The increased use of credit card transactions, online banking, and Internet commerce generates an enormous amount of sensitive data and raises questions about legal mechanisms to protect and secure this information.
On March 19, the Brooklyn Journal of Corporate, Financial & Commercial Law hosted a symposium, “Data Security and Data Privacy in the Payment System,” to consider the manner in which consumers and financial institutions contract for data privacy and data security, possible regulatory responses to the limitations of contract-based regimes, and the possibility of a coordinated regulatory architecture to deal with and minimize the harm caused by security breaches. The symposium was organized by Brooklyn Law School Professors Edward Janger and Derek Bambauer.
The first panel, “Common Law Regulation: Contract, Tort, and Property,” examined norm formation through common law and focused on the question of how to assign liability. Professor Chris Jay Hoofnagle from UC Berkeley Law presented the results of a study on identity theft he conducted that examined how credit grantors verify information in cases of new account fraud. He found that credit grantors are not adequately verifying the information presented to them, even when it is flagged as potentially fraudulent by credit reporting agencies. He suggested the use of tort law, specifically, that credit issuers be held strictly liable for granting credit in cases of new account fraud in order to encourage them to complete the necessary due diligence before granting credit.
Professor Juliet M. Moringiello of the Widener University School of Law considered the use of contract law to govern account fraud through the creation of an implied warranty of payment data security. She drew an analogy to the implied warranty of habitability under real estate law, explaining that it paralleled the evolution of the payment system.
Professor James Grimmelmann of New York Law School provided additional insight as a commentator. He explained that credit grantors can reduce fraud by using the information they collect to better verify accounts. He mentioned that he had participated in Professor Hoofnagle’s study, and his candid discussion of this personal experience with new account fraud emphasized how easily fraud can occur and how difficult it can be to resolve.
The second panel, “Regulatory Institutions,” considered regulatory responses to data breaches.
Professor Sarah Jane Hughes of the Indiana University Maurer School of Law explained that an article on data security breaches by Professor Edward Janger and Professor Paul M. Schwartz, which referred to these incidents as “data spills,” inspired her to consider parallels between data security breaches and maritime law.
BLS Professor Janger discussed the regulation of data privacy and data security and argued for a stronger regulatory architecture. He said that contract law is not a good framework to control issues of data privacy and data security because consumers are bad at negotiating non-price terms in contracts. He argued for regulation through a consumer protection agency.
Professor Frank A. Pasquale of Seton Hall Law School, serving as the commentator, helped to synthesize the presentations, and described the use of maritime pollution conventions and metaphors of environmentalism to understand issues of intellectual property online. He acknowledged the difficulty of valuing the harms and resolving problems in any kind of spill—data or environmental.
In the third panel, “Towards a Coordinated Regulatory Architecture,” Professor Adam J. Levitin from the Georgetown University Law Center discussed the allocation of liability as it pertains to payment card fraud. He proposed various solutions to realign payment card fraud liability with the least cost avoider, the party who can most inexpensively prevent a social cost, through antitrust exemptions and antitrust enforcement.
BLS Professor Derek Bambauer discussed the need for a combination of harm prevention and loss mitigation to improve data privacy and security and considered the use of rules and standards to govern data security. Through examples, he showed why standards may be preferable for developers and provided several scenarios to encourage compliance with government encryption standards.
Professor Melissa B. Jacoby of UNC-Chapel Hill, a visiting professor at Brooklyn Law School, served as moderator of the panel and a lively question and answer session that wrapped up the symposium.