All posts in Privacy and Security

Privacy Cartoon: Privacy Budget vs. Security Budget

Daniel Solove
Founder of TeachPrivacy

 

Cartoon Privacy vs. Security Budget

My cartoon depicts the discrepancy in the security and privacy budgets at many organizations.  Of course, the cartoon is an exaggeration.  In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were.  That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.

Fortunately, it does appear that privacy budgets have increased according to the 2016  IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world.  Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.

Continue Reading

The Future of the FTC on Privacy and Security

Daniel Solove
Founder of TeachPrivacy

Future of the FTC

Co-authored by Professor Woodrow Hartzog

The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?

Continue Reading

Notable Privacy and Security Books from 2016

Daniel Solove
Founder of TeachPrivacy

Here are some notable books on privacy and security from 2016. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.

Continue Reading

6 Great TV Series About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

TVIn previous posts, I have listed some of my favorite novels and movies about privacy and security issues.  I don’t want to leave out TV, as there are some great TV series too.

 

Continue Reading

The Funniest Hacker Stock Photos 2.0

Daniel Solove
Founder of TeachPrivacy

Security Training

Back by popular demand, it’s time for another round of the funniest hacker stock photos.  Because I create information security awareness training (and HIPAA security training too), I  frequently find myself in need of a good hacker photo.

But good hacker photos are hard to find.  I often browse through countless images, each one more ridiculous than the next.

Last year, I brought you some of the funniest hacker stock photos I found. There are more . . . oh so many more!  Here are the lucky “winners” this year. Continue Reading

Can the FBI Force Apple to Write Software to Weaken Its Software?

Daniel Solove
Founder of TeachPrivacy

Privacy Awareness TrainingA dramatic legal battle is taking place that will have dramatic implications for the future of technology, privacy, security, and the extent of government power.  The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.

Continue Reading

The 5 Things Every Privacy Lawyer Needs to Know about the FTC: An Interview with Chris Hoofnagle

Daniel Solove
Founder of TeachPrivacy

Privacy and Security Training

The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score. Continue Reading

Notable Privacy and Security Books from 2015

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

For several years, I have been posting about notable books on privacy and security, and this post lists some of the notable books from 2015.  To see a more comprehensive list of nonfiction works about privacy and security, you might consult this resource page that Professor Paul Schwartz and I maintain: Nonfiction Privacy + Security Books.

Now, without further ado, here are some of the many privacy and security books published in 2015:

Continue Reading

What Can We Learn From Bad Passwords?

Daniel Solove
Founder of TeachPrivacy

Title

By Daniel J. Solove

The SplashData annual list of the 25 most widely used bad passwords recently was posted for passwords used in 2015.  The list is compiled annually by examining passwords leaked during a particular year.  Here is the list of passwords for 2015, and below it, I have some thoughts and reactions to the list.

Continue Reading

Can the FBI Force Apple to Write Software to Weaken Its Software?

Daniel Solove
Founder of TeachPrivacy

title image

A dramatic legal battle is taking place that will have dramatic implications for the future of technology, privacy, security, and the extent of government power.  The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.

Continue Reading

The Scope and Potential of FTC Data Protection

Daniel Solove
Founder of TeachPrivacy

FTC Privacy and Security

I am pleased to announce the publication of my article, The Scope and Potential of FTC Data Protection., 83 George Washington Law Review 2230 (2015).  I wrote the article with Professor Woodrow Hartzog.

FTC StatueThe article addresses  the scope of FTC authority in the areas of privacy and data security (which together we refer to as “data protection”).  We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.

We contend that the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss why the FTC should act with greater transparency and more nuanced sanctioning and auditing.

The article was part of a great symposium organized by the George Washington University Law Review: The FTC at 100.

GW Law Review FTC Symposium

Here is a table of contents of the issue, along with links to where you can access each essay and article.

Continue Reading

The Kafkaesque Sacrifice of Encryption Security in the Name of Security

Daniel Solove
Founder of TeachPrivacy

The Kafkaesque Sacrifice of Encryption Security in the Name of Security

By Daniel J. Solove

Proponents for allowing government officials to have backdoors to encrypted communications need to read Franz Kafka.  Nearly a century ago, Kafka deftly captured the irony at the heart of their argument in his short story, “The Burrow.”

After the Paris attacks, national security proponents in the US and abroad have been making even more vigorous attempts to mandate a backdoor to encryption.

Continue Reading

Does Cybersecurity Law Work Well? An Interview with Ed McNicholas

Daniel Solove
Founder of TeachPrivacy

Does Cybersecurity Law Work Well?  An Interview with Ed McNicholas

By Daniel J. Solove

“The US is developing a law of cybersecurity that is incoherent and unduly complex,” says Ed McNicholas, one of the foremost experts on cybersecurity law. 

McNicholas is a partner at Sidley Austin LLP and co-editor of the newly-published treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk (with co-editor Vivek K. Mohan).   The treatise is a superb guide to this rapidly-growing body of law, and it is nicely succinct as treatises go.  It is an extremely useful volume that I’m delighted I have on my desk.  If you practice in this field, get this book.  

Continue Reading

K-12 Schools Must Teach Data Privacy and Security

Daniel Solove
Founder of TeachPrivacy

K-12 Schools Must Teach Data Privacy and Security

By Daniel J. Solove

It is essential that children learn about data privacy and security.  Their lives will be fully enveloped by technologies that involve data.  But far too little about these topics is currently taught in most schools. 

Fortunately, there is a solution, one that I’m proud to have been involved in creating.  The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix.

The Privacy K-12 Curriculum Matrix is free.  It can be used by any school, educator, or parent.  It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels.  It includes suggestions for appropriate learning activities for each grade level.

Continue Reading

Alan Westin’s Privacy and Freedom

Daniel Solove
Founder of TeachPrivacy

Alan Westin Privacy and Freedom

Alan Westin Privacy and FreedomI am pleased to announce that Alan Westin’s classic work, Privacy and Freedom, is now back in print.  Originally published in 1967, Privacy and Freedom had an enormous influence in shaping the discourse on privacy in the 1970s and beyond, when the Fair Information Practice Principles (FIPPs) were developed.

The book contains a short introduction by me.  I am truly honored to be introducing such a great and important work.  When I began researching and writing about privacy in the late 1990s, I kept coming across citations to Westin’s book, and I was surprised that it was no longer in print.  I tracked down a used copy, which wasn’t as easy to do as today.  What impressed me most about the book was that it explored the meaning and value of privacy in a rich and interdisciplinary way.

A very brief excerpt from my intro:

At the core of the book is one of the most enduring discussions of the definition and value of privacy. Privacy is a very complex concept, and scholars and others have struggled for centuries to define it and articulate its value. Privacy and Freedom contains one of the most sophisticated, interdisciplinary, and insightful discussions of privacy ever written. Westin weaves together philosophy, sociology, psychology, and other disciplines to explain what privacy is and why we should protect it.

Alan WestinI was fortunate to get to know Alan Westin, as I began my teaching career at Seton Hall Law School in Newark, New Jersey, and Alan lived and worked nearby.  I had several lunches with him, and we continued our friendship when I left to teach at George Washington University Law School.  Alan was kind, generous, and very thoughtful. He was passionate about ideas.  I miss him greatly.

So it is a true joy to see his book live on in print once again.

Here’s the blurb from the publisher:

Continue Reading

Privacy+Security Forum Chart of Session Times + Speakers

Daniel Solove
Founder of TeachPrivacy

Privacy+Security Forum

I’m very excited that the 1st annual Privacy + Security Forum (Oct. 21-23 in Washington, DC) is finally beginning!

We have about 190 speakers and 60+ sessions.

Session Descriptions: Session Descriptions Guide
Readings: Readings for each session are on our schedule page
Session Times and Location: Session Times and Location Chart.

Below is a chart with session titles, speakers, times, and room assignments.  I designed this chart to be easy to access online.

Continue Reading

Sunken Safe Harbor: 5 Implications of Schrems and US-EU Data Transfer

Daniel Solove
Founder of TeachPrivacy

sunken safe harbor

By Daniel J. Solove

In a profound ruling with enormous implications,the European Court of Justice (ECJ) has declared the Safe Harbor Arrangement to be invalid.

[Press Release]  [Opinion]

The Safe Harbor Arrangement

The Safe Harbor Arrangement has been in place since 2000, and it is a central means by which data about EU citizens can be transferred to companies in the US.  Under the EU Data Protection Directive, data can only be transferred to countries with an “adequate level of protection” of personal data.  The EU has not deemed the US to provide an adequate level of protection, so Safe Harbor was created as a work around.

Continue Reading

Phishing Your Employees: 3 Essential Tips

Daniel Solove
Founder of TeachPrivacy

Phishing Training

A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce.  Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.

1. Be careful about data collection and discipline

Think about the data that you gather about employee performance on simulated phishing.  It can be easy to overlook the implications of maintaining and using this data.  I look at it through the lens of its privacy risks.  This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences.  How long will the data be kept?  What will be done with it?  How securely will it be kept?  What if it were compromised and publicized online?

Continue Reading

Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents

Daniel Solove
Founder of TeachPrivacy

Why HIPAA matters

By Daniel J. Solove

Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.

“HIPAA?” the doctors will ask.

“Yes, HIPAA,” I confess.

And then the doctor’s face turns grim.  At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease.  Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.”  It’s about as bad as “stink eye.”

Continue Reading

Should the FTC Kill the Password? The Case for Better Authentication

Daniel Solove
Founder of TeachPrivacy

title image

Co-authored by Professor Woodrow Hartzog.

Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.

Continue Reading

OPM Data Breach Fallout, Fingerprints, and Other Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

OPM Fallout

By Daniel J. Solove

Co-authored by Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here. We cover health issues in a separate post.

general devels

News

Mayer Brown survey of executives: 25% of organizations lack both a CPO and CIO (March 2015)

stats

Continue Reading

Going Bankrupt with Your Personal Data

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

A recent New York Times article discusses the issue of what happens to your personal data when companies go bankrupt or are sold to other companies:

When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.

This has long been a problem, and I’m glad to see it receiving some attention.  The issue arose in one of the early FTC cases on privacy about 15 years ago.

Continue Reading

Baseball’s “Hacking” Case: Are You a Hacker Too?

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

 

I’m a St. Louis Cardinals fan, so I guess it is fitting that my favorite team becomes embroiled in a big privacy and data security incident.  At the outset, apologies for the feature photo above.  It pulled up under a search for “baseball hacker,” and as a collector of ridiculous hacker stock photos, I couldn’t resist adding this one to my collection.  I doctored it up by adding in the background, but I applaud the prophetic powers of the photographer who had a vision that one day such an image would be needed.

Continue Reading

The OPM Data Breach: Harm Without End?

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

The recent breach of the Office of Personnel Management (OPM) network involved personal data on millions of federal employees, including data related to background checks. OPM is now offering 18 months of free credit monitoring and identity theft insurance to victims. But as experts note in a recent Washington Post article, this is not nearly enough:

If the data is in the hands of traditional cyber criminals, the 18-month window of protection may not be enough to protect workers from harm down the line. “The data is sold off, and it could be a while before it’s used,” said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie. “There’s often a very big delay before having a loss.”

Continue Reading

Boards of Directors Must Grapple with Privacy and Cybersecurity

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

Privacy and cybersecurity have become issues that should be addressed at the board level. No longer minor risks, privacy and cybersecurity have become existential issues. The costs and reputational harm of privacy and security incidents can be devastating.

Yet not enough boards are adequately engaged with these issues. According to a survey last year, 58% of members of boards of directors believed that they should be actively involved in cyber security. But only 14% of them stated that they were actively involved.

Continue Reading

Green Eggs and Ham: How Not to Market and Invade Privacy

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

Dr. Seuss’s Green Eggs and Ham is a timeless classic that is read to millions of children. At first the simple rhymes and cute drawings are alluring. But parents will soon discover the book’s terrifying equation: The tiresome repetition of the book multiplied by the number of times a child will want the book read. The result is mind-numbing and will make parents curse the day they decided to make the book part of their child’s library.

Continue Reading

Health Data Security in Crisis, Phase 2 Audits, and Other HIPAA Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

Co-authored with Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. We have split the health/HIPAA material from our updates on other topics. To see our updates for other topics, click here.

For a PDF version of this post, and for archived issues of previous posts, click here.

Continue Reading

5 Great Novels About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

title

I am a lover of literature (I teach a class in law and literature), and I also love privacy and security, so I thought I’d list some of my favorite novels about privacy and security.

I’m also trying to compile a more comprehensive list of literary works about privacy and security, and I welcome your suggestions.

Continue Reading

Big Data, Big Data Breaches, Big Fines and Other Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove
Co-authored by Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. This post includes developments from the first part of 2015. For a PDF version of this post, and for archived issues of previous posts, click here.

NOTE: Health privacy and security issues will now be covered in a separate update post. 

Continue Reading

Drones, Data Breaches, Cramming, and Other Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

drones and data breaches

by Daniel J. Solove

This post is co-authored with Professor Paul M. Schwartz.

This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here.

We became quite busy after the last update, so we’re a bit backlogged. We are catching up on developments late last year and we have a lot of material. We will release the next issue soon, as there is too much material to fit into this issue.

For a PDF version of this post, click here.

Continue Reading