The State of Information Security Law: A Focus on the Key Legal Trends
Why this work is in the frame
A frame that forgets how it found something cannot be audited. These are the routes that admitted this work.
Bibliographic record
Abstract
Click to increase image sizeClick to decrease image size Notes 1. "As a result of increasing interconnectivity, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities. This raises new issues for security." OECD Guidelines for the Security of Information Systems and Networks, July 25, 2002, at p. 7, available at www.oecd.org/dataoecd/16/22/15582260.pdf. 2. Although not the subject of this article, it is important to note that countries are also enacting cybercrime legislation to make clear that certain online activities are illegal and to assist law enforcement in efforts to prosecute cyber criminals. To that end, the Privacy and Computer Crime Committee of the American Bar Association Section of Science & Technology Law has recently undertaken a project to develop a Model Cybercrime Law for the UN International Telecommunication Union's (ITU) Cybersecurity Work Programme to Assist Developing Countries. See also the International Guide to Combating Cybercrime published by this Committee, available at http://www.abanet.org/dch/committee.cfm?com=ST202003. 3. See the Appendix for a compilation of some of the key laws and regulations governing information security. 4. See, e.g., EU Data Protection Directive and HIPAA, cited in the Appendix. 5. See, e.g., E-SIGN, UETA, and UN Convention cited in the Appendix. 6. See, e.g., Kimberly Kiefer and Randy V. Sabett, Openness of Internet Creates Potential for Corporate Information Security Liability, BNA Privacy & Security Law Report, Vol. 1, No. 25 at 788 (June 24, 2002); Alan Charles Raul, Frank R. Volpe, and Gabriel S. Meyer, Liability for Computer Glitches and Online Security Lapses, BNA Electronic Commerce Law Report, Vol. 6, No. 31 at 849 (August 8, 2001); Erin Kenneally, The Byte Stops Here: Duty and Liability for Negligent Internet Security, Computer Security Journal, Vol. XVI, No. 2, 2000. 7. See, e.g., Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007); Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006); and Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005) (all affirming a negligence cause of action). See also, In Re TJX Companies Retail Security Breach Litigation, 2007 U.S. Dist. Lexis 77236 (D. Mass. October 12, 2007) (rejecting a negligence claim due to the economic loss doctrine, but allowing a negligent misrepresentation claim to proceed). 8. See, e.g., American Express v. Vinhnee, 2005 Bankr. Lexis 2602 (9th Cir. Bk. App. Panel, 2005); Lorraine v. Markel, 2007 U.S. Dist. Lexis 33020 (D. MD. May 4, 2007). 9. Available at www.pcisecuritystandards.org. 10. Available at www.cabforum.org. 11. ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005) (hereinafter "ISO/IEC 27001"), available for purchase at http://www.standards-online.net/InformationSecurityStandard.htm. 12. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "EU Data Protection Directive"). 13. See statutes listed in the Appendix. 14. See statutes listed in the Appendix. 15. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 U.S.C. 1320d-2 and 1320d-4, (providing that "each person … who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards: (A) to ensure the integrity and confidentiality of the information; (B) to protect against any reasonably anticipated: (i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and (C) otherwise to ensure compliance with this part by the officers and employees of such person," at 42 U.S.C. 1320d-2(d)(2). 16. Gramm-Leach-Bliley Financial Services Modernization Act ("GLB"), Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), at §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, providing that "[E]ach financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." 17. See, Gramm-Leach-Bliley Act ("GLB"), Public Law 106-102, §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, and implementing regulations at 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision) and 16 C.F.R. Part 314 (FTC). 18. Final HIPAA Security Regulations, 45 C.F.R. Part 164. 19. There have also been efforts in the United States to pursue comprehensive federal privacy similar to the approach taken by many other countries. See e.g., Microsoft position paper at www.microsoft.com/presspass/download/features/2005/PrivacyLegislationCallWP.doc. Although it remains to be seen whether that approach will ultimately be adopted, it is clear that the combination of U.S. state and federal law has, in effect, imposed a comprehensive obligation of security with respect to all personal information held by all companies. 20. See, e.g., FTC enforcement actions regarding In the Matter of Sunbelt Lending Services, Inc.; In the Matter of Petco Animal Supplies, Inc.; In the Matter of MTS, Inc., d/b/a Tower records/Books/Video; In the matter of Guess?, Inc.; FTC V. Microsoft; and In the Matter of Eli Lilly and Company cited in the Appendix. 21. See, e.g., FTC enforcement actions regarding In the Matter of CardSystems Solutions, Inc.; United States v. ChoicePoint, Inc.; In the Matter of DSW Inc.; and In the Matter of BJ's Wholesale Club, Inc. cited in the Appendix. 22. See list in the Appendix. 23. See, e.g., Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006) and Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005). 24. 205 Mich. App. Lexis 353 at ∗16 (Mich. App. 2005). 25. 2006 U.S. Dist. Lexis 4846 at ∗9 (D. Minn. 2006). 26. Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007). 27. In Re TJX Companies Retail Security Breach Litigation, 2007 U.S. Dist. Lexis 77236 (D. Mass. October 12, 2007), at pp. 28–29. 28. Ibid. 29. The Homeland Security Act of 2002 defines the term "information system" to mean "any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information, and includes—(A) computers and computer networks; (B) ancillary equipment; (C) software, firmware, and related procedures; (D) services, including support services; and (E) related resources." Homeland Security Act of 2002, Pub. L. 107-296, at Section 1001(b), amending 44 U.S.C. § 3532(b)(4). 30. See, e.g., Australia, Information Privacy Principles under the Privacy Act 1988, Principle No. 4, available at www.privacy.gov.au/publications/ipps.html; AICPA and the Canadian Institute of Chartered Accountants (CICA), Generally Accepted Privacy principles, Principle No. 8, available at http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles; APEC, Privacy principles, Principle No. 7, available at http://austlii.edu.au/∼graham/APEC/APECv10.doc; US-EU Safe Harbor Privacy Principles, available at www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm; Direct Marketing Association, Online Marketing Guidelines, available at www.the-dma.org/guidelines/onlineguidelines.shtml. 31. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter "EU Data Protection Directive"). 32. EU Data Protection Directive, Preamble at Para. 46. 33. EU Data Protection Directive, Article 17(1). 34. See statutes listed in the Appendix. 35. See statutes listed in the Appendix. 36. See generally, Bruce H. Nearon, Jon Stanley, Steven W. Teppler, and Joseph Burton, Life after Sarbanes-Oxley: The Merger of Information Security and Accountability, Jurimetrics Journal, Vol. 45, 379–412 (2005). 37. American Express v. Vinhnee, 336 B.R. 437; 2005 Bankr. Lexis 2602 (9th Cir. December 16, 2006). 38. Ibid., at p. 444. 39. Ibid., at p. 445. 40. Ibid., at pp. 446–447. 41. Ibid., at p. 449. 42. See, e.g., National Association of Corporate Directors, Information Security Oversight (2007). 43. Sarbanes-Oxley Act, Section 302. 44. See, e.g., GLB Security Regulations (Federal Reserve) 12 C.F.R. 208, Appendix D-2.III(A). 45. HIPAA Security Regulations, 45 C.F.R. Section 164.308(a)(2). 46. See, FTC Decisions and Consent Decrees listed in the Appendix, including Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. 27(a), p. 7; Eli Lilly Decision at II.A. 47. FISMA, 44 U.S.C. 3544(a). 48. E. Michael Power and Roland L. Trope, Sailing in Dangerous Waters: A Director's Guide to Data Governanc e , American Bar Association (2005), p. 13; Roland L. Trope, "Directors' Digital Fiduciary Duties," IEEE Security & Privacy, January/February 2005 at p. 78. 49. Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). 50. Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005), at pp. 11–13 (noting that harm was foreseeable, but Board took no action). 51. Securing Cyberspace: Business Roundtable's Framework for the Future, Business Roundtable, May 19, 2004 at pp. 1, 2; available at www.businessroundtable.org/pdf//20040518000CyberSecurityPrinciples.pdf. The Business Roundtable is an association of chief executive officers of leading U.S. corporations with a combined workforce of more than 10 million employees in the United States. See www.businessroundtable.org. 52. Information Security Governance: A Call to Action, Corporate Governance Task Force Report, National Cyber Security Partnership, April 2004, pp. 12–13, available at www.cyberpartnership.org/InfoSecGov4_04.pdf. The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet, and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies, and industry experts. Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, this public–private partnership was established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure. Further information is available at www.cyberpartnership.org. 53. GLB Security Regulations (OCC), 12 C.F.R. Part 30, Appendix B, Part III.A and Part III.F. 54. See, e.g., Homeland Security Act of 2002 (Federal Information Security Management Act of 2002) 44 U.S.C. Section 3542(b)(1); GLB Security Regulations (OCC), 12 C.F.R. Part 30 Appendix B, Part II.B; HIPAA Security Regulations, 45 C.F.R. Section 164.306(a)(1); Microsoft Consent Decree at II, p. 4. 55. See, e.g., 44 USC 3532(b)(1), emphasis added. See also FISMA, 44 U.S.C. Section 3542(b)(1). Most of the foreign privacy laws also focus their security requirements from this perspective. This includes, for example, the EU Privacy Directive, Finland's Privacy Law, Italy's Privacy Law, and the UK Privacy Law. Also in this category is the Canadian Privacy Law. 56. Although they often focus on categories of security measures to address. See, e.g., HIPAA Security Regulations, 45 C.F.R. Part 164. 57. See, e.g., FDA regulations at 21 C.F.R. Part 11 (procedures and controls); SEC regulations at 17 C.F.R. 257.1(e)(3) (procedures); SEC regulations at 17 C.F.R. 240.17a-4 (controls); GLB regulations (FTC) 16 C.F.R. Part 314 (safeguards); Canada, Personal Information Protection and Electronic Documents Act, Schedule I, Section 4.7 (safeguards); EU Data Privacy Directive, Article 17(1) (measures) available at http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf. 58. See, e.g., HIPAA 42 U.S.C. 1302d-2, and HIPAA Security regulations, 45 CFR 164.306; COPPA, 15 U.S.C. 6502(b)(1)(D), and COPPA regulations 16 C.F.R. 312.8; IRS Rev. Proc. 97-22, sec. 4.01(2); SEC regulations 17 C.F.R. 257. See also UCC Article 4A, Section 202 ("commercially reasonable" security procedure), and Microsoft Consent Decree. 59. "Appropriate" security required by: HIPAA 42 U.S.C. 1302d-2, and HIPAA Security regulations, 45 CFR 164.306; EU Data Protection Directive, Article 17(1). 60. EU Data Protection Directive, Article 17(1) (emphasis added) 61. See, e.g., Belgium—Belgian Law of 8 December 1992 on Privacy Protection in relation to the Processing of Personal Data, as modified by the law of 11 December 1998 Implementing Directive 95/46/EC, and the law of 26 February 2003, Chapter IV, Article 16(4); Denmark—Act on Processing of Personal Data,; Act No. 429 of 31 May 2000 (unofficial English translation), Title IV, Part 11, Section 41(3); Estonia—Personal Data Protection Act; Passed February12, 2003 (RT1 I 2003, 26, 158), entered into force October 1, 2003, Chapter 3, Sections 19(2); Greece—Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data (as amended by Laws 2819/2000 and 2915/2001); Article 10(3); Ireland—Data Protection (Amendment) Act 2003; Section 2.-(1)(d) and First Schedule Article 7; Lithuania—Law on Legal Protection of Personal Data, January 21, 2003, No. IX-1296, Official translation, with amendments April 13, 2004, Article 24(1); Netherlands—25 892—Rules for the protection of personal data (Personal Data Protection Act) (Unofficial translation); Article 13; Portugal—Act on the Protection of Personal Data (transposing into the Portuguese legal system Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data), Article 14(1); Slovakia—Act No 428 of July 3, 2002 on personal data protection; Section 15(1); Sweden—Personal Data Act (1998:204); issued April 29, 1998, Section 31; and UK—Data Protection Act 1998, Schedule 1, Part I, Seventh Principle. 62. See, e.g., Finland—The Finnish Personal Data Act (523/1999), given on 22.4.1999, Section 32(1); Germany—Federal Data Protection Act as of January 1, 2003, Section 9; Hungary—Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest, Article 10(1); Italy—Personal Data Protection Code, Legislative Decree No. 196 of 30 June 2003, Sections 31 and 33; Spain—Organic Law 15/1999 of December 13 on the Protection of Personal Data, Article 9. 63. 5 USC Sec. 552a. 64. 5 U.S.C. § 552a (d)(10) (emphasis added). 65. 42 U.S.C. 1320d-2(d)(2). 66. See, Gramm-Leach-Bliley Act ("GLB"), Public Law 106-102, §§ 501 and 505(b), 15 U.S.C. §§ 6801, 6805, and implementing regulations at 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift Supervision) and 16 C.F.R. Part 314 (FTC) (emphasis added). 67. Cal. Civil Code § 1798.81.5(b). 68. See UN Convention at Article 9(3), 9(4), and ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005). See at February 1, 12 C.F.R. Part 30, Appendix B (OCC), 12 C.F.R. Part 208, Appendix D (Federal Reserve System), 12 C.F.R. Part 364, Appendix B (FDIC), 12 C.F.R. Part 568 (Office of Thrift May 16 C.F.R. Part 44 U.S.C. Section 45 C.F.R. 164. See of the on by of the Technology and Homeland Security of the Committee on the United States 21, 2007 at p. (noting that FTC under the GLB Act as a for the obligation to maintain reasonable and appropriate available at See also, of the the on Information and the Committee on U.S. House of on April 21, 2004, at p. 5 (noting that is an of reasonable and appropriate measures in of the available at See, e.g., FTC Decisions and Consent Decrees listed in the Appendix. See, e.g., National Association of Insurance for Information Model available at in at See, e.g., Consent Decrees listed in the Appendix. 78. See, e.g., Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006) and Bell v. Michigan Council, 2005 Mich. App. 353 (Mich. App. February 15, 2005). Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 (D. Minn. February 7, 2006). Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005). Committee on available at See, e.g., Italy—Personal Data Protection Code, Legislative Decree No. 196 of 30 June 2003, B, § Act No 428 of July 2002 on personal data § the Appendix, Act, B, Section Act, Section the Appendix, Act, Article Act, Section Act, 16(4); Act, Section 41(3); Act, Section Act, Section 32(1); Act, Section 9; Act, Article 10(3); Act, Article 10(1); Act, Article 24(1); Act, Article 13; Act, Article 14(1); Act, Section 15(1); Act, Article 9; Act, Section 31; UK Act, Schedule 1, Part I, Seventh Act, Article 7. the Appendix, Act, Schedule 2, Section Act, Act, Schedule 1, 4.7 Principle 7, Act, Section Act, Section Act, B, Sections and Act, Sections 17 and the Appendix, Act, Section A Security § Act, Section Decree the Appendix, Decree the Appendix, Act, Section Principle 4; Act, Article Act, Article Act, Sections and Act, Section Act, Section Act, Section Act, B, Sections and Act, Sections 17 and Bruce & Digital Security in a & at p. See, e.g., HIPAA Security Regulations, 45 C.F.R. Section See, e.g., Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. p. Eli Lilly Decision at II.B; GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part See, e.g., Microsoft Consent Decree at II, p. 4; Eli Lilly Decision at See, e.g., FISMA, 44 U.S.C. Sections and GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part See, e.g., In Electronic July 30, Financial Council, 2; available at See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations (OCC), 12 C.F.R. Part 30 Appendix B, Part Eli Lilly Decision at II.B; HIPAA Security Regulations, 45 C.F.R. Section Information Security Management Act of 2002 44 U.S.C. Section See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section Information Security Management Act of 2002 44 U.S.C. Section See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Information Security Management Act of 2002 44 U.S.C. Section See, e.g., Microsoft Consent Decree at II, p. 4; GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section See, e.g., HIPAA Security Regulations, 45 C.F.R. Section See, e.g., United States v. Cir. See, e.g., Inc. v. also v. or of to with and of See, e.g., HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part and Part FISMA, 44 U.S.C. Sections and Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of HIPAA Security Regulations, 45 CFR Section and and on HIPAA Security of & Section of Science & Technology Law, No. April 2003, at p. 2, available at See, e.g., HIPAA regulations 45 C.F.R. Sections and GLB Regulations, 12 C.F.R. 208, Appendix and 12 C.F.R. Part 30, Appendix B, Part Microsoft Consent at p. 4. HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Sections and GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section and Ziff Davis Assurance of Discontinuance, Para. 25, p. 6. HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Ziff Davis Assurance of Discontinuance, Para. p. 5 and Para. 25, p. 6. HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Ziff Davis Assurance of Discontinuance, Para. 25, p. 6. GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Ziff Davis Assurance of Discontinuance, Para. 25, p. HIPAA Security Regulations, 45 C.F.R. Sections and Ziff Davis Assurance of Discontinuance, Para. 25, p. 6. Ziff Davis Assurance of Discontinuance, Para. 25, p. 6. HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section HIPAA Security Regulations, 45 C.F.R. Section Ziff Davis Assurance of Discontinuance, and 26, pp. HIPAA Security Regulations, 45 C.F.R. Section GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part See, e.g., FISMA, 44 U.S.C. Section HIPAA Security Regulations, 45 C.F.R. Section Ziff Davis Assurance of Discontinuance, Para. p. 5. Ziff Davis Assurance of Discontinuance, Para. p. 7. HIPAA Security Regulations, 45 C.F.R. Section Microsoft Consent Decree at II, p. 4. FISMA, 44 U.S.C. Section Eli Lilly Decision at GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part Ziff Davis Assurance of Discontinuance, Para. and p. 7; Eli Lilly Decision at HIPAA Security Regulations, 45 C.F.R. Section Microsoft Consent Decree at II, p. 4; Ziff Davis Assurance of Discontinuance, Para. and p. 7; Eli Lilly Decision at GLB Security Regulations, 12 C.F.R. Part 30, Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section and GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section Microsoft Consent Decree at II, p. 4; Eli Lilly Decision at Microsoft Consent Decree at p. 5. Ziff Davis Assurance of Discontinuance, Para. p. 7. See, e.g., of the of the of National on 21, at See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part See, e.g., GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part HIPAA Security Regulations, 45 C.F.R. Section and GLB Security Regulations, 12 C.F.R. Part 30 Appendix B, Part Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007). See Bell v. Michigan Council, 2005 Mich. App. Lexis 353 (Mich. App. February 15, 2005). See Guin v. Brazos Higher Education Service, Civ. No. 05-668, 2006 U.S. Dist. Lexis 4846 at (D. Minn. February 7, 2006) that a was the to and a of a was not a of a of reasonable The Financial is a of U.S. federal agencies, that the Board of of the Reserve Insurance the National the of the of the and the of Thrift on on in an Internet 8, 2006 at p. available at on on in an Internet 8, 2006 at p. available at Guide for the Guidelines Information Security December available at Information Security July available at See National Institute of and Management Guide for Information Technology No. available at ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements (October 2005) (hereinafter "ISO/IEC ISO/IEC § for is the and of International and is of a of the of with and a in that the The American National Institute the United States. See, The also in and in related to including The of make its with the United States. See ISO/IEC 27001, § (emphasis added). ISO/IEC 27001, § ISO/IEC 27001, § ISO/IEC 27001, § 164. ISO/IEC 27001, § ISO/IEC 27001, §§ and 6. ISO/IEC 27001, §§ and 8. ISO/IEC 27001, §§ ISO/IEC that with an International not in from legal p. 1. EU Data Protection Directive, Article 8. Article Data Protection on the processing of personal data to health in health February 15, at pp. available at (emphasis in See list of state laws in Report, Security and Laws of 15, 2005 at Appendix available at Code, § Rev. Stat. Available at www.pcisecuritystandards.org. See list in the Appendix. See, e.g., 16 CFR Section Health Insurance Portability and Accountability Act Security Regulations, 45 C.F.R. § HIPAA security regulations to in the Act Security Regulations, 12 C.F.R. Part 30 Appendix B, Part security regulations to information in the financial Homeland Security Act of 2002 § 1001(b), amending 44 U.S.C. § and § amending 44 U.S.C. § information and information systems from unauthorized and regulations, 21 C.F.R. Part 11. See, e.g., Cal. Civil Code § 1798.81.5(b). See April 2, the Matter of of the Act of of Information and Information Services, No. No. April 2, at available at (hereinafter Wolfe v. MBNA America Bank, 485 F.Supp.2d 874, 882 (W.D. Tenn. 2007). in an Internet 12, 2005 available at This was by an on on in an Internet 8, available at of No. 25, The is an See, e.g., HIPAA Security Regulations, 45 C.F.R. § at p. 6. Ibid., at p. 3. Ibid. v. National 2007 U.S. App. Lexis 2007), at p. 13. See, e.g., on of Security Breach Personal of Privacy of April 2006 (hereinafter at pp. at note , at p. a of such in the United States and a of the number of individuals Privacy at IRS Rev. Proc. § See list of statutes in the Appendix. on for Access to Information and Part of A to Appendix, at 12 C.F.R. Part 30 (OCC), 12 C.F.R. Part (Federal Reserve System), 12 C.F.R. Part (FDIC), and 12 C.F.R. Part 568 (Office of Thrift 29, Vol. No. 29, at p. (hereinafter the maintains personal information that the not in the laws the to the or of the information, than the individuals of any of the security of the See, e.g., Code § Rev. Stat. § Code, § Stat. § Code § 2007 The also any combination of of information that to or the such as and or and See, e.g., Breach to the of & Financial Services, December 15 USC Section This that with the of at 15 USC Section and are of in this and are of in this See, and of a Duty to Information Security Computer & L. See and to Law the Protection of Personal BNA Privacy & Security Law Report, 19, p. May See at on the of the Framework for Electronic and Services, with focus on the 26, available at Science and Technology Committee, House of Internet of July 24, at Para. of the Privacy of Canada, for in to Privacy available at See Privacy Breach of the Privacy available at Privacy available at See, of the Privacy to the Law of February at available at Available at Available at to information to state
Fetched live from OpenAlex and de-inverted. Abstracts are not stored in this database: the inverted indexes are 8.6 GB of the frame’s 9.3 GB of text, and the host has 13 GB free.
Full frame distilled prediction
Teacher imitationNot calibrated prevalence, not ground truth. Human validation pending. Learned from the 10,348 direct Codex labels and 10,348 direct Gemma labels. Candidate is the union of thresholded teacher heads; consensus is their intersection. These outputs are machine_predicted_unvalidated and are not human labels or direct frontier model labels.
Codex and Gemma teacher scores by category
| Category | Codex | Gemma |
|---|---|---|
| Metaresearch | 0.001 | 0.000 |
| Meta-epidemiology (narrow) | 0.000 | 0.000 |
| Meta-epidemiology (broad) | 0.000 | 0.000 |
| Bibliometrics | 0.000 | 0.000 |
| Science and technology studies | 0.001 | 0.000 |
| Scholarly communication | 0.000 | 0.001 |
| Open science | 0.000 | 0.000 |
| Research integrity | 0.000 | 0.000 |
| Insufficient payload (model declined to judge) | 0.000 | 0.000 |
Machine scores (provisional)
The two teacher heads of the student model, read on this work. A score orders the frame for review; it never asserts a category, and the validation status ships verbatim with every row.
Baseline scores from an immature model (maturity gate not passed, 7 training rounds). Scores rank; they never assert a category.
score_only:v0-immature-baseline · verbatim from the scoring run: score_only means the number may rank works, and no category label ships from it