15 November 2014


'Rank Among Equals' by Ben A. McJunkin in Michigan Law Review (Forthcoming) comments 
Dignity is on the march. As illustrated by Justice Kennedy’s recent majority opinion in United States v. Windsor, the concept — once seen as exclusive to moral philosophy — has taken on increasing importance in the legal realm, particularly in the recognition of individual human rights. Jeremy Waldron's recent book, Dignity, Rank, and Rights, offers a profound and provocative take on dignity's newfound centrality to law. Waldron contends that dignity currently operates as a universal legal status that entails individual rights. He suggests that this development reflects the gradual democratization of aristocratic privilege — a kind of "leveling up" of humanity. 
This Review disentangles and separately examines the two core accounts of dignity in Waldron's work. The first, which purports to identify the nature of contemporary legal dignity as a form of status, appears to be a promising step toward better understanding the role dignity plays in law. The second, Waldron's historical account of dignity's development that offers up something like an origin story for our contemporary conceptions, is more troubling. Borrowing from feminist theory and queer theory, as well as from the equality projects to which they are allied, I contend that Waldron's narratives of extending aristocratic privilege threaten to entrench inequality and injustice while limiting the potential for marginalized groups to employ dignity as a deeply remedial legal tool. I urge Waldron to revisit dignity's expressive connection to human worth, which has proven central to dignity-based antidiscrimination and antisubordination projects.


'Empirical Analysis of Data Breach Litigation' by Sasha Romanosky, David Hoffman and Alessandro Acquisti in (2014) 11(1) Journal of Empirical Legal Studies 74–104 argues
The surge in popularity of social media, e-commerce, and mobile services is proof of the benefits consumers are enjoying from information and communication technologies. However, these same technologies can create harm when personal consumer information is lost or stolen, causing emotional distress or monetary damage from fraud and identity theft. Since 2005, an estimated 543 million records have been lost from over 2,800 data breaches,  and identity theft caused $13.3 billion in consumer financial loss in 2010 (BJS 2011). In response, federal legislators have introduced numerous bills that define appropriate business practices regarding the collection and protection of consumer information,  and federal regulators have drafted privacy frameworks for consumer data protection (Department of Commerce 2010; FTC 2010). A significant concern for policymakers, therefore, is balancing ex ante regulation with ex post litigation to protect both consumer and commercial interests. For instance, the Department of Commerce inquired: “should baseline commercial data privacy legislation include a private right of action?” (Department of Commerce 2010:30). At issue is the degree to which the current liability regime sufficiently addresses modern privacy harms, or whether a new, more effective federal liability standard is required. 
On one hand, a weak litigation regime would be ineffective at deterring a firm's harmful or negligent behavior. Lawsuits that are inappropriately disposed of eliminate a plaintiff's ability to obtain appropriate relief for legitimate harms. For example, a case was successfully brought against Rite Aid for carelessly tossing pharmacy labels and employment applications in a public trash dumpster. In the settlement, Rite Aid agreed to “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” Without legal action, such careless practices may have never been corrected.
On the other hand, a heavy-handed litigation regime could impose excessive legal fees and damage awards and—according to some—stifle innovation. For instance, Netflix, an online movie rental site, offered a $1 million prize to anyone who could sufficiently improve its movie recommendation algorithm. To facilitate the contest, Netflix published (what was believed to be) anonymized rental information for a sample of its users. Due to lawsuits stemming from the reidentification of these data, Netflix cancelled a subsequent contest. While the total social value of such innovation may be limited, the Netflix case provides one example of how litigation can impact firms' product development.
Our research attempts to offer novel insight into this debate by providing the first comprehensive empirical analysis of data breach litigation, and investigates the drivers, mechanisms, and outcomes of data breach litigation.
Determining whether current U.S. privacy laws are too weak or too strong is not easy. It is difficult (and perhaps impossible) to assess the aggregate costs and benefits for both consumers and firms of different privacy regimes in purely monetary terms (Romanosky & Acquisti 2009). However, even just understanding the landscape of privacy litigation is a problem. Little is known about the trends in data breach litigation—which breaches are litigated and which are not, and with what outcomes. While there exists some legal scholarship regarding data breach litigation (Citron 2007, 2011; Rice 2007; Serwin 2009), it typically examines a narrow subset of lawsuits, focusing on high-profile cases or those with published opinions. Unfortunately, given that as few as 15 percent of all federal lawsuits produce reported opinions (Hoffman et al. 2007), any conclusions reached from examining particular, high-profile cases are likely unrepresentative of the full population of data breach lawsuits. Consequently, it remains still unclear what characteristics these lawsuits actually possess, and how “successful” they have been.
To our knowledge, no empirical research involving data breach lawsuits has been conducted. The purpose of this article is to address this research and policy gap by investigating empirically a representative collection of federal data breach lawsuits and their outcomes. We overcome common sample selection issues by searching Westlaw and acquiring data directly from court dockets (PACER), in combination with other publicly available data sources.
In addition to presenting rich descriptive information about these lawsuits, we explore two sets of questions. First, what kinds of data breaches are being litigated in federal court, and why? Second, what kinds of data breach lawsuits are settling, and why? Our first question examines federal lawsuits resulting from reported data breaches, while the second question includes all known federal lawsuits related to the unauthorized disclosure of personal information.
Our analysis reveals that federal data breach lawsuits typically exhibit a number of significant characteristics. First, plaintiffs seek relief for one or more of: actual loss from identity theft (e.g., financial or medical fraud), emotional distress, cost of preventing future losses (e.g., credit monitoring and identity theft insurance), and the increased risk of future harm. Second, the lawsuits are usually private class actions, though some are brought by public entities such as the Federal Trade Commission or state attorneys general. Third, defendants are typically large firms such as banks, medical/insurance entities, retailers, or other private businesses. Fourth, complaints allege a staggering range of both common-law (tort, breach of contract) and statutory causes of action. And fifth, the vast majority of cases either settle, or are dismissed, either as a matter of law, or because the plaintiff was unable to demonstrate actual harm.
In addition, we find that the odds of a firm being sued are 3.5 times greater when individuals suffered financial harm, but over 6 times lower when the firm provides free credit monitoring to those affected by the breach. Moreover, the odds of a firm being sued as a result of improperly disposing of data are 3 times greater relative to breaches caused by lost/stolen data, and 6 times greater when the data breach involved the loss of financial information. Our analysis suggests that defendants settle 30 percent more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. The odds of a settlement are found to be 10 times greater when the breach is caused by a cyber attack, relative to lost or stolen hardware, and the compromise of medical data increases the probability of settlement by 31 percent.
By providing a comprehensive empirical analysis of data breach litigation, these findings offer insight into the debate over privacy litigation versus privacy regulation. Specifically, we believe that answering these questions will help inform firms, consumers, and policymakers regarding the risks associated with the collection and use of personal information, and the characteristics and outcomes of federal data breach litigation.
The next section provides background literature related to data breaches, docket analysis, and litigation. We then examine which breaches are litigated and, conditional on suit, which cases settle. Discussions of limitations and final conclusions complete the article.

08 November 2014


'Exemplary Damages for Invasions of Privacy' by Normann Witzleb in (2014) 6(1) Journal of Media Law 69-93 comments
As part of the [UK] government response to the Leveson Report, the Crime and Courts Act 2013 (UK) introduces new provisions on the availability of exemplary damages for media torts. This Act creates a statutory bar to the awarding of exemplary damages against a publisher who has become a member of an approved regulator but otherwise makes them available in narrowly defined circumstances. The article explores the extent to which the changes are likely to affect media publishers and, as part of this analysis, compares the new provisions with current English law as well as the relevant law in Australia, New Zealand and Canada. It also examines whether the new statutory regime is compatible with the UK’s obligations under the European Convention on Human Rights. The article concludes that the statutory measures are to be welcomed because exemplary damages have an important but limited role in deterring particularly egregious media misconduct and the provisions provide more certainty to media publishers as to when they can be ordered. The article also argues that the new provisions on exemplary damages are compatible with the UK’s obligations under the Convention.

Decent Illiberal People

'Fifteen Years Later: Reflections on Realism and Utopia in 'The Law of Peoples' by John Rawls' by Wojciech Sadurski (Sydney Law School Research Paper No. 14/93) comments 
Fifteen years ago, the last important, book-length statement about liberal values and ideals by John Rawls appeared, "The Law of Peoples". It was met with a good deal of surprise and disenchantment by many admirers of the “early Rawls” (the Rawls of "A Theory of Justice"). This essay reflects upon The Law of Peoples, and the grounds of liberal disenchantment with the book. It explores the status of "illiberal decent peoples" in the law of peoples, and connects this issue with the purposes of Rawls’ theory understood as a “realistic utopia”, and argues that the inclusion of illiberal, decent peoples must be seen as a matter of moral choice rather than a concession to Realpolitik. This moral choice is supported by Rawls’ methodology in "The Law of Peoples", and in particular, the deliberately emaciated social contract, original position and reflective equilibrium. The key answers to the puzzles raised by these revisions of Rawls’ original liberal theory are to be found, it is claimed, in the role assigned to the ideal of toleration in "The Law of Peoples". However, the use of this ideal is ill-advised as no link is demonstrated, or even asserted, between toleration and the individuals who belong to the peoples who are to be tolerated.


'Economics of Legal History' by Daniel M. Klerman in Francesco Parisi (ed) Oxford Handbook of Law & Economics (2014) surveys economic analyses of legal history.
In order to make sense of the field and to provide examples that might guide and inspire future research, it identifies and discusses five genres of scholarship.
1) Law as the dependent variable. This genre tries to explain why societies have the laws they do and why laws change over time. Early economic analysis tended to assume that law was efficient, while later scholars have usually adopted more realistic models of judicial and legislative behavior that take into account interest groups, institutions, and transactions costs.
2) Law as an independent variable. Studies of this kind look at the effect of law and legal change on human behavior. Examples include analyses of the Glorious Revolution, legal origin, and nineteenth-century women’s rights legislation.
3) Bidirectional histories. Studies in the first two genres analyze law as either cause or effect. In contrast, bidirectional histories view law and society as interacting in dynamic ways over time. Laws change society, but change in society in turn leads to pressure to change the law, which starts the cycle over again. So, for example, the medieval communal responsibility system fostered international trade by holding traders from the same city or region collectively responsible. Nevertheless, the increase in commerce fostered by the system undermined the effectiveness of collective responsibility and put pressure on cities and nations to develop alternative enforcement institutions.
4) Private ordering. A significant body of historical work investigates the ability of groups to develop norms and practices partly or wholly independently of the state. Such norms include rules relating to whaling, the governance of pirate ships, and, more controversially, medieval commercial law (the “law merchant”).
5) Litigation and Contracts. Law and economics has developed an impressive body of theories relating to litigation and the structure of contracts. These theories often shed light on legal behavior in former times, including contracts between slave ship owners and captains, and the suit and settlement decisions of medieval private prosecutors.

04 November 2014

Metadata and Discovery

A reminder about the potential for use by private investigators of metadata - on which the national Government is alas still apparently confused - is provided in AS v Murray [2013] NSWSC 733, which centres on the tort of intimidation.

The plaintiff [subject of a non-publication order under the Court Suppression and Non-Publication Orders Act 2010 (NSW)] sought to recover $26,666 claimed to have been paid to Stephen James Murray as a result of extortion. The plaintiff also sought orders restraining Murray from communicating to any person any representation in relation to the plaintiff and restraining Murray from communicating in any form with the plaintiff other than by communicating with the plaintiff's solicitors. The plaintiff sought exemplary damages against the defendant in respect of the extortion.

The judgment states that
There is no doubt that the plaintiff paid the sum of $26,666 as a result of extortion. The plaintiff gives uncontradicted evidence to that effect and there is no reason to doubt that evidence. The only real question in this case is whether the extortionist was the defendant.
The extortion began in about December 2011 when the plaintiff received, at work, an unsolicited email from a person who identified themselves as "Felicity Jones". In a series of emails the extortionist demanded $26,666 and threatened to reveal to the plaintiff's wife, family and employer personal information concerning the plaintiff, and in particular the fact that the plaintiff had joined an internet dating site, if the plaintiff did not pay the amount demanded. It was apparent from the email sent to the plaintiff that the sender had considerable information concerning the plaintiff and appeared to have obtained that information by hacking into the plaintiff's computer and mobile telephone.
Eventually arrangements were made for the money to be paid in cash by leaving it at a place nominated by the extortionist, which is what happened. The plaintiff heard nothing further until 8 November 2012 when the extortionist began to make a fresh demand for $40,000. In response, the plaintiff engaged a computer forensic expert who was able to identify the IP address from which it was highly likely that the extortionist's emails had been sent. That IP address belonged to Telstra Corporation Limited (Telstra). The plaintiff then commenced these proceedings on 9 February 2013 initially seeking preliminary discovery against Telstra for records in relation to the IP address and against Vodafone Hutchison Australia Pty Ltd (Vodafone) for records kept in relation to the mobile telephone number from which the extortionist sent the plaintiff text messages.
Metadata, in other words, with discovery by a private agent rather than by the AFP, ASIO or other government agency.

The judgment goes on to state that
Preliminary discovery against Vodafone did not lead anywhere. However, preliminary discovery against Telstra revealed that two Telstra account holders had accessed the IP address identified by the forensic expert. One account holder was the defendant. The information disclosed by Telstra also disclosed a post office box number as the billing address for that account. The second email address was said to belong to a Christopher Robbins. It may be inferred that that name is fictitious. As a result of the information provided by Telstra, the plaintiff sought preliminary discovery against the Australian Postal Corporation (Australia Post). Material produced by Australia Post showed that the post office box belonged to the defendant and gave a physical address for the defendant in Huntingdale, Victoria. Using that address, the plaintiff joined the defendant and applied for search orders, which were granted on 15 March 2013.
The independent solicitor appointed by the court sought to execute those orders on 18 March 2013. However, the defendant refused to comply with them. In the meantime, the plaintiff arranged for a private investigator to conduct surveillance of the defendant. Following the attempt to execute the search order the defendant, at approximately 9 pm on 18 March 2013, drove to a place where he worked and appeared to place something in a large bin. Subsequently the private investigator searched that bin, but only found garden refuse.
A further search order was made by the court on 20 March 2013. That order was executed on 22 March 2013. During the execution of that order the defendant claimed that his home had been burgled and that a computer had been stolen. The defendant also conceded that he worked as a private investigator and had investigated the plaintiff about four years previously. He said that he may have a file relating to that investigation, although that file could not be found. The defendant did, however, have other files relating to his work as a private investigator. The search party found an internet thumb drive. The defendant denied that he had any other means of accessing the internet. However, shortly afterwards the search party found a Netgear-Bigpond wireless server. The defendant denied that he knew the login name and password for that device. However, the IP address associated with that device is the same as the IP address that the forensic expert identified as the one from which it was highly likely the emails had been sent. The search order was also executed at other premises.
As a result of the search order two computer towers, two memory cards and a laptop were located and impounded. Among material found were copies of a number of the emails that had been sent to the plaintiff under the name Felicity Jones.
In my opinion it is clear from this material that the defendant is the extortionist. That conclusion is supported by the fact that the emails were sent from an IP address associated with the defendant and the fact that the defendant had copies of the offending emails. It is also supported by the defendant's behaviour. Although nothing was found in the bin, the defendant's behaviour in driving to it at around 9 pm at night, the claim that he had been the victim of a burglary whilst under surveillance, the absence of any evidence of a burglary and the absence of the defendant's file relating to the plaintiff, strongly suggest that that file was destroyed by the defendant. The fact that the defendant had investigated the plaintiff four years earlier explains how the defendant chose the plaintiff to be the object of his extortion.
In the email the defendant sent to my associate he complains about the way the search order was executed. However, Mr Stevens, the independent solicitor appointed to conduct the search order, has provided a detailed account of the steps he took to serve and execute the order. I accept that evidence and, in my opinion, it demonstrates that there was no unfairness in the way the order was executed.
The Court concluded that Murray committed the tort of intimidation and referred to an offence under s 249K of the Crimes Act 1900 (NSW).

The judgment states that 
By [the] unlawful threats, the defendant compelled the plaintiff to pay the sum of $26,666. The plaintiff is entitled to recover that sum as damages.
In my opinion, the plaintiff is also entitled to injunctions in the form that he seeks. There are two bases for those injunctions. First, the plaintiff is entitled to an injunction to restrain threatened further conduct that would amount to the tort of intimidation. Second, the plaintiff is entitled to restrain the defendant from using confidential information that the defendant obtained improperly by hacking into the plaintiff's computer.
As to the first basis, s 66 of the Supreme Court Act 1970 (NSW) provides: (1) The Court may, at any stage of proceedings, by interlocutory or other injunction, restrain any threatened or apprehended breach of contract or other injury. (2) Subsection (1) applies as well in a case where an injury is not actionable unless it causes damage as in other cases. ...
It will often be appropriate for the court to grant an injunction to restrain the threatened commission of a tort where damages are an inadequate remedy. In the present case, damages are clearly not an adequate remedy. The vice in the defendant's conduct is as much in the threat as in the conduct that completes the tort and there is no means by an award of damages to compensate the plaintiff for the injury caused by that threat. As to the second basis, the court will grant an injunction to restrain the publication of improperly obtained confidential information; see Meagher, Gummow and Lehane's Equity Doctrines & Remedies, 4th ed (2002) LexisNexis Butterworths at [41-045]. The information obtained by the defendant was confidential because it was personal information concerning the plaintiff. It was clearly obtained improperly because it was obtained by hacking into the plaintiff's computer.
The injunctions sought by the plaintiff are expressed very broadly. However, there is no relationship between the plaintiff and the defendant. The defendant has no reason either to contact the plaintiff or to make representations concerning the plaintiff other than in furtherance of his attempts at extortion. There are difficulties in formulating narrower injunctions which achieve the objective of preventing the defendant making further threats and carrying out those threats, and at the same time making it clear what the defendant must not do. For those reasons, in my opinion, it is appropriate to grant injunctions in the terms sought by the plaintiff.


'Justifying Children's Rights' by John William Tobin in (2013) 21 International Journal of Children's Rights aims to
interrogate some of the central questions posed by these competing theories and assess whether the idea of human rights for children can be justified.
Tobin comments
Can the idea of human rights for children be justified? Does an answer to this question really matter? Children’s rights are, after all, already recognized in international law, most notably the Convention on the Rights of the Child (‘CRC’). They are increasingly included in national constitutions (Tobin 2005) and considered by judicial bodies at the international, regional and domestic levels (Tobin 2009; Sloth Neilsen 2008). They are also increasingly used as a policy framework by governments (Lundy 2012; Stalford 2011), a research paradigm by scholars (Reynaert 2009) and as an advocacy tool by civil society worldwide (Fernando 2001; Tobin 2011).
Despite this widespread engagement with the discourse of children’s rights some still believe that the idea of children’s rights has ‘failed to secure a coherent… intellectual foundation’ (Minnow 1995; Guggenheim 2005, ix) and ‘remains largely undertheorised’ (Dixon & Nussbaum 2012). This is not to suggest that the conceptual foundations of children’s rights have been entirely neglected. This may have been the case twenty-five years ago, when Michael Freeman lamented the absence of a ‘reasoned normative thesis’ to explain the moral grounds for children’s rights (Freeman 1987, 300). In the intervening years, scholars, including Freeman himself, have increasingly sought to answer his question, ‘what is the moral justification for giving rights to children?’ (Freeman 1987, 304). The literature tends to fall into three broad camps – those who support the idea of rights for children because of its role in securing their dignity (Freeman 1992, 2007, 2010; Eekelaar 2008; Archard 2004); those who oppose the idea of rights for children because of their lack of capacity (Griffin 2009; Purdy 1994); and those who oppose the idea because of concerns such as the impact of rights on the family structure (Guggenheim 2005; Goldstein et al 1998; Seymour 2005), the Western origins of human rights, or a preference for alternative discourses such as obligations (O’Neil 1988, 2002) or an ethic of care (Arneil 2002; King 1997).
This paper aims to interrogate some of the central questions posed by these competing theories and assess whether the idea of human rights for children can be justified. It consists of three parts. Part I considers the preliminary question of whether such an inquiry is necessary. It concludes that an examination of the conceptual foundations of children’s rights serves two critical functions – one practical and one philosophical. From a practical perspective, it has the capacity to assist in resolving broader dilemmas with respect to the meaning of these rights and encourage more reflective practice by proponents of children’s rights (Reynaert 2012, 156). It also has the potential to dampen opponents’ skepticism about the idea of children’s rights by establishing a ‘secure intellectual standing’ that can address its ‘conceptual doubts.’ (Sen 2004, 317.)
Part II explores whether the idea of human rights for children under the CRC can be justified. A focus on the CRC has been adopted because, although this instrument has been described as ‘the unavoidable contemporary context for thinking about the status of children’ (Archard 2004, 218), its conceptual foundations have escaped the close attention of commentators. It will be argued that there is an overlapping consensus as to the conceptual foundations of children’s rights under the CRC. This consensus is facilitated by a conception of dignity in which all human beings, including children, have unique value and a conception of children as being vulnerable relative to adults yet possessing an evolving capacity for agency and autonomy. It is this conception of children, which is empirically grounded and socially constructed, that provides the foundation for the ‘special’ human rights that are granted to children under international law.
Moreover, this conception of human rights for children is grounded in an interest theory rather than the rival will theory of rights. Children may sometimes lack the capacity to exercise their rights but it is their interests, not their capacity, which found their rights. With respect to the determination of which interests justify elevation to the status of a human right, a social interest theory is preferred to other explanations, such as an ‘urgent’ (Beitz 2005, 109-10) or ‘basic’ interest theory (Buchanan & Hessler 2009, 213). This social interest theory consists of both descriptive and substantive dimensions. The former refers to the deliberative process by which interests are elevated to the status of rights, whereas the latter demands that this process should include both rights-holders and duty-bearers. However, this requirement creates a serious dilemma when seeking to justify the CRC conception of rights, because the drafting process was dominated by Western states and completely excluded children. Part III therefore uses the social interest theory of right to assess whether the conception of rights under the CRC can be justified. It concludes that this is the case and that this instrument is capable of producing a culturally sensitive, dynamic, inclusive and relational conception of rights that remedies many of the deficiencies associated with the traditional conception of human rights as being Western, adult-centric, individualistic trumps.