Taking Stock of the Emerging Regulatory Regime for Computer Security and Information Privacy


Roundtable Series on Innovation, Entrepreneurship, and Public Policy

Only a decade ago, government regulation of computer security and online information privacy was thin and scattershot. In the 1990s, Internet policy in general, and information privacy and security issues along with it, were treated as problems to be solved by markets, computer programmers, and network architects. As the Clinton Administration once put it with regard to information policy issues more generally, “[t]he private sector should lead” and the government should take a hands-off approach. William J. Clinton & Albert Gore, Jr., A Framework for Global Electronic Commerce 4 (1997).

Over the last ten years, this early consensus has broken down. At an ever-increasing pace, state legislatures, Congress, and government agencies have stepped in much more aggressively to impose duties, liability provisions, and disclosure requirements. In doing so, policymakers are increasingly dictating how businesses, employers, systems administrators, and software developers address privacy and data security issues.

On March 4, 2008, the Silicon Flatirons Center for Law, Technology, and Entrepreneurship will bring together approximately thirty experts for a roundtable discussion of the government’s regulation of computer security and privacy. In particular, we will focus on four areas in the context of the current regulatory environment: (1) finding the balance between workplace privacy and protecting enterprises against unproductive and even malicious employees; (2) satisfying business demands to use customer information in the face of growing government restrictions; (3) the impact of security breach notification on corporate information security programs; and (4) anti-spyware laws.

After presenting the state of regulations on this topic (including, for example, what counsel need to understand about the limits on workplace monitoring and restrictions on using customer information for direct marketing), we will assess whether these rules have improved privacy and security or instead simply imposed impractical and onerous burdens. In so doing, we will seek to evaluate how businesses are responding to the new set of regulations, including what measures, if any, corporate IT departments are taking to avoid the need for public disclosure of a security breach. Finally, we will evaluate whether and when government should regulate information security and data privacy, assessing the benefits of such measures, whether (and how) these laws influence what software developers do, and whether regulators appreciate these potential, unintended effects.

Lunch will be served, and two credits of CLE are available.

We hope you will join us.
