Derek E. Bambauer (University of Arizona – James E. Rogers College of Law) has posted “Cybersecurity for Idiots” (106 Minnesota Law Review Headnotes __ (2021 Forthcoming)) on SSRN. Here is the abstract:
Cybersecurity remains a critical issue facing regulators, particularly with the advent of the Internet of Things. General-purpose security regulators such as the Federal Trade Commission continually struggle with limited resources and information in their oversight. This Essay contends that a new approach to cybersecurity modeled on the negligence per se doctrine in tort law will significantly improve cybersecurity and reduce regulatory burdens. It introduces a taxonomy of regulators based upon the scope of their oversight and the pace of technological change in industries within their purview. Then, the Essay describes negligence per se for cybersecurity, which establishes a floor for security precautions that draws upon extant security standards. By focusing on the worst offenders, this framework improves notice to regulated entities, reduces information asymmetries, and traverses objections from legal scholars about the cost and efficacy of cybersecurity mandates. The Essay concludes by offering an emerging case study for its approach: regulation of quasi-medical devices by the Food and Drug Administration. As consumer devices increasingly offer functionality for both medical and non-medical purposes, the FDA will partly transition to a general-purpose regulator of information technology, and the negligence per se model can help the agency balance security precautions with promoting innovation.