All posts in Data Security

Phishing Cartoon: Signs of a Phishing Scam

Daniel Solove
Founder of TeachPrivacy

Misspelled words and bad grammar are tell-tale signs of phishing.   Why don’t phishers learn spelling and grammar?  Can’t they afford a copy of Strunk and White?

Phishers don’t need to spell better because their poorly-written schemes still fool enough people.  It’s just math for the phishers — a numbers game.   If you handle IT security at your organization, don’t assume that people won’t fall for obvious phishing scams — they do.   That’s why it is essential to train people — again and again.

Continue Reading

Law Firm Cybersecurity: An Industry at Serious Risk

Daniel Solove
Founder of TeachPrivacy

Last year, major incidents involving law firm data breaches brought attention to the weaknesses within law firm data security and the need for more effective plans and preparation. An American Bar Association (ABA) survey reveals that 26% of firms (with more than 500 attorneys) experienced some sort of data breach in 2016, up from 23% in 2015.

Continue Reading

Epilogue to the St. Louis Cardinals Baseball Hacking Case

Daniel Solove
Founder of TeachPrivacy

St Louis Cardinals Hacking Baseball

A while ago, I wrote about a case involving a member of the St. Louis Cardinals baseball team staff who improperly accessed a database of the Houston Astros.   There is now an epilogue to report in the case.  The individual who engaged in the illegal access — a scouting director named Chris Correa — was fired by the Cardinals, imprisoned for 46 months, and banned permanently from baseball.  The Cardinals were fined $2 million by Major League Baseball Commissioner Rob Manfred, and they must forfeit their first two picks in the draft to the Houston Astros.

According to an article about the incident in the St. Louis Post-Dispatch: “As outlined in court documents, the U.S. attorney illustrated how Correa hacked Houston’s internal database, ‘Ground Control,’ 48 times during a 2½-year period. He viewed scouting reports, private medical reviews and other proprietary information. The government argued that Correa may have sought to determine if Houston borrowed the Cardinals’ data or approach, but the information he accessed was ‘keenly focused on information that coincided with the work he was doing for the Cardinals.'”

As I wrote in my piece about the case, there are several lessons to be learned.  One lesson is that it is a myth that hacking and computer crime must be hi-tech.  Here, Correa’s hacking was nothing sophisticated — he just used another person’s password.  The person had previously worked for the Cardinals, and when he went to the Astros, he kept using the same password.  In my piece, I discussed other lessons from this incident, such as the importance of teaching people good password practices as well as teaching people that just because they have access to information doesn’t make it legal to view the information.  The Cardinals organization appears to have learned from the incident, as the “employee manual has been updated to illustrate what is illegal activity online,” and the organization is using two-factor authentication to protect its own sensitive data.  The article doesn’t say whether the Astros also stepped up their security awareness training by teaching employees not to reuse their old passwords from another team.

Continue Reading

The Funniest Hacker Stock Photos 3.0

Daniel Solove
Founder of TeachPrivacy

Hacker Santa

It’s time for a third installment of the funniest hacker stock photos.  Because I create information security awareness training (and HIPAA security training too), I’m always in the hunt for hacker photos.   There are so many absurd ones that I can make enough Funniest Hacker Stock Photo posts to keep pace with Disney in making new Star Wars movies!

If you’re interested in the previous posts in this series see:
The Funniest Hacker Stock Photos 2.0
The Funniest Hacker Stock Photos 1.0

So without further ado, here are this year’s pictures:

Hacker Stock Photo #1

Funniest Hacker Stock Photo - TeachPrivacy Security Awareness Training

This hacker hacks the Amish way — without the use of technology or electricity.   Who needs a computer when a good old magnifying glass will suffice?  The key to this technique is to be very sneaky.  For seasoned hackers who steadfastly believe in doing things the old-fashioned way, this is how it is done!   As this hacker says: “Yes, grandson, we had to walk six miles in the snow and hack with magnifying glasses . . . you young folks have it so easy these days!”

Hacker Stock Photo #2

Funniest Hacker Stock Photo - TeachPrivacy Security Awareness Training

Why use just one magnifying glass when you can use two?  Magnifying glasses are really important to read tiny text on computer screens.  Figuring out how to enlarge the font in Windows can be tricky, and good hackers figure out “hacks” to make things faster and easier.

Hacker Stock Photo #3

Funniest Hacker Stock Photos -- TeachPrivacy Information Security Awareness Training

I’m not entirely sure what this guy is doing, but I presume that he’s so good of a hacker than he can hack with the screen facing in the wrong direction.  The only problem is that there’s nothing on his computer screen — I think he needs to stop smiling and start working a bit harder.

Hacker Stock Photo #4

Funniest Hacker Stock Photos

In an earlier edition of this series, I commented extensively on hacker gloves.  In this edition, it’s time to turn to the masks hackers wear.  I’ve always wondered why so many hackers wear masks.  Isn’t a good hacker supposed to be hard to trace?  After extensive research, I have learned that hackers wear masks because when they hack from halfway across the world and try to conceal their tracks, they might somehow mess up and accidentally expose their faces from their webcams.   Or, maybe it’s just a fashion statement.  I still have more research to do about this very important question — I’m just waiting for some funding to support this important research.

Regarding the mask above, it’s part of a new trend.  Ordinary hackers wear ninja masks, but that’s starting to become a bit passe among hacker fashion experts.  Trend leaders are wearing much more elaborate masks these days.

Continue Reading

Notable Privacy and Security Books from 2016

Daniel Solove
Founder of TeachPrivacy

Here are some notable books on privacy and security from 2016. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.

Continue Reading

When Do Data Breaches Cause Harm?

Daniel Solove
Founder of TeachPrivacy

 

Harm has become the key issue in data breach cases. During the past 20 years, there have been hundreds of lawsuits over data breaches. In many cases, the plaintiffs have evidence to establish that reasonable care wasn’t used to protect their data. But the cases have often been dismissed because courts conclude that the plaintiffs have not suffered harm as a result of the breach. Some courts are beginning to recognize harm, leading to significant inconsistency and uncertainty in this body of law.

Continue Reading

Hacking Cartoon: All Too Easy

Daniel Solove
Founder of TeachPrivacy

Cartoon Hacker Quits - TeachPrivacy Security Awareness Training

Hacking is easy.  My latest cartoon is based on the fact that many hacking attacks involve rather simple and common tactics.  Why try the hard stuff when the easy stuff works so well?  All it takes is for one person to fall for a social engineering trick, and the hackers can break in.

Continue Reading

Black Mirror: A Powerful Look at the Dark Side of Privacy, Security, and Technology

Daniel Solove
Founder of TeachPrivacy

Black Mirror Review

In a series of posts, I have written about some of my favorite media regarding privacy and security: TV shows, movies, and novels. When I wrote about TV shows, a number of people recommended the show Black Mirror. I have now seen all the episodes thus far, and I am happily adding it to the list. Black Mirror is essential watching in the canon for anyone interested in privacy, security, technology, and the future.

Continue Reading

Phishing Cartoon: Why Do Phishers Keep Sending Obvious Scam Emails?

Daniel Solove
Founder of TeachPrivacy

Phishing Cartoon

Why do phishers waste their time with such obvious phishing scams when they can do so much better?

One possible answer: They don’t have to do better.  They send out so many emails that they only need a very low percentage of people to click.  And people always do.  In fact, if phishing emails became more effective, phishers might get too many clicks and might not be able to process it all!

To break into an organization, all the phishers need to do is to catch just one person. They don’t need to overphish the seas.  Victims are plentiful enough!

Don’t assume that people won’t fall for obvious phishing scams — they do.  That’s why it is essential to train people.  I am pleased to announce that TeachPrivacy now is offering a phishing simulator service.  We’ve teamed up with QuickPhish to provide a platform where organizations can conduct simulated phishing exercises for their workforce.  A great way to teach people not to fall for phishing emails is through direct experience.  When people wrongly click, our training can follow to teach them how to improve.

Phishing Simulator

Continue Reading

Clearing Up the Fog of Cloud Service Agreements

Daniel Solove
Founder of TeachPrivacy

cloud

Contracting with cloud service providers has long been a world shrouded in fog. Across various organizations, cloud service agreements (CSAs) are all over the place, and often many people entering into these contracts have no idea what provisions they should have to protect their data.

Continue Reading

The Funniest Password Recovery Questions and Why Even These Don’t Work

Daniel Solove
Founder of TeachPrivacy

Passwords

 

A recent article in Wired argues that it is time to kill password recovery questions. Password recovery questions are those questions that you set up in case you forget your password. Common questions are:

In what city were you born?

What is your mother’s maiden name?

Where did you go to high school?

Continue Reading

Ransomware: A Cartoon to Brighten More Bad News

Daniel Solove
Founder of TeachPrivacy

Ransomware cartoon

I have good news and bad news about ransomware.  First, the good news — here’s a cartoon I created.  I hope you enjoy it, because that’s the only good news i have.  Now, for the bad news . . .

The Bad News: Be Afraid, Very Afraid

Everyone seems to be afraid of ransomware these days, but is the fear justified?  Is ransomware more about hype than harm?   Unfortunately, a recent study of international companies conducted by Malwarebytes provides some startling statistics to back up the fears.  According to the study, 40% of companies worldwide and more than 50% of the US companies surveyed experienced a ransomware incident in the last year.

The stakes are very high — 3.5% of companies surveyed even indicated that lives were also at stake which was exemplified by a recent attack in Marin, California where doctors lost access to patient records for over 10 days.

Continue Reading

Passwords Cartoon – Security Awareness Training

Daniel Solove
Founder of TeachPrivacy

Cartoon Passwords - TeachPrivacy Security Awareness Training 01

Here’s a cartoon I created to illustrate the importance of security awareness training.  I hope you find it amusing.

Continue Reading

Attorney Confidentiality, Cybersecurity, and the Cloud

Daniel Solove
Founder of TeachPrivacy

Law firm data security

There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations.  This issue is especially acute when it comes to using the cloud to store privileged documents.  A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality.  In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain.

Continue Reading

New Resource Page: How to Make Security Training Effective

Daniel Solove
Founder of TeachPrivacy

Effective Security Training

I recently created a new resource page —  How to Make Security Training Effective.  The page contains my advice for how  to make security training memorable and effective in changing behavior.

Training the workforce is an essential way to protect data security, but not all training endeavors are successful.  Poor training is akin to shouting into the void.  This resource page is designed to provide some tips and advice about training that I’ve learned from being an educator for more than 15 years.  Continue Reading

New Resource Page: Security Awareness Training FAQ

Daniel Solove
Founder of TeachPrivacy

Security Awareness Training FAQ 01

What laws require security awareness training?  What topics do the laws require to be covered?  What should be covered?  How frequently should training be given?

I recently created a new resource page — Security Awareness Training FAQ — to answer the above questions and more.  I discuss various legal and industry requirements for security awareness training.  I also discuss best practices.  I hope that you find this resource to be useful.

Continue Reading

The Solution to All Privacy and Data Security Problems Worldwide

Daniel Solove
Founder of TeachPrivacy

Solution to Privacy and Security Problems 02
After years of careful study and extensive analysis, I have arrived at a solution to all the privacy and data security problems worldwide. Although I’ve been advised that I shouldn’t give away such a perfect solution to such a vexing problem for free, my drive to altruism is simply too strong.

Without further ado . . .

Read the Solution to All Privacy and Data Security Problems Worldwide

Don’t collect personal data.

Further Elaboration

April Fool’s!

There is another solution — not quite a miracle cure all, but definitely very helpful — privacy and cybersecurity training!  And that’s no joke.

With Professor Woodrow Hartzog, I have also solved the challenge of legal compliance more generally: The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016).

Continue Reading

Ransomware on a Rampage

Daniel Solove
Founder of TeachPrivacy

Ransomware Training 01

Ransomware is on a rampage!  Attacks are happening with ever-increasing frequency, and ransomware is evolving and becoming more powerful.

Several major media sites, such as the New York Times, BBC, AOL, and the NFL, were recently infected with malware that directed visitors to sites attempting to install ransomware on their computers.

Ransomware Malware Training

Ransomware has the potential to attack the Internet of Things.  In one instance, a researcher was able to infect a TV with ransomware.

Ransomware is now attacking smart phones.

Last month, one hospital paid $17,000 in ransom when ransomware attacked its computer system.  The computer network was down for more than a week, and patients had to be transferred to other hospitals.

Continue Reading

The Funniest Hacker Stock Photos 2.0

Daniel Solove
Founder of TeachPrivacy

Security Training

Back by popular demand, it’s time for another round of the funniest hacker stock photos.  Because I create information security awareness training (and HIPAA security training too), I  frequently find myself in need of a good hacker photo.

But good hacker photos are hard to find.  I often browse through countless images, each one more ridiculous than the next.

Last year, I brought you some of the funniest hacker stock photos I found. There are more . . . oh so many more!  Here are the lucky “winners” this year. Continue Reading

Can the FBI Force Apple to Write Software to Weaken Its Software?

Daniel Solove
Founder of TeachPrivacy

Privacy Awareness TrainingA dramatic legal battle is taking place that will have dramatic implications for the future of technology, privacy, security, and the extent of government power.  The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.

Continue Reading

Information Security Training: Focus on the Human Problem

Daniel Solove
Founder of TeachPrivacy

Information Security Awareness Training Plan B

I created a new poster about information security training, which is debuting at the RSA conference.  This poster is based on the fact that the vast majority of information security incidents and data breaches occur because of human mistakes.   Information security is only in small part a technology problem; it is largely a human problem.

If you’re at RSA and are interested in information security awareness training, please drop by the TeachPrivacy booth at Moscone North 4802.

RSA Conference 2016

You can pick up a copy of this poster.  And you can also learn about our newest training, which includes a really neat Where’s Waldo style game where users spot privacy and security risks.

Continue Reading

Spot the Privacy and Security Risks Training Game

Daniel Solove
Founder of TeachPrivacy

Spot the Risks Privacy and Information Security Awareness Training

I’m pleased to announce a new training program:  Spot the Risks: Privacy and Security. The program is a Where’s Waldo style risk-spotting game that takes about 5 minutes to complete.  Trainees are asked to spot the risks in an office.  Feedback is provided about each risk so trainees learn many of the most important best practices.

Continue Reading

Notable Privacy and Security Books from 2015

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

For several years, I have been posting about notable books on privacy and security, and this post lists some of the notable books from 2015.  To see a more comprehensive list of nonfiction works about privacy and security, you might consult this resource page that Professor Paul Schwartz and I maintain: Nonfiction Privacy + Security Books.

Now, without further ado, here are some of the many privacy and security books published in 2015:

Continue Reading

What Can We Learn From Bad Passwords?

Daniel Solove
Founder of TeachPrivacy

Title

By Daniel J. Solove

The SplashData annual list of the 25 most widely used bad passwords recently was posted for passwords used in 2015.  The list is compiled annually by examining passwords leaked during a particular year.  Here is the list of passwords for 2015, and below it, I have some thoughts and reactions to the list.

Continue Reading

Can the FBI Force Apple to Write Software to Weaken Its Software?

Daniel Solove
Founder of TeachPrivacy

title image

A dramatic legal battle is taking place that will have dramatic implications for the future of technology, privacy, security, and the extent of government power.  The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.

Continue Reading

New Privacy and Security Awareness Training Programs

Daniel Solove
Founder of TeachPrivacy

security awareness training

I created some new training programs last year, and here are some of the highlights:

Security Training Malware -- Ransomware Attack

The Ransomware Attack (~5 mins)

This short program (~5 minutes) consists of an interactive cartoon vignette about malware.  The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware.  The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.

Module Lifecycle of Personal Data 01

The Life Cycle of Personal Data (~ 15 mins)

This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data.  The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.

Continue Reading

The Ultimate Unifying Approach to Complying with All Laws and Regulations

Daniel Solove
Founder of TeachPrivacy

The Ultimate Unifying Approach to Complying with All Laws and Regulations

Professor Woodrow Hartzog and I have just published our new article, The Ultimate Unifying Approach to Complying with All Laws and Regulations19 Green Bag 2d 223 (2016).  Our article took years of research and analysis, intensive writing, countless drafts, and endless laboring over every word. But we hope we achieved a monumental breakthrough in the law.  Here’s the abstract:

There are countless laws and regulations that must be complied with, and the task of figuring out what to do to satisfy all of them seems nearly impossible. In this article, Professors Daniel Solove and Woodrow Hartzog develop a unified approach to doing so. This approach (patent pending) was developed over the course of several decades of extensive analysis of every relevant law and regulation.

Continue Reading

3 Types of Incidents Account for 86% of HIPAA Data Breaches

Daniel Solove
Founder of TeachPrivacy

HIPAA Data BreachA new report by Verizon, the PHI Data Breach report, analyzes 1,931 data breaches of protected health information (PHI) under HIPAA,  The incidents occurred between 1994 and 2014, with most occurring from 2004-2014.  An article from Computer World sums up the findings of the report.

Verizon 2016 Healthcare ReportOne interesting statistic is that 392 million PHI records were compromised in these breaches, more than the entire population of the United States.

The report notes that 3 types of incident account for 86% of the data breaches:

(1) Lost or stolen portable electronic devices

(2) Sending records to the wrong individual

(3) Improper access to PHI by employees

What do these things have in common?

These are problems that deal with the human factor.  The problems are preventable, and the risk of them can be significantly reduced through training.

To train on these things, organizations must do more then merely say: “Be careful” or “Do not do.”  The training must have an impact on people.  And education is most effective with repetition. People must be repeatedly educated, over and over again.

Continue Reading

Is HIPAA Enforcement Too Lax?

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.

A Sustained and Vigorous Critique of OCR HIPAA Enforcement

A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”

Continue Reading

The Scope and Potential of FTC Data Protection

Daniel Solove
Founder of TeachPrivacy

FTC Privacy and Security

I am pleased to announce the publication of my article, The Scope and Potential of FTC Data Protection., 83 George Washington Law Review 2230 (2015).  I wrote the article with Professor Woodrow Hartzog.

FTC StatueThe article addresses  the scope of FTC authority in the areas of privacy and data security (which together we refer to as “data protection”).  We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.

We contend that the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss why the FTC should act with greater transparency and more nuanced sanctioning and auditing.

The article was part of a great symposium organized by the George Washington University Law Review: The FTC at 100.

GW Law Review FTC Symposium

Here is a table of contents of the issue, along with links to where you can access each essay and article.

Continue Reading

Blogging Highlights 2015: Cybersecurity Issues

Daniel Solove
Founder of TeachPrivacy

Cybersecurity Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about security:

The Worst Password Ever Created

worst password ever created

Should the FTC Kill the Password?
The Case for Better Authentication

title image

Continue Reading

Ransomware’s Dilemma: Pay It or Not?

Daniel Solove
Founder of TeachPrivacy

Ransomware cybersecurity training

Ransomware is one of the most frightening scourges to hit the Internet.  Ransomware is a form of malware (malicious code) that encrypts a person’s files and demands a ransom payment to decrypt them.  If the money isn’t paid, the encryption keys are destroyed, and the data is lost forever.

Ransomware cybersecurity training

Ransomware began to emerge in 2009, and it has been rapidly on the rise.  Recently, it was ranked as the number one threat involving mobile malware.  According to one estimate, “at least $5 million is extorted from ransomware victims each year.”

Ransomware became a household name in 2013, when CryptoLocker infected about 500,000 victims in just 6 months.

Ransomware Cryptolocker security training 01CryptoLocker was eventually defeated.  But new variants of ransomware started popping up more frequently.

Continue Reading

The Kafkaesque Sacrifice of Encryption Security in the Name of Security

Daniel Solove
Founder of TeachPrivacy

The Kafkaesque Sacrifice of Encryption Security in the Name of Security

By Daniel J. Solove

Proponents for allowing government officials to have backdoors to encrypted communications need to read Franz Kafka.  Nearly a century ago, Kafka deftly captured the irony at the heart of their argument in his short story, “The Burrow.”

After the Paris attacks, national security proponents in the US and abroad have been making even more vigorous attempts to mandate a backdoor to encryption.

Continue Reading

Does Cybersecurity Law Work Well? An Interview with Ed McNicholas

Daniel Solove
Founder of TeachPrivacy

Does Cybersecurity Law Work Well?  An Interview with Ed McNicholas

By Daniel J. Solove

“The US is developing a law of cybersecurity that is incoherent and unduly complex,” says Ed McNicholas, one of the foremost experts on cybersecurity law. 

McNicholas is a partner at Sidley Austin LLP and co-editor of the newly-published treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk (with co-editor Vivek K. Mohan).   The treatise is a superb guide to this rapidly-growing body of law, and it is nicely succinct as treatises go.  It is an extremely useful volume that I’m delighted I have on my desk.  If you practice in this field, get this book.  

Continue Reading

K-12 Schools Must Teach Data Privacy and Security

Daniel Solove
Founder of TeachPrivacy

K-12 Schools Must Teach Data Privacy and Security

By Daniel J. Solove

It is essential that children learn about data privacy and security.  Their lives will be fully enveloped by technologies that involve data.  But far too little about these topics is currently taught in most schools. 

Fortunately, there is a solution, one that I’m proud to have been involved in creating.  The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix.

The Privacy K-12 Curriculum Matrix is free.  It can be used by any school, educator, or parent.  It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels.  It includes suggestions for appropriate learning activities for each grade level.

Continue Reading

Great Fictional Works About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

At my annual event, the Privacy+Security Forum, which was held last month, one of the sessions  involved privacy and security in fiction. The panelists had some terrific readings suggestions, and I thought I’d share with you the write-up that they generated for their session. The speakers were:

Peter Winn, Assistant U.S. Attorney, U.S. DOJ and Lecturer, University of Washington School of Law

Heather West, Senior Policy Manager & Americas Principal, Mozilla

Kevin Bankston, Director, Open Technology Institute and Co-Director, Cybersecurity Initiative, New America

Joseph Jerome, Policy Counsel at Future of Privacy Forum

Continue Reading

The Growing Problems with the Sectoral Approach to Privacy Law

Daniel Solove
Founder of TeachPrivacy

Sectoral Omnibus Privacy Regulation

By Daniel J. Solove

The US regulates privacy with a sectoral approach, with laws that are directed only to specific industries.  In contrast, the EU and many other countries have an omnibus approach — one overarching law that regulates privacy consistently across all industries.  The US is an outlier from the way most countries regulate privacy.

About 15 years ago, the sectoral approach was hailed by many US organizations as vastly preferable to an omnibus approach.  Each industry wanted to be regulated differently, in a more nuanced way focused on its particular needs.  Industries could lobby and exert their influence much more on laws focused on their industry.  Additionally, some organizations liked the sectoral approach because they fell into one of the big gaps in regulation.

But today, ironically, the sectoral approach is not doing many organizations any favors.  There are still gaps in protection under the US approach, but these have narrowed.  In fact, many organizations do not fall into gaps in protection — they are regulated by many overlapping laws.  The result is a ton of complexity, inconsistency, and uncertainty in the law.

Continue Reading

Alan Westin’s Privacy and Freedom

Daniel Solove
Founder of TeachPrivacy

Alan Westin Privacy and Freedom

Alan Westin Privacy and FreedomI am pleased to announce that Alan Westin’s classic work, Privacy and Freedom, is now back in print.  Originally published in 1967, Privacy and Freedom had an enormous influence in shaping the discourse on privacy in the 1970s and beyond, when the Fair Information Practice Principles (FIPPs) were developed.

The book contains a short introduction by me.  I am truly honored to be introducing such a great and important work.  When I began researching and writing about privacy in the late 1990s, I kept coming across citations to Westin’s book, and I was surprised that it was no longer in print.  I tracked down a used copy, which wasn’t as easy to do as today.  What impressed me most about the book was that it explored the meaning and value of privacy in a rich and interdisciplinary way.

A very brief excerpt from my intro:

At the core of the book is one of the most enduring discussions of the definition and value of privacy. Privacy is a very complex concept, and scholars and others have struggled for centuries to define it and articulate its value. Privacy and Freedom contains one of the most sophisticated, interdisciplinary, and insightful discussions of privacy ever written. Westin weaves together philosophy, sociology, psychology, and other disciplines to explain what privacy is and why we should protect it.

Alan WestinI was fortunate to get to know Alan Westin, as I began my teaching career at Seton Hall Law School in Newark, New Jersey, and Alan lived and worked nearby.  I had several lunches with him, and we continued our friendship when I left to teach at George Washington University Law School.  Alan was kind, generous, and very thoughtful. He was passionate about ideas.  I miss him greatly.

So it is a true joy to see his book live on in print once again.

Here’s the blurb from the publisher:

Continue Reading

Privacy+Security Forum Chart of Session Times + Speakers

Daniel Solove
Founder of TeachPrivacy

Privacy+Security Forum

I’m very excited that the 1st annual Privacy + Security Forum (Oct. 21-23 in Washington, DC) is finally beginning!

We have about 190 speakers and 60+ sessions.

Session Descriptions: Session Descriptions Guide
Readings: Readings for each session are on our schedule page
Session Times and Location: Session Times and Location Chart.

Below is a chart with session titles, speakers, times, and room assignments.  I designed this chart to be easy to access online.

Continue Reading

Sunken Safe Harbor: 5 Implications of Schrems and US-EU Data Transfer

Daniel Solove
Founder of TeachPrivacy

sunken safe harbor

By Daniel J. Solove

In a profound ruling with enormous implications,the European Court of Justice (ECJ) has declared the Safe Harbor Arrangement to be invalid.

[Press Release]  [Opinion]

The Safe Harbor Arrangement

The Safe Harbor Arrangement has been in place since 2000, and it is a central means by which data about EU citizens can be transferred to companies in the US.  Under the EU Data Protection Directive, data can only be transferred to countries with an “adequate level of protection” of personal data.  The EU has not deemed the US to provide an adequate level of protection, so Safe Harbor was created as a work around.

Continue Reading

Phishing Your Employees: 3 Essential Tips

Daniel Solove
Founder of TeachPrivacy

Phishing Training

A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce.  Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.

1. Be careful about data collection and discipline

Think about the data that you gather about employee performance on simulated phishing.  It can be easy to overlook the implications of maintaining and using this data.  I look at it through the lens of its privacy risks.  This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences.  How long will the data be kept?  What will be done with it?  How securely will it be kept?  What if it were compromised and publicized online?

Continue Reading

6 Great Films About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel Solove

I previously shared 5 of my favorite novels about privacy and security, and I’d now like to share 6 of my favorite films about these topics — because I just couldn’t whittle the list down to 5.

I was thinking about my favorite films because I’ve been putting together a session at my Privacy+Security Forum event next month — the “Privacy and Security Film and TV Club” — where a group of experts will share their favorite films and TV series that have privacy and security themes.

Without further ado, here are my film choices:

Continue Reading

PCI Training: Reducing the Risk of Phishing Attacks

Daniel Solove
Founder of TeachPrivacy

PCI Training Payment Card Data Risks

PCI Logo PCI TrainingThe Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks.  Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS).  One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.

A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.

PCI Training Phishing Statistics

According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”

Continue Reading

Start with Security: The FTC’s Data Security Guidance

Daniel Solove
Founder of TeachPrivacy

FTC Start with Security 03

Recently, the FTC issued a short guide to what organizations can do to protect data security.  It is called Start with Security  (HTML) — a PDF version is here.  This document provides a very clear and straightforward discussion of 10 good information security measures.  It uses examples from FTC cases.

Continue Reading

Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents

Daniel Solove
Founder of TeachPrivacy

Why HIPAA matters

By Daniel J. Solove

Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.

“HIPAA?” the doctors will ask.

“Yes, HIPAA,” I confess.

And then the doctor’s face turns grim.  At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease.  Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.”  It’s about as bad as “stink eye.”

Continue Reading

5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham

Daniel Solove
Founder of TeachPrivacy

Federal Trade Commission - FTC - Data Security

Over at Fierce IT Security, Professor Woodrow Hartzog and I have a new essay, 5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham The piece discusses some enforcement strategies we believe the FTC should use to maximize its effectiveness in improving data security.  Our suggestions include:

  1. Do more proactive enforcement
  2. Take on more data security cases
  3. Push companies toward improved authentication – moving beyond mere passwords
  4. Restrict the use of Social Security numbers for authentication purposes
  5. Develop a theory of data stewardship for third parties

Please check out our essay for our explanation of the above agenda and a lot more detail.

Continue Reading

New Security Training Program: Social Engineering: Spies and Sabotage

Daniel Solove
Founder of TeachPrivacy

Module Data Security Spies and Sabotage 02

I am pleased to announce the launch of our new training program, Social Engineering: Spies and Sabotage. This course is a short module (~7 minutes long) that provides a general introduction to social engineering.

After discussing several types of social engineering (phishing, baiting, pretexting, and tailgaiting), the course provides advice for avoiding these tricks and scams. Key points are applied and reinforced with 4 scenario quiz questions.

Social Engineering Training Spies 01

Continue Reading

The High Cost of Phishing and the ROI of Phishing Training

Daniel Solove
Founder of TeachPrivacy

Phishing Training 01

A study recently revealed that nearly 25% of data breaches involve phishing, and it is the second most frequent data security threat companies face.  Phishing is an enormous problem, and it is getting worse.

Phishing threats -- Verizon report 2015 threats

In a staggering statistic, on average, a company with 10,000 employees will spend $3.7 million per year handling phishing attacks.

Continue Reading