All posts in Cybersecurity

Law Firm Cybersecurity: An Industry at Serious Risk

Daniel Solove
Founder of TeachPrivacy

Last year, major incidents involving law firm data breaches brought attention to the weaknesses within law firm data security and the need for more effective plans and preparation. An American Bar Association (ABA) survey reveals that 26% of firms (with more than 500 attorneys) experienced some sort of data breach in 2016, up from 23% in 2015.

Continue Reading

Epilogue to the St. Louis Cardinals Baseball Hacking Case

Daniel Solove
Founder of TeachPrivacy

St Louis Cardinals Hacking Baseball

A while ago, I wrote about a case involving a member of the St. Louis Cardinals baseball team staff who improperly accessed a database of the Houston Astros.   There is now an epilogue to report in the case.  The individual who engaged in the illegal access — a scouting director named Chris Correa — was fired by the Cardinals, imprisoned for 46 months, and banned permanently from baseball.  The Cardinals were fined $2 million by Major League Baseball Commissioner Rob Manfred, and they must forfeit their first two picks in the draft to the Houston Astros.

According to an article about the incident in the St. Louis Post-Dispatch: “As outlined in court documents, the U.S. attorney illustrated how Correa hacked Houston’s internal database, ‘Ground Control,’ 48 times during a 2½-year period. He viewed scouting reports, private medical reviews and other proprietary information. The government argued that Correa may have sought to determine if Houston borrowed the Cardinals’ data or approach, but the information he accessed was ‘keenly focused on information that coincided with the work he was doing for the Cardinals.'”

As I wrote in my piece about the case, there are several lessons to be learned.  One lesson is that it is a myth that hacking and computer crime must be hi-tech.  Here, Correa’s hacking was nothing sophisticated — he just used another person’s password.  The person had previously worked for the Cardinals, and when he went to the Astros, he kept using the same password.  In my piece, I discussed other lessons from this incident, such as the importance of teaching people good password practices as well as teaching people that just because they have access to information doesn’t make it legal to view the information.  The Cardinals organization appears to have learned from the incident, as the “employee manual has been updated to illustrate what is illegal activity online,” and the organization is using two-factor authentication to protect its own sensitive data.  The article doesn’t say whether the Astros also stepped up their security awareness training by teaching employees not to reuse their old passwords from another team.

Continue Reading

The Funniest Hacker Stock Photos 3.0

Daniel Solove
Founder of TeachPrivacy

Hacker Santa

It’s time for a third installment of the funniest hacker stock photos.  Because I create information security awareness training (and HIPAA security training too), I’m always in the hunt for hacker photos.   There are so many absurd ones that I can make enough Funniest Hacker Stock Photo posts to keep pace with Disney in making new Star Wars movies!

If you’re interested in the previous posts in this series see:
The Funniest Hacker Stock Photos 2.0
The Funniest Hacker Stock Photos 1.0

So without further ado, here are this year’s pictures:

Hacker Stock Photo #1

Funniest Hacker Stock Photo - TeachPrivacy Security Awareness Training

This hacker hacks the Amish way — without the use of technology or electricity.   Who needs a computer when a good old magnifying glass will suffice?  The key to this technique is to be very sneaky.  For seasoned hackers who steadfastly believe in doing things the old-fashioned way, this is how it is done!   As this hacker says: “Yes, grandson, we had to walk six miles in the snow and hack with magnifying glasses . . . you young folks have it so easy these days!”

Hacker Stock Photo #2

Funniest Hacker Stock Photo - TeachPrivacy Security Awareness Training

Why use just one magnifying glass when you can use two?  Magnifying glasses are really important to read tiny text on computer screens.  Figuring out how to enlarge the font in Windows can be tricky, and good hackers figure out “hacks” to make things faster and easier.

Hacker Stock Photo #3

Funniest Hacker Stock Photos -- TeachPrivacy Information Security Awareness Training

I’m not entirely sure what this guy is doing, but I presume that he’s so good of a hacker than he can hack with the screen facing in the wrong direction.  The only problem is that there’s nothing on his computer screen — I think he needs to stop smiling and start working a bit harder.

Hacker Stock Photo #4

Funniest Hacker Stock Photos

In an earlier edition of this series, I commented extensively on hacker gloves.  In this edition, it’s time to turn to the masks hackers wear.  I’ve always wondered why so many hackers wear masks.  Isn’t a good hacker supposed to be hard to trace?  After extensive research, I have learned that hackers wear masks because when they hack from halfway across the world and try to conceal their tracks, they might somehow mess up and accidentally expose their faces from their webcams.   Or, maybe it’s just a fashion statement.  I still have more research to do about this very important question — I’m just waiting for some funding to support this important research.

Regarding the mask above, it’s part of a new trend.  Ordinary hackers wear ninja masks, but that’s starting to become a bit passe among hacker fashion experts.  Trend leaders are wearing much more elaborate masks these days.

Continue Reading

When Do Data Breaches Cause Harm?

Daniel Solove
Founder of TeachPrivacy

 

Harm has become the key issue in data breach cases. During the past 20 years, there have been hundreds of lawsuits over data breaches. In many cases, the plaintiffs have evidence to establish that reasonable care wasn’t used to protect their data. But the cases have often been dismissed because courts conclude that the plaintiffs have not suffered harm as a result of the breach. Some courts are beginning to recognize harm, leading to significant inconsistency and uncertainty in this body of law.

Continue Reading

Hacking Cartoon: All Too Easy

Daniel Solove
Founder of TeachPrivacy

Cartoon Hacker Quits - TeachPrivacy Security Awareness Training

Hacking is easy.  My latest cartoon is based on the fact that many hacking attacks involve rather simple and common tactics.  Why try the hard stuff when the easy stuff works so well?  All it takes is for one person to fall for a social engineering trick, and the hackers can break in.

Continue Reading

Black Mirror: A Powerful Look at the Dark Side of Privacy, Security, and Technology

Daniel Solove
Founder of TeachPrivacy

Black Mirror Review

In a series of posts, I have written about some of my favorite media regarding privacy and security: TV shows, movies, and novels. When I wrote about TV shows, a number of people recommended the show Black Mirror. I have now seen all the episodes thus far, and I am happily adding it to the list. Black Mirror is essential watching in the canon for anyone interested in privacy, security, technology, and the future.

Continue Reading

Phishing Cartoon: Why Do Phishers Keep Sending Obvious Scam Emails?

Daniel Solove
Founder of TeachPrivacy

Phishing Cartoon

Why do phishers waste their time with such obvious phishing scams when they can do so much better?

One possible answer: They don’t have to do better.  They send out so many emails that they only need a very low percentage of people to click.  And people always do.  In fact, if phishing emails became more effective, phishers might get too many clicks and might not be able to process it all!

To break into an organization, all the phishers need to do is to catch just one person. They don’t need to overphish the seas.  Victims are plentiful enough!

Don’t assume that people won’t fall for obvious phishing scams — they do.  That’s why it is essential to train people.  I am pleased to announce that TeachPrivacy now is offering a phishing simulator service.  We’ve teamed up with QuickPhish to provide a platform where organizations can conduct simulated phishing exercises for their workforce.  A great way to teach people not to fall for phishing emails is through direct experience.  When people wrongly click, our training can follow to teach them how to improve.

Phishing Simulator

Continue Reading

Clearing Up the Fog of Cloud Service Agreements

Daniel Solove
Founder of TeachPrivacy

cloud

Contracting with cloud service providers has long been a world shrouded in fog. Across various organizations, cloud service agreements (CSAs) are all over the place, and often many people entering into these contracts have no idea what provisions they should have to protect their data.

Continue Reading

The Funniest Password Recovery Questions and Why Even These Don’t Work

Daniel Solove
Founder of TeachPrivacy

Passwords

 

A recent article in Wired argues that it is time to kill password recovery questions. Password recovery questions are those questions that you set up in case you forget your password. Common questions are:

In what city were you born?

What is your mother’s maiden name?

Where did you go to high school?

Continue Reading

Ransomware: A Cartoon to Brighten More Bad News

Daniel Solove
Founder of TeachPrivacy

Ransomware cartoon

I have good news and bad news about ransomware.  First, the good news — here’s a cartoon I created.  I hope you enjoy it, because that’s the only good news i have.  Now, for the bad news . . .

The Bad News: Be Afraid, Very Afraid

Everyone seems to be afraid of ransomware these days, but is the fear justified?  Is ransomware more about hype than harm?   Unfortunately, a recent study of international companies conducted by Malwarebytes provides some startling statistics to back up the fears.  According to the study, 40% of companies worldwide and more than 50% of the US companies surveyed experienced a ransomware incident in the last year.

The stakes are very high — 3.5% of companies surveyed even indicated that lives were also at stake which was exemplified by a recent attack in Marin, California where doctors lost access to patient records for over 10 days.

Continue Reading

Passwords Cartoon – Security Awareness Training

Daniel Solove
Founder of TeachPrivacy

Cartoon Passwords - TeachPrivacy Security Awareness Training 01

Here’s a cartoon I created to illustrate the importance of security awareness training.  I hope you find it amusing.

Continue Reading

Attorney Confidentiality, Cybersecurity, and the Cloud

Daniel Solove
Founder of TeachPrivacy

Law firm data security

There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Continue Reading

5 Great TV Series About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

TVIn previous posts, I have listed some of my favorite novels and movies about privacy and security issues.  I don’t want to leave out TV, as there are some great TV series too.

 

Continue Reading

New Resource Page: How to Make Security Training Effective

Daniel Solove
Founder of TeachPrivacy

Effective Security Training

I recently created a new resource page —  How to Make Security Training Effective.  The page contains my advice for how  to make security training memorable and effective in changing behavior.

Training the workforce is an essential way to protect data security, but not all training endeavors are successful.  Poor training is akin to shouting into the void.  This resource page is designed to provide some tips and advice about training that I’ve learned from being an educator for more than 15 years.  Continue Reading

New Resource Page: Security Awareness Training FAQ

Daniel Solove
Founder of TeachPrivacy

Security Awareness Training FAQ 01

What laws require security awareness training?  What topics do the laws require to be covered?  What should be covered?  How frequently should training be given?

I recently created a new resource page — Security Awareness Training FAQ — to answer the above questions and more.  I discuss various legal and industry requirements for security awareness training.  I also discuss best practices.  I hope that you find this resource to be useful.

Continue Reading

Ransomware on a Rampage

Daniel Solove
Founder of TeachPrivacy

Ransomware Training 01

Ransomware is on a rampage!  Attacks are happening with ever-increasing frequency, and ransomware is evolving and becoming more powerful.

Several major media sites, such as the New York Times, BBC, AOL, and the NFL, were recently infected with malware that directed visitors to sites attempting to install ransomware on their computers.

Ransomware Malware Training

Ransomware has the potential to attack the Internet of Things.  In one instance, a researcher was able to infect a TV with ransomware.

Ransomware is now attacking smart phones.

Last month, one hospital paid $17,000 in ransom when ransomware attacked its computer system.  The computer network was down for more than a week, and patients had to be transferred to other hospitals.

Continue Reading

The Funniest Hacker Stock Photos 2.0

Daniel Solove
Founder of TeachPrivacy

Security Training

Back by popular demand, it’s time for another round of the funniest hacker stock photos.  Because I create information security awareness training (and HIPAA security training too), I  frequently find myself in need of a good hacker photo.

But good hacker photos are hard to find.  I often browse through countless images, each one more ridiculous than the next.

Last year, I brought you some of the funniest hacker stock photos I found. There are more . . . oh so many more!  Here are the lucky “winners” this year. Continue Reading

Can the FBI Force Apple to Write Software to Weaken Its Software?

Daniel Solove
Founder of TeachPrivacy

Privacy Awareness TrainingA dramatic legal battle is taking place that will have dramatic implications for the future of technology, privacy, security, and the extent of government power.  The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.

Continue Reading

Information Security Training: Focus on the Human Problem

Daniel Solove
Founder of TeachPrivacy

Information Security Awareness Training Plan B

I created a new poster about information security training, which is debuting at the RSA conference.  This poster is based on the fact that the vast majority of information security incidents and data breaches occur because of human mistakes.   Information security is only in small part a technology problem; it is largely a human problem.

If you’re at RSA and are interested in information security awareness training, please drop by the TeachPrivacy booth at Moscone North 4802.

RSA Conference 2016

You can pick up a copy of this poster.  And you can also learn about our newest training, which includes a really neat Where’s Waldo style game where users spot privacy and security risks.

Continue Reading

Spot the Privacy and Security Risks Training Game

Daniel Solove
Founder of TeachPrivacy

Spot the Risks Privacy and Information Security Awareness Training

I’m pleased to announce a new training program:  Spot the Risks: Privacy and Security. The program is a Where’s Waldo style risk-spotting game that takes about 5 minutes to complete.  Trainees are asked to spot the risks in an office.  Feedback is provided about each risk so trainees learn many of the most important best practices.

Continue Reading

What Can We Learn From Bad Passwords?

Daniel Solove
Founder of TeachPrivacy

Title

By Daniel J. Solove

The SplashData annual list of the 25 most widely used bad passwords recently was posted for passwords used in 2015.  The list is compiled annually by examining passwords leaked during a particular year.  Here is the list of passwords for 2015, and below it, I have some thoughts and reactions to the list.

Continue Reading

Can the FBI Force Apple to Write Software to Weaken Its Software?

Daniel Solove
Founder of TeachPrivacy

title image

A dramatic legal battle is taking place that will have dramatic implications for the future of technology, privacy, security, and the extent of government power.  The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.

Continue Reading

New Privacy and Security Awareness Training Programs

Daniel Solove
Founder of TeachPrivacy

security awareness training

I created some new training programs last year, and here are some of the highlights:

Security Training Malware -- Ransomware Attack

The Ransomware Attack (~5 mins)

This short program (~5 minutes) consists of an interactive cartoon vignette about malware.  The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware.  The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.

Module Lifecycle of Personal Data 01

The Life Cycle of Personal Data (~ 15 mins)

This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data.  The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.

Continue Reading

The Ultimate Unifying Approach to Complying with All Laws and Regulations

Daniel Solove
Founder of TeachPrivacy

The Ultimate Unifying Approach to Complying with All Laws and Regulations

Professor Woodrow Hartzog and I have just published our new article, The Ultimate Unifying Approach to Complying with All Laws and Regulations19 Green Bag 2d 223 (2016).  Our article took years of research and analysis, intensive writing, countless drafts, and endless laboring over every word. But we hope we achieved a monumental breakthrough in the law.  Here’s the abstract:

There are countless laws and regulations that must be complied with, and the task of figuring out what to do to satisfy all of them seems nearly impossible. In this article, Professors Daniel Solove and Woodrow Hartzog develop a unified approach to doing so. This approach (patent pending) was developed over the course of several decades of extensive analysis of every relevant law and regulation.

Continue Reading

Is HIPAA Enforcement Too Lax?

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.

A Sustained and Vigorous Critique of OCR HIPAA Enforcement

A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”

Continue Reading

Blogging Highlights 2015: Cybersecurity Issues

Daniel Solove
Founder of TeachPrivacy

Cybersecurity Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about security:

The Worst Password Ever Created

worst password ever created

Should the FTC Kill the Password?
The Case for Better Authentication

title image

Continue Reading

Ransomware’s Dilemma: Pay It or Not?

Daniel Solove
Founder of TeachPrivacy

Ransomware cybersecurity training

Ransomware is one of the most frightening scourges to hit the Internet.  Ransomware is a form of malware (malicious code) that encrypts a person’s files and demands a ransom payment to decrypt them.  If the money isn’t paid, the encryption keys are destroyed, and the data is lost forever.

Ransomware cybersecurity training

Ransomware began to emerge in 2009, and it has been rapidly on the rise.  Recently, it was ranked as the number one threat involving mobile malware.  According to one estimate, “at least $5 million is extorted from ransomware victims each year.”

Ransomware became a household name in 2013, when CryptoLocker infected about 500,000 victims in just 6 months.

Ransomware Cryptolocker security training 01CryptoLocker was eventually defeated.  But new variants of ransomware started popping up more frequently.

Continue Reading

10 Implications of the New EU General Data Protection Regulation (GDPR)

Daniel Solove
Founder of TeachPrivacy

EU GDPR Training General Data Protection Regulation

EU Flag EU Privacy TrainingLast week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries.  Clocking in at more than 200 pages, this is quite a document to digest.  According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”

The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year.  It will has substantial implications for any global company doing business in the EU.  The GDPR is anticipated to go into effect in 2017.

Here are some of the implications I see emerging from the GDPR as well as some questions for the future:

1. Penalties and Enforcement

Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.”  Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.”  The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”

These are huge penalties.  Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO).  Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling.  The CEO will stand up immediately and say: “Excuse me, but I must take this call.  It’s my CPO calling!”

EU Privacy Training Money

To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent.  Will the new GDPR change enforcement?  With such huge fines, the payoff for enforcement will be enormous.  We could see a new enforcement culture emerge, with more robust and consistent enforcement.  If privacy isn’t much of a priority of upper management at some global companies, it will be soon.

Continue Reading

The Kafkaesque Sacrifice of Encryption Security in the Name of Security

Daniel Solove
Founder of TeachPrivacy

The Kafkaesque Sacrifice of Encryption Security in the Name of Security

By Daniel J. Solove

Proponents for allowing government officials to have backdoors to encrypted communications need to read Franz Kafka.  Nearly a century ago, Kafka deftly captured the irony at the heart of their argument in his short story, “The Burrow.”

After the Paris attacks, national security proponents in the US and abroad have been making even more vigorous attempts to mandate a backdoor to encryption.

Continue Reading

Does Cybersecurity Law Work Well? An Interview with Ed McNicholas

Daniel Solove
Founder of TeachPrivacy

Does Cybersecurity Law Work Well?  An Interview with Ed McNicholas

By Daniel J. Solove

“The US is developing a law of cybersecurity that is incoherent and unduly complex,” says Ed McNicholas, one of the foremost experts on cybersecurity law. 

McNicholas is a partner at Sidley Austin LLP and co-editor of the newly-published treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk (with co-editor Vivek K. Mohan).   The treatise is a superb guide to this rapidly-growing body of law, and it is nicely succinct as treatises go.  It is an extremely useful volume that I’m delighted I have on my desk.  If you practice in this field, get this book.  

Continue Reading

K-12 Schools Must Teach Data Privacy and Security

Daniel Solove
Founder of TeachPrivacy

K-12 Schools Must Teach Data Privacy and Security

By Daniel J. Solove

It is essential that children learn about data privacy and security.  Their lives will be fully enveloped by technologies that involve data.  But far too little about these topics is currently taught in most schools. 

Fortunately, there is a solution, one that I’m proud to have been involved in creating.  The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix.

The Privacy K-12 Curriculum Matrix is free.  It can be used by any school, educator, or parent.  It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels.  It includes suggestions for appropriate learning activities for each grade level.

Continue Reading

Modernizing Electronic Surveillance Law

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

Next year, there will be a milestone birthday for the Electronic Communications Privacy Act (ECPA) – the primary federal law that regulates how the government and private parties can monitor people’s Internet use, wiretap their communications, peruse their email, gain access to their files, and much more.

This is no ordinary birthday for ECPA. In 2016, ECPA turns 30. Little did anyone think that in 1986, when ECPA was passed, that it would still remain largely unchanged for 30 years. In 1986, the Cloud was just something in the sky. The Web was what a spider made.

Continue Reading

Great Fictional Works About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

At my annual event, the Privacy+Security Forum, which was held last month, one of the sessions  involved privacy and security in fiction. The panelists had some terrific readings suggestions, and I thought I’d share with you the write-up that they generated for their session. The speakers were:

Peter Winn, Assistant U.S. Attorney, U.S. DOJ and Lecturer, University of Washington School of Law

Heather West, Senior Policy Manager & Americas Principal, Mozilla

Kevin Bankston, Director, Open Technology Institute and Co-Director, Cybersecurity Initiative, New America

Joseph Jerome, Policy Counsel at Future of Privacy Forum

Continue Reading

Privacy+Security Forum Chart of Session Times + Speakers

Daniel Solove
Founder of TeachPrivacy

Privacy+Security Forum

I’m very excited that the 1st annual Privacy + Security Forum (Oct. 21-23 in Washington, DC) is finally beginning!

We have about 190 speakers and 60+ sessions.

Session Descriptions: Session Descriptions Guide
Readings: Readings for each session are on our schedule page
Session Times and Location: Session Times and Location Chart.

Below is a chart with session titles, speakers, times, and room assignments.  I designed this chart to be easy to access online.

Continue Reading

Sunken Safe Harbor: 5 Implications of Schrems and US-EU Data Transfer

Daniel Solove
Founder of TeachPrivacy

sunken safe harbor

By Daniel J. Solove

In a profound ruling with enormous implications,the European Court of Justice (ECJ) has declared the Safe Harbor Arrangement to be invalid.

[Press Release]  [Opinion]

The Safe Harbor Arrangement

The Safe Harbor Arrangement has been in place since 2000, and it is a central means by which data about EU citizens can be transferred to companies in the US.  Under the EU Data Protection Directive, data can only be transferred to countries with an “adequate level of protection” of personal data.  The EU has not deemed the US to provide an adequate level of protection, so Safe Harbor was created as a work around.

Continue Reading

Phishing Your Employees: 3 Essential Tips

Daniel Solove
Founder of TeachPrivacy

Phishing Training

A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce.  Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.

1. Be careful about data collection and discipline

Think about the data that you gather about employee performance on simulated phishing.  It can be easy to overlook the implications of maintaining and using this data.  I look at it through the lens of its privacy risks.  This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences.  How long will the data be kept?  What will be done with it?  How securely will it be kept?  What if it were compromised and publicized online?

Continue Reading

PCI Training: Reducing the Risk of Phishing Attacks

Daniel Solove
Founder of TeachPrivacy

PCI Training Payment Card Data Risks

PCI Logo PCI TrainingThe Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks.  Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS).  One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.

A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.

PCI Training Phishing Statistics

According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”

Continue Reading

Start with Security: The FTC’s Data Security Guidance

Daniel Solove
Founder of TeachPrivacy

FTC Start with Security 03

Recently, the FTC issued a short guide to what organizations can do to protect data security.  It is called Start with Security  (HTML) — a PDF version is here.  This document provides a very clear and straightforward discussion of 10 good information security measures.  It uses examples from FTC cases.

Continue Reading

Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents

Daniel Solove
Founder of TeachPrivacy

Why HIPAA matters

By Daniel J. Solove

Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.

“HIPAA?” the doctors will ask.

“Yes, HIPAA,” I confess.

And then the doctor’s face turns grim.  At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease.  Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.”  It’s about as bad as “stink eye.”

Continue Reading

5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham

Daniel Solove
Founder of TeachPrivacy

Federal Trade Commission - FTC - Data Security

Over at Fierce IT Security, Professor Woodrow Hartzog and I have a new essay, 5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham The piece discusses some enforcement strategies we believe the FTC should use to maximize its effectiveness in improving data security.  Our suggestions include:

  1. Do more proactive enforcement
  2. Take on more data security cases
  3. Push companies toward improved authentication – moving beyond mere passwords
  4. Restrict the use of Social Security numbers for authentication purposes
  5. Develop a theory of data stewardship for third parties

Please check out our essay for our explanation of the above agenda and a lot more detail.

Continue Reading

The FTC Has the Authority to Enforce Data Security: FTC v. Wyndham Worldwide Corp.

Daniel Solove
Founder of TeachPrivacy

FTC 01by Daniel J. Solove

The U.S. Court of Appeals for the 3rd Circuit just affirmed the district court decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd. Cir. Aug. 24, 2015).  The case involves a challenge by Wyndham to an Federal Trade Commission (FTC) enforcement action emerging out of data breaches at the Wyndham.

Background

Since the mid-1990s, the FTC has been enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security.  Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.”  Deception and unfairness are two independent bases for FTC enforcement.  During the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled.  Wyndham was one of the exceptions; instead of settling, it challenged the FTC’s authority to enforce to protect data security as an unfair trade practice.

Among the arguments made by Wyndham, three are most worth focusing on:

FTC PNG 02a(1) Because Congress enacted data security laws to regulate specific industries, Congress didn’t intend for the FTC to be able to regulate data security under the FTC Act.

(2) The FTC is not providing fair notice about the security practices it deems as “unfair” because it is enforcing on a case-by-case basis rather than promulgating a set of specific practices it deems as unfair.

(3) The FTC failed to establish “substantial injury to consumers” as required to enforce for unfairness.

The district court rejected all three of these arguments, and so did the 3rd Circuit Court of Appeals.  Here is a very brief overview of the 3rd Circuit’s reasoning.

Continue Reading

Should the FTC Kill the Password? The Case for Better Authentication

Daniel Solove
Founder of TeachPrivacy

title image

Co-authored by Professor Woodrow Hartzog.

Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.

Continue Reading

Understanding the FTC on Privacy and Security

Daniel Solove
Founder of TeachPrivacy

Privacy Training Blog FTC

by Daniel J. Solove

Privacy Awareness Training Blog TRUSTe FTC WebinarI recently held a webinar about the Federal Trade Commission (FTC) for TRUSTe called Understanding the FTC on Privacy and Security.   The webinar is free and is archived at TRUSTe’s site.

Here is a brief synopsis of the webinar:

For the past nearly two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security.  What are the standards that the FTC is developing for privacy and data security?  What sources does the FTC use for the standards it develops?

A common misconception is that the FTC’s jurisprudence has been rather thin, merely focuses on enforcing promises made in privacy policies. To the contrary, a deeper look the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.

My webinar was written up at the Wall Street Journal.  If you’re interested in seeing it, it’s free and available here.   Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.

Continue Reading

OPM Data Breach Fallout, Fingerprints, and Other Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

OPM Fallout

By Daniel J. Solove

Co-authored by Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here. We cover health issues in a separate post.

general devels

News

Mayer Brown survey of executives: 25% of organizations lack both a CPO and CIO (March 2015)

stats

Continue Reading

Security Experts Critique Government Backdoor Access to Encrypted Data

Daniel Solove
Founder of TeachPrivacy

Data Ballby Daniel J. Solove

In a recent report, MIT security experts critiqued calls by government law enforcement for backdoor access to encrypted information.  As the experts aptly stated:

“Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure government access to information — even encrypted information. They argue that the growing use of encryption will neutralize their investigative capabilities. They propose that data storage and communications systems must be designed for exceptional access by law enforcement agencies. These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

The report is called Keys Under Doormats: Mandating Insecurity by Requiring Government Access to all Data and Communications and is by Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner.

Continue Reading

Mr. Robot: My Review of the New TV Series

Daniel Solove
Founder of TeachPrivacy

Mr Robot 01by Daniel J. Solove

I’ve really been enjoying the new TV series Mr. Robot on USA. Network.  It presents highly-engaging depictions of hacking and social engineering, and it is great entertainment for privacy and security  geeks.

Mr Robot 05aThe protagonist is Elliot Alderson (played by Rami Malek), a tech who works at a cybersecurity firm in New York City.  The show is narrated with voiceover by Elliot, and we get a glimpse into the mind of this reclusive and quiet person.  Voiceover can often falter as a technique, but here it works wonderfully — and all the more impressive because Elliot speaks softly, often in monotone.  But Elliot is such a fascinating character and Malek delivers Elliot’s monologue so effectively, that it becomes surprisingly engaging.

Elliot is very smart and clever, and he sees many around him as idiots.  He suffers from severe bouts of depression, is a recluse who wants to be invisible, and he is very awkward around other people.  He lives most of his life inside his head.  The show presents the stark contrast between what he says to others and what he is thinking.  In one scene, we see him speaking to his psychiatrist, telling her hardly anything.  But we hear his thoughts and know that he is pondering quite a lot.
Continue Reading

Going Bankrupt with Your Personal Data

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

A recent New York Times article discusses the issue of what happens to your personal data when companies go bankrupt or are sold to other companies:

When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.

This has long been a problem, and I’m glad to see it receiving some attention.  The issue arose in one of the early FTC cases on privacy about 15 years ago.

Continue Reading

Baseball’s “Hacking” Case: Are You a Hacker Too?

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

 

I’m a St. Louis Cardinals fan, so I guess it is fitting that my favorite team becomes embroiled in a big privacy and data security incident.  At the outset, apologies for the feature photo above.  It pulled up under a search for “baseball hacker,” and as a collector of ridiculous hacker stock photos, I couldn’t resist adding this one to my collection.  I doctored it up by adding in the background, but I applaud the prophetic powers of the photographer who had a vision that one day such an image would be needed.

Continue Reading