Cyber Law
Students will gain a broad knowledge of constitutional, civil, criminal, and related legal considerations that arise in the context of work or citizenship in an increasingly cyber/digital world. Whether the student seeks a career in the public or private sector, the student will gain insight into both the limits and authorities on government or private sector activities, from the creation and protection of intellectual property, to the investigation of unlawful cyber activities, to the considerations of cyber operations in an increasingly dangerous world. This broadened awareness will help students successfully navigate and strengthen personal and professional choices as they move ahead.
Course Material
Assignment 1
Privacy and Personal Data Protection in New Virginia
Memorandum
To: The Honorable Governor of New Virginia
From: Stevie Johnson, Intern, Office of the Governor
Date: November 6, 2025
Subject: Privacy and Personal Data Protection in New Virginia
I. Overview
Privacy is the right of individuals to control the collection, use, and disclosure of their personal information. In the digital age, personal data is collected and processed by governments, businesses, and online platforms at unprecedented levels. According to Kesan and Hayes, the widespread use of networked technologies and data analytics has increased the risk of unauthorized access, misuse, and exploitation of personal data. Inadequate privacy protections can result in identity theft, financial fraud, discrimination, and loss of trust in both public and private institutions (Kesan and Hayes 2022).
Protecting privacy requires more than securing data; it also involves ensuring fairness, transparency, and accountability in how personal information is gathered and shared. As Kesan and Hayes explained, without strong legal safeguards, individuals lose control over their digital identities and sensitive personal information.
Recent incidents in New Virginia, where citizens' financial and medical data have been exposed through data breaches, have heightened public concern. As more daily activities, from banking to healthcare, move online, personal data has become a valuable asset for both legitimate and malicious actors. Citizens now expect their state government to safeguard this information as part of its responsibility to ensure public security in the digital age.
II. Biometric Data and Personally Identifiable Information (PII)
Biometric data refers to unique physical or behavioral traits such as fingerprints, facial recognition data, iris scans, or voice patterns used to identify individuals. Because these characteristics are permanent and unique, the misuse or theft of biometric data poses severe and lasting risks; once exposed, biometric identifiers cannot be changed like passwords (Kesan and Hayes 2022).
Personally identifiable information (PII) includes any data that can identify or locate an individual, such as names, addresses, Social Security numbers, driver’s license information, and financial account details. According to Kesan and Hayes, personally identifiable information is routinely gathered and examined on various platforms, which increases its worth but also exposes it to potential security breaches and improper use. Strong privacy safeguards such as clear consent, limited data collection, and robust cybersecurity standards are essential to prevent harm to individuals and maintain public confidence.
Biometric technologies are increasingly used in workplaces, airports, schools, and smartphones, making them part of daily life. However, when databases storing biometric data are compromised, as seen in several high-profile corporate breaches, affected individuals face long-term risks since their physical identifiers cannot be replaced.
III. The General Data Protection Regulation (GDPR)
The European Union’s General Data Protection Regulation (GDPR), enacted in 2018, is one of the most comprehensive and influential data privacy laws worldwide. The European Commission stated that the GDPR is based on important principles like lawfulness, fairness, transparency, limited purpose, minimizing data collection, accuracy, restricted storage, integrity, and accountability. It also gives people essential rights, like accessing their personal information, correcting mistakes, asking for deletion (“the right to be forgotten”) and objecting to certain ways their data is used (European Commission 2025).
The GDPR applies to all organizations processing the personal data of EU residents, regardless of where the organization is based. Its enforcement mechanism includes substantial fines for violations, which encourage compliance and strengthen data protection culture. The GDPR demonstrates how privacy can be treated as a fundamental right and serves as a valuable model for jurisdictions, such as New Virginia, seeking to modernize their data protection frameworks.
IV. What Other States Are Doing
Several U.S. states have enacted privacy and data-protection laws to fill gaps in federal regulation. For instance, North Carolina’s Identity Theft Protection Act mandates responsible data security measures, breach notifications, and restrictions on the use of personal information (Ferguson III 191). Other states such as California, Colorado, and Virginia have established laws granting consumer rights to access, delete, and limit the sharing of personal data (NCSL 2022). The California Consumer Privacy Act (CCPA) allows residents to opt out of the sale of their data, while the Colorado Privacy Act requires companies to conduct data protection assessments for high-risk processing. These state laws also impose penalties for noncompliance, signaling a nationwide trend towards empowering consumers and holding businesses accountable for digital misconduct. These initiatives demonstrate growing recognition that privacy protections are essential to safeguard citizens in a data-driven economy.
V. Recommendation
New Virginia should enact a comprehensive personal-data protection law modeled after effective frameworks such as the GDPR and state-level statutes. A state privacy law would ensure transparency in data practices, require informed consent, and hold organizations accountable for misuse or neglect. On the other hand, a state-by-state approach can create inconsistencies that complicate business operations and compliance. However, this decentralized approach also allows states to innovate and tailor protections to their citizens' specific needs, potentially influencing future federal legislation.
Acting now would position New Virginia as a leader in privacy and cybersecurity policy, strengthen residents’ trust in government and business, and offer immediate protection while federal legislation remains uncertain. Though compliance may impose short-term costs on businesses, the long-term benefits of stronger consumer protection, legal clarity, and enhanced public confidence outweigh the challenges (Ogletree Deakins).
Works Cited
- European Commission. “GDPR – The Fabric of a Success Story.” European Commission, 2025, https://commission.europa.eu/law/law-topic/data-protection/gdpr-fabric-success-story_en.
- Ferguson III, James H. “Protecting Personal Data: A Survey of Consumer Protections Throughout North Carolina’s Identity Theft Protection Act.” Campbell L. Rev., vol. 42, 2020, pp. 191–.
- Kesan, Jay P., and Carol M. Hayes. Cybersecurity and Privacy Law in a Nutshell. 2nd ed., West Academic Publishing, 2022.
- National Conference of State Legislatures (NCSL). “2022 Consumer Privacy Legislation.” NCSL, 2022, https://www.ncsl.org/about-state-legislatures/2022-consumer-privacy-legislation.
- Ogletree Deakins. “U.S. Continues Patchwork of Comprehensive Data Privacy Requirements: New Laws Set to Take Effect Over Next 2 Years.” Ogletree Deakins Insights, 2025, https://ogletree.com/insights-resources/blog-posts/u-s-continues-patchwork-of-comprehensive-data-privacy-requirements-new-laws-set-to-take-effect-over-next-2-years
Tasks with Directions:
In Module Five we looked at instances of persons who disseminated/leaked/published classified information for what they considered to be righteous reasons. A recent Washington Post article that we read discussed how Daniel Hale was sentenced to 45 months in prison for releasing secret information about drone warfare, and how the judge in his case stated the “disclosure of documents went beyond his ‘courageous and principled’ stance on drones.” The article goes on to address arguments from both sides of Hale’s prosecution/defense – some advocating why what he did was wrong and dangerous, and others suggesting it was justified and good.
In your first post, draft a well-written, persuasive post that argues either in favor of or against the propriety of what Hale did as it relates to the release of the drone documents. Support your position from information in the article, the module, and perhaps elsewhere in the course and outside the course (being sure to cite properly). Feel free to suggest what the rules should be when someone violates the law but does so because he/she believes it is necessary to bring about positive change.
While Daniel Hale may have acted from a place of personal conviction, his decision to leak classified drone warfare documents was improper and dangerous. National security cannot function on individual discretion; it relies on adherence to protocols that protect sensitive information. As the judge in Hale’s case noted, his disclosure “went well beyond” a principled objection; he revealed highly classified documents that risked exposing intelligence methods and operations (Washington Post, 2021).
There are legal and ethical channels available for whistleblowers, such as reporting concerns through inspectors general or congressional oversight committees. Hale ignored those avenues, instead choosing to unilaterally release materials to the press. While public debate on drone warfare is necessary, that debate must not be initiated by compromising national defense.
Allowing individuals to break the law simply because they believe they are serving a greater good sets a dangerous precedent. If personal conscience becomes the standard, the rule of law collapses into subjective morality. That doesn’t mean we ignore context; sentencing should weigh intent and public interest. However, consequences must remain real and serious to deter future breaches.
In a democratic society, change must come through lawful means, not by endangering lives or intelligence capabilities. Hale’s motives may have been sincere, but his actions undermined the very system he hoped to reform.