Human Rights and Cybersecurity Due Diligence: A Comparative Study
University of Michigan Journal of Law Reform
Volume 50
Issue 4
Article 1
2017
Scott J. Shackelford
Indiana University Kelley School of Business
Recommended Citation
Scott J. Shackelford, Human Rights and Cybersecurity Due Diligence: A Comparative Study, 50 U. MICH. J. L. REFORM 859 (2017).
Available at: https://repository.law.umich.edu/mjlr/vol50/iss4/1
HUMAN RIGHTS AND CYBERSECURITY DUE DILIGENCE: A COMPARATIVE STUDY
Scott J. Shackelford JD, PhD*
ABSTRACT
No company, just like no nation, is an island in cyberspace; the actions of actors from hacktivists to nation-states have the potential to impact the bottom line, along with the human rights of consumers and the public writ large. To help meet the multifaceted challenges replete in a rapidly globalizing world—and owing to the relative lack of binding international law to regulate both cybersecurity and the impact of business on human rights—companies are reconceptualizing what constitutes “due diligence.” This Article takes lessons from both the cybersecurity and human rights due diligence contexts to determine areas for cross-pollination in an effort to provide firms with a more comprehensive view of due diligence best practices divorced from a particular technological or cultural context. In so doing, this Article uses the Guiding Principles on Business and Human Rights as a starting point, marrying this framework with the relevant cybersecurity literature and the overarching analytical framework of polycentric governance. Ultimately, this Article argues that organizations should take a wider view of enterprise risk management that combines their cybersecurity and human rights aspirations given the growing extent to which these fields are becoming interlinked under the umbrella of sustainable development.
INTRODUCTION ........ 860
I. DEFINING KEY TERMS ........ 862
A. The Multifaceted Cyber Threat Facing the Private Sector and “Cyber Peace” ........ 862
B. Global Approaches to “Sustainable Development” ........ 865
C. Introducing Polycentrism ........ 867
II. HUMAN RIGHTS DUE DILIGENCE PRIMER ........ 868
III. UNPACKING CYBERSECURITY DUE DILIGENCE ........ 874
IV. LINKING HUMAN RIGHTS AND CYBERSECURITY UNDER SUSTAINABLE DEVELOPMENT ........ 879
CONCLUSION ........ 883
* Associate Professor of Business Law and Ethics, Indiana University Kelley School of Business; Senior Fellow, Center for Applied Cybersecurity Research; Research Fellow, Harvard Belfer Center on Science and International Affairs; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance.
860 University of Michigan Journal of Law Reform [VOL. 50:4
“Companies have a responsibility to respect human rights, which means to act with due diligence to avoid infringing on the rights of others.”1
INTRODUCTION
No company, just like no nation, is an island in cyberspace; the actions of actors from hacktivists to nation states have the potential to impact the bottom line, along with the human rights of consumers and the public writ large. A case in point is the alleged Russian penetration of the Democratic National Committee’s servers during the 2016 campaign, raising the specter of cyber insecurity, civil rights violations, and rising geopolitical tensions in a single episode.2 To help meet the multifaceted challenges replete in a rapidly globalizing world—and owing to the relative lack of binding international law regulating both cybersecurity and the intersection of business on human rights—companies and countries are reconceptualizing what constitutes “due diligence.”3 This Article takes lessons from both the cybersecurity and human rights due diligence contexts to determine areas for cross-pollination in an effort to provide firms with a more comprehensive view of due diligence best practices divorced from a particular technological or cultural context.4 In so doing, this Article uses the Guiding Principles on Business and Human Rights5 as a starting point, marrying this
1. INST. FOR HUMAN RIGHTS & BUS., THE “STATE OF PLAY” OF HUMAN RIGHTS DUE DILIGENCE: ANTICIPATING THE NEXT FIVE YEARS, 1 (2011), http://www.ihrb.org/pdf/The_State_of_Play_of_Human_Rights_Due_Diligence.pdf.
2. See Ellen Nakashima, Russian Government Hackers Penetrated DNC, Stole Opposition Research on Trump, WASH. POST (June 14, 2016), https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html.
3. See Jamie D. Prenkert & Scott J. Shackelford, Business, Human Rights, and the Promise of Polycentricity, 47 VAND. J. TRANSNAT’L L. 451, 452 (2014).
4. See, e.g., Human Rights Due Diligence, BUS. & HUMAN RTS. RES. CTR., http://business-humanrights.org/en/un-guiding-principles/implementation-tools-examples/implementation-by-companies/type-of-step-taken/human-rights-due-diligence (last visited Apr. 16, 2017) (“According to the UN Guiding Principles Reporting Framework, human rights due diligence is: ‘An ongoing risk management process . . . in order to identify, prevent, mitigate and account for how [a company] addresses its adverse human rights impacts. It includes four key steps: assessing actual and potential human rights impacts; integrating and acting on the findings; tracking responses; and communicating about how impacts are addressed.’ ”). This approach was chosen given the tendency of organizations to consider due diligence from an, at times, myopic lens that can be far too narrow given the multifaceted risks facing firms. See, e.g., Peter Howson, Identifying and Minimizing the Strategic Risks from M&A, in APPROACHES TO ENTERPRISE RISK MANAGEMENT 153, 154 (2010).
5. See, e.g., JOHN G. RUGGIE, JUST BUSINESS: MULTINATIONAL CORPORATIONS AND HUMAN RIGHTS 78 (2013) (“The overriding lesson I drew . . . was that a new regulatory dynamic was
framework with the relevan (...truncated)