110 likes | 240 Views
Finding the Best of the Imperfect Alternatives for Privacy, Health IT, and Cybersecurity Peter Swire Moritz College of Law Wisconsin Symposium in Honor of Neil Komesar October 20, 2012. To Begin. 2003 Law of Cybersecurity Course Theory and practice. Overview.
E N D
Finding the Best of the Imperfect Alternatives for Privacy, Health IT, and Cybersecurity Peter Swire Moritz College of Law Wisconsin Symposium in Honor of Neil Komesar October 20, 2012
To Begin • 2003 Law of Cybersecurity Course • Theory and practice
Overview • Market and government failures • Examples • HIPAA medical privacy • Health IT and 2009 funding • Internet privacy • Cybersecurity • Role of courts • Conclusion
The Test of a First-Rate Intelligence • Market failures and welfare economics • Government failures and public choice • Coase and Williamson • The test of a first-rate intelligence • These two ideas all-too-often incompatible, at least in D.C. • “My ultimate goal is to aid the reformation of society” • So, I suggest the following description …
“ A Raging Moderate” • Passionate commitment to reform society • Acute awareness of market failures • Acute awareness of government failures • I find this congenial • OIRA does as well
HIPAA Privacy Rule • 1999-2000 HHS reg • Clearly had flaws • But Congress couldn’t do it • And electronic payments compelled action, so • “Tasks that strain the abilities of an institution may wisely be assigned to it anyway if the alternatives are worse”
Health IT in ARRA • Bipartisan support for EHRs, not manila folders • Need standards for interoperability • The market didn’t do it, even with jawboning • Recovery Act • $19 billion • “Meaningful use” • Tipping point for adoption, so • “The analysis converges with Ronald Coase’s famous transaction cost approach”
Internet Privacy • Market failure – hard for consumer to monitor data flows • Government failure – hard to dictate acceptable technology, quickly and accurately • 1997 paper on “Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information” • But, self-regulation only works here when have a credible threat of government action, so … • Speaking prose
Cybersecurity • 2003 course • Market failures – externalities • Government failures – like privacy only worse • “First, do no harm” – don’t create backdoors to help surveillance • Large bank CISO, so • “Quite commonly … institutions move together”
The Courts • Some information policy issues have specific factual triggers and/or harms • Defamation • Data breach • Violate a promise – Section 5 FTCA • IP and infringement • Many, though, concern design of complex, fast-changing IT systems • Judicial management through “structural reform” suits? • I’m skeptical • .
Conclusion • Imperfect Alternatives and 2003 course • An analytic approach for a wide range of issues • And, a call for something too rare in a divided political world, the passion and humility of “raging moderation”