The last year has been pretty productive for me. Professionally, I think I’m going the right direction. I wrote my first solo article, which was offered a spot in a law review. But that’s not really the first thing that comes to my mind.
At various points through the day, I find myself chuckling. Well, it’s not really a chuckle. It’s a short laugh that exits through my nose in one staccato burst. “I had two cancers last year,” I say to my husband. If I don’t continue, he’ll reply “And then two trees fell on our house.” It’s like a call and response.
Saying these things perhaps brings me closer to “dealing” with them. Or maybe I have dealt with them but not accepted them. Or maybe I’ve accepted them but it doesn’t quite click. I know what’s going on. Life happens. Unfortunate things are a part of that.
Earlier today, I remarked to my husband about how my hair is so poofy. Every day, it’s just a little longer than the day before. When it was coming out in clumps during chemo, I had him cut it short. I bought wigs. I wore a wig to the AALS hiring conference last year when I was trying for the third year in a row to get an academic job. The first full day, I had my wig situated just a little wrong, and I had a headache by the end of the day. I’m a few months beyond “the shortest my hair has ever been” but I still run my hands through it and marvel at the way it grows out straight and then holds itself up by curling against my scalp. I developed a streak of grey in my hair when my immune system decided to attack the mole on my scalp about ten years ago. My husband said that my grey streak looks super badass at this length.
How did I get through all of this mess? I still wonder. The most important thing to me, though, has been perspective shifting, which I think is subtly different from spotting the “silver lining.” When the doctors told me I had a rare T-cell disorder, one of my first thoughts was “Cool, my data might benefit researchers.” When I had a painful gout flare on my first day of chemo, I shifted my perspective temporally. I said to my husband “Remember that time when I had a gout flare the same day I started chemo and you had to push me around the clinic in a wheelchair? That sucked but we got through it.” When I heard the crash and saw the tree that had just destroyed my deck, I immediately called our insurance company to start a claim. And then I shifted my perspective, because “New roof and new deck, 2019” will look really good on a listing once we sell. That didn’t fix the damage or remove the 50+ year old Douglas Fir, but I was taking it one step at a time, planning for those steps to eventually lead to closure.
Overall, my philosophy has been “This too shall pass.” It might pass like a kidney stone, but it’ll pass. I didn’t realize until a few years ago that I have a very obvious, textbook case of post-traumatic stress disorder. Well, except for the part in the DSM-V or whatever they’re on now that requires comparison to mental states before the trauma. I had no before, because cystograms were part of my life before I was even forming accessible memories. So I have PTSD brought on by repeated medical trauma in childhood, and it made me surprisingly good in a crisis.
Last year, I was diagnosed with primary cutaneous anaplastic large cell lymphoma. I had a swollen lymph node in addition to some spots on my back. Because I’m a kidney patient already, my doctors wanted to have the lowest impact imaging possible, so I got a PET scan that also identified a tumor in my thyroid. Then there was the needle biopsy, which was unpleasant, because when someone tells you not to swallow because they’re sticking a needle right next to your trachea, you suddenly realize how many times you swallow without thinking about it. The swollen lymph node matched with the ALCL that they found on my back, and the extra glowing bits in the PET scan were just standard, common thyroid cancer. And I still felt about as lucky as someone can be and still have two cancers.
First step was surgery. I told my husband “Until I have surgery, I’m only dealing with one cancer. After surgery, I’m only dealing with one cancer.” Alas, it was not quite to be. The thyroid surgery went okay, except one of the tumors was stuck to my trachea, so the surgeon had to very carefully scrape it off. So I had chemotherapy for the ALCL and then took a radioactive iodine pill to take care of any leftover cells.
And now I’m dissociating. This is why I think that I haven’t fully dealt with my situation. Because when I start to devote specific time and energy to thinking about it, writing about it, I get woozy, my body temperature goes up, and my head starts buzzing more than it was before. So I’ll take that as a biological sign to stop writing for now and leave further reflection on cancer for later.
Cell phones. They’re so convenient these days, right? Gone are the days of playing Snake on a Nokia flip phone while waiting at the DMV. The average smart phone has dozens of apps installed. I can browse social media, stream movies, check email, and check the status of any of my Internet-connected devices at home. While I’m changing my thermostat from across town, my service provider is routing the data from cell tower to cell tower. With the push notifications that a lot of apps use to stay updated, cell phones are often yelling back and forth at the nearest cell tower, whether we’re using the phone at the moment or not. Smart phones give data more mobility, and in exchange for that mobility, providers know our movements.
This week, Motherboard reported that telecommunications companies have been tricked into giving up cell site location data to people who lied about being police officers. John Letcher Edens worked in debt collection as a skiptracer, which is a person who specializes in tracking people down. One of his methods was to pretend to be a U.S. Marshal and claim that there were exigent circumstances, and that he needed real-time location data for this cell number immediately. The fellow skiptracer who reported him to police posted her own account of the story in 2015.
In January, the same Motherboard reporter exposed the practice of cell service providers selling cell site location data to bounty hunters. So just so we’re clear, some service provider employees don’t need to be tricked into disclosing cell site data; they can also be bribed. But is it really bribery if it’s not illegal to share that data anyway?
This brings me to one of my favorite talking points: The Electronic Communications Privacy Act Is A Hot Mess.
The Electronic Communications Privacy Act has three major parts: the Wiretap Act, the Pen Register Act, and the Stored Communications Act.
The Stored Communications Act addresses the voluntary disclosure of communications under Section 2702, and the compelled disclosure of communications under Section 2703.
In Section 2703, some information can be sought using an order that, in terms of the showing required, is less than a warrant but more than a subpoena. These are often referred to as 2703(d) orders. The general rule in the SCA is that a warrant is needed for most content information. A subpoena is sufficient for some non-content information, like billing address (2703(c)(2)). In Carpenter v. United States (2018), the Supreme Court held that 2703(d) orders are not sufficient for historical cell site location data. So get a warrant.
The idea of selling cell site location data is relevant to the voluntary SCA provisions in 2702. Section 2702(a) reads:
(a) Prohibitions.—Except as provided in subsection (b) or (c)—
(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and
(2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service—
(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service;
(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing; and
(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.
You can see that 2702(a)(1) and 2702(a)(2) are limited to content. Section 2702(a)(3), on the other hand, only addresses disclosures made to governmental entities. This disclosure of records is further qualified by exceptions in 2702(c).
(c) Exceptions for Disclosure of Customer Records.—A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a)(1) or (a)(2))—
(1) as otherwise authorized in section 2703;
(2) with the lawful consent of the customer or subscriber;
(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency;
(5) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A;
(6) to any person other than a governmental entity; or
(7) to a foreign government pursuant to an order from a foreign government that is subject to an executive agreement that the Attorney General has determined and certified to Congress satisfies section 2523.
But again, those are exceptions to the general rule that customer records cannot be shared with governmental entities. It doesn’t say anything about bounty hunters or debt collectors. If any citizen wants to get a full record of where a particular device has been during a particular time period, they can just ask. Because historical cell site location data isn’t content, voluntary disclosure doesn’t put the service provider in any legal jeopardy.
Historical cell site location information thus poses a bit of a problem in the law. Compelled production requires a warrant, and thus probable cause. But voluntary disclosure to private citizens is not addressed by the SCA. John Letcher Edens was indicted on seven counts of impersonating a federal officer, which he did to trick providers into sharing real-time location data. Using stored data and guessing based on patterns might have been easier on his criminal record in the long run. Instead, Edens exploited procedures for obtaining real-time non-content information with the Pen Register Act.
The ECPA needs another look. The content/non-content distinction is overrated and outdated. The Supreme Court’s decision in Carpenter highlights the flaws with the assumption that content data should be entitled to more protection than non-content data. Carpenter also calls into question the assumption that the process for pen registers provides adequate protection for real-time location information.
Is that really the title I’m going with? Yes, I think it is.
Today’s post is a work in progress. I spotted something that interested me, but I am not an expert on gaming law, so my position on this is likely to evolve. Basically, there’s an interpretive mess concerning the regulation of online gambling that is not sports-related. In 2011, a memorandum opinion by Assistant Attorney General Virginia Seitz reinterpreted the Wire Act to not apply to in-state lotteries where some of the transmissions occur across borders. Because lotteries were not “sporting events or contests,” the reasoning went, it did not violate the Wire Act to transmit information using facilities operating in interstate commerce. This interpretation was overturned in 2018 by the Department of Justice.
The Wire Act is a federal law codified at 18 USC 1084. It reads in part:
(a) Whoever being engaged in the business of betting or wagering knowingly uses a wire communication facility for the transmission in interstate or foreign commerce of bets or wagers or information assisting in the placing of bets or wagers on any sporting event or contest, or for the transmission of a wire communication which entitles the recipient to receive money or credit as a result of bets or wagers, or for information assisting in the placing of bets or wagers, shall be fined under this title or imprisoned not more than two years, or both.
For some reason, I enjoy statutory interpretation, so let’s play with this one a bit. I don’t have formal training in diagramming sentences, but that one is a doozy, innit?
WHOEVER – The subject of our sentence is Ms. Whoever, who is in “the business of betting or wagering.” Against legal advice, Ms. Whoever uses an interstate-operating “wire communication facility” to transmit bets and wagers “on any sporting event or contest.” Ms. Whoever also transmits information to help people place bets on “any sporting event or contest.” Ms. Whoever further uses these interstate transmission methods for notifying recipients about their winnings. Ms. Whoever also uses interstate transmission methods to transmit “information assisting in the placing of bets or wagers.”
Seitz’s 2011 memorandum said that lotteries are not “sporting events or contests” and therefore the Wire Act is not implicated by state lotteries that use out of state facilities to process in-state transmissions related to the lottery.
So just as a quick rewind, there’s a law about transmitting information about gambling, and for a few years, it was interpreted as only referring to sports gambling, supposedly facilitating the growth of the online gambling industry in all other areas. This interpretation was opposed quite adamantly by those already established in the casino industry. The interpretation was reconsidered and overturned in 2018.
One of the key parts of the disputed interpretation is the third clause, which refers to information on placing bets and wagers. A couple of commas above that, there was another prohibition about transmitting information on placing bets and wagers, but that clause specifically refers to sporting events and contests.
Even if it had been limited to sporting events or contests, why wouldn’t it have applied to online poker? ESPN covers poker tournaments! And (un)surprisingly, “sporting events or contests” is not defined in the statute. Why, then, did the Seitz memo and subsequent interpretations seem to assume that “sporting” modifies both “events” and “contests”? Referring to something as an “event” presumes a focus on the spectator, while referring to something as a “contest” presumes a focus on the participant. A contest, however, is not inherently about sports. There are beauty contests, and some games of chance are called contests.
For now, the Department of Justice is back to interpreting the Wire Act to apply to gambling-related transmissions on the Internet for non-sports betting as well. The fuzzy line between sporting events and contests, though, may appear in future discussions of statutory construction.
I was pretty busy in 2018, which is a story for later. One of the things that I did with my time was I spent months digging through every state data breach law to compare them. In this entry, I am summarizing some of the observations that I made during this study.
I put this together as a snapshot of some of the common elements:
Analysis included fifty state laws, the data breach law of the District of Columbia, and a model data breach law proposed by a private organization. Progress was tracked in a spreadsheet. Linguistic analysis led to the creation of 121 columns, which can be placed into eight categories: 1) General information; 2) Enforcement; 3) Notification requirements; 4) Security requirements; 5) Personal information; 6) Breaches; 7) Interaction with other laws; and 8) Miscellaneous.
Data breach laws should address prevention. Encryption is a bare minimum practice that almost all states include in their data breach laws. Wyoming is the singular exception, as the language of the Wyoming statute only refers to redaction of personal information, not encryption.
State data breach laws that address prevention may also do so by requiring reasonable security practices, as sixteen states do, or by addressing the disposal of records, as is the case in twenty-three states. Records disposal can be and often is addressed elsewhere in a state’s code, but for this study, only records disposal provisions that were in the textual proximity of data breach laws were counted. Nevada is one of the states that requires some reasonable security practices, but Nevada also goes further by exempting entities from data breach liability if they comply with the security requirements and if the breach incident was not caused by gross negligence.
Of the sixteen states that require the adoption of reasonable security practices, eight states also require covered entities to ensure that third parties they send data to have reasonable security measures. Oregon does not address data transfers broadly, but requires “service providers” that work with the covered entity to be subject to contract terms requiring safeguards and practices to protect personal information.
Massachusetts (201 Code of Mass. Reg. 17.04) and Oregon (Or. Rev. Stat. § 646A.622) have the most detailed security requirements among state data breach laws. Of the two, Massachusetts is more detailed about technology, and Oregon is more detailed about administrative protocol. Massachusetts requires secure authentication protocols, secure access control measures, encryption, ongoing monitoring of systems that contain personal information, firewalls to protect systems that contain personal information, up-to-date antivirus software, and employee education on the security of personal information. Oregon requires three categories of protection: administrative safeguards, technical safeguards, and physical safeguards. Administrative safeguards include employee training, regular review of user access privileges, and risk management practices. Technical safeguards include security updates, regular tests of the effectiveness of security, and requirements to monitor, detect, prevent, and respond to cyberattacks and system failures. Physical safeguards include relevant risk assessment, monitoring, and safeguards for the disposal of records.
Data breach statutes are activated by security events. In analyzing statutory language, attention was paid to how the statutes defined a breach of security. A majority, 28 of 51, referred to a breach as an incident that “compromises the security, confidentiality, or integrity” (SCI) of protected information. Seven states require that the incident “materially” compromises the SCI of protected information. Eight states omit data integrity as a factor. In two of those eight, the incident must materially compromise the security or confidentiality of protected information. Eight other states do not include SCI language in their definition of a breach of security.
A wide majority, 50 of 51, tie breaches to the unauthorized acquisition of protected data. Sixteen states tie breaches to the unauthorized access to protected data. Of those sixteen, New Jersey is the only one that does not also connect breaches to unauthorized acquisition. Maine and North Carolina include the unauthorized release of information in their breach definitions, and unauthorized use is part of the breach definition in both Maine and Massachusetts. Alabama, New York, and Vermont include some guidelines for determining whether protected information has been subject to unauthorized acquisition.
Data breach laws are almost always focused on the breach of personal information that could facilitate identity theft. The standard formula is last name and first initial plus a social security number, driver’s license number, or financial account information and the means to access that account, such as a password or PIN. Biometric data is included in the definition of personal information in a minority of states, including Arizona, Colorado, and Illinois. In Connecticut, biometric data is listed as a protected type of “confidential information” in section 4e-70, which pertains to state contractors who receive confidential information, but NOT as a type of “personal information” under section 36a-701b, which is the state’s primary data breach law. Delaware and Wisconsin include not just biometric indicators, but also an individual’s DNA profile as an example of personal information.
Most data breach laws are based on notifications at this time. Recurring questions include:
Who sends the notice?
Who gets the notice?
What information must the notice include?
When must the notice be sent?
How is the notice sent?
How does the data breach law interact with other data privacy laws?
The party most likely to be subject to a data breach law’s requirements is the data owner. Most of the data breach laws in the United States require third parties who maintain data owned by someone else to notify the data owner in the event of a breach, and then it will be the responsibility of the data owner to follow the notification requirements. Data owners are thus generally responsible for notifications, even if the data owner entered into an agreement with a third party to process or store some of its data.
In a minority of states, the data breach law appears to not apply to breaches of government systems. New Mexico is the only one that explicitly states that the data breach provisions do not apply to government agencies (N.M. Stat. § 57-12C-12). Most of the other laws in this category instead use language referencing business and exclude government agencies by implication. In Connecticut, there is a data breach law that applies to state contractors (Conn. Gen. Stat. § 4e-70), and the primary data breach law applies only to persons doing business in the state (Conn. Gen. Stat. § 36a-701b), so breaches at the state agencies themselves seem to not be subject to either set of requirements. Some states that subject government agencies to the same notification requirements do so in a separate section specifically about government data breaches.
There are three main recipients of data breach notifications: the consumer, the state Attorney General, and credit reporting agencies. State data breach laws always address notification to the information subject, as this is part of the laws’ fundamental purpose. Thirty-two states require notification also be submitted to the AG’s office or other government agency. While most states allow the AG notification to be made at the same time as the notice to consumers, Maryland and New Jersey both require the AG to be notified before the consumers are notified.
One of the points where states differ is when a notification requirement is triggered. Commonly, a data breach law’s notification requirements will not apply in the absence of a certain type of risk or injury. The data breach laws of nine states are written broadly enough that the notification requirement appears to be triggered by the mere inclusion of personal information in a breach, but most states require something more. In thirteen states, the data holder must notify when the compromised information has or could result in identity theft or similar fraud affecting the information subject. Eighteen breach notification laws are triggered when the breach creates a risk of harm for the information subject. Most of the states that focus on harm look for a reasonable risk of harm. The requirement in Alabama, though, is triggered by a substantial risk of harm, and the requirement in South Carolina is triggered by a material risk of harm. Notification requirements in Arizona and Iowa are triggered based on the likelihood of financial harm specifically (Arizona 18-552; Iowa 715C.2). In Wyoming, a breach is defined as including an unauthorized data acquisition that “causes or is reasonably believed to cause loss or injury” to a state resident (Wyoming 40-12-501). Fourteen states focus on the risk of misuse of the information rather than harm or identity theft. Only eleven states require data owners to document instances where they determined that a notification was not required.
A failure to notify data subjects of a breach in a timely manner is generally considered to be a violation of a data breach law. Thirty-two of the data breach laws analyzed for this article (31 states plus DC) do not provide a specific timeframe, instead requiring the notice to be made without unreasonable delay. Texas requires notifications to be sent “as quickly as possible,” while New Hampshire uses the language “as soon as possible.” The unreasonable delay language is preferable to the latter two, because it allows for reasonableness considerations to be a factor in enforcement.
Forty-two of the analyzed data breach laws include language suggesting that a reasonable delay would include time to recover from the breach. This is commonly phrased to include time to determine the scope of the breach and time to restore system integrity. All of the analyzed data breach laws included explicit language allowing for delays due to a law enforcement investigation related to the
clock” for data breaches often starts running at the discovery of the breach.
As noted above, thirty-four data breach laws use flexible language for notification deadlines, most commonly “without unreasonable delay.” The other sixteen are divided across 30 days, 45 days, 60 days, and 90 days. As the below figure shows, 45 days is the most common deadline.
Figure 2. Deadlines for notification
There are some states that require the data owner to investigate the data breach, and subsequent deadlines may be based on the date that investigation is completed. Maryland, for example, requires a “reasonable and prompt investigation” (Maryland 14-3504). The notification clock in Maryland starts upon completion of this investigation. Maryland is one of the states that does not use “without unreasonable delay” language, instead requiring that notices be sent within 45 days. Many other states reference investigations by the data owner without creating a formal requirement.
Data breach laws also differ in how they address interactions with other laws. There are four major sources of law that data breach laws might address: consumer protection law, contract law, local law, and federal law. Twenty-four of the analyzed data breach statutes say that a violation of the data breach law is an unfair or deceptive act or an unlawful trade practice under state law. Texas also references the state deceptive trade practice law, but only for a violation of the prohibition on unauthorized possession or use of personal information. Seventeen data breach laws emphasize that the requirements of the data breach law cannot be waived by contract, and seven data breach laws explicitly state that the data breach law preempts local ordinances. Data breach laws vary on which federal laws or guidelines they address, but two common players are the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). The GLBA addresses data privacy issues affecting financial institutions, and HIPAA concerns medical information.
Interaction with federal law and privacy standards gets a little linguistically sticky. Thirty-four data breach laws indicate that if the data owner is regulated by the specified laws, compliance with those laws counts as compliance with the data breach law. In six data breach laws, the language indicates that entities are exempt from application of the law if they are regulated by and comply with other specified laws. Twelve data breach laws use broader language that seemingly allows for an exemption from the data breach law just for being regulated by specified laws or entities. Three of those, though, limit the exemption to the requirement to notify credit report agencies (CRA) about the breach. The data breach laws of New Hampshire, West Virginia, and the District of Columbia say that the CRA notification requirement does not apply to entities regulated by Title V of the GLBA, which also addresses CRA notifications. Similarly, California’s exemption only applies to the provisions about data security. These exemptions apply to entities regulated by California’s Confidentiality of Medical Information Act, California’s Financial Information Privacy Act, and HIPAA (Cal. Civ. Code § 1798.81.5). Outside of data security requirements, other references within California’s law follow the more common “compliance there is compliance here” model.
More detailed analysis is available in the posting on SSRN.
None of the information in this post constitutes legal advice.
A funny thing about “being” a writer is that you are able to constantly reaffirm your status merely by writing. I am also a lawyer, which requires a higher standard of proof. In law, reaffirming your status mostly involves giving the state bar association money every couple of years… And also dropping $500 on Continuing Legal Education when you realize that your CLE credits are due in one month and you haven’t taken adequate advantage of the free credits that are occasionally available.
Being an academic is similar to being a lawyer, but much harder to quantify. There is no annual membership renewal, unless you count the application fees for AALS if you’re chronically on the market (*raises hand*). There is a high barrier to entry, especially for those of us who chose law schools based on scholarship offers instead of placement.
This space is intended to be a way for me to learn how to take up more space. I hate attention. I have always hated attention. One day, I’ll scan some of my earliest examples of this in a fit of exhibitionist irony. The main reason I am able to reveal any personal thoughts here is that I am going to continue to operate on the assumption that no one will read anything I write.
There is a Little Golden Book at my parents’ house that is about a little girl who lives on a farm. At some point, my parents decided to paint white out over the girl’s name and write my name instead. The character’s name was probably Karen or Sue or something, but now and forever more, she is Carol to me, her name written in ballpoint over bumpy white out. It made me uncomfortable. I didn’t like having this story character named after me.
I never told them how I felt about it though, which of course came back to bite me later.
I think it was for my eighth birthday that my parents bought me an official customized storybook. The main character was a girl named Carol with brown hair. Carol liked dogs and the circus. I don’t think I’d ever been to the circus by that point in my life, but that was the story they bought. It’s a cute idea. And I hated it. It made me so uncomfortable, and I never told them. Still haven’t, so *waves* Hi Mom!
There are probably a lot of reasons for this. Childhood medical trauma is at the top of my list of suspects for why I hate attention. The main marker for PTSD that I’m missing is that I don’t have any pre-trauma memories to compare anything to. Every year, I went to Children’s Hospital for painful tests. When your earliest memories of it being your turn for something involve needles and catheters, you quickly stop wanting it to ever be your turn. I hated Januaries, because one of those days, I was going to be taken out of school early, and then my mom would drive me to Arkansas Children’s Hospital.
So I’m blogging mostly because I hate attention and I should probably get over that. I turned out to be really good at school, and I didn’t really mind that attention… Eventually. According to my parents, I came home from school bawling my eyes out one day when I was six years old. The teacher had announced to everyone that we’d be taking a standardized test soon. I was understandably upset, since the word “test” to me was medical. Between sobs, I managed to explain to my parents that I didn’t want anyone sticking more needles up my butt. Technically it was a cystogram, so it was a catheter instead of a needle and my urethra instead of my butt… But I think a six year old can be forgiven for conflating those things.
I’ve always been pretty good with words, so I may as well use it and create something. Things that I will write about will probably get drawn from a couple of lists.
Some things that are meaningful to me:
Some things that I know:
Internet Law and Policy
A strange game. The only winning move is not to play.