Data Is What Data Does: Regulating Use, Harm, and Risk Instead of Sensitive Data
“… nothing meaningful for regulation can be determined solely by looking at the data itself. Data is what data does. Personal data is harmful when its use causes harm or creates a risk of harm. It is not harmful if it is not used in a way to cause harm or risk of harm.”
Strategic Data Access Management
“An employee may be attacked by a potentially sophisticated adversary whose goal is to steal all their data. Therefore, the firm trades off the efficiency benefit of the more permissive data access architecture with the adversarial risk it incurs. We characterize the firm’s optimal data access architecture and investigate how it depends both on the adversarial environment […]
Auditors’ Response to Cybersecurity Risk: Human Capital Investment and Cross-Client Influence
“Our evidence also implies that client firms that share the same audit office as breached firms increase their disclosure of cybersecurity risk and their demand for cybersecurity human capital. Reconciling with the Bayesian learning theory, these effects only manifest for auditors located in states that have been only sporadically exposed to data breaches.”
The AI ESG Protocol: Evaluating and Disclosing the ESG Implications of AI Capabilities, Assets, and Activities
“There is currently limited information on and a lack of a unified approach to AI and ESG, and a need for tools for systematically assessing and disclosing the ESG related impacts of AI and data capabilities. I here propose the AI ESG protocol, which is a flexible high-level tool for evaluating and disclosing such impacts…” […]
The GDPR and Unstructured Data: Is Anonymization Possible?
“This article examines the two contrasting approaches for determining identifiability that are prevalent today: (i) the risk-based approach and (ii) the strict approach in the Article 29 Working Party’s Opinion on Anonymization Techniques (WP 216). Through two case studies, we illustrate the challenges encountered when trying to anonymize unstructured datasets. We show that, while the risk-based approach […]
The UK reform of data protection: impact on data subjects, harm prevention, and regulatory probity
“… the proposed reforms risk (1) undermining the data subjects’ rights that were ensured with the adoption of the EU GDPR into UK law; (2) introducing an accountability framework that is inadequate to address harm prevention; and (3) eroding the regulatory probity of the Information Commissioner’s Office (ICO). We also comment on the analysis of the expected […]
Data Privacy, Human Rights, and Algorithmic Opacity
“… in a world where algorithmic opacity has become a strategic tool for firms to escape accountability, regulators in the EU, the US, and elsewhere should adopt a human-rights-based approach to impose a social transparency duty on firms deploying high-risk AI techniques.”