by Don Blumenthal ¹

• ¹ University of Michigan

This course examines security issues related to the safeguarding of sensitive personal and corporate information against inadvertent disclosure; policy and societal questions concerning the value of security and privacy regulations, the real-world effects of data breaches on individuals and businesses, and the balancing of interests among individuals, government, and enterprises; current and proposed laws and regulations that govern data security and privacy; private-sector regulatory efforts and self-help measures; emerging technologies that may affect security and privacy concerns; and issues related to the development of enterprise data security programs, policies, and procedures that take into account the requirements of all relevant constituencies, e.g., technical, business, and legal.

Course Description

As data collection and information networks expand (and stories of security breaches and the misuse of personal information abound), data security and privacy issues are increasingly central parts of the information policy landscape. Legislators, regulators, businesses, and other institutions of all kinds are under increasing pressure to draft and implement effective laws, regulations, and security and privacy programs under rapidly changing technological, business, and legal conditions. A strong need is arising for individuals with the training and skills to work in this unsettled and evolving environment.

This course will examine: 1) security issues related to the safeguarding of sensitive personal and corporate information against inadvertent disclosure; 2) policy and societal questions concerning the value of security and privacy regulations, the real world effects of data breaches on individuals and businesses, and the balancing of interests among individuals, government, and enterprises; 3) current and proposed laws and regulations that govern information security and privacy; 4) private sector regulatory efforts and self-help measures; 5) emerging technologies that may affect security and privacy concerns; and 6) issues related to the development of enterprise data security programs, policies, and procedures that take into account the requirements of all relevant constituencies; e.g., technical, business, and legal.

This course is intended for students and professionals in information policy, public policy, law, business, computer science, and information science who have an interest in work or research in security and privacy fields, or in support of those fields. It also will be relevant to individuals with interests in other fields in which traditional responsibilities may have new security considerations; e.g., programming.

The course will include individual reading and writing assignments, class discussion, case studies, and a group assignment. Students will have some latitude to tailor the assignments to their skills and interests.

Course Objectives

The growth of importance of information security and privacy matters in the government and enterprise arenas has significantly broadened the scope of individuals who must be aware of relevant issues as part of their work. Security is becoming more of an element of existing roles such as records management, and new security roles such as Chief Information Security Officer are appearing in the enterprise. Finally, security considerations may become new elements of traditional responsibilities (e.g., programmers historically have been expected to document code, but now should be aware that failure to document may be a factor in a law enforcement investigation of whether a data breach was foreseeable).

This course will examine legal, policy, and enterprise issues and problems related to security and privacy. Electronic data will be the focus but other forms of information also will be considered. Discussions will take general approaches and also focus on specific technologies.