltd. are major investors in this emerging technological field.[4] The number of virtual reality devices sold is projected to rise from 2.5 million units in 2016 to 24 million units in 2018.[5] Today, consumers may experience virtual worlds through products like Google Cardboard glasses, Samsung VR, and the Facebook-owned Oculus Rift.[6]

Accurate environmental sounds and visual characteristics are essential to creating a truly lifelike virtual reality experience.[7] “As virtual worlds continue to grow in scope and popularity, they also become inextricably linked with the real world.”[8]  The need to create realistic, immersive virtual worlds necessarily means using multisensory effect designs (touch, appearance, sound, smell, taste). Do intellectual property rights like trademark rights extend to multisensory effect designs in virtual worlds?

Currently, intellectual property rights do not extend to multisensory effect designs in virtual reality worlds; but they should. Multisensory effect designs are what make virtual worlds seem more like the real world. Environmental elements like touch, taste, sound, smell, and appearance are very important in real life, so it follows that these multisensory effects would be essential to creating quality immersive virtual reality experiences. Can these virtual reality multisensory effect designs be protected under trade dress? “Trade dress is a specific type of trademark.”[9] Under the Lanham Act, trademark protection extends to “any word, term, name, symbol, or device” whose use “is likely to cause confusion, or to cause mistake, or to deceive” as to the source of a product.[10] This is a very broad standard. In order to get trademark protection, a word, term, name, symbol, or device must be distinctive and used in commerce.[11] A trademark is considered distinctive if consumers recognize the mark as an indicator of the product source, such that they can use it to distinguish one producer’s product from another.[12] Thus, trade dress protection is limited to “the meaningful use of a mark in a trade or business.”[13] Furthermore, “[i]f the trade dress is not inherently distinctive, it can be protected only if, as a result of use, it has acquired secondary meaning in the marketplace.”[14]

“[W]hether a VR sensory scheme will be categorized as product design or packaging will have profound implications in its trade dress eligibility.”[15] If the Lanham Act requirements are satisfied, a virtual reality business owner may be afforded protection over multisensory effect designs that are either inherently distinctive or have acquired distinctiveness attributable to their business over time. The test for trade dress infringement is, “whether there is a likelihood of confusion resulting from the impression created by the defendant’s accused trade dress.”[16] So if the virtual reality business owner has a valid trademark in their multisensory effect design, he or she would be able to bring a claim against another virtual reality business owner that, “inappropriately used the mark in a way that generates consumer confusion.”[17]

The courts have not yet decided whether multisensory effect designs are protected under current trademark law. As of today, these designs are not protected under intellectual property law. As virtual reality gains in popularity and becomes more widespread, it will be important for the courts to resolve this issue.

 

 

[1] Brian Jackson, What is Virtual Reality? [Definition and Examples] Marxentlabs (2015), http://www.marxentlabs.com/what-is-virtual-reality-definition-and-examples/ (last visited Nov 30, 2016).

[2] See Jonathan M. Purow, Virtual Reality May Create Novel IP Issues In The Real World Law360 (2016), http://www.law360.com/articles/769479/virtual-reality-may-create-novel-ip-issues-in-the-real-world (last visited Nov 30, 2016).

[3] Id. 

[4] See id.

[5] See id.

[6] See id.

[7] See Brian Jackson, What is Virtual Reality? [Definition and Examples] Marxentlabs (2015), http://www.marxentlabs.com/what-is-virtual-reality-definition-and-examples/ (last visited Nov 30, 2016). 

[8] Erez Reuveni, On Virtual Worlds: Copyright and Contract Law at the Dawn of the Virtual Age, 82 Ind. L.J. (2007).

[9] Ellii Cho, Copyright or Trade Dress? Toward IP Protection of Multisensory Effect Designs for Immersive Virtual Environments, Cardozo Arts and Entertainment Journal, 823 (2016).

[10] 15 U.S.C. § 1125(a) (2012).

[11] See Abercrombie & Fitch Stores, Inc. v. American Eagle Outfitters, Inc., 280 F.3d 619, 630 (6th Cir. 2002) (“Because we can conceive of no ‘thing’ inherently incapable of carrying meaning, any ‘thing’ can come to distinguish goods in commerce and thus constitute a mark within the meaning of the Lanham Act.”).

[12] See Inwood Labs., Inc. v. Ives Labs., Inc., 456 U.S. 844, 851 n.11 (1982).

[13] See Abercrombie & Fitch Stores, Inc. v. American Eagle Outfitters, Inc., 280 F.3d 619, 630 (6th Cir. 2002) (“Because we can conceive of no ‘thing’ inherently incapable of carrying meaning, any ‘thing’ can come to distinguish goods in commerce and thus constitute a mark within the meaning of the Lanham Act.”).

[14] Ellii Cho, Copyright or Trade Dress? Toward IP Protection of Multisensory Effect Designs for Immersive Virtual Environments, Cardozo Arts and Entertainment Journal, 824 (2016).

[15] See id.

[16] J. Thomas McCarthy, MCCARTHY ON TRADEMARKS AND UNFAIR COMPETITION § 8:1 (4th ed. 2014).

[17] Ellii Cho, Copyright or Trade Dress? Toward IP Protection of Multisensory Effect Designs for Immersive Virtual Environments, Cardozo Arts and Entertainment Journal, 824 (2016).

Image Source:

https://broadly-images.vice.com/images/articles/meta/2016/07/14/virtual-reality-1468505507.jpg?crop=1xw:1xh;center,top&resize=2000:*&output-quality=70

 

Understanding “Smart Contracts”

By: Hsiao-Han Wang,

The term “smart contract” refers to “the use of computer code to articulate, verify and execute an agreement between parties.”[1] Unlike traditional contracts, smart contracts are written in code, stored on distributed ledgers (like a database that can store all sorts of information) and secured by cryptographic keys, which make them immutable and help to avoid malfunction.[2]

The idea of a smart contract is not new, but the development of “blockchain” technology provides a way for this concept to be put into practice.[3] Blockchain is a technology that creates “a decentralized, digital ledger that encrypts, registers, and verifies transactions” through a peer-to-peer system, “essentially making public (or private, if you want) record of transactions, stored on thousands of different computers.”[4] With these characteristics, smart contracts allow transactions over a computer system to “be verified, monitored, and enforced without the presence of a trusted third party or central institution.”[5] A smart contract requires no direct human involvement after it has been made a part of the blockchain, and will automatically execute once the pre-set conditions are met.[6] As a result, smart contracts have the potential to avoid risks in the implementation of contracts, to improve efficiency and to reduce transaction costs in financial or commercial agreements.

As blockchain technology continues to advance, some people have begun to believe that smart contracts will soon become alternatives to traditional contracts.[7] People who embrace technology are excited about the possibility that smart contracts might encode and perform complex agreements automatically.[8] However, there are still some potential practical risks and problems that can arise from the use of smart contracts.

Coding errors and software bugs may be among the key concerns that users have. For example, just as in traditional contracts, where words and specific terms are used in the agreement, the code base may not perfectly reflect what the parties understand to be their agreement, or the effect of the code base may be misrepresented by a party to be different from what it actually is.[9] Since the execution of smart contracts relies on a computer network, cybersecurity is also a potential risk area that should be taken into consideration. The $50 million hack of the DAO, a decentralized investment fund that raised about $160 million from thousands of people using code based on a smart contract protocol, is an example of the problem of failing to program a system properly to secure it against external attack.[10] Some smart contracts that rely on “real-time data feeds” to execute all or certain parts of the agreement may also face the risk that manipulation of the underlying data feeds and indices will trigger real-time contract execution.[11]
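The two preceding paragraphs describe a smart contract as code kept on a hash-secured, append-only ledger that executes by itself once preset conditions hold, and then point at two failure modes: code that does not match the parties’ understanding, and reliance on real-time data feeds that can be manipulated. The Python model below is an added illustration written for this page; it is not code from the post or from any real blockchain platform. The `Ledger`, `EscrowContract` and `aggregate_feed` names, the 60-second freshness window, the three-source quorum and the sample price readings are all constructed assumptions. It shows an escrow that releases funds only when the median of several fresh, independent feeds reaches the agreed threshold, so that one manipulated or stale feed cannot trigger execution on its own, and it shows that any later edit to an earlier ledger entry is caught by the hash chain.

```python
import hashlib
import json
import statistics

# Added illustration for this page: a single-process model of the ledger and
# contract the post describes. Every class, parameter and sample reading here
# is constructed for the example and is not taken from any real blockchain.

GENESIS = "0" * 64


class Ledger:
    """Append-only log in which every block commits to the previous block's
    SHA-256 hash, so altering an old entry breaks every later link."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(block):
        body = json.dumps(
            {k: block[k] for k in ("index", "prev", "payload")}, sort_keys=True
        ).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev": prev, "payload": payload}
        block["hash"] = self._digest(block)
        self.blocks.append(block)
        return block["hash"]

    def verify(self):
        """Recompute every hash and back-link; False if any entry was edited."""
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != self._digest(block):
                return False
            prev = block["hash"]
        return True


def aggregate_feed(readings, now, max_age=60, quorum=3):
    """Combine several independent price feeds into one value.

    Stale readings are dropped, a minimum number of fresh sources is required,
    and the median is used so that a single manipulated feed cannot move the
    result by itself. Returns None when the inputs are not trustworthy."""
    fresh = [r["price"] for r in readings if now - r["ts"] <= max_age]
    if len(fresh) < quorum:
        return None
    return statistics.median(fresh)


class EscrowContract:
    """Pays the seller automatically once the aggregated price reaches the
    agreed threshold; every state change is recorded on the ledger."""

    def __init__(self, ledger, contract_id, buyer, seller, amount, threshold):
        self.ledger = ledger
        self.id = contract_id
        self.buyer, self.seller = buyer, seller
        self.amount, self.threshold = amount, threshold
        self.state = "FUNDED"
        ledger.append({"contract": contract_id, "event": "funded",
                       "from": buyer, "amount": amount, "threshold": threshold})

    def evaluate(self, readings, now):
        """Called on each new batch of feed data; executes at most once."""
        if self.state != "FUNDED":
            return self.state
        price = aggregate_feed(readings, now)
        if price is None:
            self.ledger.append({"contract": self.id, "event": "feed_rejected", "at": now})
            return self.state
        if price >= self.threshold:
            self.state = "RELEASED"
            self.ledger.append({"contract": self.id, "event": "released",
                                "to": self.seller, "amount": self.amount,
                                "price": price, "at": now})
        return self.state


def demo():
    """Constructed scenario: one feed reports an inflated price, then all
    feeds are stale, then all feeds agree. Returns the contract state after
    each batch plus the ledger's integrity before and after a history edit."""
    ledger = Ledger()
    contract = EscrowContract(ledger, "esc-1", "buyer", "seller", 500, 100.0)

    one_bad_source = [{"price": 95.0, "ts": 1000}, {"price": 96.0, "ts": 1001},
                      {"price": 9999.0, "ts": 1002}]
    after_bad_source = contract.evaluate(one_bad_source, now=1005)

    stale = [{"price": 150.0, "ts": 100}, {"price": 150.0, "ts": 101},
             {"price": 150.0, "ts": 102}]
    after_stale = contract.evaluate(stale, now=1005)

    genuine = [{"price": 101.0, "ts": 1100}, {"price": 102.0, "ts": 1101},
               {"price": 100.5, "ts": 1102}]
    after_genuine = contract.evaluate(genuine, now=1105)

    intact_before = ledger.verify()
    ledger.blocks[0]["payload"]["amount"] = 5_000_000  # edit an old entry
    return after_bad_source, after_stale, after_genuine, intact_before, ledger.verify()


if __name__ == "__main__":
    print(demo())  # ('FUNDED', 'FUNDED', 'RELEASED', True, False)
```

The freshness window and quorum are themselves part of the “agreement in code”: if they are set wrongly, or if the parties understood the trigger differently from how `evaluate` implements it, the contract still executes exactly as written, which is the coding-error risk the paragraph above describes.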

In addition to the technology, other issues also need to be considered when disputes between parties arise. When parties take legal action, questions such as where to bring suit or what law to apply come into play. There is currently no international internet law. Therefore, jurisdiction may need to be negotiated beforehand when the parties involved are from different states or even nations.[12]

The underlying characteristics of blockchain and smart contracts bring up potential legal issues as well. For example, one of the characteristics of blockchain is its transparency, which allows users to gain access to any permanent records on the blockchain.[13] While the records are stored anonymously and do not show the identities behind transactions, the details of the transactions may allow others to infer them.[14] This, therefore, may raise privacy concerns for contracts and property ownership; after all, some financial and commercial data is highly sensitive.[15] Another example derives from the characteristic of decentralization. Blockchain allows people to create a new type of entity, called a “decentralized organization.” Such organizations are composed of “autonomous individuals given discrete tasks and rewards,” and operate more like corporations but without a formal legal structure.[16] Lack of formation initially does not sound like a big deal in terms of day-to-day operation. It would become a serious problem for participants, however, when this kind of organization gets sued in court. Since it is a new type of entity, what law or classification should apply to it is still an open question. But without a formalized legal structure, courts are likely to hold individuals in the organization personally liable.[17]

The term “smart contract” does not have a settled definition yet, and the concept is apparently still at an early stage of development. However, as the technology progresses, state and federal governments may need to develop a set of statutes or regulations to deal with various possible situations in the future and to address risks and issues that may result from this new type of contract. It may be fair to say that smart contracts might be able to replace some of the functions of traditional contracts in the future. Nonetheless, they also create new legal issues that are still awaiting a more definitive and suitable solution.

 

 

[1] Josh Stark, How Close Are Smart Contracts to Impacting Real-World Law?, CoinDesk (Apr. 11, 2016, 2:00 PM), http://www.coindesk.com/blockchain-smarts-contracts-real-world-law.

[2] See Kate H. Withers, Smart Contracts: Opportunities and Legal Risks in FinTech, National Law Review (Nov. 8, 2016), http://www.natlawreview.com/article/smart-contracts-opportunities-and-legal-risks-fintech.

[3] See Lee Bacon, Nigel Brook & George Bazinas, “Smart Contracts”: Where Law meets Technology, Clyde & Co (June 22, 2016), http://www.clydeco.com/insight/article/smart-contracts-where-law-meets-technology.

[4]Casey C. Sullivan, What Is Blockchain? A Lawyer’s Guide, FindLaw (Nov. 14, 2016, 10:58 AM), http://blogs.findlaw.com/strategist/2016/11/what-is-blockchain-a-lawyers-guide.html; see also Joe Dewey & Shawn Amuial, What Is A Blockchain, Big Law Business (Sept. 22, 2015), https://bol.bna.com/what-is-a-blockchain.

[5] Benjamin Beck & Dr. Ulrich Worm, Blockchain-Based Applications – Evolving Legal Issues, Mayer Brown (Sept. 8, 2016), https://www.allaboutipblog.com/2016/09/blockchain-based-applications-evolving-legal-issues.

[6] See Joe Dewey & Shawn Amuial, What Is a Smart Contract?, Big Law Business (Sept. 24, 2015), https://bol.bna.com/what-is-a-smart-contract.

[7] See Stark supra note 1.

[8] See Cheng Lim, TJ Saw & Calum Sargeant, Smart Contracts: Bridging the Gap Between Expectation and Reality, Oxford Business Law Blog (July 11, 2016), https://www.law.ox.ac.uk/business-law-blog/blog/2016/07/smart-contracts-bridging-gap-between-expectation-and-reality.

[9] See id.

[10] See Klint Finley, A $50 Million Hack Just Showed That the DAO Was All Too Human, Wired (June 18, 2016, 4:30 PM), https://www.wired.com/2016/06/50-million-hack-just-showed-dao-human; See also Jamie Redman, How Should We Prepare Smart Contracts to Replace Law Firms?, Bitcoin.com (June 26, 2016), https://news.bitcoin.com/smart-contracts-replace-law-firms.

[11] See Withers supra note 2.

[12] See Richard Howlett, A Lawyer’s Perspective: Can Smart Contracts Exist Outside the Legal Structure?, Bitcoin Magazine (July 11, 2016, 6:52 PM), https://bitcoinmagazine.com/articles/a-lawyer-s-perspective-can-smart-contracts-exist-outside-the-legal-structure-1468263134.

[13] See Peter Kirby, Blockchain Transparent Lending: How Accountable Lending Systems Can Prevent A ‘Big Short’ For The Digital Age, Blockchain News (Feb. 24, 2016), http://www.the-blockchain.com/2016/02/24/blockchain-transparent-lending-how-accountable-lending-systems-can-prevent-a-big-short-for-the-digital-age.

[14] See David Cornwell & James Lawrence, Blockchain – emerging legal issues, Lexology (Oct. 12, 2015), http://www.lexology.com/library/detail.aspx?g=6e5a942e-94ea-4891-a07c-a9d96343dc95.

[15] See id.

[16] Stephen D Palley, How to Sue A Decentralized Autonomous Organization, CoinDesk (Mar. 10, 2016), http://www.coindesk.com/how-to-sue-a-decentralized-autonomous-organization/#; see also Cornwell supra note 14.

[17] See Palley supra note 16.

Image Source:

http://bluzelle.com/wp-content/uploads/2015/09/smartcontracts.png

Social Media Posts as Evidence

 

By: Kathleen Pulver,

Social media has changed the face of the legal landscape as we know it. As of 2015, nearly two-thirds of American adults were using social media.[1] The percentage is even higher among young adults, reaching an outstanding 90%.[2] It is now commonplace to see warrants appear in cases for access to social media pages and photographs.[3]

In order for evidence to be admitted in court, a four-step analysis must be conducted.[4] First, under Rule 401, for any evidence to be admissible in court, it must be relevant.[5] A finding of relevance requires that the evidence have a tendency to make a fact more or less probable than it would be without the evidence, and the fact must be one of consequence in determining the action.[6] Second, after a finding of relevance, the evidence must meet the standard laid out by Rule 901.[7] Federal Rule of Evidence 901 states: “to satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce the evidence sufficient to support a finding that the item is what the proponent says it is.”[8] The rule provides several specific examples of the appropriate way to authenticate different kinds of evidence; however, the most common way to authenticate is through the testimony of a witness with knowledge of the evidence that it is what it claims to be.[9] Third, the evidence may not be hearsay, defined by Rule 801 as an out-of-court statement made by a declarant offered to prove the truth of the matter asserted.[10] Finally, the admission of the evidence must not be blocked by another rule, such as privilege, or Rule 403, which blocks the admission of evidence whose probative value is “substantially outweighed by a danger of one or more of the following: unfair prejudice, confusing the issues, misleading the jury, undue delay, wasting time, or needlessly presenting cumulative evidence.”[11] Social media and other electronic evidence present unique challenges when conducting this analysis.

Social media evidence can certainly meet the first prong, as we can think of numerous reasons why a certain posting or picture could be relevant to a criminal or civil case. Social media postings have been used as evidence of prior intent to harm and to rebut a claim of injury with photos of the person claiming injury doing things they should not be able to do while injured.[12] It is also clear that certain social media postings could get around the third and fourth prongs by meeting a hearsay exclusion, such as a statement against interest, and by being more probative than prejudicial.[13] The difficulty with social media evidence is the second prong: ensuring that there is enough evidence presented to authenticate the posting as being what it claims to be.

When the evidence rules were first created, creating fraudulent documents was nowhere near as simple as it is now. With the evolution of technology, people are now placing more of their trust in the information provided by online sources; however, this faith may be misplaced. As evidenced by the recent Facebook fake news scandal, we cannot trust everything we read online.[14] Like fake news stories, a fake social networking page is not difficult to create.[15] In fact, a simple Google search of “creating a fake Facebook” brings up more than 5 sources willing to assist in the creation of a fake Facebook page.[16] This constant availability of means to create fraudulent sources brings up difficult authentication questions under the second prong that have yet to be significantly addressed by most courts. Only time will tell how courts adjust to these newly presented problems.

 

 

[1] See PEW RESEARCH CENTER, Social Media Usage: 2005-2015 (Oct. 8, 2015), http://www.pewinternet.org/2015/10/08/social-networking-usage-2005-2015/.

[2] See id.

[3] See, e.g., Bradley v. State, 359 S.W.3d 912 (2012); Elonis v. United States, 135 S. Ct. 2001 (2015).

[4] This post discusses only the federal rules of evidence. Each state has their own rules of evidence, although many closely follow the same analytical structure as the rules for the federal courts.

[5] See Fed. R. Evid. 401.

[6] See id.

[7] See Fed. R. Evid. 901.

[8] Id.

[9] See id.; see also David I. Schoen, The Authentication of Social Media Postings, American Bar Association (May 17, 2011), https://apps.americanbar.org/litigation/committees/trialevidence/articles/051711-authentication-social-media.html.

[10] See Fed. R. Evid. 801.

[11] Fed. R. Evid. 403. See Fed. R. Evid. 502.

[12] See Jessica Velasco, Social Media Can and Will Be Used Against You in Court, Socialnomics (Dec. 30, 2014), http://socialnomics.net/2014/12/30/social-media-can-and-will-be-used-against-you-in-court/.

[13] See Fed. R. Evid. 403; Fed. R. Evid. 801(d)(2).

[14] See Mirren Gidda, Facebook Staff Form ‘Secret Taskforce’ to Deal with Fake News Controversy, Newsweek (Nov. 15, 2016, 6:58 AM), http://www.newsweek.com/2016-election-facebook-google-fake-news-donald-trump-521255.

[15] See, e.g., How Do I Create a Page, Facebook, https://www.facebook.com/help/104002523024878?helpref=faq_content (Last visited Nov. 20, 2016).

[16] Search on Instructions for Creating a Fake Facebook Page, Google, https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=creating%20a%20fake%20facebook.

Image Source:

http://www.klugerkaplan.com/blog/wp-content/uploads/2013/01/12_5_LG06.png

“Smart” Contact Lenses: Spy Gadget or Formidable Threat to Privacy?

By: Genevieve de Guzman,

Wearable technology is not new to the world of action and science fiction movies, but this technology has developed from being mere speculation to having real-world possibilities. As technology becomes an increasingly integral part of people’s daily lives, it seems an inevitability that it also becomes increasingly integrated with our physical beings, and what could be more intimate than an individual’s perception of their world?

Google pioneered “smart” glasses with Google Glass[1] and “smart” contact lenses with glucose-sensing and monitoring contact lenses[2] and solar-powered contact lenses capable of communicating with computers and mobile devices and collecting biological data such as internal body temperature and blood-alcohol content.[3] More recently, Google filed a patent describing a device akin to a bionic eye.[4] This device is described as an intra-ocular implant that features an electronic lens that can be controlled to provide an optical power to focus images alternatively, essentially correcting and enhancing vision.[5] However, this device serves less as a contact lens and more as a surgical implant.

Arguably following Google’s lead, other researchers and companies have reportedly begun developing similar “smart” contact lenses. Scientists at the University of Michigan are working on night vision contact lenses that use thermal imaging to view a full spectrum of light, including ultraviolet light.[6] Researchers at the University of Wisconsin are developing contact lenses that autofocus within milliseconds without the loss of contrast and sensitivity that comes with glasses, conventional contact lenses, and surgery.[7] Johnson & Johnson is collaborating with a subsidiary of HP, Inc. to develop a contact lens that can adapt to the environment to “reduce glare and eyestrain indoors and out[doors],” change the cosmetic coloring of eyes, and treat presbyopia.[8] Swiss start-up company Sensimed recently received approval from the United States Food and Drug Administration (FDA) to start human testing for its contact lenses that promise to cure glaucoma.[9]

Samsung and Sony have also joined the race to develop “smart” contact lenses, but aim to make them smarter and to reach a wider consumer base. Both companies describe contact lenses with built-in cameras, various movement sensors, and antennae that transmit and receive data as well as supply and receive electric power.[10] These contact lenses may be considered a response to the growing use of wearable technology and social media. Samsung filed its patent application in South Korea in 2014 and notes that the lenses would “allow users to view augmented reality” in more natural ways with a small display unit in the center of the lens, and could sync up to smartphones wirelessly via the antenna.[11] Motion sensors in the lenses would allow the user to control the lens’ camera feature using blinking, similar to how Google Glass captured photos with winking, and a playback feature.[12] The Samsung lens seems to function like a contact lens version of Google Glass.[13] Sony filed its patent application in the United States. Its lens would use a piezoelectric sensor (an example of a pressure sensor), an infrared sensor, an acceleration sensor, a gyro sensor (an example of a tilt sensor), or an ocular potential measurement unit that converts eye movement into electrical power to control miniaturized versions of the parts of a modern digital camera embedded in the lens.[14] Unlike the Samsung lens, the Sony lens can store data without the need for a smartphone, and contains features such as autofocus, automatic exposure adjustment, aperture controls, adjustable zoom, and playback.[15]

While these advancements in wearable technology are substantial steps toward the future, “smart” contact lenses differ from other wearable products in their covertness. Needless to say, these “smart” contact lenses present many privacy and security concerns. Google Glass raised similar issues, but its design was conspicuous, whereas these lenses would enable clandestine photography that is virtually undetectable. Privacy with these lenses, in public places and even in semi-public places such as restrooms, would be virtually impossible. Covert surveillance of private meetings dealing with sensitive information, unconsented recordings of intimate interactions, violations of stalking laws, and the lenses’ susceptibility to hacking, involuntary use, malfunction, etc. are all necessary considerations, not to mention social harms as technology becomes an even more intimate, integral part of daily life. This could also add a new dimension to the discussion of law enforcement body cameras and government surveillance of citizens. The Sony and Samsung patent applications have not yet been granted, nor would their issuance guarantee that the products would be on the market any time soon. Until then, these “smart” contact lenses will be the subjects of conspiracy theories, hypothetical analyses, and spy movies.

 

 

[1] See U.S. Patent No. 9,195,067 (filed Sep. 28, 2012).

[2] See U.S. Patent No. 8,985,763 (filed Sep. 26, 2012).

[3] See U.S. Patent No. 9,158,133 (filed Jul. 26, 2012).

[4] See U.S. Patent Application No. 20160113760 (filed Oct. 24, 2014).

[5] See id.

[6] See Kate McAlpine, New tech could lead to night vision contact lenses, Michigan News (Mar. 16, 2014), http://www.ns.umich.edu/new/releases/22042-thermal-vision-graphene-light-detector-first-to-span-infrared-spectrum (last visited Nov. 17, 2016).

[7] See Fish and insects guide design for future contact lenses, EurekAlert! (Mar. 14, 2016) https://www.eurekalert.org/pub_releases/2016-03/nei-fai031116.php (last visited Nov. 17, 2016).

[8] See Richard Kirkner, J&J’s Plans for Smart & 3D Printable Contact Lenses, OIS News (June 8, 2016) http://ois.net/jjs-plans-for-smart-3d-printable-contact-lenses/ (last visited Nov. 17, 2016).

[9] See Sensimed announces first-of-a-kind product approval for its Contact Lens based sensing device by U.S. FDA, Sensimed (Mar. 15, 2016) http://www.sensimed.ch/images/pdf/PR_2016-03-15_sensimed_FDA_US_E.pdf (last visited Nov. 17, 2016).

[10] See Sony U.S. Patent Application No. 20160097940 (filed Feb. 12, 2014); S. Kor. Patent Application No. (filed Sept. 26, 2014).

[11] See Danielle Muoio, Samsung just patented a contact lens with a built-in camera, Business Insider (Apr. 11, 2016) http://www.businessinsider.com/samsung-filed-a-patent-for-smart-contact-lenses-2016-4 (last visited Nov. 17, 2016).

[12] See Amit Chowdhry, Samsung Patent Unveils Idea For Smart Contact Lenses With A Camera And Display, Forbes (Apr. 11, 2016) http://www.forbes.com/sites/amitchowdhry/2016/04/11/samsung-patent-unveils-smart-contact-lenses-with-a-camera-and-display/#438a947067be (last visited Nov. 17, 2016).

[13] See id.

[14] See Sony U.S. Patent Application No. 20160097940 (filed Feb. 12, 2014).

[15] See Sony Filed a Patent for Video-Recording Contact Lens, Huffington Post (Apr. 28, 2016) http://www.huffingtonpost.com/entry/sony-contact-lens-camera_us_57220fc6e4b0f309baefd3f2 (last visited Nov. 17, 2016).

Image Source:

http://cdn.pocket-lint.com/r/s/320x/assets/images/phpocj7cd.jpg

The Uber Important Uber Lawsuit

Photo caption: George, 35, protests with other commercial drivers with the app-based, ride-sharing company Uber against working conditions outside the company's office in Santa Monica, California, June 24, 2014. REUTERS/Lucy Nicholson

By: Nicole Desbois,

Uber’s $100 million settlement agreement with its drivers was recently rejected by a federal judge in California. The judge rejected the settlement, finding that $100 million was not enough to adequately settle the dispute. The issue is whether Uber drivers are contractors or employees entitled to benefits, making Uber vulnerable to state penalties. If the drivers were to be classified as employees rather than contractors, then $100 million would be “only 10 percent of what lawyers for the drivers estimate that Uber could owe them and provided only $1 million toward state penalties that could add up to more than $1 billion.”[1]

Federal District Judge Chen rejected the settlement on the basis of a California law called the Private Attorneys General Act (“PAGA”). PAGA allows “private lawyers to sue companies on behalf of the state government.”[2] Again, in that case the settlement’s $1 million toward state penalties would barely scratch the surface of Uber’s potential future litigation costs and state penalty fees.

It is not entirely clear whether or not Uber drivers are employees rather than contractors. The courts remain undecided, and “‘[t]here is no set definition of the term “independent contractor,”’ according to the California Department of Industrial Relations website.[3] Rather, the state refers to an 11-point test. Is the worker paid per hour or per job? Who supplies the necessary workspace and tools? And, most importantly, how directly does the company control what workers do?”[4] No single factor in this 11-point test is dispositive.[5] The answer is often left up to a jury’s judgment.[6]

For now, the rejection of this settlement offer appears to be a double-edged sword. The bright side for Uber drivers is that Uber may in fact be violating state laws by classifying its employees as contractors. Had the agreement been approved, Uber’s drivers would have remained classified as contractors without employee benefits. Drivers now still have the option either to sue in court or to attempt to renegotiate a larger settlement.

However, an arbitration clause in the drivers’ contract could prevent many from participating in a class action lawsuit.[7] Uber has already successfully appealed to one court the classification of many of the drivers as a class, because a majority of the participants would be in violation of the arbitration clause.[8]

This recent ruling overturned a lower court’s ruling that the arbitration clause was not enforceable.[9] However, the drivers’ lawyer, Liss-Riordan, still has a second, separate appeal pending, arguing that the clause is unenforceable “for a different reason – because it violates the drivers’ rights under the National Labor Relations Act to engage in concerted activity.”[10]

Forcing drivers to bring their claims individually could drastically affect the amount Uber would be required to pay out.[11] The reason for this is that many individuals do not seek to pursue arbitration.[12] However, Liss-Riordan is more than ready to pursue this avenue, claiming that 1,000 drivers have already signed up.[13]

The outcome of this lawsuit could have a large scale ripple effect. With the evolution of technology and the ability of companies to outsource work to contractors, employers need to be careful not to cross the line.

Classifying the drivers as employees may also have negative impacts for the drivers themselves.[14] Although there are no state laws that prohibit employees from working with competitors, i.e. a Lyft driver working for Uber and vice versa, Uber and other companies would likely begin to draft such stipulations into their contracts.[15]

For now, the issue remains undecided. A decision regarding the arbitration clause is still pending. Until the arbitration clause issue is decided, Uber has successfully requested that the other issues up for trial remain pending.

One thing is for sure: the relationship between employers and contractors is likely to change within the next decade. Some experts within the field of employment contracting believe that on-demand independent contractors could grow to 40% of the workforce by the end of 2020.[16] As the workforce continues to trend toward independent contracting, employment benefits for contractors should grow too.

 

 

[1] Andrea Peterson, Judge: $100 Million Not Enough to Settle Uber Employment Lawsuit, Washington Post (Aug. 19, 2016), https://www.washingtonpost.com/news/the-switch/wp/2016/08/19/judge-100-million-not-enough-to-settle-uber-employment-lawsuit/.

[2] Id.

[3] Adam Brinklow, Year in Preview: What the Uber Lawsuit Means for Workers in the Sharing Economy, SF Weekly (Dec. 30, 2015), http://uberlawsuit.com/Year%20in%20Preview%20What%20the%20Uber%20Lawsuit%20Means%20for%20Workers%20in%20the%20Sharing%20Economy.pdf.

[4] Id.

[5] See id.

[6] See id.

[7] See Andrea Peterson, Judge: $100 Million Not Enough to Settle Uber Employment Lawsuit, Washington Post (Aug. 19, 2016), https://www.washingtonpost.com/news/the-switch/wp/2016/08/19/judge-100-million-not-enough-to-settle-uber-employment-lawsuit/.

[8] See id.

[9] See id.

[10] Uber Lawsuit, http://uberlawsuit.com (last visited Nov. 21, 2016).

[11] See Curt Woodward, Uber Lawsuit Could Shed Drivers After Settlement, Boston Globe (Aug. 19, 2016), https://www.bostonglobe.com/business/2016/08/19/uber-lawsuit-could-shed-drivers-after-settlement-rejected/G0zhHjOsjqpt7LoOZ3vjKJ/story.html.

[12] See id.

[13] See id.

[14] See Adam Brinklow, Year in Preview: What the Uber Lawsuit Means for Workers in the Sharing Economy, SF Weekly (Dec. 30, 2015), http://uberlawsuit.com/Year%20in%20Preview%20What%20the%20Uber%20Lawsuit%20Means%20for%20Workers%20in%20the%20Sharing%20Economy.pdf.

[15] See id.

[16] See Elaine Pofeldt, Intuit: On-Demand Workers Will More Than Double by 2020, Forbes (Aug. 13, 2015), http://www.forbes.com/sites/elainepofeldt/2015/08/13/intuit-on-demand-workers-will-more-than-double-by-2020/#7716e3ed679d.

Image Source:

http://blogs-images.forbes.com/dandiamond/files/2015/06/Uber_protest-e1434569997112.jpg

Privacy and Encryption in Trump’s America

By: Ellie Faust,

During Donald Trump’s campaign, he certainly had an opinion regarding cyber security, but his opinions have been pretty inconsistent. While the president-elect vowed to protect the nation’s networks against foreign spies and criminals, he also encouraged Russian hackers to distribute emails stolen from Democratic nominee, Hillary Clinton.[1] While we do not know much about Donald Trump’s stance on technology policies, we do know that the man loves surveillance and hates encryption.

With Trump’s victory and the reelection of Republican Senator Richard Burr, the chairman of the Senate intelligence committee, the battle over encryption could intensify. Last year, Burr led a failed effort to pass legislation that would require companies to build “back doors” into their products in order to allow the government to evade encryption and other data protection.[2] The tech industry is unwavering in adamantly opposing back doors and believes the government has no right to dictate the design of tech products.[3]

It is likely that Burr will soon reintroduce his encryption legislation. This year, with the support of the White House and Republican majorities in both houses of Congress, passage of such legislation is much more likely. That is not to say that Democrats and the more libertarian-minded Republicans of the House will not put up a fight.[4]

Many believe that a Trump presidency could very well lead to a restoration of the Patriot Act along with increased pressure on Silicon Valley companies to break encryption.[5] It has become apparent throughout the course of his campaign that Trump is supportive of reinstating the dormant portions of the Patriot Act and the collection of bulk cell phone metadata by the National Security Agency.[6]

Trump’s campaign has always been less than tech friendly. From encouraging a boycott of Apple products to a plea to close off parts of the Internet in order to limit Islamist propaganda, the majority of Silicon Valley is certainly not thrilled about the outcome of this election.[7] The battle between the tech world and Donald Trump has begun. While we wait for the action, there are a few things we can do now to ensure some sort of personal security in the future.

If you are one of the many concerned about possible increased surveillance, there are a few simple steps you can take to protect yourself now. To keep text messages private, you should install a service that provides end-to-end encryption. Apple’s iMessage currently offers this, but only between iMessage users.[8] If you do not have an iPhone, the apps Signal and WhatsApp both offer end-to-end encryption, but again, both users need to have the app installed in order for the encryption to work.[9] For those with a questionable search history, the Tor browser is the way to go. This browser makes your search activity anonymous by routing the data through a series of intermediate nodes before sending it out to the web.[10] While we do not know what is ahead of us, it never hurts to protect yourself just in case.

 

 

[1] See Hiawatha Bray, Trump, the digital authoritarian, Boston Globe (Nov. 10, 2016), https://www.bostonglobe.com/business/2016/11/09/trump-digital-authoritarian/77tnj7mF95eZManXFOkZ7N/story.html.

[2] See Dustin Volz and Joseph Menn, Trump election ignites fears over U.S. encryption, surveillance policy, Reuters (Nov. 9, 2016, 7:50 PM), http://www.reuters.com/article/us-usa-election-cyber-idUSKBN13503H.

[3] See id.

[4] See id.

[5] See Phil Muncaster, Trump’s Presidency Raises Encryption and Surveillance Fears, InfoSecurity (Nov. 10, 2016), http://www.infosecurity-magazine.com/news/trumps-presidency-raises/.

[6] See David Gilbert, What a Donald Trump presidency would mean for privacy and security, Comparitech (Sept. 6, 2016), https://www.comparitech.com/blog/vpn-privacy/trump-privacy-cyber-security/.

[7] See Volz, supra note 2.

[8] See id.

[9] See id.

[10] See id.

Image Source:

http://www.gannett-cdn.com/-mm-/44780648f78c92d2c4a567d1cd826b912f8e8a29/c=637-87-2091-1180&r=x404&c=534x401/local/-/media/2015/07/12/USATODAY/USATODAY/635723201689613363-AP-GOP-2016-Trump.1.jpg

Shut The Yak Up


By: Victoria Linney,

Yik Yak is a popular app among many college and university students. The app is a location-based network that helps people connect with others around them.[1] However, the app differs from Twitter and Facebook in that users are able to post on the app anonymously and must be within a certain radius to see the posts.[2] Only users who are seventeen and older are allowed to use the app, and the company actively blocks middle and high schools from Yik Yak by using geofences.[3] Geofencing is a method of placing boundaries based on location; depending on which side of a boundary you fall, you are either able to use the Yik Yak app or not.[4]
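As an added illustration of what a location-based block actually computes (this is not code from the article, and Yik Yak’s own implementation is not described on this page), the Python below models each blocked school as a circle around a centre coordinate and tests a device’s reported position against every circle using the haversine great-circle distance. The school names, coordinates and radii are constructed sample values; the radius geofence itself is an assumption about how such a boundary would be drawn.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


@dataclass(frozen=True)
class Geofence:
    """A circular no-posting zone: centre coordinate plus radius in metres."""
    name: str
    lat: float
    lon: float
    radius_m: float


# Constructed sample fences (hypothetical schools, not real locations).
# Per the policy quoted on the page, only primary/secondary schools are fenced,
# never a whole town or college campus, so no campus appears here.
SAMPLE_FENCES = [
    Geofence("Example Middle School", 37.5407, -77.4360, 400.0),
    Geofence("Example High School", 37.5600, -77.4700, 500.0),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def matching_fence(lat, lon, fences):
    """Return the first fence that contains the point, or None."""
    for fence in fences:
        if haversine_m(lat, lon, fence.lat, fence.lon) <= fence.radius_m:
            return fence
    return None


def posting_allowed(lat, lon, fences=SAMPLE_FENCES):
    """True when the reported position lies outside every fence."""
    return matching_fence(lat, lon, fences) is None


if __name__ == "__main__":
    # A point about 40 m from the middle-school centre: blocked.
    print(posting_allowed(37.5410, -77.4362))   # False
    # A point roughly a kilometre away: allowed.
    print(posting_allowed(37.5500, -77.4400))   # True
```

The check has to run on the server from the location the client reports, because a ban enforced only by a campus Wi-Fi network is, as the post notes, bypassed by switching to mobile data; a fence evaluated server-side applies regardless of which network the phone is on.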

Due to the anonymity of the app, users feel free to post whatever they are currently thinking, and sometimes these posts lead to cyberbullying.[5] But Yik Yak takes cyberbullying very seriously, and asks that users screenshot and “downvote” the post before reporting it.[6] Once the yak has been reported, it is removed from the user’s feed, and if the yak violates Yik Yak’s rules, the user who posted the yak is suspended and the yak is removed from all feeds.[7]

However, the measures taken by Yik Yak to prevent cyberbullying are not enough for some people. While middle and high schools are unable to access the app, there has been a call for college campuses to block Yik Yak.[8] Some campuses have responded to this call by banning the app from their wireless networks.[9] But this move is largely symbolic, because as long as students are able and willing to switch off Wi-Fi on their phones, they are able to access the app by using phone data.[10] In an attempt to make more than a purely symbolic move, some colleges have asked Yik Yak to install a geofence around their campuses, which would prevent students from accessing the app even while using data.[11] However, Yik Yak does not comply with these requests, and states clearly on the geofence request form on its website that it will “only geofence middle and high schools (primary and secondary) and will not geofence an entire town or college campus.”[12]

But the question still remains – even if Yik Yak were willing, or compelled, to put geofences around university campuses, would doing so violate students’ First Amendment rights? If a public college or university were to implement a geofence to ban Yik Yak, it would be violating the First Amendment.[13] This is because the Supreme Court has stated that the purpose behind the First Amendment is to “protect unpopular individuals from retaliation – and their ideas from suppression – at the hand of an intolerant society.”[14]

Protecting unpopular ideas, however, does not mean that threatening language is protected. True threats of violence are constitutionally unprotected, but true threats are not the only things being posted on Yik Yak.[15] People post about what the dining hall is serving, or about a tough breakup they are going through.[16] To block an entire platform designed for people to express their thoughts and opinions simply because some posts on the app are unpopular is contrary to the spirit of the First Amendment. As such, implementing a geofence to ban Yik Yak on college campuses would likely be held as unconstitutional, regardless of whether the university is public or private.

 

 

[1] See About, Yik Yak, https://www.yikyak.com/about (last visited Nov. 13, 2016).

[2] See Tasnim Shamma, Yik Yak Tests Universities’ Defense of Free Speech, NPR (Jan. 23, 2016), http://www.npr.org/sections/alltechconsidered/2016/01/23/463197593/yik-yak-tests-universities-defense-of-free-speech.

[3] See How Do You Prevent Children From Using Yik Yak?, Yik Yak, https://www.yikyak.com/support/faqs/sections/201022049/204565809 (last visited Nov. 13, 2016).

[4] See Shamma, supra note 2.

[5] See Adam Steinbaugh, The Futility of ‘Banning’ Yik Yak on Campus, The FIRE (Feb. 22, 2016), https://www.thefire.org/the-futility-of-banning-yik-yak-on-campus/.

[6] See I’m Being Bullied/Targeted, Yik Yak, https://www.yikyak.com/support/faqs/sections/201022049/205758949 (last visited Nov. 13, 2016).

[7] See id.

[8] See Steinbaugh, supra note 5.

[9] See Nathan Rubbelke, Campuses ‘Symbolically’ Ban Yik Yak as Battle Over App Rages, The College Fix (Oct. 21, 2015), http://www.thecollegefix.com/post/24735/.

[10] See Tyler Kingkade, Students Dip Into Their Data Plans to Get Around College’s Yik Yak Ban, Huff Post (Apr. 12, 2016), http://www.huffingtonpost.com/entry/illinois-college-banned-yik-yak_us_570d0bb7e4b0836057a25ad7.

[11] See College of Idaho Tries to Ban App Yik Yak on Campus, Wash. Times (May 15, 2015), http://www.washingtontimes.com/news/2015/may/15/college-of-idaho-tries-to-ban-the-app-yik-yak-on-c/.

[12] Geofence Request, Yik Yak, https://www.yikyak.com/support/requests/geofence (last visited Nov. 13, 2016).

[13] See Steinbaugh, supra note 5.

[14] McIntyre v. Ohio Elections Comm’n, 514 U.S. 334, 357 (1995).

[15] See Eugene Volokh, National Coalition in Favor of Campus Censorship, Wash. Post (Oct. 26, 2015), https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/10/26/national-coalition-in-favor-of-campus-censorship/.

[16] See Shamma, supra note 2.

Image Source:

https://lh6.ggpht.com/1qpT_PhfVep6JrqIZT9ONyUofE03_V9jmPpc3b_KOmUf0r184qXjRFB3QHkHP5cJ9RZ8=w300

Volume XXII Issue IV

May 16, 2016

Dear Readers,

The Richmond Journal of Law and Technology is proud to present its fourth and final issue of the Twenty-Second Volume. At its inception in 1995 JOLT became the first law review to be published exclusively online. From this moment on, the Journal has continued to set trends in legal scholarship. As one of the leading publications in the legal technology field, JOLT has the privilege of publishing articles that address topics at the forefront of the law. The articles in the Fourth Issue offer exciting discussions on forward-looking areas of the law and give readers a glimpse into the ways in which technology is transforming the legal landscape. The Journal hopes that these articles will drive advancements in the law and in practice, and we look forward to the discussions they evoke.

In our first article, entitled “Digital Direction for the Analog Attorney – Data Protection, E-Discovery, and the Ethics of Technological Competence in Today’s World of Tomorrow,” authors Stacey Blaustein, Melinda McLellan, and James Sherer outline some of the many challenges facing attorneys operating in the current high-tech legal environment. The article examines the ways in which existing and emerging ethical rules and guidelines may apply to the practice of law in the digital age. Cloud technology and social media are among the prominent technical platforms which, while convenient and efficient, pose significant threats to the technologically incompetent lawyer and his clients. This article is certain to spark further conversation about these issues as they continue to evolve.

Our second article, and final article of Volume XXII, is the selected 2016 JOLT Student Comment. Written by JOLT’s graduating Managing Editor, Megan Carboni, this article makes an exciting and bold proposal to bridge the gap in employment classification for workers in the “sharing” or “collaborative” economy. This new technology-enabled marketplace, spurred by Uber and mimicked by numerous other innovative service-sharing applications, posits a vexing balancing act between meeting the needs of businesses and their quasi-employees. Uber and similar businesses rely on classifying their workers as independent contractors, avoiding the potentially crippling benefits and obligations that these businesses would be forced to provide for their employees. At present there are only two definitions—employee and independent contractor—making it difficult to strike a balance without severely interfering with the employer’s business or employee expectations and needs. This article proposes an innovative third classification, the “dependent contractor,” as the best solution to meet the needs of both employer and employee.

On behalf of the entire 2015–2016 JOLT staff, I want to extend our sincerest thanks for your continued readership. I would also like to thank each of our authors for the time and hard work they have put into these articles. As always, JOLT greatly appreciates the ongoing support from the University of Richmond School of Law and is especially grateful for the guidance of our faculty advisors, Dean Jim Gibson and Professor Chris Cotropia.

On a more personal note, I wanted to extend my utmost appreciation and gratitude to the 2015–2016 JOLT Editorial Board and staff. It has been a pleasure serving as the Editor-in-Chief of Volume XXII, and I could not have successfully completed the Volume without the consistent hard work and dedication of the Journal’s members. On behalf of the outgoing class of 2016, I would like to wish Volume XXIII and the new Editorial Board all the best as they continue shaping JOLT’s reputation as the leading publication in the legal technology world.

 

Sincerely,

 

John G. Danyluk

Editor-in-Chief, Volume XXII

 

Digital Direction for the Analog Attorney – Data Protection, E-Discovery, and the Ethics of Technological Competence in Today’s World of Tomorrow, by Stacey Blaustein, Melinda L. McLellan, and James A. Sherer

A New Class of Worker for the Sharing Economy, by Megan Carboni

The Skeleton of a Data Breach: The Ethical and Legal Concerns

BDM Publication Version PDF

Cite as: Hilary G. Buttrick et al., The Skeleton of A Data Breach: The Ethical and Legal Concerns, 23 Rich. J.L. & Tech. 2 (2016), http://jolt.richmond.edu/wp-content/uploads/volume23_article2_Buttrick.pdf.

Hilary G. Buttrick,* Jason Davidson,** Richard J. McGowan***

 

Introduction 

[1]       After over thirty data breaches spanning the third and fourth quarter of 2012, Forbes magazine labeled the summer of 2012 as “The Summer of the Data Breach.”[1] Four years later, businesses across multiple industries have suffered brand-image damage and paid millions of dollars in remedial expenses; we are living in the era of the mega breach.[2] In 2014, companies such as Target, Home Depot, JP Morgan Chase, Anthem, Sony, UPS, Jimmy John’s, Kmart, Neiman Marcus, Community Health Systems, and the White House suffered data breaches.[3] The Home Depot breach alone resulted in the loss of “56 million credit card accounts,” “53 million email addresses,” and an estimated 63 million dollars in damage.[4] In addition to the economic fallout associated with data breaches, the 2015 Ashley Madison data breach highlighted the personal toll faced by consumers when their “private” information becomes “public.”[5] That data breach exposed the identities of millions of would-be philanderers, shaming not only the subscribers to Ashley Madison’s service, but also innocent bystanders such as their family members.[6] The frequency of data breaches has shown no signs of abating in 2016—in the first quarter, multiple hospitals fell victim to “ransomware,” a data breach that allows hackers to literally hold patient data hostage.[7] Several hospitals had to pay hackers to regain access to their patients’ data.[8]

[2]       “Decentralized technology” creates a different set of problems than the simple misuse of a single individual’s “technological profile” and information.[9] Today, unauthorized access to electronic information, a result of what Burnham in 1983 referred to as “transactional information,”[10] includes “hackers breaking into systems or networks, third parties accessing personal information on lost laptops or other mobile devices, or organizations failing to dispose of personal information securely.”[11] Data breaches exemplify the first type of unauthorized access and despite their frequent occurrence, they are little examined from an ethical standpoint. Though Google Scholar lists over 82,000 entries under “ethics of a data breach,” very few combine both terms in the title.[12] One article that does so notes a “dearth of prior organizational-level privacy research, which has largely overlooked ethical issues or the personal harms often caused by privacy violations.”[13] Even within the field of technology, “there has not been a huge literature on ethics within the mainstream of information systems journals.”[14] Part of the problem is the novelty of data breach cases. They are so new and different that they appear to be technologically, morally, and legally unlike other problems. We suggest that analogies and analyses exist which can help resolve some of these moral and legal puzzles.

[3]       First, this paper discusses the anatomy of a data breach, providing technical background on the way breaches occur. Next, we identify the ethical dimensions of data breaches. While privacy is a key topic in any ethical analysis of a data breach, other issues are more pressing, such as the responsibility of organizations to prevent and to repair the consequences of data breaches. Then we analyze the current status of the law with regard to data breaches. We note immediately that the laws of the various states are exactly that, various and eclectic; no consistent and stable legal understanding has yet emerged. The article concludes with guidance regarding data breach prevention, which can help businesses meet their ethical and legal obligations.

I. Data Breach Basics

[4]       According to popular folklore, the first computer “bug” was officially documented in 1945.[15] This was years before the first personal computer was released, and instead of malware or social engineering deception, the “bug” was literally a moth that was stuck between two components of IBM’s Harvard Mark II.[16] After a cataclysmic data breach in the modern computing age, however, postmortem reports eventually surface that provide the details of each individual breach.[17] These reports explain the hacker’s methodology, the company’s missed warning signs, and the collateral damage from the breach.[18] Each individual breach has its own signature as every data system is as unique as a fingerprint; however, these breaches generally occur in one of several ways.

[5]       The most common and well-documented method of cyber-attack uses malware.[19] Malware, which includes viruses, worms, and trojan horses, is the “generic name for evil software.”[20] A 2016 data breach report by Verizon found that malware continues to be the major contributor to data breaches involving stolen credentials and point of sale attacks.[21] Malware attacks, specifically worms, were publicly credited for both the Target[22] and Home Depot[23] data breaches. Ironically, the first worm was created in 1975 by Xerox as a network analysis tool.[24] Modern day worms are standalone programs that can replicate and spread throughout a network when activated.[25] Some of the more notable worms include Melissa, ILOVEYOU, Slammer, and the Morris worm.[26] Malware is not the only factor that can lead to network compromise. Security breaches often are attributable to social engineering.[27]

[6]       Social engineering employs deception tactics to persuade the user to simply give the cybercriminal direct access to the system under attack, similar to the modus operandi of a traditional con-artist.[28] Social engineering attacks direct messages and correspondence to users who have access to the systems that are being attacked.[29] Through different methods of deception, the user is prompted to give away the information needed to access the system.[30] The most common methods of social engineering are spear phishing, smishing, and vishing.[31] Spear phishing is direct correspondence, usually via email, that is personally crafted to gain the trust of the end user.[32] Once trust is obtained, the user is prompted for login credentials and the system is compromised. Smishing and vishing are similar to spear phishing; however, they use text messages (smishing) and voice communication (vishing) as mediums.[33] It is also worth noting that old-fashioned tactics such as breaking and entering, removing files from the printer, or simply guessing passwords are still commonly used tricks of the trade.[34]

[7]       To circumvent the millions of dollars companies invest in information technology security, hackers often use a combination of the tactics discussed above. As detailed in the Dell SecureWorks report on the Target infiltration, a combination of social engineering and malware was used to cause the collapse.[35] Hackers first targeted Fazio Mechanical Services, a vendor for Target.[36] They were able to gain login credentials through spear phishing, which in turn granted them direct access to the systems that opened a pathway to Target’s network.[37] Upon accessing Target’s data network, the hackers injected a worm into the system.[38] This worm compromised Target’s point of sale systems using a customized version of malware called Black POS.[39] This malware then compromised Target’s server, which allowed the data to be distributed and copied to servers located throughout the world; accordingly, the hack was very difficult to trace.[40]
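Read from the defender’s side, the chain just described leaves footprints at two points: a third-party vendor account authenticating to systems outside the segment it was provisioned for, and unusually large transfers from the point-of-sale segment to addresses outside the corporate network. The Python below is an added example, not code from this article or from the Dell SecureWorks report it cites; the key=value log format, the account names, the network ranges, the allowed-segment policy and the byte threshold are all constructed assumptions, and the records it scans are made-up sample lines.

```python
import ipaddress
import re

# Constructed sample log (not from any real system): an authentication feed
# and a network-flow feed, both written as "<timestamp> key=value ...".
SAMPLE_LOG = """\
2013-11-15T09:12:01Z kind=auth user=vendor_hvac src=203.0.113.45 dst=10.0.5.10 result=success
2013-11-15T09:14:33Z kind=auth user=vendor_hvac src=10.0.5.10 dst=10.0.20.7 result=success
2013-11-15T09:15:02Z kind=auth user=pos_admin src=10.0.20.2 dst=10.0.20.7 result=success
2013-11-27T02:10:44Z kind=flow src=10.0.20.7 dst=198.51.100.23 bytes=734003200
2013-11-27T02:11:10Z kind=flow src=10.0.20.7 dst=10.0.30.4 bytes=8192
2013-11-27T02:12:00Z kind=flow src=10.0.5.10 dst=198.51.100.23 bytes=4096
"""

# Assumed policy: the only segments each scoped account may authenticate to.
ACCOUNT_SCOPE = {
    "vendor_hvac": [ipaddress.ip_network("10.0.5.0/24")],   # vendor portal only
    "pos_admin":   [ipaddress.ip_network("10.0.20.0/24")],  # point-of-sale segment
}
POS_SEGMENT = ipaddress.ip_network("10.0.20.0/24")
# RFC 1918 ranges count as internal; documentation ranges such as 198.51.100.0/24
# are treated as external here, so is_private() is deliberately not used.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES = 100 * 1024 * 1024  # assumed threshold: 100 MiB in a single flow

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ts> k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV.findall(rest))
    rec["ts"] = ts
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scope_violations(records):
    """Successful logins by a scoped account to a host outside its allowed segments."""
    alerts = []
    for r in records:
        if r.get("kind") != "auth" or r.get("result") != "success":
            continue
        scope = ACCOUNT_SCOPE.get(r.get("user"))
        if scope is None:
            continue
        dst = ipaddress.ip_address(r["dst"])
        if not any(dst in net for net in scope):
            alerts.append(f"{r['ts']} {r['user']} reached out-of-scope host {r['dst']}")
    return alerts


def pos_exfil(records):
    """Large single flows from the POS segment to a non-internal destination."""
    alerts = []
    for r in records:
        if r.get("kind") != "flow":
            continue
        src = ipaddress.ip_address(r["src"])
        if (src in POS_SEGMENT and not is_internal(r["dst"])
                and int(r["bytes"]) >= EXFIL_BYTES):
            alerts.append(f"{r['ts']} {r['src']} sent {r['bytes']} bytes to external {r['dst']}")
    return alerts


def run_detections(log_text=SAMPLE_LOG):
    """Run both rules over the log text and return the alert strings in order."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return scope_violations(records) + pos_exfil(records)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Against the sample lines, the vendor account’s login to a POS host and the 700 MB flow from that host to an external address each produce one alert, while the vendor’s login to its own portal, the administrator’s login within the POS segment and the small internal flows are silent. Both rules depend on a written allowed-segment policy existing for third-party accounts; that policy, rather than the detection code, is the control the Target narrative shows was missing.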

[8]       For businesses, the question of data breach is not “if” but “when.” It is indisputable that the hackers in the examples discussed above bear the moral responsibility for their acts.[41] But the moral responsibility of the business that sustains the data breach presents a closer question. Businesses require consumers to provide their private information when completing even the most routine transactions; this places the business in a unique position of trust. The scope of a business’s moral responsibility for breach of that trust is discussed below.

II. Moral Responsibility and Data Breach 

[9]       Of course, the right to privacy is at the fore. However, information technology “explicitly embodies particular important values…privacy, autonomy, universal usability, trust, and cooperation.”[42] The existing literature does not explore the scope of a business’ moral responsibility for data breach. Accordingly, reference to other areas, such as moral responsibility for marketing, is instructive. The values associated with information technology suggest moral analysis based on the ethics of marketing and on notions of corporate responsibility, inasmuch as knowledge plays a role in making autonomous choices and trust is associated with responsibility.[43]

[10]     Three main positions have been staked out over the years with regard to marketing: the contractual view, the due care theory, and the social costs view, sometimes referred to as the “deep pockets” view.[44] Captured in the phrase, caveat emptor, the contractual view of the buyer-seller relationship holds that the seller, typically a business, only has the duties to the buyer that the contract states.[45] Thus, under the contract view, Ford could indeed sell a product which, when struck from behind at 21 miles per hour, could produce a flaming inferno.[46]

[11]     The problem is that consumers lack the knowledge that the producer has and therefore cannot act knowledgeably in purchasing a product. The due care position recognizes the imbalance and the vulnerable position of the consumer by placing additional duties on the business.[47] As Culnan and Williams put the matter, “[w]e further argue that because consumers are vulnerable in their dealings with businesses due to information and control deficits, organizations have a moral duty—often overlooked, we observe—that extends beyond legal compliance requiring them to take reasonable precautions with consumer data and to avoid harm in using this data.”[48] The “deep pockets” view, analogous to the legal notion of strict liability, would have the seller assume all costs of a product, even when it exercised “due care” to protect the consumer from risk and injury.[49] In other words, when a problem occurs, no investigation need be undertaken: the seller takes the responsibility, or caveat vendor.[50] Given the poor record of businesses with regard to handling data breaches,[51] the third option appears most reasonable.

[12]     Corporations have been reluctant to take steps to exhibit moral responsibility in the area of data breach.[52] Normally, when wrongdoing occurs in an organizational setting, the elements of magnitude and certitude of harm as well as connection and contribution to the harm are utilized.[53] Corporations appear to underestimate magnitude and certitude of harm and appear to ignore the contribution they make to data breaches by being primarily reactive rather than proactive.[54] While an analysis of a business’s moral responsibility for a data breach suggests the appropriateness of a rule akin to strict liability, the law is far from imposing such an obligation.[55]

III. Legal Liability and Data Breach

[13]     Not surprisingly, the development of data breach law has lagged behind the speed of technological innovation.[56] There are two significant legal questions surrounding data breaches. First, what legal obligations does a business owe its customers regarding data security and notifications of a breach? Second, what legal remedies do consumers have if their private information is compromised as the result of a data breach? As discussed below, there is currently no comprehensive federal regulatory scheme addressing data breach.[57] Instead, businesses must attempt to comply with a patchwork of state laws addressing data breach notifications.[58] Additionally, consumers are left with few effective civil remedies when their private information is breached.[59]

A. Data Breach Notification Laws

[14]     At present, there is no comprehensive federal statute addressing a business’s obligation to safeguard personal information.[60] While there are a few federal statutes aimed at protecting personal information in narrow contexts (such as the protection of medical and health-related information under the Health Insurance Portability and Accountability Act of 1996),[61] the legal rules governing data breach are handled largely at the state level.[62] Currently, “[f]orty-seven states, [and] the District of Columbia” have laws addressing business obligations with regard to data breaches.[63] Three states—Alabama, New Mexico, and South Dakota—have no statutes on the books addressing consumer notification of data breaches.[64] Most states impose obligations on businesses to maintain “reasonable security” measures “to protect personal information.”[65] While definitions vary from state to state, “personal information” commonly includes an individual’s social security number,[66] or

[A]n individual’s first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted: (A) A driver’s license number. (B) A state identification card number. (C) A credit card number. (D) A financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person’s account.[67]

[15]     A “breach” occurs when there is an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. . . .”[68]
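To make the quoted definition concrete, here is an added Python example (not code from the article) that encodes its elements as a check over a single compromised customer record: the record counts as “personal information” if it exposes a social security number, or a name (first and last, or first initial and last) together with at least one data element that is neither encrypted nor redacted, with element (D) requiring an account or debit card number in combination with a security code, password, or access code. The field names and the sample records are constructed; because the article notes that definitions vary from state to state, the rules below encode only the language quoted above and nothing more.

```python
from dataclasses import dataclass, field

# Field names are an assumed schema for the example, not statutory terms.
NAME_COMBINATIONS = (("first_name", "last_name"), ("first_initial", "last_name"))
STANDALONE_ELEMENTS = ("drivers_license", "state_id", "credit_card")   # (A)-(C)
ACCOUNT_NUMBERS = ("financial_account", "debit_card")                  # (D), part 1
ACCOUNT_CODES = ("security_code", "password", "access_code")           # (D), part 2


@dataclass
class Record:
    """One customer record and the set of its fields stored encrypted or redacted."""
    fields: dict
    protected: set = field(default_factory=set)

    def exposed(self, name):
        """A field is exposed if it holds a value and is not encrypted/redacted."""
        return bool(self.fields.get(name)) and name not in self.protected


def has_name(rec):
    return any(all(rec.exposed(f) for f in combo) for combo in NAME_COMBINATIONS)


def exposed_elements(rec):
    """Data elements whose exposure, together with a name, qualifies the record."""
    found = [e for e in STANDALONE_ELEMENTS if rec.exposed(e)]
    if (any(rec.exposed(a) for a in ACCOUNT_NUMBERS)
            and any(rec.exposed(c) for c in ACCOUNT_CODES)):
        found.append("account_number_with_code")
    return found


def is_personal_information(rec):
    """Return (qualifies, reasons) under the quoted definition."""
    if rec.exposed("ssn"):
        return True, ["ssn"]
    if has_name(rec):
        elems = exposed_elements(rec)
        if elems:
            return True, elems
    return False, []


def records_requiring_review(records):
    """Subset of acquired records whose exposure would trigger breach review."""
    return [r for r in records if is_personal_information(r)[0]]


# Constructed sample records (placeholder values, not real people or numbers).
SAMPLE_RECORDS = [
    Record({"first_name": "Ann", "last_name": "Lee", "credit_card": "4111-xxxx"}),
    Record({"first_name": "Ann", "last_name": "Lee", "credit_card": "4111-xxxx"},
           protected={"credit_card"}),                       # card stored encrypted
    Record({"first_initial": "B", "last_name": "Ortiz", "debit_card": "5500-xxxx"}),
    Record({"first_initial": "B", "last_name": "Ortiz", "debit_card": "5500-xxxx",
            "access_code": "9876"}),                         # number plus code
    Record({"ssn": "000-00-0000"}),                          # SSN alone qualifies
    Record({"drivers_license": "D1234567"}),                 # element without a name
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(is_personal_information(rec))
```

Two of the negative cases carry the practical lesson: the same card number stored encrypted, and an account number without its access code, fall outside the quoted definition, which is why encryption of stored data elements is the single control that most directly narrows what a breach obliges a business to notify.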

[16]     In the event of a data breach, existing statutes require businesses to provide some type of notification to the consumer.[69] The type and timing of that notice, however, varies from state to state.[70] Some states require consumer notification whenever unauthorized access of personal information occurs.[71] Other states require businesses to notify consumers only if there appears to be a reasonable risk that some harm will result from the breach.[72] Many states require businesses to notify the attorney general of data breaches.[73] Some statutes require notification within a specified time frame, while others simply require that notification be done expediently.[74] Businesses that serve consumers in multiple states must comply with the notification requirements of each of the states where affected consumers reside.[75] Thus, when a large data breach occurs, businesses face a considerable challenge in ensuring compliance with the various notification laws throughout the country.[76]

[17]     This patchwork of state regulation leads commentators and policy advocates to suggest that a comprehensive federal data breach statute should be enacted.[77] A federal data breach statute would preempt state regulation, thus simplifying the breaching business’s compliance requirements and costs.[78] Instead of struggling to comply with the various notification laws of multiple states, a business would look to only one source—federal law—to discern its obligations in the event of a data breach.[79] While federal bills have been proposed,[80] Congress has failed to pass any comprehensive proposal.[81]

[18]     Moreover, critics claim that draft bills are weak and do not offer enough protection for consumers.[82] In particular, critics note that the proposals do not do enough to incentivize data breach prevention because they focus on consumer notification after a breach has already occurred.[83] To incentivize data breach prevention, businesses must view added security measures as solid investments that minimize risks of loss.[84] The primary business risks associated with data breaches are loss of customer goodwill and, of course, lawsuits from affected consumers.[85] As discussed below, data breach lawsuits are difficult to pursue. Accordingly, the threat of consumer litigation has not played an extensive role in influencing businesses to adopt more stringent security measures.[86]

B. Consumer Remedies for Data Breach

[19]     Some commentators have argued that in order to meaningfully encourage businesses to adopt better data protection measures, businesses must view customer litigation as a serious threat.[87] The threat of litigation in this context has been largely hollow because consumers have few legal remedies when their personal information is breached.[88] While data breach statutes require businesses to notify consumers in the event of a breach, only a handful of those statutes create a private cause of action that allows the consumer to bring a lawsuit against the business.[89] Thus, in the majority of states with data breach statutes, the consumer is statutorily entitled to notice of the breach but little else.[90] Given the lack of meaningful statutory remedies for data breaches, consumers have looked to the common law for a cognizable theory of recovery.[91] Consumers have sought damages for data breaches under theories of negligence, breach of contract, breach of fiduciary duty, and infliction of emotional distress.[92] These common law theories are not well-suited to data breach cases and often end in dismissal for several reasons.[93]

[20]     First, the harm that results from data breaches is most commonly economic harm—there is no personal injury or physical property damage sustained by the consumer as a result of the data breach.[94] Many jurisdictions follow a rule called the “economic loss doctrine,” which prevents consumers from recovering purely economic damages under a tort theory (such as negligence or infliction of emotional distress).[95] Thus, in jurisdictions that follow the economic loss doctrine, data breach claims sounding in tort rarely reach the jury because they are dismissed as the result of pretrial dispositive motions filed by the defendant.[96]

[21]     Second, many data breach cases are dismissed because the consumer lacks standing to bring such a claim.[97] Standing is a constitutional prerequisite to litigation that requires the plaintiff to have suffered an injury in fact.[98] In other words, the harm sustained by the plaintiff must be real, not hypothetical or speculative.[99] In data breach cases, the injury can be hard to define. Plaintiff consumers often argue that the data breach itself and the risk of future identity theft are sufficient harms; defendant businesses contend that no injury has occurred unless the plaintiff can show a link between the data breach and an actual instance of identity theft.[100] Not surprisingly, the courts are divided on what type of injury suffices to confer standing in a data breach case.[101]

[22]     Even if the plaintiff consumer in a data breach case survives the standing hurdle, he or she must still prove all of the elements of his or her case in order to win. In most instances, the consumer will have to prove that his or her injury was caused by the defendant’s data breach.[102] Proving causation in data breach cases can be difficult because the plaintiff’s personal information may have been compromised in other data breaches, making it nearly impossible to establish that the suffered identity theft was solely the result of the defendant’s breach.[103]

[23]     The procedural and substantive difficulties associated with data breach litigation mean that very few of these cases are likely to survive dispositive motions and reach a jury, which in turn makes them less attractive to class action attorneys.[104] The procedural hurdles, the cost of litigation, and the prospect of a small recovery are enough to deter most individual consumers from bringing a data breach lawsuit.[105] Without effective legal remedies, most consumers must simply put up with the headaches associated with data breaches.[106] While external litigation pressures and the current data breach regulatory state may not incentivize businesses to take additional steps to safeguard consumer privacy, ethics would certainly suggest that businesses should voluntarily adopt higher standards for data protection.[107]


IV. Business Strategies to Minimize the Risk of Data Breach

[24]     Several tactics can help reduce the threat of cybercrime. The first tactic is infrastructure.[108] A modern company must continually perform routine maintenance including, but not limited to, security patches, operating system upgrades, and hardware upgrades. Cyber criminals often exploit older software to gain unauthorized access to data networks.[109] An attack that exploits a flaw before the software manufacturer has developed a security patch is called a “zero-day attack.”[110] Once a hardware or software exploit is identified, vendors act to create patches that repair the problem as quickly as possible.[111] It is up to the corporation to obtain and apply these patches.
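The paragraph above leaves the last step, obtaining and applying patches, to the corporation. In practice that step starts with knowing which hosts are still behind a vendor's fixed version and for how long they have been exposed. The following is an added example, not code from the article or from any of the works it cites; the host names, package names, versions, and advisory dates are constructed sample data, and the comparison is kept numeric because a string comparison would wrongly rank version 5.7.9 above 5.7.10.

```python
"""Patch-compliance check over a constructed host inventory.

Added illustration, not from the article. All hosts, packages, versions
and advisory dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_version: str  # first version that contains the vendor's fix
    released: date      # day the vendor published the patch


def parse_version(version: str) -> tuple:
    """Turn '5.7.10' into (5, 7, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or beyond the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


# Constructed inventory: host -> {package: installed version}
INVENTORY = {
    "web-01": {"webserver": "2.4.20", "dbclient": "5.7.10"},
    "web-02": {"webserver": "2.4.18", "dbclient": "5.7.10"},
    "db-01": {"webserver": "2.4.20", "dbclient": "5.7.9"},
}

# Constructed vendor advisories (hypothetical packages and dates).
ADVISORIES = [
    Advisory("webserver", "2.4.20", date(2016, 7, 5)),
    Advisory("dbclient", "5.7.10", date(2016, 8, 1)),
]

# Date the report is run; fixed here so the example is reproducible.
REPORT_DATE = date(2016, 9, 1)


def unpatched_hosts(inventory, advisories, today):
    """Return (host, package, installed, fixed, days_exposed) for every host
    still running a version older than an advisory's fixed version.

    days_exposed counts from the day the vendor released the fix, i.e. the
    time the organisation has had the patch available but not applied.
    """
    findings = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is None or is_patched(installed, adv.fixed_version):
                continue
            exposed = (today - adv.released).days
            findings.append((host, adv.package, installed, adv.fixed_version, exposed))
    return findings


if __name__ == "__main__":
    for host, pkg, have, need, days in unpatched_hosts(INVENTORY, ADVISORIES, REPORT_DATE):
        print(f"{host}: {pkg} {have} < {need}, patch available for {days} days")
```

Run against a real inventory, the same function would be fed by the organisation's configuration-management or package database and by the vendor's advisory feed; the "days exposed" column is the figure that turns a patch backlog into a risk conversation rather than a to-do list.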

[25]     The second prevention method is active monitoring.[112] Similar to the way that the FBI manages the national threat level, a company’s IT department must manage the cybercrime threat level.[113] A wide range of firewall and IT monitoring software is available to monitor network traffic.[114] Many anti-virus software programs automatically scan for and remove commonly found malware.[115] In addition, IT security companies provide external monitoring services to augment a company’s internal monitoring procedures.[116] These offsite IT services offer network traffic monitoring and may even provide built-in client insurance or reimbursement if a data breach occurs due to negligence within their services.
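To make "active monitoring" concrete, the following is an added example that is not part of the article or of any monitoring product it cites: a small detection rule that reads authentication log lines and alerts when one source address accumulates too many failed logins inside a sliding time window. The log format, the source addresses (taken from documentation ranges), the threshold of five failures in five minutes, and the user names are all constructed assumptions.

```python
"""Failed-login burst detection over constructed authentication log lines.

Added illustration, not from the article. The log format, addresses,
users and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> auth OK|FAIL user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log. 203.0.113.7 tries several accounts in quick
# succession; 198.51.100.4 is a user who mistyped once; 192.0.2.9 fails
# five times but spread over 24 minutes, outside any 5-minute window.
SAMPLE_LOG = """\
2016-09-01T08:00:01 auth FAIL user=alice src=203.0.113.7
2016-09-01T08:00:02 auth FAIL user=bob src=203.0.113.7
2016-09-01T08:00:05 auth FAIL user=carol src=198.51.100.4
2016-09-01T08:00:09 auth OK user=carol src=198.51.100.4
2016-09-01T08:00:14 auth FAIL user=carol src=203.0.113.7
2016-09-01T08:00:20 auth FAIL user=dave src=203.0.113.7
this line is malformed and must be skipped, not crash the monitor
2016-09-01T08:00:31 auth FAIL user=erin src=203.0.113.7
2016-09-01T08:00:45 auth FAIL user=frank src=203.0.113.7
2016-09-01T08:00:00 auth FAIL user=gina src=192.0.2.9
2016-09-01T08:06:00 auth FAIL user=gina src=192.0.2.9
2016-09-01T08:12:00 auth FAIL user=gina src=192.0.2.9
2016-09-01T08:18:00 auth FAIL user=gina src=192.0.2.9
2016-09-01T08:24:00 auth FAIL user=gina src=192.0.2.9
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src: time_of_first_alert} for every source whose failed logins
    reach `threshold` within any `window`-long span.

    A per-source deque holds timestamps of recent failures; entries older than
    the window are dropped before the count is checked, so slow, spaced-out
    failures never accumulate. Lines must be in time order per source.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        event = parse_line(line)
        if event is None or event["result"] != "FAIL":
            continue  # malformed lines and successful logins do not count
        failures = recent[event["src"]]
        failures.append(event["ts"])
        while failures and event["ts"] - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and event["src"] not in alerts:
            alerts[event["src"]] = event["ts"]
    return alerts


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {when.isoformat()} repeated failed logins from {src}")
```

The rule is deliberately simple; a production monitor would add the success-after-many-failures case (a likely compromised account), key on the target user as well as the source, and feed alerts into whatever ticketing or SIEM system the IT department already watches.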

[26]     The third prevention method is education.[117] While most people envision a hacker in a dark basement surrounded by computers, social engineering is a remarkably effective method of data intrusion.[118] For example, a study of data breaches occurring in 2015 found that “30% of phishing messages were opened by the target across all campaigns.”[119] The risk of data breach can be mitigated if employees know they should never share passwords, should change passwords frequently, and should lock their office doors.[120] Additional security measures such as key fobs, biometric readers, and similar devices that must remain with employees should also be kept private. While no one strategy can guarantee that a business will not sustain a data breach, the preceding measures will lessen the risk.

V. Conclusion

[27]     Though data breaches are a relatively new phenomenon, guidance about the technology, morality, and legality of data breaches is available. If we are correct, corporations must do a better job of determining where data breaches are likely to occur, whether from human error or from information system flaws. Corporations must take steps to minimize risk before data breaches occur. Protocols must be put in place that assume responsibility for the consumers’ negative consequences, such as notifying them immediately and providing help in diminishing the harm from the data breach. The legal liability will be mitigated; trust and cooperation will more likely flourish.


*J.D., Assistant Professor of Business Law, Butler University.

**M.B.A., Instructor of Management Information Systems, Butler University.

***Ph.D., Instructor of Business Ethics, Butler University.

[1] See Dave Lewis, Notes from RSA: Accountability in Security, Forbes, (Apr. 29, 2015, 6:30 PM), http://www.forbes.com/sites/davelewis/2015/04/29/notes-from-rsa-accountability-in-security/#47e46e292163, archived at https://perma.cc/HV4B-D7T8.

[2] See Bill Hardekopf, The Big Data Breaches of 2014, Forbes, (Jan. 13, 2015, 7:06 PM), http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/#4ad6aa5f3a48, archived at https://perma.cc/WYT4-8JX8.

[3] See id.; see Ellen Nakashima, Hackers Breach Some White House Computers, Wash. Post (Oct. 28, 2014), https://www.washingtonpost.com/world/national-security/hackers-breach-some-white-house-computers/2014/10/28/2ddf2fa0-5ef7-11e4-91f7-5d89b5e8c251_story.html, archived at https://perma.cc/HD4S-MUX2.

[4] The Home Depot, Inc., Annual Report (Form 10-K) (Mar. 25, 2015), at 18–19.

[5] See Eric Basu, Cybersecurity Lessons Learned from the Ashley Madison Hack, Forbes, (Oct. 26, 2015, 11:55 AM), http://www.forbes.com/sites/ericbasu/2015/10/26/cybersecurity-lessons-learned-from-the-ashley-madison-hack/#14c58a7eed99, archived at https://perma.cc/U4L3-R6VE.

[6] See id.

[7] See Seung Lee, Ransomware Wreaking Havoc in American and Canadian Hospitals, Newsweek, (Mar. 23, 2016, 10:23 AM), http://www.newsweek.com/ransomware-wreaking-havoc-american-and-canadian-hospitals-439714, archived at https://perma.cc/MJ2N-UW4T.

[8] See id.

[9] See Mary J. Culnan & Cynthia Clark Williams, How Ethics Can Enhance Organizational Privacy: Lessons From the ChoicePoint and TJX Data Breaches, 33 MIS Q. 673, 673 (2009).

[10] David Burnham, The Rise of the Computer State 50 (1983).

[11] Culnan & Williams, supra note 9, at 675.

[12] See Search Results for “Ethics of a Data Breach,” Google Scholar, https://scholar.google.com/scholar?hl=en&q=ethics+of+a+data+breach&btnG=&as_sdt=1%2C47&as_sdtp=, archived at https://perma.cc/7HZG-UK9D (last visited Sept. 20, 2016).

[13] Culnan & Williams, supra note 9, at 673.

[14] John Mingers & Geoff Walsham, Toward Ethical Information Systems: The Contribution of Discourse Ethics, 34 MIS Q. 833, 837 (2010).

[15] See Computerworld Staff, The Moth in the Machine: Debugging the Origins of the Bug, Computerworld (Sept. 3, 2011, 7:00 AM), http://www.computerworld.com/article/2515435/app-development/moth-in-the-machine--debugging-the-origins-of--bug-.html, archived at https://perma.cc/KC3P-8QRF; see also Fred R. Shapiro, Etymology of the Computer Bug: History and Folklore, 62 American Speech 376, 376–77 (1987).

[16] See Shapiro, supra note 15, at 376–77 (noting that a moth was found in the Mark II in 1945, but contending that the word “bug” was used to describe defects in machines long before 1945; thus, the term did not originate with the insect found in the Mark II).

[17] See Pragati Verma, You’ve Been Breached — What Now? A Post-Mortem Checklist, Forbes: AllClear ID (Aug. 17, 2015, 11:27 AM), http://www.forbes.com/sites/allclearid/2015/08/17/youve-been-breached-what-now-a-post-mortem-checklist/#13a42ec34384, archived at https://perma.cc/Z365-VFCT.

[18] See id.

[19] See Raymond R. Panko & Julia L. Panko, Business Data Networks and Security 91 (Pearson, 10th ed. 2015).

[20] Id.

[21] See Verizon, Inc., 2016 Data Breach Investigations Report, at 20 (2016), http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016, archived at https://perma.cc/E8S4-RHVU (follow “Download the 2016 DBIR”) [hereinafter Verizon Report].

[22] See Keith Jarvis & Jason Milletary, Inside a Targeted Point-of-Sale Data Breach, Dell SecureWorks, at 1 (Jan. 24, 2014), http://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf, archived at https://perma.cc/5V6Y-CAED.

[23] See Hardekopf, supra note 2.

[24] See Michael A. Hiltzik, Computer Viruses Can Be Healthy for Innovation, L.A. Times (Apr. 5, 1999), at 1, http://articles.latimes.com/1999/apr/05/business/fi-24293, archived at https://perma.cc/A5ZD-P4R4.

[25] See Panko & Panko, supra note 19, at 93.

[26] See, e.g., Ned Potter, Top 10 Computer Viruses and Worms, ABC News (Sept. 3, 2009), http://abcnews.go.com/Technology/top-computer-viruses-worms-internet-history/story?id=8480794, archived at https://perma.cc/C6DW-YT2P (listing the top 10 most well-known computer viruses and worms).

[27] See Verizon Report, supra note 21, at 17 (noting that most phishing cases “feature phishing as a means to install persistent malware,” leading to security breach).

[28] See Panko & Panko, supra note 19, at 96–97.

[29] See id. at 96.

[30] See id. at 97.

[31] See id. at 96–97; see FBI, Smishing and Vishing and Other Cyber Scams to Watch Out for This Holiday, Federal Bureau of Investigation (Nov. 24, 2010), https://archives.fbi.gov/archives/news/stories/2010/november/cyber_112410/cyber_112410 [hereinafter Smishing and Vishing].

[32] See Panko & Panko, supra note 19, at 97.

[33] See Smishing and Vishing, supra note 31.

[34] See, e.g., Eric Geier, Your Printer Could Be a Security Sore Spot, PC World (Apr. 25, 2012, 6:01 PM), http://www.pcworld.com/article/254518/your_printer_could_be_a_security_sore_spot.html, archived at https://perma.cc/7PZY-87MX (discussing five security threats network printers may impose); see also Matt Smith, The 5 Most Common Tactics Used to Hack Passwords, Make Use Of (Dec. 20, 2011), http://www.makeuseof.com/tag/5-common-tactics-hack-passwords/, archived at https://perma.cc/YJ4K-NDLR.

[35] See Jarvis & Milletary, supra note 22, at 1, 10.

[36] See Staff of S. Comm. on Com., Sci., and Transp., 113th Cong., A “Kill Chain” Analysis of the 2013 Target Data Breach 4 (2014), http://www.public.navy.mil/spawar/Press/Documents/Publications/03.26.15_USSenate.pdf, archived at https://perma.cc/SLX8-24UD.

[37] See id. at 8.

[38] See id. at 9.

[39] See id. at 2, 9.

[40] See id. at 4.

[41] See generally Richard J. McGowan & Hilary G. Buttrick, Moral Responsibility and Legal Liability, or Ethics Drives the Law, 11 J. Learning in Higher Educ. 9, 10 (2015) (discussing the three basic elements of moral responsibility).

[42] Mingers & Walsham, supra note 14, at 839.

[43] See generally John Rawls, A Theory of Justice 347-50 (1971) (discussing the moral psychology and the acquisition of the sentiment of justice).

[44] See Manuel Velasquez, Business Ethics: Concepts and Cases 308 (7th ed. 2012).

[45] See id. at 314; see generally Thomas Garrett & Richard Klonoski, Business Ethics 88 (2nd ed. 1986) (discussing the fairness of a sales contract and the importance of protecting the dignity of the buyers).

[46] See generally Clark Butler, Human Rights Ethics: A Rational Approach 80 (2008) (discussing the moral psychology and the acquisition of the sentiment of justice).

[47] See Edgar H. Schein, The Problem of Moral Education for the Business Manager, 8 Indust. Rev. 3, 4 (1966).

[48] Culnan & Williams, supra note 9, at 674.

[49] See Reed Dickerson, The Basis of Strict Products Liability, 16 Food, Drug, Cosmetic L.J. 585, 591 (1961).

[50] See David A. Hall, Strict Liability and Computer Software: Caveat Vendor, 4 Computer/L. J. 373, 373 (1983).

[51] See generally Culnan & Williams, supra note 9, at 681-82 (discussing the ways in which consumers are vulnerable when businesses lack appropriate data security measures); see also Simon Petravick & Stephan G. Kerr, Protect Your Portable Data—Always and Everywhere, 6 J. of Acct. 30, 31 (2009) (discussing the ways in which businesspeople often fail to appropriately safeguard confidential client information).

[52] See Culnan & Williams, supra note 9, at 681-82.

[53] See McGowan & Buttrick, supra note 41, at 11.

[54] See Culnan & Williams, supra note 9, at 674.

[55] See Norman C. Simon, Brendan M. Schulman & Samantha V. Ettari, Beware the Breach: Data Breaches, Notification Duties, and Legal Liability, Lexology.com (Aug. 29, 2012), http://www.lexology.com/library/detail.aspx?g=221e63eb-ccea-4f5f-80e7-b72905037a6f, archived at https://perma.cc/9FBG-KKQY.

[56] See Adi Snir, Dealing with the Law Lag, LegalVision (May 6, 2016), https://legalvision.com.au/dealing-with-the-law-lag/, archived at https://perma.cc/7SW7-4KFE.

[57] See Peter J. Arant, Understanding Data Breach Liability: The Basics Every Attorney Should Know, 40 Mont. L. 8, 8–9 (2015) (“At the federal level, there is no comprehensive data privacy or security law. Instead the U.S. follows a ‘sectoral’ approach, meaning there are federal laws that apply to specific sectors.”).

[58] See id.; see also Comparison of U.S. State and Federal Security Breach Notification Laws, Steptoe & Johnson LLP (Jan. 21, 2016), http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf, archived at https://perma.cc/4R39-6XJQ.

[59] See Rachel M. Peters, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws, 56 Ariz. L. Rev. 1171, 1175 (2014) (“[O]nce an individual has been notified of a breach, she has limited legal recourse against the company or organization that exposed her personal information.”).

[60] See Arant, supra note 57, at 8–9.

[61] See Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936; see Arant, supra note 57, at 9 (noting that the Federal Trade Commission may bring lawsuits against companies with “lax security and privacy practices” because they are considered “unfair or deceptive practices”); see also Charlotte A. Tschider, Experimenting with Privacy: Driving Efficiency Through a State-Informed Federal Data Breach Notification and Data Protection Law, 18 Tul. J. Tech. & Intell. Prop. 45, 47, 53–54 (2015) (“Because no federal law in the United States provides a broad, comprehensive set of data breach notification or data protection requirements for all businesses and consumers, other federal administrative bodies have provided catch-all protection in some circumstances.”).

[62] See Jeff Kosseff, Cyberwars: Navigating Responsibilities for the Public and Private Sector: Positive Cybersecurity Law: Creating a Consistent and Incentive-Based System, 19 Chap. L. Rev. 401, 402 (2016) (We have “a patchwork of related laws, including breach notification and privacy statutes, that focus on penalizing companies for inadequate data security. But our legal system lacks a coordinated network of laws that are designed to promote cybersecurity and prevent data breaches from occurring in the first place.”); see also Peters, supra note 59, at 1181 (discussing various state law data-breach notification statutes).

[63] Security Breach Notification Laws, Nat’l Conf. of St. Legislatures (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx, archived at https://perma.cc/8JUS-CXX5 [hereinafter NCSL Security Breach Research].

[64] See id.

[65] Timothy J. Toohey, Beyond Technophobia: Lawyers’ Ethical and Legal Obligations to Monitor Evolving Technology and Security Risks, 21 J.L. & Tech. 1, 14 (2015) (explaining general state law requirements for data breach security in context of attorneys’ obligations to secure data).

[66] See Ind. Code § 24-4.9-2-10(1) (2014).

[67] Ind. Code § 24-4.9-2-10(2)(A)-(D) (2014).

[68] Ind. Code § 24-4.9-2-2(a) (2014).

[69] See NCSL Security Breach Research, supra note 63.

[70] See Data Breach Charts, Baker Hostetler 1, 17-18, http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf, archived at https://perma.cc/MM5K-ZRT3 (last visited Oct. 4, 2016) (providing a state-by-state survey of data breach notification requirements).

[71] See id. at 9.

[72] See id. at 9-12.

[73] See id. at 13-16.

[74] See id. at 15-16, 18-19.

[75] See Sasha Romanosky et al., Empirical Analysis of Data Breach Litigation, 11 J. Empirical Legal Stud. 74, 80 (2014) (“[I]t is the residence of the individual that drives disclosure, not the location of the breach. That is, disclosure to an individual is required only if the state in which the individual is a citizen has adopted a disclosure law.”).

[76] See Arant, supra note 57, at 10 (“Given the heterogeneous nature of state data breach notification laws, simultaneous compliance with multiple laws can be a logistical nightmare—and an expensive one at that.”).

[77] See Jill Joerling, Note, Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L. & Pol’y 467, 486 (2010) (“Congress should take action immediately to enact a federal data breach notification law.”); see also Jay P. Kesan, et al., A Comprehensive Empirical Study of Data Privacy, Trust, and Consumer Autonomy, 91 Ind. L.J. 267, 346-48 (2016) (suggesting “a complete overhaul of data privacy law[s] and the creation of [centralized] profile repository” for consumers’ data that would operate in a fashion similar to credit bureaus); Tschider, supra note 61, at 72 (“a federal statute should regulate all businesses involving consumer personal information to effectively preserve customer choice and control with respect to their information, to drive contract efficiency, and to facilitate international trade.”).

[78] See Joerling, supra note 77, at 486.

[79] See id. (“Replacing the current patchwork of . . . state laws with a single comprehensive federal law would give businesses a clear road map to follow after a breach.”).

[80] See, e.g., Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. (2d Sess. 2016) (demonstrating a proposed federal data breach law that did not pass in Congress).

[81] See Brett V. Newman, Hacking the Current System: Congress’ Attempt to Pass Data Security and Breach Notification Legislation, 2015 U. Ill. J.L. Tech. & Pol’y 437, 445 (2015) (“The patchwork state legislation and numerous bill introduced in Congress show how difficult it is to agree on breach notification and data security measures. There is likely an agreement that the United States needs a data breach law, but that does not mean that one will be passed. The problem may also come from a surplus of Congressional committees claiming jurisdiction and trying to tackle the issue—resulting in too many different bills.”).

[82] See Peters, supra note 59, at 1196. (Although Peters analyzes an earlier draft bill, the Data Security & Breach Notification Act of 2013, her criticism holds true for the Data Security Breach Notification Act of 2015.)

[83] See id.; see also Tschider, supra note 61, at 74-75 (emphasizing the need for a federal law that focuses on data protection in addition to data breach notification: “Having clear data protection standards will dramatically reduce uncertainty for consumers and business, as standard data protection requirements will be articulated and required for implementation . . .”); see also Andrea Peterson, Why this National Data Breach Notification Bill has Privacy Advocates Worried, Wash. Post (Apr. 15, 2015), https://www.washingtonpost.com/news/the-switch/wp/2015/04/15/why-this-national-data-breach-notification-bill-has-privacy-advocates-worried, archived at https://perma.cc/C9U3-S3W3 (noting that consumers could have fewer protections under Data Security Breach Notification Act of 2015 than they have under existing state laws).

[84] See Kosseff, supra note 62, at 403 (arguing that laws should create incentives through tax credits and litigation safe harbors to encourage businesses to invest in cybersecurity infrastructure; rather than focus solely on penalties for data breaches).

[85] See Ponemon Inst., 2016 Cost of Data Breach Study: United States, IBM, 1, 3, 13 (2016).

[86] See Peters, supra note 59, at 1193.

[87] See id. at 1197 (noting that a national data breach law that gives consumers a private right of action or requires mandatory credit monitoring “will be an incentive for companies to minimize data breaches.”).

[88] See, e.g., Nicole Hong, For Consumers, Injury Is Hard to Prove in Data-Breach Case, Wall St. J. (June 26, 2016, 8:06 PM), http://www.wsj.com/articles/for-consumers-injury-is-hard-to-prove-in-data-breach-cases-1466985988, archived at https://perma.cc/F3VF-8LKD.

[89] See Baker Hostetler, supra note 70, at 16–18.

[90] See Kesan et al., supra note 77, at 277 (noting that “many other states merely require companies to notify customers of data breaches and the relevant statutes do not create any additional duties or entitlements.”).

[91] See also Thomas Martecchini, A Day in Court for Data Breach Plaintiffs: Preserving Standing Based on Increased Risk of Identity Theft After Clapper v. Amnesty International USA, 114 Mich. L. Rev. 1471, 1474 (noting that courts are divided on “whether increased risk of identity theft is an injury-in-fact sufficient to create standing…”).

[92] See Peters, supra note 59, at 1185 (discussing various common law theories available to consumers for data breach).

[93] See id. at 1185-87 (“[A] principle reason that civil causes of action in data-breach cases are rarely successful is the difficulty consumer data-breach victims have in meeting the standing and injury requirements.”).

[94] But see Kesan et al., supra note 77, at 344 (discussing the various types of harm that result from loss of control over personal data, “including dignitary harms; a chilling effect from law enforcement having too much control over individual expression; and circumstances that interfere with an individual’s ability to exercise freedoms or develop a sense of self-determination.”).

[95] See, e.g., Gunkel v. Renovations, Inc., 822 N.E.2d 150, 154 (Ind. 2005) (holding that economic losses are not recoverable in a tort action premised on the failure of a product or service to perform as expected unless the failure results in personal injury or physical harm to property other than the product; proper remedy sounds in contract).

[96] See Peters, supra note 59, at 1186 (discussing data breach cases dismissed on economic loss grounds).

[97] See id. at 1187 (discussing split of authority with regard to whether consumers have standing to bring suit in data breach cases).

[98] See, e.g., Remijas v. Nieman Marcus Group, LLC, 794 F.3d 688, 691–92 (7th Cir. 2015) (holding that standing requires a litigant to show a concrete injury that is causally linked to the defendant’s conduct and can be redressed by the court).

[99] See id.

[100] See Peters, supra note 59, at 1189–92 (collecting cases addressing standing and injury-in-fact in context of data breach litigation).

[101] See id.; see also Martecchini, supra note 91, at 1474 (noting that courts are divided on “whether increased risk of identity theft is an injury-in-fact sufficient to create standing…”).

[102] See Michael D. Simpson, All Your Data Are Belong to Us: Consumer Data Breach Rights and Remedies in an Electronic Exchange Economy, 87 U. Colo. L. Rev. 669, 685–86 (2016) (discussing difficulties of applying common law tort theories to data breach cases).

[103] See Peters, supra note 59, at 1188 (“[I]f a person is the victim of two or more data breaches in which similar personal information is stolen and that information is not used until years later to harm her, it may be difficult for the victim to demonstrate which breach was the source of the information used.”); see also Newman, supra note 81, at 440 (“proving that a customer lost money due to a specific breach can be difficult.”).

[104] See Peters, supra note 59, at 1192–93.

[105] See generally Jeff John Roberts, This Court Ruling Just Made It Easier to Sue Companies That Get Hacked, Fortune (July 29, 2015, 7:00 PM), http://fortune.com/2015/07/29/data-breach-7th-circuit/, archived at https://perma.cc/C4ZT-SQD7 (discussing the hurdles victims of data breaches face when trying to sue).

[106] See Simpson, supra note 102, at 698 (observing that “the average consumer is essentially at the mercy of a breached entity’s largesse to gain any recompense for stolen data.”).

[107] See supra Part II; see also Martecchini, supra note 91, at 1473 (noting that while many businesses are implementing data protection plans, “many other businesses still remain in denial about the threat of data breaches, either failing to implement any data-security changes or making only nominal modifications.”).

[108] See Pierluigi Paganini, Preventing and Recovering From Cybercrime, Tripwire (Nov. 4, 2014), http://www.tripwire.com/state-of-security/incident-detection/preventing-and-recovering-from-cybercrime/, archived at https://perma.cc/PYB7-VKN5.

[109] See Panko & Panko, supra note 19, at 92.

[110] See id.

[111] See id.

[112] See Paganini, supra note 108.

[113] See DC Metro Cyber Security Summit, The CyberWire (June 3, 2015), https://www.thecyberwire.com/events/dc-metro-cyber-security-summit-2015.html, archived at https://perma.cc/Z4XN-M6NK.

[114] See, e.g., Panko & Panko, supra note 19, at 116–23 (discussing various forms of firewalls, their strengths, and their weaknesses).

[115] See id. at 124.

[116] See, e.g., Third Party Monitoring – Vendor Monitoring, ObserveIT, http://www.observeit.com/solutions/third-party-monitoring, archived at https://perma.cc/P3SX-SW4W (last visited Sept. 23, 2016) (illustrating the monitoring services that a third party security company provides).

[117] See Paganini, supra note 108.

[118] See Verizon Report, supra note 21, at 17.

[119] Id. at 18.

[120] See generally Jerry Fitzgerald, Alan Dennis & Alexandra Durcikova, Business Data Communications and Networking 362 (11th ed. 2012) (noting that security policies should explain to employees how to control the risk of intrusion).
