Cybersecurity Risk Shifting
The Change Healthcare cyberattack of 2024 paralyzed the health care system for months, creating an exceedingly far reaching and devastating impact on providers, suppliers, and patients across the country. While the scope of the attack was unprecedented, the cyberattack itself was not new, unique, or isolated. Indeed, this attack came just months after the close of a year in which the United States’ Department of Health and Human Services’ Office for Civil Rights (OCR) recorded the highest number of reported breaches of protected health information and the highest number of breached records. With a medical record fetching nearly four times the cost of a Social Security number and nearly twenty times the cost of a credit card number on the dark web, hackers have turned an increased focus to health care companies that store, maintain, or process protected health information for their activities. As a result, ransomware attacks and other phishing scams now account for the highest cause of data breaches under the Health Insurance Portability and Accountability Act (HIPAA), with OCR realizing a 239 percent increase in hacking-related data breaches since 2018 and 278 percent increase in ransomware attacks during that same time. The reasons for this exponential growth are multifaceted, but one important factor to consider is that although there are aggressive laws criminalizing cyberattacks and theft of electronic data, finding and prosecuting hackers for their activities has become exceedingly complex. Due to the challenges of catching the actual criminal actors, legislators, regulators, and individuals are shifting their focus to the entities experiencing the breach. 
Certainly, health care companies are not always entirely blameless in these situations, as lack of employee training, challenges with patching known vulnerabilities, and not following industry best practices regarding system security, among other things, lead to system vulnerabilities making it potentially easier for hackers to get into systems. That said, one cannot forget that a sophisticated criminal enterprise with malicious, deliberate intent is the primary “bad actor” in these attacks. In considering statutory, regulatory, and litigation approaches to curb the exponential growth of cyberattacks, there does need to be a focus on the health care companies themselves to ensure they are following applicable security practices to reduce the ongoing criminal activity. These legal approaches should not, however, shift all focus and liability away from capturing and prosecuting the elusive criminal hackers. A shift that assigns all liability to health care companies in a way that adopts a negligence per se approach contrary to the usual principles of premises liability will detract from support that health care companies need to take appropriate action and will result in increased costs in the system, which ultimately impacts patients and the public. Thus, all new legislative, regulatory, and judicial approaches to addressing cyberattacks should strike the right balance between holding health care companies accountable for the great responsibility they have in protecting patient data while not losing sight that fighting the real cause of these attacks—the criminal hacker—will require cooperation and coordination of all parties. This Article provides an overview of the growing problem of ransomware attacks in the health care sector, examining the existing laws utilized most frequently to address these attacks.
In considering current regulatory, legislative, and judicial approaches being contemplated, this Article argues that although health care companies should not be seen as victims in the same way as the individuals whose data has been compromised, a statutory, regulatory, or judicial scheme that shifts blame and responsibility entirely to the health care companies will not adequately address the problem and will simply increase costs and expenses to health care consumers. Therefore, any legal approaches to addressing the problem must be balanced—recognizing some responsibility on the part of health care companies in shoring up systems and processes to make their data less vulnerable while simultaneously providing adequate guidance and support to assist entities in combatting cyber risk in coordination with state and federal agencies.
Destroy, Rebuild, Repeat: How to Break the Climate Disaster Cycle
Climate change is fundamentally reshaping how we live, where we live, and whether we invest in or retreat from climate-exposed communities—but climate and disaster law is not changing with the climate. This legal latency is driven by antiquated statutes, doctrines, and policies that have not kept pace with the climate moment. Ex ante adaptation decisions governing where to live are life and death choices that shape ex post disaster response. Laws and policies should facilitate sound climate decisionmaking, but too often they frustrate individual and governmental decisions on whether to stay or retreat. In this Article, I argue that laws designed for a different physical environment, an environment more stable than the one we currently have, harm our ability to respond to climate-induced disasters.
What is our national adaptation strategy to counteract the climate crisis? We do not have one. What we do have can be described as “unmanaged retreat”—a reactive, disjointed, and ad hoc “strategy” that exacerbates inequalities. Unmanaged retreat also traps communities in a cycle of repeated rebuilding after climate-induced destruction. This “strategy” stands in stark contrast to what climate change demands: proactive, forward-looking, and innovative laws and policies that address climate risk. Achieving a more effective legal framework begins by dismantling legal barriers and breaking the destroy, rebuild, repeat cycle.
This Article provides a new normative framework to break the climate disaster cycle. Legal evolution will require a shift away from a reactive “destroy, rebuild, repeat” model to a systematic, proactive “inform, retreat, suspend” strategy. This transformation favors information (by increased transparency with the public about climate risk), retreat (by voluntary buyouts from climate hazard zones), and suspension (by halting governmental services). Our ability to make this legal shift will determine future adaptation and disaster progress.
The Wages of Constitutional Interpretation
The future of constitutional interpretation is a dynamic amalgam of knowns and unknowns. This article explores three. First, an unknown known: the Court’s embrace of formal equality methodologies, more than originalist methodologies, is driving current conservative changes in constitutional law and ushering in a stale and acontextual bent to constitutional rights. Second, another unknown known: both the Court’s equality and originalist methodologies serve to jettison the longstanding and widespread use of intermediate scrutiny and thereby push the level of protection for rights to the extremes. Finally, a known unknown: the Court’s embrace of hyper-formal equality and originalist rules transfers hegemonic power over constitutional interpretation to the judiciary at great risk. Given that the Court’s power over constitutional interpretation derives from its popular legitimacy, methods of constitutional interpretation that are divorced from popular input and consequences jeopardize the very power of judicial review.
Chevron Was Not, and Cannot Be, Overruled: The Dullness of Loper Bright
As expected, the Supreme Court declared, in Loper Bright Enterprises v. Raimondo, that Chevron is overruled. The Court was notably vague about the principle that would replace it, declaring that courts must exercise their independent judgment in deciding whether an agency has acted within its statutory authority, but providing little guidance about how this crucial task should be performed. This is an obvious defect in an opinion with innumerable defects, but the problems with the Court’s decision go well beyond its specific flaws. The Court did not understand the decision that it claimed to overrule. Chevron is not simply a pro-administrative approach to statutory interpretation that the Court can condemn and brush aside. Rather, the decision is a major conceptual advance. Chevron is the first clear judicial recognition that statutory interpretation is the initial and invariably necessary stage in the process by which administrative agencies enforce the law. In other words, Chevron revealed a reality, a factual situation that the Court is powerless to alter, however much it may desire to do so.
Data-Driven Police Profiling
Police departments increasingly rely on algorithms and other data-driven methods of identifying high-crime areas and people who are at high risk for involvement in crime. This Article examines several constitutional obstacles to this type of policing. First, to the extent that these algorithms rely on data entitled to privacy protection, they may violate the Fourth Amendment. Second, the steps police take in response to a hot place or person designation must also be subject to constitutional regulation. Further, the principle of legality should prohibit the police from acting on any risk designation, even one that is very likely accurate, in the absence of direct observation of risky conduct. For the same reason, and to combat the influence of racially based dirty data, algorithm developers must finely tune both the inputs and outputs of their profiles. Finally, a failure to disclose the inner workings of a predictive algorithm may violate the Confrontation Clause. Combined, these legal concerns could well spell the demise of profile-driven policing.
NetChoice, Regulatory Competition, and the Real Battle Behind Social Media Regulations
Regulating online social media platforms has been a fiercely debated issue for years. The NetChoice case decided by the US Supreme Court 2023 Term arises from a circuit split regarding Florida and Texas laws that regulate social media content moderation. Most discussions on regulation of social media content moderation have focused on whether social media platforms are speakers (editors) or carriers (conduits), and whether their moderation practice constitutes editorial judgment (i.e., protected speech). This Article argues that this framing of the debate ignores another more important role of social media platforms—as regulators. Platforms, when they enact and enforce their content rules, are regulating the speech of users. When the government prescribes how platforms should moderate content, it is using its public regulatory power to preempt the platforms’ private regulatory power.
In the social media context, regulatory competition and preemption among state or national governments are common. Different powers are trying to shape the platforms according to their own normative visions of free speech. However, there exist multiple and competing visions, the two most prominent of which are the US vision and the European Union vision. Hence, the real concern of the Texas and Florida laws is not that they are content-based, but that they have imposed one particular vision of free speech values upon the global “public square,” a place that is characterized by legal and cultural pluralism. Accommodating such value heterogeneity and conflict is not easy. This Article proposes three possible ways forward: (1) a judicial approach that embraces open-ended balancing instead of strict categoricalism; (2) an administrative approach that nudges procedural governance by platforms and democratic participation by users; and (3) a technological approach that aims to decentralize the structure of social media.
Transforming the World with Reparations
This special issue of the American Journal of International Law—devoted entirely to reparations in international law—offers a range of perspectives on reparations for large-scale harms relating to colonialism, slavery, industrialization, and transboundary pollution. As the symposium authors describe, the gap between the reparations that justice might demand and the ones that international law provides is enormous. The international law for reparations does not come close to remedying such harms and is not poised to do so anytime soon.
Putting Police Body-Worn Camera Footage to Work: A Civil Liberties Evaluation of Truleo’s AI Analytics Platform
This Article summarizes findings from a civil liberties evaluation of Truleo, an AI-powered analytics platform designed to automate the review of police body-worn camera (BWC) footage. It includes a summary of how Truleo’s platform works, policy choices made by the company, and our assessment of safeguards and risks of the platform from a civil liberties perspective. This Article also offers a series of recommendations for policymakers considering the adoption of Truleo or similar technologies. These include the necessity for independent testing of claimed benefits, democratic authorization for deployment, and ongoing transparency and public input around the platform’s design and operation. Importantly, this Article argues that BWC footage should be treated as civic data owned by the public, not the police, to enable wider access and use for purposes such as research, oversight, and the exploration of alternative public safety approaches. Generalizing beyond Truleo, we note that despite their cost, explosive growth, and the incredible amount of personal data they capture, BWCs are significantly underregulated by law, with many critical policy choices left to the law enforcement agencies that use the technology. As a result, the use of the technology has shifted away from its original impetus (to improve outcomes for members of the public interacting with the police and to provide transparency and accountability when things go wrong) and increasingly toward an investigative tool. But we view BWC as the largest collection of data on policing in existence, and one that has been woefully underutilized as a tool for evaluating and improving policing, thus leaving much of the value of our nation’s investment in BWCs untapped. AI technologies like Truleo can rebalance the scales by automating the review of this BWC footage, but we worry that Truleo’s full potential will never be achieved so long as police retain sole control of the data.
Accordingly, we emphasize the need for proactive policymaking by legislators to ensure that emerging AI analytics technologies serve the public interest and help realize the benefits of the significant public investment in BWCs.