From Corporate Law to Cybersecurity Scholar – Getting to Know Andrea Matwyshyn

By TAP Staff Blogger

Posted on April 15, 2013


University of Pennsylvania’s Andrea Matwyshyn is an assistant professor in the Legal Studies and Business Ethics Department in the Wharton School and an affiliate of the Center for Technology, Innovation and Competition at the UPENN Law School. Andrea’s research focuses on data privacy and information security law. She recently spoke with TAP on her recent work on children’s online privacy and cybersecurity.

TAP: What inspired you to work in academia?

ANDREA MATWYSHYN: I decided to become a lawyer at the ripe age of 8, but it wasn’t until my junior year in college that I recognized that my ideal career was in academia. I always knew that I enjoyed writing, but in college I noticed in myself a certain (perhaps overzealous) tenacity in researching topics that interested me, particularly legal topics. Legal academia seemed the perfect fit.

TAP: You are currently an assistant professor in the Legal Studies and Business Ethics Department in the Wharton School and an affiliate of the Center for Technology, Innovation and Competition at the University of Pennsylvania Law School. How did you end up here?

MATWYSHYN: My research on data privacy and information security law is interdisciplinary, and my career has always straddled law, technology, and business. After law school, I practiced corporate and securities law and worked with companies pushing forward the bleeding edge of technology—both entrepreneurs and publicly-traded multinationals. It was during this time that I realized the importance of privacy and information security to our economy, as well as the inadequacy of current legal approaches. I left law practice to teach at Northwestern University Law School and then, when I joined the University of Florida Law School faculty, I also became the executive director of an interdisciplinary center devoted to technology privacy research.

The information security industry has exploded while I have been at Wharton, and it is projected to exceed $125 billion by 2015 according to some estimates. Also, because interest in the areas I study crosses disciplinary boundaries, interacting with my colleagues in other departments at Wharton has exposed me to rich bodies of research in marketing, management and other disciplines that directly intersect with the legal literature on privacy and security.

TAP: In your paper, “Generation C: Childhood, Code, and Creativity,” you discuss how children today have a special relationship to technology. What is that relationship, and how is it different from previous generations?

MATWYSHYN: In Generation C, I explain how questions of children’s privacy and identity formation are impacted by children’s use of technology, something the press has also recently begun to explore. I argue that our current legal regimes are not prepared to address these technology-driven dynamics—dynamics which impact child development and children’s attempts at entrepreneurship. For example, although it is a core principle of contract law that minors lack capacity to enter into contracts and that courts can set these contracts aside at the minor’s request, this principle does not seem to have filtered into digital spaces. Children agree to contracts allowing their data to be collected and shared without scrutiny, and yet, in physical spaces, these children would be deemed to lack capacity to enter into agreements.

TAP: To address this, you proposed a legal paradigm of childhood that simultaneously focuses on childhood privacy and creating a space for creative tinkering leading to entrepreneurship in adulthood. Can you expand on this for us?

MATWYSHYN: I proposed expressly extending the minority doctrine in contract law into digital spaces in order to improve children’s privacy. This extension would offer a critical tool for helping children—particularly children not covered by the Children’s Online Privacy Protection Act—to maintain control over their digital identities. A digital extension of the minority doctrine acknowledges children’s online identity experimentation as a normal developmental stage, and it offers children a counterweight against progressively greater information collection by websites. It strikes me as problematic that a child’s Facebook posts at 15 will be used by prospective employers to determine that child’s job prospects at 22. Yet, the Federal Trade Commission appears to have allowed archiving of data for such purposes for at least seven years. Also, because children will increasingly experiment with code (while technology will simultaneously increasingly track this experimentation), children are more likely to run afoul of copyright law and anti-circumvention restrictions. However, childhood tinkering with code is a common experience many of the most successful technology entrepreneurs credit with preparing them for their later business success. Therefore, I advocated crafting a childhood defense in copyright law to limit damages arising from children’s tinkering to actual damages resulting from any infringement or circumvention. In this way, we put a thumb on the scale in favor of future technology entrepreneurship. I’m currently expanding this article into a book.

TAP: You’ve also spent time researching cybercrime. In a recent article in the Wharton Magazine, you said there is an overall “knowledge deficit” that exists among businesses and the government when it comes to cyberrisk. Can you explain this in more detail?

MATWYSHYN: Companies and agencies frequently choose not to invest in information security improvements because they mistakenly believe this choice to be costless: the benefits of better information security don’t immediately show up in the bottom line, and few legal consequences are currently associated with information loss. However, information compromises result in damage to goodwill and potentially breach promises of nondisclosure made to business partners and consumers. Exposure of sensitive research and development information in data breaches may also be indicative of a general failure to engage in the reasonable efforts of confidentiality required for trade secret protection. Similarly, companies and agencies frequently don’t recognize that more data collection equates to greater information risks. The more data aggregated in a single location, the more attractive that target becomes for malicious hackers.

TAP: What topics are you currently working on for upcoming papers?

MATWYSHYN: My article Hacking Speech, forthcoming in NORTHWESTERN LAW REVIEW examines the First Amendment status of informational or instructional speech, such as security vulnerability disclosures. It offers a “repurposed speech scale” to guide future First Amendment cases in this space. A second article, The Law of the Zebra, forthcoming in BERKELEY TECHNOLOGY LAW JOURNAL, examines the circuit split on the relationship of contract breach and the Computer Fraud and Abuse Act (CFAA). It argues that cases of “contract hackers”—defendants whose alleged breach of the CFAA arises from their losing authorization because of a breach of contract—are deeply problematic and disrupt the traditional contract remedy/criminal law distinction. A third piece forthcoming in SOUTHERN CALIFORNIA LAW REVIEW, Privacy, the Hacker Way, offers a contract-based approach to “reasonable data stewardship”—crafting an implied legal floor for contractual warranties of data privacy and information security. I’m also currently finishing an article on privacy of consumer databases in bankruptcy and secured transactions, and I’m starting to explore the intersection of health data privacy and the legal implications of the “quantified self” movement.

TAP: In your opinion, what tech issue is currently not visible enough in policy debate, but should be?

MATWYSHYN: The most troubling immediate issue in my mind is the (mis)crafting of policy issues around information security and national defense. The “cybersecurity” issues Congress is currently considering legislating are frequently wrongly divorced from the broader information security issues those of us in the private sector have grappled with for over a decade. The private and public/national defense regulatory aspects of information security must be carefully considered in tandem; any other approach will only make the situation worse.

I am deeply concerned that legislators view information security issues as a new Cold War and believe that the same types of approaches are appropriate. They are not. Issues around information security compromises sponsored by foreign governments reflect dramatically different issues than those of traditional warfare. During the last year, I have talked to DC policy makers who appear to lack rudimentary knowledge of information security history, terminology and principles, yet these individuals are nevertheless quick to voice strident opinions about how to regulate “cybersecurity.”

TAP: What are you passionate about outside of tech policy?

MATWYSHYN: I care very much about improving the success of girls and women in technology entrepreneurship. My dissertation research quantitatively explored the psychological and sociological drivers of teens’ interest in technology careers, and it normatively assessed the success of various educational intervention strategies. The key finding of my dissertation was the importance of informal technology mentorship for encouraging teens’ interest in technology careers. However, the challenges don’t end simply by encouraging more girls to opt-in to technology business; many structural barriers exist in later years.

In my free time, I am a film festival buff and try to see as many documentaries as possible. My favorite documentaries tend to be the ones about technology.