While questions related to UAS operations and use in government surveillance have been discussed at length, the legal ramifications of cybersecurity negligence and data breaches for UAS operators have yet to be addressed. In Part I, this article seeks to explore those areas by discussing the UAS data chain. Vulnerabilities in this data chain specific to UAS and in general are explored, followed by an examination of the state of the law related to the collection, use, retention, and dissemination of data. Part I concludes with an overview of current voluntary “Best Practice” documents offering guidance for collecting and managing data. Part II of this article applies Article III standing requirements and third-party liability limitations to the cybersecurity negligence and data breach issues. Existing federal law does not address liability for cybersecurity negligence or data breaches in UAS operations. This, combined with current interpretations of Article III standing requirements and a lack of a required standard of care for UAS operators to protect against cyber attack by third parties, results in the lack of a legal remedy for people whose private data is captured by drone and later compromised in a cybersecurity breach. Thus, it appears UAS operators are effectively shielded from liability for data breaches beyond the UAS operation and in flight data collection.
Joseph J. Vacek, The Next Frontier in Drone Law: Liability for Cybersecurity Negligence and Data Breaches for UAS Operators, 39 Campbell L. Rev. 135 (2017).