James X. Dempsey

Jim Dempsey is senior policy advisor to the Stanford Program on Geopolitics, Technology and Governance and a lecturer at the UC Berkeley School of Law, where he teaches a course on cybersecurity law in the LLM program. Until May 2021, Jim was Executive Director of the Berkeley Center for Law & Technology. In 2012, after Senate confirmation, he was appointed by President Barack Obama as a part-time member of the U.S. Privacy and Civil Liberties Oversight Board, an independent agency within the federal government charged with advising senior policymakers and overseeing the nation’s counterterrorism programs. He served in that position until January 2017, while also running BCLT.

From 1997 to 2014, Dempsey was at the Center for Democracy & Technology (CDT), a non-profit public policy organization focused on privacy and other issues affecting the internet, where he held a number of leadership positions. Prior to that he was deputy director of the Center for National Security Studies (1995-1997) and assistant counsel to the House Judiciary Committee (1985-1995), focusing on privacy, FBI oversight, and surveillance issues. 

Jim graduated from Yale College and Harvard Law School.

BOOKS:

• Cybersecurity Law Fundamentals, with John P. Carlin (2d ed. IAPP, 2024) 
• Bulk Collection: Systematic Government Access to Private-Sector Data (ed., with Fred H. Cate) (Oxford, 2017) 
• Terrorism and the Constitution (with David Cole) (New Press, 2006)

ARTICLES AND PAPERS

• Challenging the Machine: Contestability in Government AI Systems - Recommendations and Summary of Workshop on Advanced Automated Systems, Contestability, and the Law (with Susan Landau, Ece Kamar and Steven M. Bellovin (June 2024)
• Recommendations for Government Development and Use of Advanced Automated Systems to Make Decisions about Individuals (with Susan Landau, Ece Kamar and Steven M. Bellovin) (March 2024)
• Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor (Jan. 2024)
• Generative AI: The Security and Privacy Risks of Large Language Models (Apr. 2023)
• Adversarial Machine Learning and Cybersecurity: Risks, Challenges, and Legal Implications (April 2023) (with Micah Musser et al.)
• Vulnerability Disclosure and Management for AI/ML Systems: A Working Paper with Policy Recommendations (Nov. 10, 2021) (with Andrew J. Grotto)
• Data Collection: Lessons of Cost-Benefit Analysis, Skepticism, and Legal Transparency, 12 Georgetown Journal of National Security Law & Policy 127 (2021)
• Breaking the Privacy Gridlock: A Broader Look at Remedies (April, 2021) (with Chris Jay Hoofnagle, Ira S. Rubinstein, and Katherine J. Strandburg)
• Cybersecurity Information Sharing Governance Structures: An Ecosystem of Diversity, Trust, and Tradeoffs (with Elaine M. Sedenberg), in Rewired: Cybersecurity Governance (2018) 
• The Path to ECPA Reform and the Implications of United States v. Jones, Univ. of San Francisco L. Rev. (2012) 
• Privacy as an Enabler, Not an Impediment: Building Trust into Health Information Exchange, Vol, 28, no. 2, Health Affairs (2009) (with Deven McGraw, Leslie Harris and Janlori Goldman) 

COMMENTARY

• The FCC issues cybersecurity model for the mobile telecommunications industry, IAPP (Oct. 2, 2024)
• Cybersecurity and the cloud: Lessons from FCC cloud breach enforcement, IAPP (Sept. 19, 2024)
• Stitching Together the Cybersecurity Patchwork Quilt: Infrastructure, Lawfare (Sept. 18, 2024)
• Stitching Together the Cybersecurity Patchwork Quilt: Data, Lawfare (Aug. 30, 2024)
• Making Attestation Work for Software Security, Lawfare (July 18, 2024)
• Challenging the Machine: Insights from a Workshop on Contestability of Advanced Automated Systems (with Susan Landau), Lawfare (June 21, 2024)
• Major trends in U.S. cybersecurity law and policy (with John P. Carlin), IAPP (April 24, 2024)
• Challenging the Machine: Contestability in Government AI Systems (with Susan Landau), Lawfare (March 11, 2024)
• A Cyber Threat to U.S. Drinking Water, Lawfare (Dec. 21, 2023)
• Enforcement of Cybersecurity Regulations: Part 3, Lawfare (Apr. 14, 2023)
• Addressing the Security Risks of AI, Lawfare (Apr. 11, 2023)
• Enforcement of Cybersecurity Regulations: Part 2, Lawfare (Mar. 21, 2023)
• Enforcement of Cybersecurity Regulations: Part 1, Lawfare (Mar. 21, 2023)
• Cybersecurity’s Third Rail: Software Liability, Lawfare (Mar. 2, 2023)
• One Small Legislative Step for Cybersecurity, Lawfare (Jan. 9, 2023)
• The FTC’s rapidly evolving standards for MFA, IAPP Privacy Perspectives (Nov. 8, 2022)
• Cybersecurity Regulation: It’s Not ‘Performance-Based’ If Outcomes Can’t Be Measured, Lawfare (Oct. 6, 2022)
• Third circuit shows how to establish standing in data breach cases, IAPP Privacy Perspectives (Sept. 9, 2022)
• Preemption of State Cybersecurity Laws: It’s Complicated, Lawfare (Aug. 24, 2022)
• A Quick Take on the FTC’s Privacy and Security Rulemaking, (Aug. 12, 2022)
• FTC signals expanded breach notice obligations, IAPP Privacy Perspectives (June 10,2022) 
• Medical Device Security Offers Proving Ground for Cybersecurity Action, Lawfare (June 9, 2022)
• Exceptions in new US state privacy laws leave data without security coverage, IAPP Privacy Perspectives (May 17, 2022)
• Cybersecurity and the ‘Good Cause’ Exception to the APA, Lawfare  (April 29, 2022)
• Key data security insights from FTC CafePress settlement, IAPP Privacy Advisor (March 22, 2022)
• Cybersecurity Tools Lie Unused in Federal Agencies’ Toolboxes, Lawfare (Feb. 22, 2022)
• Managing the Cybersecurity Vulnerabilities of Artificial Intelligence, Lawfare (Nov. 17,2021)
• Mitigating Big Data’s Unintended Consequences, Luohan on Air Podcast (September 4, 2021) 
• Regulatory Alchemy: Turning Cybersecurity Guidelines Into Rules, Lawfare Blog (June 1, 2021)
• A Broader Look at Privacy Remedies, Lawfare Blog (April 7, 2021)
• The New IOT Security Act Shows the Limits of Congressional Policymaking for Cybersecurity, Lawfare Blog (December 22, 2020)
• The Strategic Vision Behind the TikTok, WeChat Bans, Lawfare Blog (August 11, 2020)
• Bans on Foreign Equipment in U.S. Critical Infrastructure, Lawfare Blog (May 19, 2020)
• Why the Fifth Circuit HIPAA case doesn’t mean ‘game over’ for HHS data security enforcement, IAPP blog (Mar. 31, 2021) 
• Section 702 Renewal: Opportunities Lost and Gained, American Constitution Society blog (Jan. 28, 2018)