Finding the Best of the Imperfect
Alternatives for Privacy,
Health IT, and Cybersecurity
Peter Swire
Moritz College of Law
Wisconsin Symposium in Honor of Neil Komesar
October 20, 2012
To Begin
• 2003 Law of Cybersecurity Course
• Theory and practice
Overview
• Market and government failures
• Examples
• HIPAA medical privacy
• Health IT and 2009 funding
• Internet privacy
• Cybersecurity
• Role of courts
• Conclusion
The Test of a First-Rate Intelligence
• Market failures and welfare economics
• Government failures and public choice
• Coase and Williamson
• The test of a first-rate intelligence
• These two ideas all-too-often incompatible, at
least in D.C.
• “My ultimate goal is to aid the reformation of
society”
• So, I suggest the following description …
“A Raging Moderate”
• Passionate commitment to reform society
• Acute awareness of market failures
• Acute awareness of government failures
• I find this congenial
• OIRA does as well
HIPAA Privacy Rule
• 1999-2000 HHS reg
• Clearly had flaws
• But Congress couldn’t do it
• And electronic payments compelled action, so
“Tasks that strain the abilities of an institution
may wisely be assigned to it anyway if the
alternatives are worse”
Health IT in ARRA
• Bipartisan support for EHRs, not manila folders
• Need standards for interoperability
• The market didn’t do it, even with jawboning
• Recovery Act
• $19 billion
• “Meaningful use”
• Tipping point for adoption, so
“The analysis converges with Ronald Coase’s
famous transaction cost approach”
Internet Privacy
• Market failure – hard for consumer to monitor
data flows
• Government failure – hard to dictate acceptable
technology, quickly and accurately
• 1997 paper on “Markets, Self-Regulation, and
Government Enforcement in the Protection of
Personal Information”
• But, self-regulation only works here when have a
credible threat of government action, so …
• Speaking prose
Cybersecurity
• 2003 course
• Market failures – externalities
• Government failures – like privacy only worse
• “First, do no harm” – don’t create backdoors
to help surveillance
• Large bank CISO, so
“Quite commonly … institutions move together”
The Courts
• Some information policy issues have specific
factual triggers and/or harms
• Defamation
• Data breach
• Violate a promise – Section 5 FTCA
• IP and infringement
• Many, though, concern design of complex, fast-changing IT systems
• Judicial management through “structural
reform” suits?
• I’m skeptical
Conclusion
• Imperfect Alternatives and 2003 course
• An analytic approach for a wide range of
issues
• And, a call for something too rare in a
divided political world, the passion and
humility of “raging moderation”