Author: Sasha Romanosky


Two Law School Rumors

Over the past couple of years, I’ve heard the same two recurring rumors and I’m wondering what opinions, if any, law professors have about them.

The first is that there is a slow but systematic trend in law schools to train students in quantitative methods. If this is true, my question is: to what extent are schools fulfilling this? That is, are they just encouraging students to take basic statistics classes, or are there more systematic efforts to require (for example) econometric classes? (Yes, I see that there is growing empirical legal research, but this seems to come from faculty, rather than law students.)

The second relates to the hiring of new faculty within law schools. On one hand, I see increased competition from JD/PhDs (suggesting that a JD is becoming necessary but not sufficient), while on the other hand, I’ve heard that law schools are becoming more interdisciplinary and even hiring those without a JD, but who have a PhD in another field. Can both of these be true, or am I wildly mistaken?

(If this has already been discussed, I’m happy enough if someone posts a link.)


Privacy vs. Security vs. Anonymity

When I first began my PhD, I was keen to properly sort and define any new terms and reconcile them with my own education and experience. Three terms that always seemed to be intermingled were: Privacy, Security and Anonymity. Certainly they are related, but I wanted to be a little more specific and understand exactly when and how they overlapped.

First, let’s establish some basic definitions. For the purpose of this blog post, the following definitions will suffice (I’ll address alternative definitions later):
• Privacy: having control over one’s personal information or actions
• Security: freedom from risk or danger
• Anonymity: being unidentifiable in one’s actions

Next, create a Venn diagram with three overlapping circles (each circle representing one term). Then, within each area, try to provide examples that reflect those properties. That is, imagine some situation where you would have security without privacy, or security without anonymity. When can you have all three? When can you be anonymous but lack privacy?

This may not be as easy as it seems. Certainly it helps once the definitions are set, but if nothing else, I think it’s a useful way to separate and identify the essence of these words (at least, as each of us sees them) and the contexts in which they may or may not exist. Before you continue, take a minute, examine the diagram above, and try to think of examples to fit each area.

Read More


Economic Analysis of Tort Law, Why Bother?

In previous posts (here and here), I suggested that analytical modeling can be useful to better understand data breaches, information disclosure laws and the costs to both companies and individuals because of these laws. I’d like to now expand on those ideas.

To be clear, there are many kinds of models and modeling approaches but what I’m interested in is the economic analysis of tort law. For those not aware, this approach is concerned with the cost of accidents to an injurer and a victim and it analyzes how various policy rules (typically regulation or liability) can minimize the sum of those costs.

The way I’ve come to interpret and apply models (e.g. mathematical equations) is to illustrate how agents’ incentives change under different policy interventions. For example, if companies are forced to notify consumers of a data breach, will they be induced to spend more or less money protecting consumer data? Will individuals take more or less care once notified? Will these actions together increase or decrease overall social costs?

Read More


Evolution of Privacy Breach Litigation?

In addition to empirical work on data breaches and breach disclosure laws, I’ve also become very interested in data breach litigation. While plaintiffs have seen very little success with legal actions brought against companies that suffer data breaches, I still believe there is some very interesting empirical work that can be done regarding these lawsuits.

In a recent post, Daniel Solove cited a paper by Andrew Serwin (found here) who described in great detail the legal theories and statutes that plaintiffs use when bringing legal actions against companies that suffer data breaches. It isn’t my purpose to repeat that work, but rather to identify an interesting pattern that appears to have emerged over the past 5 to 10 years of privacy breach litigation. Special thanks to Paul Bond of Reed Smith LLP who first brought this to my attention.

Category 1: You lost my data, now I will sue you.
This first category could be characterized by what is classically considered a data breach: plaintiffs suing a company simply because their personally identifiable information (PII) was lost, stolen, or improperly disposed of. For example, Choicepoint, TJX, Hannaford, Heartland, etc. Plaintiffs claim that this disclosure of data has harmed, or will harm, them, and that they are justified in seeking relief for actual fraud losses, monitoring costs, future expected loss, or emotional distress. Plaintiffs bring these actions under many kinds of tort and contract theories, but generally lose because they’re unable to prove a harm that’s legally recognized (as we discuss further below). The defining characteristic of this category is that the burden lies with the alleged victims to show they were harmed in a legally meaningful way.

Read More


When is the Class in a Class Action Too Big?

This story of the Wal-Mart sex discrimination class action has made recent news. What is of interest to me is Wal-Mart’s claim that the size of the class is too big for litigation, and how others feel this case may have a large impact on the practical size of class action lawsuits in general. This NYT article describes how Wal-Mart has over one million employees, and that the suit alleges discrimination against hundreds of thousands of female employees.

Now, from the data breach lawsuits that I am examining (if we consider the class to be all those whose information was lost or stolen) I find an average class size of over 5 million, with a median of 200k and maximum of 130 million. I also count over 15 suits with class sizes greater than one million people. Now, to be fair, I don’t know the portion of classes that were actually certified, and this would likely be very small.

Suddenly, a couple hundred thousand in Wal-Mart’s case doesn’t seem all that big. And yet, I’ve never heard any data breach news story that commented on the class size or on how it might raise questions under Rule 23 of the Federal Rules of Civil Procedure.

I’d love to hear anyone’s thoughts on why this might be. Is the difference simply that the Supreme Court is involved?


Three Policy Interventions for Reducing Privacy Harms

Thanks so much to Danielle and Concurring Opinions for inviting me to blog. This is an exciting opportunity and I look forward to sharing my thoughts with you. Hopefully you will find these posts interesting.

There are many policy interventions that legislators can impose to reduce harms caused by one party to another. Two that are very often compared are safety regulations (mandated standards) and liability. They lend themselves well to comparison because they’re generally employed on either side of some harmful event (e.g. data breach or toxic spill): ex ante regulations are applied before the harm, and ex post liability is applied after the harm.

A third approach, one that we might consider ‘sitting between’ regulation and liability, is information disclosure (e.g. data breach disclosure (security breach notification) laws). I’d like to take a few paragraphs to compare these alternatives in regards to data breaches and privacy harms.

Three Interventions


Read More


Evaluating Data Breach Disclosure Laws

I imagine most of you have received one or more letters from companies informing you that they lost your personal information. If so, what, if anything, did you do about it? Did you check your credit history, close a financial account, do something else, or nothing at all? If you did act, you likely did it to reduce your risk of suffering identity theft. My research question is: did it work? This is something that I’ve been examining for a number of years now.

In a paper coauthored with Rahul Telang and Alessandro Acquisti at Carnegie Mellon University, we empirically examine the effect of data breach disclosure (security breach notification) laws on identity theft. For a policy researcher, this represents a fantastic opportunity: a clear policy intervention (adoption of laws across different states), a heated controversy regarding the benefits and consequences of the laws that is both practically and academically interesting, good field data, and a powerful empirical analysis methodology to leverage (criminology).

An initial version of the paper used consumer reported identity theft data collected from the FTC from 2002-2006. Using just these data, we found a negative but not statistically significant result. In fact, I was quoted as saying, “we find no evidence that the laws reduce identity theft.” And it was true, we didn’t.

Read More