AIMS AND SCOPE
The purpose of this research project was to examine the interface of cybersecurity breaches and legal liability under private law, from two perspectives. The first perspective was to conduct a legal analysis on how current private law doctrines (both particular and general torts-based liability) respond to cybersecurity breaches. In addition to a critical-comparative examination of current law, the research aimed at examining whether there is a need for a legal reform, in private law, that will craft explicit norms for cybersecurity breaches. In addition to general torts liability aspects, particular legal branches examined include (as an inconclusive list): privacy law; consumer law; software and computer law; insurance law, trade secrets and intellectual property liability regimes. The second perspective was to attempt to examine and shape legal policy proposals based on field analysis of particular industries in areas that are either related to cybersecurity or that raise cybersecurity concerns: software companies; cybersecurity companies; “the internet of things” companies; autonomous cars and more.
The goal was consequently to obtain background knowledge about the conducts, incentive schemes, technological constraints (and virtues), of “real life players”, as parameters that are fundamental for the design of legal policy in this area. By studying the particulars of specific industries and areas of activities, the research aimed at reaching detailed operational recommendations as for the scope of legal liability under private law doctrines.
The project was carried out in two main phases: a first phase comprised of organizing two international conferences (in Jerusalem and Geneva), and a second of research in action.
Cybersecurity Breaches and Private Law – Taking Stock and Looking Ahead Conference in Jerusalem (17 January 2018)
The presentations covered aspects of cybersecurity breaches in data protection dimensions, the internet of things and autonomous cars. More information and the program, together with photos, are available here.Cybersecurity Breaches and Private Law, Jerusalem (17.01.2018)
Cybersecurity Law & Policy – What Civil Liability for Cyberattacks?
Conference in Geneva (21 June 2018)
This conference deepened and extended the analysis of the issues that were explored at the conference in Jerusalem and constituted a follow-up of the Jerusalem conference. The programme, presentations and the conference report are available here. The conference took place within the framework of the University of Geneva Digital Law Summer School. It brought together some 80 participants.Cybersecurity Law & Policy, Geneva (21.06.2018)
Both conferences included policy makers and industry people including from the following institutions: ITU, Israeli Privacy Protection Authority, Microsoft, Boston University School of Law and University of Lausanne. The discussions were in a round-table format and included presentations by the project holders.
During the second phase of the project, the research teams conducted research on 2 topics that gave way to publications and conference presentation, as well as organizing workshops.
Topic 1: Product Liability in the Age of Connected Devices and Artificial Intelligence
Research by Omri Rachum-Twaig, supervision: Prof. Guy Pessach (HUJI)
In the age of connected devices and robotics, the cyberspace is no longer limited to bits and bytes. Connected devices and personal-use robots allow activities in the cyberspace to directly affect the physical space in a more concrete way than ever, not only with respect to critical infrastructures, but also at our homes, workplaces and roads. Establishing a physical-digital dichotomy becomes even more challenging in face of developing artificial intelligence technologies that disrupt the idea of agency and the involvement of human beings in the provision of services and the manufacturing of consumer products.
This project seeks to explain why current law and doctrine cannot fit with these technological advancements. Product liability regimes are commonly restricted to physical damages and cannot account for other types of damages such as privacy violations, monetary damages, denial of critical services and the like. In addition, general forms of liability in torts are not adequate for several reasons. Tort law requires agency as a precondition. However, in the age of artificial intelligence and machine learning the question of agency becomes extremely challenging and in absence of legal accountability of robots and computers, tort law cannot necessarily respond to such challenges. In addition, strict liability regimes may impose excessive burden on manufacturers or distributors of connected devices and machine learning products, since the ultimate purpose of such products is to function in an unpredictable manner that the manufacturer cannot necessarily foresee. Negligence is also insufficient because the duty of care and the standards for reasonable precautions are dependent on a baseline which is constantly changing in these technological fields.
Rachum-Twaig, Omri, “Whose Robot Is It Anyway? Liability for Artificial-Intelligence-Based Robots”, University of Illinois Law Review, Vol. 2020, forthcoming
Blog post by Omri Rachum-Twaig: “Liability for Artificial-Intelligence-Based Robots”, The Federmann Cyber Security Research Center Blog, HUJI, 14.11.2019.
Topic 2: A Technology Oriented Approach to Regulating Self-Driving Vehicles
Research by Gad Perl, supervision: Prof. Guy Pessach (HUJI)
Extensive discourse exists regarding the difficulties of adapting laws and regulations to cope with the speed of changing technologies. Views range from those who think that trying to constantly adapt our laws is a lost-cause and an impossible mission, to those who believe that the effect of new technologies is not that different from the effect of the industrial revolution and that our traditional legal systems will prevail. Within this larger discourse, we have autonomous vehicles which are an interesting test case for the ability of existing legal regimes to adapt to a disruptive technologies. From a legal perspective, autonomous cars present a multi-faceted complex issue, requiring simultaneous solutions for issues such as privacy, autonomy, tort law, labor laws and many more legal fields.
This study offers a novel methodological approach aimed at creating a regulatory system which is simultaneously comprehensive and also flexible enough to quickly adapt to changing technology. Legal scholars first attempt to understand the underlying technology behind autonomous vehicles, and only then work towards finding legal and regulatory solutions. Specifically to autonomous vehicles – I suggest that instead of looking at autonomous vehicles as “black boxes” and only through the prism of what they can do, we categorize the autonomous technologies into 4 different categories – the mechanical vehicle, the sensor array, the self-driving algorithms and finally the connectivity technologies.
Completion by Gad Perl of a PhD chapter on this topic.
Blog posts by Gad Perl:
“Difficulties Regulating Self Driving Vehicles”, The Federmann Cyber Security Research Center Blog, HUJI, 7.10.2018.
“Several Thoughts Following the Fatal Uber Accident in Tempe”, The Federmann Cyber Security Research Center Blog, HUJI, 11.04.2018.
Other publications that resulted from the project
Ferland, Justine, “Cyber insurance – What coverage in case of an alleged act of War? Questions raised by the Mondelez v. Zurich case”, Computer Law & Security Review Volume 35, Issue 4, 2019, 369- 376.
Benhamou, Yaniv; Justine Ferland, “Artificial Intelligence & Damages: Assessing Liability and Calculating the Damages”, in D’Agostino, Pina; carole Poivesan; Aviv Gaon (éd), Leading Legal Disruption: Artificial Intelligence and a Toolkit for Lawyers and the Law, Thomson Reuters Canada, forthcoming (preprint).
Other events related to the project
“Cybersecurity and Artificial Intelligence: How to allocate liability between stakeholders?”, roundtable discussion at the International Telecommunication Union (ITU) during the WSIS Forum 2019 on 8 April 2019, moderated by project holder Dr Yaniv Benhamou.
The “Cybersecurity: how to allocate liability” conference took place in Geneva on 20 June 2019.
The workshop “Smart and Autonomous Cars” took place in Jerusalem on 10 November 2019.
The workshop “What Good is this Robot if We Cannot Control It? – Smart Machines Meet Human Law” in Tel Aviv on 25 November 2019.
Following the fruitful collaboration between HUJI and UNIGE, the teams are exploring possible opportunities for joint research projects on the relevance of cyber insurance coverage for helping companies (specifically small and medium-sized entreprises) to manage cyber-risks. The team at the University of Geneva has obtained a mandate from the State of Geneva to analyze this issue which might create new opportunities for scientific interactions with HUJI in the future.
Prof. Jacques de Werra, Faculty of Law, University of Geneva (coordinator)
Prof. Guy Pessach, Faculty of Law, Hebrew University Jerusalem (coordinator)
Dr. Tamar Berenblum, Faculty of Law and the Institute of Criminology, Hebrew University Jerusalem (coordinator)
Dr. Yaniv Benhamou, Faculty of Law, University of Geneva (coordinator)
Ana Andrijevic, doctoral student, Faculty of Law, University of Geneva
Justine Ferland, Faculty of Law, University of Geneva
Prof. Danny Dolev, Cyber Security Research Center at the School of Computer Science and Engineering, Hebrew University Jerusalem
Dr. Omri Racum-Twaig, Faculty of Law, Hebrew University Jerusalem
Gadi Perl, Faculty of Law, Hebrew University Jerusalem