Paper

Mandating Zero Trust Architecture as a Condition of Cybersecurity Coverage

mdecrow@maine.edu Article, Paper , , , , , ,

Mandating Zero Trust Architecture as a Condition of Cybersecurity Coverage

Joe Jambor

 

Abstract

The Change Healthcare breach in February 2024 exposed the protected health information of 190 million individuals and cost UnitedHealth Group nearly $3 billion. The breach occurred because two-factor authentication was turned off on a single portal, but was ultimately destructive because once the intruder was inside the system, there was little that could be done to stop them. This Article argues that cybersecurity insurers are uniquely positioned to prevent breaches like this one by driving adoption of Zero Trust Architecture (ZTA), the “never trust, always verify” framework codified in NIST Special Publication 800-207, by requiring its implementation as a condition of coverage. Despite its proven success rate, full ZTA adoption remains critically low, with only ten percent of large enterprises projected to reach a mature Zero Trust posture by the end of this year, as cost, institutional resistance, and legacy technology continue to impede progress. Market incentives alone have failed to move the needle. Drawing on four intersecting bodies of law; the contractual doctrine of conditions precedent in insurance agreements, federal sectoral cybersecurity regulatory frameworks including the FTC Safeguards Rule and HIPAA’s Security Rule, the state insurance regulatory architecture under the McCarran-Ferguson Act, and the rapidly evolving common law standard of reasonable cybersecurity, this Article establishes that insurer-mandated ZTA requirements are legally permissible, practically achievable through a phased implementation framework tailored to enterprises of all sizes, and essential to stabilizing the cyber insurance market while reducing legal liability for insureds.

Continue reading

The Blueprint for a Civil Rights Lawsuit against Government Surveillance Contractors Introduction

mdecrow@maine.edu Article, Paper , , , ,

The Blueprint for a Civil Rights Lawsuit against Government Surveillance Contractors

John Blegen

 

Introduction

In March of 2026, FBI Director Kash Patel, while speaking before the House Permanent Select Committee on Intelligence made a brazen admission. When asked by Ron Wyden, a Democratic senator from Oregon, whether the FBI purchases Cell Phone Location Data from internet advertisers, Patel replied:

“We do purchase commercially available information that’s consistent with the constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us.”

Ron Wyden replied that if true, this practice by the FBI would constitute “an outrageous end run around the Fourth Amendment [that is] particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information.”[1]

This FBI practice is not just an “outrageous end run around the Fourth Amendment,” but an outright violation of Americans’ Fourth Amendment right to privacy against unwarranted government surveillance.

In Carpenter, the Supreme Court held that it is illegal for the government to access cell phone location data information without a warrant.[2] Carpenter mentions no exception to this rule for information that has been purchased from wireless carriers or data brokers. It is not the property rights wireless carriers possess over this information that the Fourth Amendment protects; it is the right to privacy against unchecked government surveillance as ensured by the Constitution.

Patel’s argument would be the same as saying, the government is free to pay a private thug to break into a suspect’s apartment and acquire his wardrobe, or his private collection of firearms, or his diary, or any other piece of evidence without a warrant, so long as they do not do so themselves. It is a brazen admission of the FBI’s intent to not follow the Constitution.[3]

What allows Patel to be brazen enough to make such a statement is the fact that there currently exists no legal mechanism by which the public can validate their right to privacy against government surveillance. This is the case due to decades of congressional lethargy on the issue of data and tech surveillance, as well as the Federal Trade Commission’s refusal to enforce what little data protection laws do exist.[4]

It is also the result of years of the Supreme Court hollowing out plaintiffs’ ability to bring lawsuits against the federal government for violations of the Constitution.[5]  Such civil suits may be brought pursuant to 42 U.S.C. § 1983, which allows suits against states for actions taken in violation of individuals’ Federal Rights, and Bivens actions, which are the equivalent of a 1983 lawsuit against the federal government.

This paper contends that 1983 actions could provide a fruitful method for individuals to validate their right to privacy and push privacy forward against government surveillance, as well as third-party surveillance conducted by AI-surveillance companies like Palantir, which synthesizes mass amounts of data from across various sources into one “fusion” profile and Clearview AI, which provides facial recognition software to law enforcement agencies, both at the state and federal level.

As I will explain below, Section 1983 is an effective tool to limit both these private companies and the government because precedent has held that government contractors may also be subject to a Section 1983 lawsuit when they are performing government functions.

This paper also examines Bivens actions, with the caveat that Bivens law has been deeply neutered by Supreme Court precedent, making it effectively impossible to bring a lawsuit against the federal government for violation of federal rights, even though 1983 allows the same to be done against the states – as implausible as that sounds.

Continue reading

Using the Current FISA Reauthorization Debate to Close the Data Broker Loophole and Introduce Relational Data Governance Over Mass Surveillance Programs

mdecrow@maine.edu Article, Paper , , , ,

Using the Current FISA Reauthorization Debate to Close the Data Broker Loophole and Introduce Relational Data Governance Over Mass Surveillance Programs

Michael Moran

 

With the upcoming sunset of Section 702 of the Foreign Intelligence Surveillance Act (FISA), congressional debate weighing national security and surveillance capabilities against civil liberties has returned, emerging around the capital like cicadas with increasing volume and urgency.[1] Amidst increasingly ubiquitous surveillance applied both at home and abroad, the “data broker loophole” has attracted particular scrutiny from lawmakers and privacy advocates.[2] This loophole allows law enforcement and intelligence agencies to circumvent a warrant requirement by purchasing commercially available personal data. At a time of heightened state surveillance capability and documented governmental data aggregation[3], introducing elements of Salomé Viljoen’s relational theory of data governance could constructively restructure this debate, weighing public safety needs against the collective harm of surveillance programs.

Current debates around FISA are still rooted in historical comparisons of public safety against individual data rights, but reframing that debate to consider these rights collectively may lead to a more durable solution.[4] Viljoen’s framework for data governance calls for a population-level lens of surveillance harm, and democratic mechanisms to evaluate privacy and data rights and uses in a more inclusive and responsive manner.[5] Reforms to increase transparency and advocacy in the Foreign Intelligence Surveillance Court (FISC), alongside the introduction of a data-governance entity, standalone, or within the FTC, could facilitate societal conversations around surveillance, rebuild public trust, and avoid the high stakes, all-or-nothing reauthorization cycles we face today.

In this article, I first define the data broker loophole in the context of FISA reauthorization and then outline the fundamentals of Viljoen’s relational theory of data governance. Next, I address why focusing on closing data pipelines or data broker loopholes is insufficient alone, without accompanying reforms that incorporate relational data governance. I then briefly propose some institutional reforms to incorporate democratic mechanisms into existing foreign surveillance oversight.

Continue reading

Data Minimization’s Wolf Problem: Learning from Constitutional History to Design Effective Privacy Remedies

mdecrow@maine.edu Paper , , ,

Data Minimization’s Wolf Problem: Learning from Constitutional History to Design Effective Privacy Remedies

Caroline Aiello

 

I. Introduction

Nearly every modern privacy law restricts or seeks to limit how much data companies can collect and how they can process that data. Collectively, these provisions are known as data minimization standards. A foundational feature of privacy law, the concept of data minimization dates back to the earliest guidance and drafting of privacy laws. Widely considered a pivotal segment of a law, determining its effectiveness and severity, these provisions are hotly contested by industry leaders and consumer advocates throughout the legislative process.

For all the attention devoted to crafting an effective data minimization standard, legislators have overlooked a fundamental lesson from constitutional law: vague standards without concrete rules and meaningful remedies do not protect rights. The Fourth Amendment’s journey from an ineffective guarantee to an enforceable constitutional protection illustrates this principle. For over a decade after the 1949 holding in Wolf v. Colorado, the Supreme Court acknowledged the application of a prohibition on unreasonable searches and seizures to the states but declined to impose the exclusionary rule as a remedy.[1] During that period, the Court assumed that alternative mechanisms like tort suits and disciplinary actions would deter misconduct. As Justice Murphy warned in his dissent in Wolf, such alternatives were “deceptive,” and that alternatives to exclusion were effectively no remedy at all.[2]

This Article argues that federal data privacy legislation must learn from the Fourth Amendment’s institutional history. A federal privacy law’s data minimization standard should not merely set vague standards and hope that disclosure requirements, consent mechanisms, and scattered enforcement actions will protect consumer privacy. Instead, Congress should establish specific, substantive data minimization requirements that enumerate prohibited uses of personal data, backed by federal enforcement authority and meaningful penalties that create genuine deterrence. Just as the exclusionary rule transformed the Fourth Amendment from an aspirational principle into an enforceable right, federal substantive standards with robust remedies can transform data minimization from a theoretical protection into a practical safeguard.

This Article proceeds in five parts. Part II introduces data minimization, explaining the mechanical components of the law and what business practices they regulate. Part III analyzes and introduces current data minimization laws and enforcement actions both in the United States and internationally. Part IV examines the Wolf v. Colorado to Mapp v. Ohio progression, detailing how the Supreme Court’s twelve-year experiment with state-level Fourth Amendment enforcement failed and why federalization of the exclusionary rule ultimately proved necessary. Part V makes the affirmative case for federal substantive data minimization standards, proposing specific prohibited uses rather than reliance on interpretation of a reasonableness principle, and arguing for enforcement mechanisms that go beyond nominal accountability. Part VI addresses counterarguments, including concerns about business flexibility and innovation. The Article concludes by explaining how Congress can avoid repeating constitutional history’s mistakes and instead create a federal privacy framework that makes data minimization rights real rather than rhetorical.

Continue reading

“Segregate-and-Suppress:” A Solution in Search of a Solution

mdecrow@maine.edu Paper , , , , , ,

“Segregate-and-Suppress:” A Solution in Search of a Solution

Viv Daniel

 

 I. Introduction

The following paper is an analysis of Eric Goldman’s 2025 article published in the Stanford Technology Law Review, The “Segregate-and-Suppress” Approach to Regulating Child Safety Online.[1] Goldman’s article identifies an emerging legislative trend meant to protect children online, which he terms “segregate-and-suppress,” and argues that this legislative strategy is misguided because it damages privacy online, it is detrimental to the online information ecosystem, and it hurts many of the very children it was designed to protect. A segregate-and-suppress law is a law targeting publishers of content and information via websites and/or apps, which requires a publisher to distinguish between users on the basis of age, and to limit access to content for users deemed to be minors.[2]

This paper will begin by describing the problem that segregate-and-suppress was created to solve, to give context to the creation and implementation of these laws. Next, it will provide examples of the kinds of laws which fall under Goldman’s scrutiny and describe Goldman’s critiques of segregate-and-suppress and his alternative suggestions to it. Finally, this paper will evaluate the strength of Goldman’s arguments and proposed alternate solutions. This paper posits that, while Goldman’s argument is valuable to an honest debate of the topic, it would be strengthened by acknowledging the extent of the problem segregate-and-suppress is meant to solve, and by giving more consideration to the breadth of compromise-driven solutions available to alleviate threats to children’s safety online.

Continue reading

The Privacy Parlay: How Data Mining and Targeted Ads Drive Gambling Addiction

mdecrow@maine.edu Paper , , , ,

The Privacy Parlay: How Data Mining and Targeted Ads Drive Gambling Addiction

Emily Weisser

 

I. Introduction

In the digital age, the gambler is not just the person placing the bets, they are also the data being wagered on. Every click, swipe, and deposit becomes part of a high-stakes game where the house rarely loses. Much like a parlay bet–where every leg must hit for the gambler to win–the modern gambling industry relies on data collection and targeted advertising to increase the number of returning customers, boosting its own profits while building a predictive framework that treats users as inputs rather than individuals. In this “privacy parlay,” the odds are overwhelmingly in favor of the house– the gambling operator.

The first leg of this parlay is the mining of consumer data, drawn from government-mandated identity verification information and voluntary interactions. Operators combine this data to build comprehensive behavioral profiles. The second leg involves monetizing this data through micro-targeted advertising, designed to exploit psychological vulnerabilities and nudge users toward repeated engagement. The third leg uses these insights to promote repeat play, conflating addiction with ordinary customer loyalty.

Despite the immense power of this system, the current regulatory landscape offers fragmented, inconsistent protection for consumers, leaving critical gaps in oversight. This essay explores data-driven gambling in the post-Professional and Amateur Sports Protection Act (“PASPA”) era and discusses the argument that a unified federal framework is necessary to regulate the privacy parlay–ensuring that data-driven gambling operates transparently, ethically, and in a manner that protects consumers from exploitation.

Continue reading

Put the Katz Back in the Bag: Restoring Privacy Rights in the Digital Age

mdecrow@maine.edu Paper , , ,

Put the Katz Back in the Bag: Restoring Privacy Rights in the Digital Age

Tommy Scherrer

 

The word “privacy” appears nowhere in the Constitution, yet the Supreme Court has recognized that a constitutional right to privacy emerges from certain “penumbras, formed by emanations” of guarantees in the Bill of Rights.[1] Of these guarantees, that of the Fourth Amendment provides the clearest architecture for a right to privacy by recognizing the individual citizen’s dominion over their “persons, houses, papers, and effects,” and requiring the government to justify any intrusion.[2] This article argues for a restoration of the American privacy regime to this original foundation: enforceable boundaries that empower individuals to control access to their lives.

I. Introduction

The Court complicated the foundations of American privacy rights in Katz v. United States when it reimagined privacy rights as a matter of “reasonable expectations.”[3] That formulation was intended to liberalize the Fourth Amendment and extend its protections beyond physical trespass. However, by grounding privacy rights in what a small group of lawyers believe society recognizes as “reasonable,” the Court detached protection from the concrete boundaries of the Constitution and created an ambiguous standard. As we journey further into the 21st century, and state and private surveillance become normalized as necessary to a secure society, our general expectation of privacy is shrinking rapidly, and our rights are shrinking with it.

The text of the Constitution protects citizens through their persons, homes, papers, and effects—real places and things that anchor enforceable boundaries. Katz inverted that logic by replacing hardline rules with shifting baselines and mistaking trust for consent to surveillance. In the decades that followed, this logic hardened into the third-party doctrine, which holds that any information shared with others loses constitutional protection.[4] The consequences of this doctrine are especially harsh in today’s world, when nearly all personal information flows through third parties. If privacy rights are to remain a foundation of democratic life, they need to be grounded in some sort of enforceable boundary. Because today’s data and the inferences drawn from it can reach further into private life than any physical trespass, the protections of the Fourth Amendment must be interpreted with that reality in mind.

Continue reading

Data Sovereignty in the Age of Digital Nationalism: The Case of TikTok and the Global Fragmentation of the Internet

mdecrow@maine.edu Paper , , , , ,

Data Sovereignty in the Age of Digital Nationalism: The Case of TikTok and the Global Fragmentation of the Internet

Aysha Vear

 

I. Introduction

Social media has significantly changed the ways in which individuals both receive information and exchange it. As these applications and platforms have increasingly become part of the everyday lives of citizens and further incorporated into their daily interactions, the issue of social media regulation has been a clear focal point of legal and political discourse. Today there exists a growing concern about American citizens’ data with respect to Chinese influence and intrusion. Consequently, the House of Representatives presented a bill in 2024 to mitigate these fears. H.R. 7521 would force the foreign ownership of TikTok, a social media platform controlled by Chinese parent company ByteDance, to divest or face a broad federal ban.[1]

TikTok is centered on short videos created and uploaded by users who are able to create, share and interact with networks of content,[2] and it has quickly become one of the most popular apps in the United States.[3]  It is “a mass marketplace of trends and ideas and has become a popular news source for young people”[4] with sixty-two percent of eighteen to twenty-nine year olds saying that they use the app[5] which reached a billion users in 2021.[6]  The app got its start in the U.S. as an app called “Musical.ly” but was acquired by the Chinese company ByteDance in 2018 and rebranded as TikTok.[7] ByteDance is headquartered in Beijing and it launched “Douyin,” the Chinese TikTok equivalent in 2016 prior to the “Musical.ly” acquisition. It is this affiliation with China and the Chinese app that flagged concern for United States government officials and this case represents a growing trend of national governments asserting greater control over digital platforms and the content which citizens consume.

This highlights a growing trend toward countries treating data governance as a national security issue. Data sovereignty is a concept that refers to “a state’s sovereign power to regulate not only cross-border flow of data through uses of internet filtering technologies and data localization mandates, but also speech activities . . . and access to technologies.”[8] Governments are introducing laws to prevent foreign control over citizen data, such as China’s Data Security Law and India’s restriction on data localization. Given that these laws have different aims and approaches to governance as well as shifting priorities, they have increased geopolitical competition between the U.S., China, and the EU. While data sovereignty is a necessary framework for global internet governance, its implementation must balance security concerns with the need to prevent a fragmentation of the internet as we know it. More countries are scrambling to control the flow of data in and out of their national borders and, as such, “the rise in data localization policies has been a contributing factor in declining internet freedom.”[9] This paper will explore the different approaches of the United States, China, and the European Union in controlling cross-border data flows. Next, looking through a specific lens at the TikTok forced divestiture and attacks on other Chinese entities, it will explore the growing trend of data sovereignty and attempt to find the balance in national security and digital openness. Finally, the paper will suggest possible solutions for the growing need for better collaboration in the digital sphere.

Continue reading

Privacy in Death: Conserving your Power in Legacy

mdecrow@maine.edu Paper , , , , ,

Privacy in Death: Conserving your Power in Legacy

Gabriel Siwady-Kattan

 

Introduction

Throughout our lives, we store everything online. This means that not only can a person keep physical assets in a bank; they can also have digital assets available online for access and distribution. Who should be able to access those assets when we die? The IRS defines a digital asset as “a digital representation of value recorded on a cryptographically secure distributed ledger or similar technology” and names as examples convertible virtual currency and cryptocurrency, stablecoins, and Non-Fungible Tokens (NFTs).[1] The IRS further elaborates that “[i]f a particular asset has characteristics of a digital asset, [then] it’s treated as one for federal income tax purposes.”[2] Beyond digital assets that have a financial component to them, however, are also images, videos, digital documents, and electronically-stored music. These could be held by any person, and in our modern age, most people have an account where their digital information is stored, whether in an Apple, Google, Facebook, or Instagram account. The existence of digital assets has brought many issues, including how to deal with the distribution of digital assets at the time of death.

To deal with this issue, the Uniform Law Commission (ULC) drafted the Uniform Fiduciary Access to Digital Access Act (hereinafter referred to as the Digital Assets Act).[3] This Act essentially treated digital assets as it would any other kind of traditional property a person held at the time of their death.[4] This meant that an executor had near unsupervised power to access, manage, and distribute a decedent’s digital assets.[5] Under the Digital Assets Act, an executor had the same access to digital assets as an owner had at the time of their death.[6]

Naturally, this “open-access approach” could raise personal privacy concerns. What if, in the process of getting a decedent’s affairs in order, an executor came across communications with a third party? What if that communication shed light on an unknown aspect of the deceased’s life? What if that communication was meant to remain confidential? And what about that third party’s identity?

On top of these personal privacy concerns, the Digital Assets Act’s provisions were contrary to some tech companies’ terms of use agreements. For example, tech companies have their own ways of managing the content on their platform, and often control or limit the agency a user or consumer might have over their own communications. To this end, tech companies almost always require users to agree to a terms of use agreement, which typically includes provisions on how and to whom data may be shared.

Continue reading

Privacy Needs Security, Security Needs Privacy

mdecrow@maine.edu Paper , , , , ,

Privacy Needs Security, Security Needs Privacy 

William O’Reilly

 

     I.         Introduction

Security Operations Centers (SOC) for enterprises across the country are in need of professionals. They need professionals to fill the roles that already exist, and they need to add roles to deal with the changing regulatory landscape. For an enterprise, the best practice is an investment in “people, process, and technology.[1] It is true that people are the most expensive part of an SOC.[2] However, the reason there is a shortage is not because enterprises around the US are skimping on their labor. There simply are not enough trained professionals. The training to be a cybersecurity professional is not easy, nor is it cheap. Enterprises are in danger from their absence of professionals, and it may be worth it for them to shoulder the cost of education and certification in pursuit of their goal of self-preservation. One cost the enterprise will have to face in hiring professionals is the establishment of career potential and pay There is also an ongoing cost for organizations that need to have instances of training to level up their employees over time.[4] Training also assists with retention of personnel, making it a necessary cost to the enterprise.[5] Finally, burgeoning privacy laws create burdens and liabilities that the SOC in its present form is only partially equipped to deal with. Fortunately, over 20% percent of enterprises plan to increase their investment in cybersecurity post breach.[6] That investment should include privacy professionals.

Potential employees have costs associated with education and skill development. The cost of training, education, and certifications can be a limit on professionals entering the cybersecurity industry. No SOC will have the same composition or volume, but most SOC services demand certain roles be filled by professionals with specific training. Legislation is also demanding those roles be filled.[7] Each of these professions has specific responsibilities, which require specific skills, and each of those skills can be represented through certifications.[8] Each of these certifications has a cost. Laying out this cost may illustrate one reason for the dearth in skilled professionals and may show an enterprise the value that a professional expects to get out of their investment.

Continue reading