Papers

Mandating Zero Trust Architecture as a Condition of Cybersecurity Coverage

mdecrow@maine.edu Article, Paper , , , , , ,

Mandating Zero Trust Architecture as a Condition of Cybersecurity Coverage

Joe Jambor

 

Abstract

The Change Healthcare breach in February 2024 exposed the protected health information of 190 million individuals and cost UnitedHealth Group nearly $3 billion. The breach occurred because two-factor authentication was turned off on a single portal, but was ultimately destructive because once the intruder was inside the system, there was little that could be done to stop them. This Article argues that cybersecurity insurers are uniquely positioned to prevent breaches like this one by driving adoption of Zero Trust Architecture (ZTA), the “never trust, always verify” framework codified in NIST Special Publication 800-207, by requiring its implementation as a condition of coverage. Despite its proven success rate, full ZTA adoption remains critically low, with only ten percent of large enterprises projected to reach a mature Zero Trust posture by the end of this year, as cost, institutional resistance, and legacy technology continue to impede progress. Market incentives alone have failed to move the needle. Drawing on four intersecting bodies of law; the contractual doctrine of conditions precedent in insurance agreements, federal sectoral cybersecurity regulatory frameworks including the FTC Safeguards Rule and HIPAA’s Security Rule, the state insurance regulatory architecture under the McCarran-Ferguson Act, and the rapidly evolving common law standard of reasonable cybersecurity, this Article establishes that insurer-mandated ZTA requirements are legally permissible, practically achievable through a phased implementation framework tailored to enterprises of all sizes, and essential to stabilizing the cyber insurance market while reducing legal liability for insureds.

Continue reading

The Blueprint for a Civil Rights Lawsuit against Government Surveillance Contractors Introduction

mdecrow@maine.edu Article, Paper , , , ,

The Blueprint for a Civil Rights Lawsuit against Government Surveillance Contractors

John Blegen

 

Introduction

In March of 2026, FBI Director Kash Patel, while speaking before the House Permanent Select Committee on Intelligence made a brazen admission. When asked by Ron Wyden, a Democratic senator from Oregon, whether the FBI purchases Cell Phone Location Data from internet advertisers, Patel replied:

“We do purchase commercially available information that’s consistent with the constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us.”

Ron Wyden replied that if true, this practice by the FBI would constitute “an outrageous end run around the Fourth Amendment [that is] particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information.”[1]

This FBI practice is not just an “outrageous end run around the Fourth Amendment,” but an outright violation of Americans’ Fourth Amendment right to privacy against unwarranted government surveillance.

In Carpenter, the Supreme Court held that it is illegal for the government to access cell phone location data information without a warrant.[2] Carpenter mentions no exception to this rule for information that has been purchased from wireless carriers or data brokers. It is not the property rights wireless carriers possess over this information that the Fourth Amendment protects; it is the right to privacy against unchecked government surveillance as ensured by the Constitution.

Patel’s argument would be the same as saying, the government is free to pay a private thug to break into a suspect’s apartment and acquire his wardrobe, or his private collection of firearms, or his diary, or any other piece of evidence without a warrant, so long as they do not do so themselves. It is a brazen admission of the FBI’s intent to not follow the Constitution.[3]

What allows Patel to be brazen enough to make such a statement is the fact that there currently exists no legal mechanism by which the public can validate their right to privacy against government surveillance. This is the case due to decades of congressional lethargy on the issue of data and tech surveillance, as well as the Federal Trade Commission’s refusal to enforce what little data protection laws do exist.[4]

It is also the result of years of the Supreme Court hollowing out plaintiffs’ ability to bring lawsuits against the federal government for violations of the Constitution.[5]  Such civil suits may be brought pursuant to 42 U.S.C. § 1983, which allows suits against states for actions taken in violation of individuals’ Federal Rights, and Bivens actions, which are the equivalent of a 1983 lawsuit against the federal government.

This paper contends that 1983 actions could provide a fruitful method for individuals to validate their right to privacy and push privacy forward against government surveillance, as well as third-party surveillance conducted by AI-surveillance companies like Palantir, which synthesizes mass amounts of data from across various sources into one “fusion” profile and Clearview AI, which provides facial recognition software to law enforcement agencies, both at the state and federal level.

As I will explain below, Section 1983 is an effective tool to limit both these private companies and the government because precedent has held that government contractors may also be subject to a Section 1983 lawsuit when they are performing government functions.

This paper also examines Bivens actions, with the caveat that Bivens law has been deeply neutered by Supreme Court precedent, making it effectively impossible to bring a lawsuit against the federal government for violation of federal rights, even though 1983 allows the same to be done against the states – as implausible as that sounds.

Continue reading

Using the Current FISA Reauthorization Debate to Close the Data Broker Loophole and Introduce Relational Data Governance Over Mass Surveillance Programs

mdecrow@maine.edu Article, Paper , , , ,

Using the Current FISA Reauthorization Debate to Close the Data Broker Loophole and Introduce Relational Data Governance Over Mass Surveillance Programs

Michael Moran

 

With the upcoming sunset of Section 702 of the Foreign Intelligence Surveillance Act (FISA), congressional debate weighing national security and surveillance capabilities against civil liberties has returned, emerging around the capital like cicadas with increasing volume and urgency.[1] Amidst increasingly ubiquitous surveillance applied both at home and abroad, the “data broker loophole” has attracted particular scrutiny from lawmakers and privacy advocates.[2] This loophole allows law enforcement and intelligence agencies to circumvent a warrant requirement by purchasing commercially available personal data. At a time of heightened state surveillance capability and documented governmental data aggregation[3], introducing elements of Salomé Viljoen’s relational theory of data governance could constructively restructure this debate, weighing public safety needs against the collective harm of surveillance programs.

Current debates around FISA are still rooted in historical comparisons of public safety against individual data rights, but reframing that debate to consider these rights collectively may lead to a more durable solution.[4] Viljoen’s framework for data governance calls for a population-level lens of surveillance harm, and democratic mechanisms to evaluate privacy and data rights and uses in a more inclusive and responsive manner.[5] Reforms to increase transparency and advocacy in the Foreign Intelligence Surveillance Court (FISC), alongside the introduction of a data-governance entity, standalone, or within the FTC, could facilitate societal conversations around surveillance, rebuild public trust, and avoid the high stakes, all-or-nothing reauthorization cycles we face today.

In this article, I first define the data broker loophole in the context of FISA reauthorization and then outline the fundamentals of Viljoen’s relational theory of data governance. Next, I address why focusing on closing data pipelines or data broker loopholes is insufficient alone, without accompanying reforms that incorporate relational data governance. I then briefly propose some institutional reforms to incorporate democratic mechanisms into existing foreign surveillance oversight.

Continue reading

Data Minimization’s Wolf Problem: Learning from Constitutional History to Design Effective Privacy Remedies

mdecrow@maine.edu Paper , , ,

Data Minimization’s Wolf Problem: Learning from Constitutional History to Design Effective Privacy Remedies

Caroline Aiello

 

I. Introduction

Nearly every modern privacy law restricts or seeks to limit how much data companies can collect and how they can process that data. Collectively, these provisions are known as data minimization standards. A foundational feature of privacy law, the concept of data minimization dates back to the earliest guidance and drafting of privacy laws. Widely considered a pivotal segment of a law, determining its effectiveness and severity, these provisions are hotly contested by industry leaders and consumer advocates throughout the legislative process.

For all the attention devoted to crafting an effective data minimization standard, legislators have overlooked a fundamental lesson from constitutional law: vague standards without concrete rules and meaningful remedies do not protect rights. The Fourth Amendment’s journey from an ineffective guarantee to an enforceable constitutional protection illustrates this principle. For over a decade after the 1949 holding in Wolf v. Colorado, the Supreme Court acknowledged the application of a prohibition on unreasonable searches and seizures to the states but declined to impose the exclusionary rule as a remedy.[1] During that period, the Court assumed that alternative mechanisms like tort suits and disciplinary actions would deter misconduct. As Justice Murphy warned in his dissent in Wolf, such alternatives were “deceptive,” and that alternatives to exclusion were effectively no remedy at all.[2]

This Article argues that federal data privacy legislation must learn from the Fourth Amendment’s institutional history. A federal privacy law’s data minimization standard should not merely set vague standards and hope that disclosure requirements, consent mechanisms, and scattered enforcement actions will protect consumer privacy. Instead, Congress should establish specific, substantive data minimization requirements that enumerate prohibited uses of personal data, backed by federal enforcement authority and meaningful penalties that create genuine deterrence. Just as the exclusionary rule transformed the Fourth Amendment from an aspirational principle into an enforceable right, federal substantive standards with robust remedies can transform data minimization from a theoretical protection into a practical safeguard.

This Article proceeds in five parts. Part II introduces data minimization, explaining the mechanical components of the law and what business practices they regulate. Part III analyzes and introduces current data minimization laws and enforcement actions both in the United States and internationally. Part IV examines the Wolf v. Colorado to Mapp v. Ohio progression, detailing how the Supreme Court’s twelve-year experiment with state-level Fourth Amendment enforcement failed and why federalization of the exclusionary rule ultimately proved necessary. Part V makes the affirmative case for federal substantive data minimization standards, proposing specific prohibited uses rather than reliance on interpretation of a reasonableness principle, and arguing for enforcement mechanisms that go beyond nominal accountability. Part VI addresses counterarguments, including concerns about business flexibility and innovation. The Article concludes by explaining how Congress can avoid repeating constitutional history’s mistakes and instead create a federal privacy framework that makes data minimization rights real rather than rhetorical.

Continue reading

“Segregate-and-Suppress:” A Solution in Search of a Solution

mdecrow@maine.edu Paper , , , , , ,

“Segregate-and-Suppress:” A Solution in Search of a Solution

Viv Daniel

 

 I. Introduction

The following paper is an analysis of Eric Goldman’s 2025 article published in the Stanford Technology Law Review, The “Segregate-and-Suppress” Approach to Regulating Child Safety Online.[1] Goldman’s article identifies an emerging legislative trend meant to protect children online, which he terms “segregate-and-suppress,” and argues that this legislative strategy is misguided because it damages privacy online, it is detrimental to the online information ecosystem, and it hurts many of the very children it was designed to protect. A segregate-and-suppress law is a law targeting publishers of content and information via websites and/or apps, which requires a publisher to distinguish between users on the basis of age, and to limit access to content for users deemed to be minors.[2]

This paper will begin by describing the problem that segregate-and-suppress was created to solve, to give context to the creation and implementation of these laws. Next, it will provide examples of the kinds of laws which fall under Goldman’s scrutiny and describe Goldman’s critiques of segregate-and-suppress and his alternative suggestions to it. Finally, this paper will evaluate the strength of Goldman’s arguments and proposed alternate solutions. This paper posits that, while Goldman’s argument is valuable to an honest debate of the topic, it would be strengthened by acknowledging the extent of the problem segregate-and-suppress is meant to solve, and by giving more consideration to the breadth of compromise-driven solutions available to alleviate threats to children’s safety online.

Continue reading

The Privacy Parlay: How Data Mining and Targeted Ads Drive Gambling Addiction

mdecrow@maine.edu Paper , , , ,

The Privacy Parlay: How Data Mining and Targeted Ads Drive Gambling Addiction

Emily Weisser

 

I. Introduction

In the digital age, the gambler is not just the person placing the bets, they are also the data being wagered on. Every click, swipe, and deposit becomes part of a high-stakes game where the house rarely loses. Much like a parlay bet–where every leg must hit for the gambler to win–the modern gambling industry relies on data collection and targeted advertising to increase the number of returning customers, boosting its own profits while building a predictive framework that treats users as inputs rather than individuals. In this “privacy parlay,” the odds are overwhelmingly in favor of the house– the gambling operator.

The first leg of this parlay is the mining of consumer data, drawn from government-mandated identity verification information and voluntary interactions. Operators combine this data to build comprehensive behavioral profiles. The second leg involves monetizing this data through micro-targeted advertising, designed to exploit psychological vulnerabilities and nudge users toward repeated engagement. The third leg uses these insights to promote repeat play, conflating addiction with ordinary customer loyalty.

Despite the immense power of this system, the current regulatory landscape offers fragmented, inconsistent protection for consumers, leaving critical gaps in oversight. This essay explores data-driven gambling in the post-Professional and Amateur Sports Protection Act (“PASPA”) era and discusses the argument that a unified federal framework is necessary to regulate the privacy parlay–ensuring that data-driven gambling operates transparently, ethically, and in a manner that protects consumers from exploitation.

Continue reading

Put the Katz Back in the Bag: Restoring Privacy Rights in the Digital Age

mdecrow@maine.edu Paper , , ,

Put the Katz Back in the Bag: Restoring Privacy Rights in the Digital Age

Tommy Scherrer

 

The word “privacy” appears nowhere in the Constitution, yet the Supreme Court has recognized that a constitutional right to privacy emerges from certain “penumbras, formed by emanations” of guarantees in the Bill of Rights.[1] Of these guarantees, that of the Fourth Amendment provides the clearest architecture for a right to privacy by recognizing the individual citizen’s dominion over their “persons, houses, papers, and effects,” and requiring the government to justify any intrusion.[2] This article argues for a restoration of the American privacy regime to this original foundation: enforceable boundaries that empower individuals to control access to their lives.

I. Introduction

The Court complicated the foundations of American privacy rights in Katz v. United States when it reimagined privacy rights as a matter of “reasonable expectations.”[3] That formulation was intended to liberalize the Fourth Amendment and extend its protections beyond physical trespass. However, by grounding privacy rights in what a small group of lawyers believe society recognizes as “reasonable,” the Court detached protection from the concrete boundaries of the Constitution and created an ambiguous standard. As we journey further into the 21st century, and state and private surveillance become normalized as necessary to a secure society, our general expectation of privacy is shrinking rapidly, and our rights are shrinking with it.

The text of the Constitution protects citizens through their persons, homes, papers, and effects—real places and things that anchor enforceable boundaries. Katz inverted that logic by replacing hardline rules with shifting baselines and mistaking trust for consent to surveillance. In the decades that followed, this logic hardened into the third-party doctrine, which holds that any information shared with others loses constitutional protection.[4] The consequences of this doctrine are especially harsh in today’s world, when nearly all personal information flows through third parties. If privacy rights are to remain a foundation of democratic life, they need to be grounded in some sort of enforceable boundary. Because today’s data and the inferences drawn from it can reach further into private life than any physical trespass, the protections of the Fourth Amendment must be interpreted with that reality in mind.

Continue reading