Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Daniel Solove
Founder of TeachPrivacy

 

 

Recently, HIPAA enforcement over data breaches is increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?

I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group.  I am particularly interested in the insurer’s perspective, so I interviewed Katherine.

Continue Reading

Game of Risks: An Interview with Adam Levin on the HBO Breach, Cybersecurity Insurance, and Cyber Risks

Daniel Solove
Founder of TeachPrivacy

 

Recently, HBO suffered a massive data breach. The hackers stole unreleased episodes of Game of Thrones and have been leaking them before they are broadcast. Episodes of other shows were also stolen. The hackers grabbed 1.5 terabytes of data including sensitive internal documents.

 

Continue Reading

Cybersecurity vs. Humans: The Human Problem Requires a Human Answer

Daniel Solove
Founder of TeachPrivacy

Data Security Human Error - Security Awareness Training

According to a recent Ponemon Institute study, the odds of an organization having a data breach are 1 in 4.  The study also found that the average cost of a data breach is $3.62 million in 2017.  That’s a drop of 10%, but the size of data breaches has increased.

The Human Problem

The vast majority of information security incidents and data breaches occur because of human mistakes.   Information security is only in small part a technology problem; it is largely a human problem.  The biggest risks to security are human errors — people putting data where it doesn’t belong, people not following policies, people losing portable electronic devices with data on them, people falling for phishing and social engineering schemes.

Having a robust technical cybersecurity infrastructure is very important, but it alone isn’t enough.  A recent Harvard Business Review article by Dante Disparte and Chris Furlow reinforces this point quite well.  “Firms can be lulled into a dangerous state of complacency by their defensive technologies, firewalls, and assurances of perfect cyber hygiene. The danger is in thinking that these risks can be perfectly ‘managed’ through some sort of comprehensive defense system. It’s better to assume your defenses will be breached and to train your people in what to do when that happens.”

The Human Answer

In addition to technology, effectively preventing and dealing with data breaches involves humans.  The problem is the humans, but so is the answer.

According to the Ponemon study, there were significant data breach cost reductions for having an incident response team, extensively using encryption, and engaging in workforce training.

Continue Reading

Cartoon on Big Data and Information Gathering

Daniel Solove
Founder of TeachPrivacy

 

Cartoon on Big Data and Data Collection - TeachPrivacy Privacy Awareness Training

Here’s a cartoon I created about Big Data and information gathering that I haven’t yet posted.  Hope you enjoy it!

I recently compiled some of my cartoons into booklets.   You can download them for free here:

Privacy Cartoon Book

Privacy Cartoon Book - TeachPrivacy Training 01a

HIPAA Cartoon Book

HIPAA Cartoon Book - TeachPrivacy Training 02c

Continue Reading

The Hidden Force That Will Drive GDPR Privacy Compliance

Daniel Solove
Founder of TeachPrivacy

GDPR Compliance

 

The clock is ticking on getting ready to comply with the EU General Data Protection Regulation (GDPR). EU regulators will start enforcing it on May 25, 2018.

GDPR is less than a year away, and it’s quite a challenge to get ready for. Becoming compliant is not something that can be achieved overnight, or in a week, or in a month, or even in quarter.  A lot of privacy and security controls must be put into place or adapted to satisfy new EU standards and rights.

.

Continue Reading

Privacy and Security in Health Tech: Improving Transparency About Practices

Daniel Solove
Founder of TeachPrivacy

Many app developers overlook privacy and security by failing to do one of the most basic first steps of data protection – informing consumers of their practices. For example, in a study published in 2016 in the Journal of the American Medical Association, 80% of diabetes apps surveyed didn’t have a notice informing consumers about privacy practices.  Another recent study of thousands of apps involving all topics revealed that nearly 50% lacked a privacy notice. A study by the Future of Privacy Forum in 2016 revealed that “only 70% of top health and fitness apps had a privacy policy.”

Continue Reading

Preparing for GDPR: A Year to Batten Down the Hatches

Daniel Solove
Founder of TeachPrivacy

The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018.  The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.

Continue Reading

A Guide to Grading Exams

Daniel Solove
Founder of TeachPrivacy

 

This post is a reprise of a post I wrote many years ago that has remained popular.  I thought I’d repost it now, during exam grading season, to help professors who want to learn the science and art of grading exams. 

It’s that time of year again. Students have taken their finals, and now it is time to grade them. It is something professors have been looking forward to all semester. Exactness in grading is a well-honed skill, taking considerable expertise and years of practice to master. The purpose of this post is to serve as a guide to young professors about how to perfect their grading skills and as a way for students to learn the mysterious science of how their grades are determined.

Continue Reading

Ransomware The Horror Grows

Daniel Solove
Founder of TeachPrivacy

As the FBI warned, ransomware has proven to be a formidable threat costing businesses over $1 billion in 2016, averaging 4,000 attacks per day. Ransomware forces victims to choose between losing access to their files or paying a fee that can range between hundreds and thousands of dollars. Ransomware has already made headlines in the first quarter of 2017.

Continue Reading

The U.S. Congress Is Not the Leader in Privacy or Data Security Law

Daniel Solove
Founder of TeachPrivacy

Capitol Sinking 01

A common myth is that the U.S. Congress is a leader in creating privacy and data security law.  But this has not been true for quite some time.  Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.

In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws.  Here are some of the most prominent of these statutes:

Continue Reading

Congress’s Attempt to Repeal the FCC Internet Privacy Rules: The Void Will Be Filled

Daniel Solove
Founder of TeachPrivacy

FCC Privacy Rules Repealed

Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs).  The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements.  Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications.  The rules required reasonable data security protections as well as data breach notification.

FCC LogoThis development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed.  There are many other regulators and sources of privacy law to fill the void.

Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules.  They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.

Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry.  In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies..  But nature abhors a vacuum.  Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU.  They are far more likely to regulate privacy even more stringently than the FCC or FTC.

In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation.  This is what happened with data security regulation and data breach notification.  Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law.  But it failed to act.  Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws.  Instead of having to comply with one law, companies must navigate laws in many states.  The most common strategy for companies operating in all states  is to try to follow the strictest state law,  Thus, the de facto rule is the law of the state with the most strict protections.

Continue Reading

2017 HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

 

Art E.V.Pavlov_by_Repin

The first quarter of 2017 is not yet over and the OCR has already released details of four enforcement penalties totaling over $11 million.  2016 set a record with $20 million in fines for the year, with $5.2 million of that coming in the first quarter.  In just the first 2 months of 2017, the fines have been more than half what the entire amount for 2016 was.  Here are details about enforcement actions in 2017 thus far:

  1. Illinois health care network, Presence Health, was fined $475,000 for failing to notify patients of a breach within the 60-day period. The incident took place over 3 years ago.  In October 2013,  operating room schedules that were written on paper and contained PHI of 836 individuals went missing.   Patients were not notified of the breach until February of 2014.  This represents the first enforcement related to the timeliness of breach notification.
  1. An insurance company, MAPFRE, was fined $2.2 million for failure to safeguard portable devices and poor risk assessment and risk management.  OCR found that MAPFRE did not have an adequate security awareness training program in place for their workforce.   In 2011, an unsecured USB device containing the ePHI of 2,209 individuals was stolen from the company’s IT department.  Despite the corrective measures MAPFRE indicated it would take, it did not actually start securing portable devices until 3 years after the incident.
  1. Children’s Medical Center of Dallas received a $3.2 million fine for multiple incidents where devices with unsecured ePHI were stolen. In 2010 an unencrypted Blackberry was stolen with the ePHI of 3,800 individuals.  In 2013, an unencrypted laptop was stolen with ePHI of 2,463 individuals.  The OCR investigation discovered that the hospital did not begin to secure and safeguard workstations and portable devices until 2013 despite being aware of the risks for many years.
  1. Florida corporation, Memorial Healthcare System, agreed to pay a fine of $5.5 million. This ties Advocate Health Care Network’s fine in August of 2016 for the record of highest penalty.  In this incident, the PHI of 115,143 patients was improperly accessed and disclosed.   Memorial Healthcare failed to terminate a former employee’s log-in credentials which was then used to access 80,000 records with PHI over the course of an entire year.  The company also neglected to review the activity within the system that would have identified that the records were being improperly accessed.   Memorial discovered the breach while investigating two employees who were stealing patient information to file fake tax returns.

Not too long ago, I posted an overview of OCR’s enforcement in 2016.  OCR continues to be active in its enforcement, at its highest level to date.  This is a great opportunity for privacy and security officials to point out to upper management the need for greater resources and attention to HIPAA compliance.

Continue Reading

Cartoon About Connected Devices

Daniel Solove
Founder of TeachPrivacy

Cartoon Connected Devices - Internet of Things

This cartoon depicts the potential future of the Internet of Things.  As more and more devices are connected to the Internet, including ones implanted in people’s bodies, increasing thought must be given to the privacy and security implications.  The speed of technological development is moving at a far greater pace than the speed of policy thinking regarding privacy and security.

How will the security of new devices be regulated?  The market doesn’t seem to be adequately addressing the security of the Internet of Things.  Bad security in devices has externalities beyond the users, as devices can be used as part of botnets to attack other targets.

How will privacy be designed into devices?  How will notice and choice work?  When privacy is “baked in” to a device, do the engineers have a comprehensive understanding of privacy?  How will consumers be able to understand and respond to these design choices?

Should there be special considerations for medical devices or any device that is implantable in a person?

We still await satisfactory answers to these questions . . . but the expansion of the Internet of Things isn’t waiting.

Here’s an earlier cartoon I created regarding the Internet of Things:

Continue Reading

Phishing Cartoon: Signs of a Phishing Scam

Daniel Solove
Founder of TeachPrivacy

Misspelled words and bad grammar are tell-tale signs of phishing.   Why don’t phishers learn spelling and grammar?  Can’t they afford a copy of Strunk and White?

Phishers don’t need to spell better because their poorly-written schemes still fool enough people.  It’s just math for the phishers — a numbers game.   If you handle IT security at your organization, don’t assume that people won’t fall for obvious phishing scams — they do.   That’s why it is essential to train people — again and again.

Continue Reading

Privacy Cartoon: Privacy Budget vs. Security Budget

Daniel Solove
Founder of TeachPrivacy

 

Cartoon Privacy vs. Security Budget

My cartoon depicts the discrepancy in the security and privacy budgets at many organizations.  Of course, the cartoon is an exaggeration.  In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were.  That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.

Fortunately, it does appear that privacy budgets have increased according to the 2016  IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world.  Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.

Continue Reading

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement.  2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties.  At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.

The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.

Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:

Continue Reading

The Nothing-to-Hide Argument – My Essay’s 10th Anniversary

Daniel Solove
Founder of TeachPrivacy

Privacy Surveillance Nothing to Hide Argument

In response to government surveillance or massive data gathering, many people say that there’s nothing to worry about.  “I’ve got nothing to hide,” they declare.  “The only people who should worry are those who are doing something immoral or illegal.”

Nothing to Hide - SoloveThe nothing-to-hide argument is ubiquitous.  This is why I wrote an essay about it 10 years ago called “I’ve Got Nothing to Hide,” and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007).  It was a short law review piece, one that I thought would be read by only a few people.  But to my surprise, this essay really resonated with many people, and it received an unusually high number of downloads for a law review essay.  I later expanded the ideas in the essay into a book: Nothing to Hide: The False Tradeoff Between Privacy and Security  (Yale University Press 2011).

This year is the 10th anniversary of the piece.  A lot has happened between then and now.  Not too long before I wrote my essay, there were revelations of illegal NSA surveillance.  A significant percentage of the public supported the NSA surveillance, and the nothing-to-hide argument was trotted out again and again.  This was the climate in which I wrote the essay.

Later on, in 2013, Edward Snowden revealed that the NSA was engaging in extensive surveillance far beyond its legal authority.  Snowden declared: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”  This time, there was a significantly large percentage of the public that didn’t side with the NSA but instead demanded scrutiny and accountability.

Nevertheless, the nothing-to-hide argument is far from vanquished.  There will always be a need for citizens to demand accountability and oversight of government surveillance, or else we will gradually slide into a more dystopian world.

Here are a few short excerpts from my nothing-to-hide essay:

Continue Reading

HIPAA Cartoon on Snooping

Daniel Solove
Founder of TeachPrivacy

This cartoon is about snooping, one of the most common HIPAA violations.  HIPAA prohibits accessing information that people don’t need to do their jobs.   It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong.  But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients.  Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.

Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity.  A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends.  Snooping is not intended maliciously.  Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern.  In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.

Continue Reading

Law Firm Cybersecurity: An Industry at Serious Risk

Daniel Solove
Founder of TeachPrivacy

Last year, major incidents involving law firm data breaches brought attention to the weaknesses within law firm data security and the need for more effective plans and preparation. An American Bar Association (ABA) survey reveals that 26% of firms (with more than 500 attorneys) experienced some sort of data breach in 2016, up from 23% in 2015.

Continue Reading

New Edition of Privacy Law Fundamentals

Daniel Solove
Founder of TeachPrivacy

Privacy Law Fundamentals

I’m pleased to announce that a new 4th edition of my short guide, PRIVACY LAW FUNDAMENTALS  (IAPP 2017)  (co-authored with Professor Paul Schwartz) is now out in print.  This edition incorporates extensive developments in privacy law and includes an introductory chapter summarizing key new laws, cases and enforcement actions.

Privacy Law Fundamentals is designed with an accessible, portable format to deliver vital information in a concise (318 pages) and digestible manner. It includes key provisions of privacy statutes; leading cases; tables summarizing the statutes (private rights of action, preemption, liquidated damages, etc.); summaries of key state privacy laws; and an overview of FTC, FCC, and HHS enforcement actions.

“This is the essential primer for all privacy practitioners.” — David A. Hoffman, Intel Corp.

“In our fast-paced practice, there’s nothing better than a compact and accessible work that is curated by two of the great thinkers of the field.  It is a gem.” — Kurt Wimmer, Covington & Burling LLP

“Two giants of privacy scholarship succeed in distilling their legal expertise into an essential guide for a broad range of the privacy community.” — Jules Polonetsky, Future of Privacy Forum

“This book is my go-to reference for when I need quick, accurate information on privacy laws across sectors and jurisdictions.” — Nuala O’Connor, Center for Democracy and Technology

You can get a copy at IAPP’s bookstore or at Amazon.  For general information about this book as well as all my textbooks and useful resources, visit our Information Privacy Law textbook website.

The full table of contents is below:

Continue Reading

A Brief History of Information Privacy Law

Daniel Solove
Founder of TeachPrivacy

I recently updated my book chapter, A Brief History of Information Privacy Lawwhich appears in the new edition of PLI’s Proskauer on Privacy.

This book chapter, originally written in 2006 and updated in 2016, provides a brief history of information privacy law, with a primary focus on United States privacy law. It discusses the development of the common law torts, Fourth Amendment law, the constitutional right to information privacy, numerous federal statutes pertaining to privacy, electronic surveillance laws, and more. It explores how the law has emerged and evolved in response to new technologies that have increased the collection, dissemination, and use of personal information.

The chapter can be downloaded for free here.

Here is the table of contents:

Continue Reading

Epilogue to the St. Louis Cardinals Baseball Hacking Case

Daniel Solove
Founder of TeachPrivacy

St Louis Cardinals Hacking Baseball

A while ago, I wrote about a case involving a member of the St. Louis Cardinals baseball team staff who improperly accessed a database of the Houston Astros.   There is now an epilogue to report in the case.  The individual who engaged in the illegal access — a scouting director named Chris Correa — was fired by the Cardinals, imprisoned for 46 months, and banned permanently from baseball.  The Cardinals were fined $2 million by Major League Baseball Commissioner Rob Manfred, and they must forfeit their first two picks in the draft to the Houston Astros.

According to an article about the incident in the St. Louis Post-Dispatch: “As outlined in court documents, the U.S. attorney illustrated how Correa hacked Houston’s internal database, ‘Ground Control,’ 48 times during a 2½-year period. He viewed scouting reports, private medical reviews and other proprietary information. The government argued that Correa may have sought to determine if Houston borrowed the Cardinals’ data or approach, but the information he accessed was ‘keenly focused on information that coincided with the work he was doing for the Cardinals.'”

As I wrote in my piece about the case, there are several lessons to be learned.  One lesson is that it is a myth that hacking and computer crime must be hi-tech.  Here, Correa’s hacking was nothing sophisticated — he just used another person’s password.  The person had previously worked for the Cardinals, and when he went to the Astros, he kept using the same password.  In my piece, I discussed other lessons from this incident, such as the importance of teaching people good password practices as well as teaching people that just because they have access to information doesn’t make it legal to view the information.  The Cardinals organization appears to have learned from the incident, as the “employee manual has been updated to illustrate what is illegal activity online,” and the organization is using two-factor authentication to protect its own sensitive data.  The article doesn’t say whether the Astros also stepped up their security awareness training by teaching employees not to reuse their old passwords from another team.

Continue Reading

Privacy Training for Data Privacy Day

Daniel Solove
Founder of TeachPrivacy

Data Prviacy Data Privacy Awareness Training Courses 01

Data Privacy Day Logo 01

For Data Privacy Day this year, I’m happy to make available for the day two new short privacy training programs I created in collaboration with Intel.  Ordinarily, I require a login to view my training programs, but for this day, I have put them outside the wall for anyone to see.  So click on the programs below to watch them — I’ll keep them up through the weekend.  Then, they’ll go behind the wall, so you’ll need to request an evaluation login to see them afterwards.

NOTE: These programs are now no longer publicly available.  To see them, please contact us.

The first program is a short 2-minute awareness video about Data Retention.

The second program is an 8.5 minute program called Defining Personal Information.  It seeks to explain how to identify personal information, which is a tricky issue because what counts as personal information is not static and is contextual and contingent in some cases.

These programs were created for Intel with their collaboration.  Intel graciously allowed me to add generic versions of these programs to my training course library.   And in support of Data Privacy Day, Intel was encouraging of my making them publicly available.

I. Data Retention

Privacy Awareness Training Module - Data Retention

II. Defining Personal Information

Privacy Awareness Training Module - Defining Personal Information

Continue Reading

The Future of the FTC on Privacy and Security

Daniel Solove
Founder of TeachPrivacy

Future of the FTC

Co-authored by Professor Woodrow Hartzog

The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?

Continue Reading

The Digital Person: Technology and Privacy in the Information Age

Daniel Solove
Founder of TeachPrivacy

 

Digital Person: Technology and Privacy in the Information Age

 

I am now offering the full text of my book The Digital Person:  Technology and Privacy in the Information Age (NYU Press 2004) online for FREE download.

Continue Reading

The Funniest Hacker Stock Photos 3.0

Daniel Solove
Founder of TeachPrivacy

Hacker Santa

It’s time for a third installment of the funniest hacker stock photos.  Because I create information security awareness training (and HIPAA security training too), I’m always in the hunt for hacker photos.   There are so many absurd ones that I can make enough Funniest Hacker Stock Photo posts to keep pace with Disney in making new Star Wars movies!

If you’re interested in the previous posts in this series see:
The Funniest Hacker Stock Photos 2.0
The Funniest Hacker Stock Photos 1.0

So without further ado, here are this year’s pictures:

Hacker Stock Photo #1

Funniest Hacker Stock Photo - TeachPrivacy Security Awareness Training

This hacker hacks the Amish way — without the use of technology or electricity.   Who needs a computer when a good old magnifying glass will suffice?  The key to this technique is to be very sneaky.  For seasoned hackers who steadfastly believe in doing things the old-fashioned way, this is how it is done!   As this hacker says: “Yes, grandson, we had to walk six miles in the snow and hack with magnifying glasses . . . you young folks have it so easy these days!”

Hacker Stock Photo #2

Funniest Hacker Stock Photo - TeachPrivacy Security Awareness Training

Why use just one magnifying glass when you can use two?  Magnifying glasses are really important to read tiny text on computer screens.  Figuring out how to enlarge the font in Windows can be tricky, and good hackers figure out “hacks” to make things faster and easier.

Hacker Stock Photo #3

Funniest Hacker Stock Photos -- TeachPrivacy Information Security Awareness Training

I’m not entirely sure what this guy is doing, but I presume that he’s so good of a hacker than he can hack with the screen facing in the wrong direction.  The only problem is that there’s nothing on his computer screen — I think he needs to stop smiling and start working a bit harder.

Hacker Stock Photo #4

Funniest Hacker Stock Photos

In an earlier edition of this series, I commented extensively on hacker gloves.  In this edition, it’s time to turn to the masks hackers wear.  I’ve always wondered why so many hackers wear masks.  Isn’t a good hacker supposed to be hard to trace?  After extensive research, I have learned that hackers wear masks because when they hack from halfway across the world and try to conceal their tracks, they might somehow mess up and accidentally expose their faces from their webcams.   Or, maybe it’s just a fashion statement.  I still have more research to do about this very important question — I’m just waiting for some funding to support this important research.

Regarding the mask above, it’s part of a new trend.  Ordinary hackers wear ninja masks, but that’s starting to become a bit passe among hacker fashion experts.  Trend leaders are wearing much more elaborate masks these days.

Continue Reading

Notable Privacy and Security Books from 2016

Daniel Solove
Founder of TeachPrivacy

Here are some notable books on privacy and security from 2016. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.

Continue Reading

When Do Data Breaches Cause Harm?

Daniel Solove
Founder of TeachPrivacy

 

Harm has become the key issue in data breach cases. During the past 20 years, there have been hundreds of lawsuits over data breaches. In many cases, the plaintiffs have evidence to establish that reasonable care wasn’t used to protect their data. But the cases have often been dismissed because courts conclude that the plaintiffs have not suffered harm as a result of the breach. Some courts are beginning to recognize harm, leading to significant inconsistency and uncertainty in this body of law.

Continue Reading

Hacking Cartoon: All Too Easy

Daniel Solove
Founder of TeachPrivacy

Cartoon Hacker Quits - TeachPrivacy Security Awareness Training

Hacking is easy.  My latest cartoon is based on the fact that many hacking attacks involve rather simple and common tactics.  Why try the hard stuff when the easy stuff works so well?  All it takes is for one person to fall for a social engineering trick, and the hackers can break in.

Continue Reading

Black Mirror: A Powerful Look at the Dark Side of Privacy, Security, and Technology

Daniel Solove
Founder of TeachPrivacy

Black Mirror Review

In a series of posts, I have written about some of my favorite media regarding privacy and security: TV shows, movies, and novels. When I wrote about TV shows, a number of people recommended the show Black Mirror. I have now seen all the episodes thus far, and I am happily adding it to the list. Black Mirror is essential watching in the canon for anyone interested in privacy, security, technology, and the future.

Continue Reading

HIPAA Cartoon on Social Media Use

Daniel Solove
Founder of TeachPrivacy

HIPAA Cartoon Social Media

Here’s a cartoon on HIPAA and social media use to jump start your week.  You can’t think enough about HIPAA these days.  HIPAA audits are back, and OCR is having a vigorous enforcement year this year, something I plan to post about soon.

Continue Reading

Phishing Cartoon: Why Do Phishers Keep Sending Obvious Scam Emails?

Daniel Solove
Founder of TeachPrivacy

Phishing Cartoon

Why do phishers waste their time with such obvious phishing scams when they can do so much better?

One possible answer: They don’t have to do better.  They send out so many emails that they only need a very low percentage of people to click.  And people always do.  In fact, if phishing emails became more effective, phishers might get too many clicks and might not be able to process it all!

To break into an organization, all the phishers need to do is to catch just one person. They don’t need to overphish the seas.  Victims are plentiful enough!

Don’t assume that people won’t fall for obvious phishing scams — they do.  That’s why it is essential to train people.  I am pleased to announce that TeachPrivacy now is offering a phishing simulator service.  We’ve teamed up with QuickPhish to provide a platform where organizations can conduct simulated phishing exercises for their workforce.  A great way to teach people not to fall for phishing emails is through direct experience.  When people wrongly click, our training can follow to teach them how to improve.

Phishing Simulator

Continue Reading

A Gaping Hole in Consumer Privacy Protection Law

Daniel Solove
Founder of TeachPrivacy

A Gaping Hole in Consumer Privacy Protection Law

Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.

Continue Reading

Clearing Up the Fog of Cloud Service Agreements

Daniel Solove
Founder of TeachPrivacy

cloud

Contracting with cloud service providers has long been a world shrouded in fog. Across various organizations, cloud service agreements (CSAs) are all over the place, and often many people entering into these contracts have no idea what provisions they should have to protect their data.

Continue Reading

GDPR Cartoon: Taking Privacy Seriously

Daniel Solove
Founder of TeachPrivacy

cartoon-gdpr-training-privacy-shield-training-02

I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy.  More work gets thrown onto the shoulders of under-resourced privacy departments.

It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization.  Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018.  It’s never too early for organizations to start preparing.  GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases.  For more information, see the FAQ page I created about the GDPR and privacy awareness training.

Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take.  Privacy office budgets and sizes should be going up by a lot these days.

Continue Reading

Privacy Shield Training

Daniel Solove
Founder of TeachPrivacy

Privacy Shield Training Course

I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework.  Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US.  Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.

Continue Reading

The Funniest Password Recovery Questions and Why Even These Don’t Work

Daniel Solove
Founder of TeachPrivacy

Passwords

 

A recent article in Wired argues that it is time to kill password recovery questions. Password recovery questions are those questions that you set up in case you forget your password. Common questions are:

In what city were you born?

What is your mother’s maiden name?

Where did you go to high school?

Continue Reading

HIPAA Cartoon on HIPAA’s Jargon

Daniel Solove
Founder of TeachPrivacy

HIPAA Cartoon - TeachPrivacy HIPAA Training

HIPAA is famously impenetrable, with so many special terms and definitions.  I wrote this cartoon to capture the wonderful world of HIPAA jargon, which I hope fellow lovers of HIPAA can appreciate.

AHIMA LogoFor those who want an introduction to HIPAA and how the Privacy Rule and the Security Rule work, I produced a series of courses on HIPAA for the American Health Information Management Association (AHIMA). Each course is approximately 1 hour long.  The courses are:

• HIPAA Privacy: The Pillars of a Privacy Program
• HIPAA Privacy: Rights and Responsibilities
• HIPAA Security: Safeguarding PHI

They are available through AHIMA, but you can preview them on my site here.

HIPAA Courses - AHIMAThese AHIMA HIPAA courses are not for the entire workforce — the courses are for personnel who focus on HIPAA compliance and need to understand the basics of how HIPAA works.  My HIPAA training for the workforce is shorter as well as more basic and general.

I have another HIPAA cartoon here.

Continue Reading

Privacy Cartoon: Know Your Data

Daniel Solove
Founder of TeachPrivacy

Privacy Awareness Training Cartoon

Here’s a cartoon I created.  It involves several Fair Information Practice Principles (FIPPs) and privacy best practices.  The ones involved (and not heeded) in this cartoon are doing a data inventory, informing people about the purposes of the collection of their data, using data for only those purposes, and not keeping data longer than necessary to accomplish those purposes.

For many organizations, there is a lot of data collected that gets stored and forgotten, or that is collected with no apparent purpose in mind.  Data inventories are a great way to take stock of this data and determine whether it is really necessary and appropriate to keep it.

Poster Privacy Awareness Training Know One's Data

Continue Reading

Ransomware: A Cartoon to Brighten More Bad News

Daniel Solove
Founder of TeachPrivacy

Ransomware cartoon

I have good news and bad news about ransomware.  First, the good news — here’s a cartoon I created.  I hope you enjoy it, because that’s the only good news i have.  Now, for the bad news . . .

The Bad News: Be Afraid, Very Afraid

Everyone seems to be afraid of ransomware these days, but is the fear justified?  Is ransomware more about hype than harm?   Unfortunately, a recent study of international companies conducted by Malwarebytes provides some startling statistics to back up the fears.  According to the study, 40% of companies worldwide and more than 50% of the US companies surveyed experienced a ransomware incident in the last year.

The stakes are very high — 3.5% of companies surveyed even indicated that lives were also at stake which was exemplified by a recent attack in Marin, California where doctors lost access to patient records for over 10 days.

Continue Reading

HIPAA’s Failure to Provide Enough Patient Control Over Medical Records

Daniel Solove
Founder of TeachPrivacy

HIPAA Privacy Rule

 

A Not-So-Far-Fetched Seinfeld Episode

In a Seinfeld episode called “The Package” from 1996 (click here to see the scene), airing just months after HIPAA was passed,  Elaine goes to see a doctor for a rash.

Continue Reading

An Updated List of Privacy Law Fellowships

Daniel Solove
Founder of TeachPrivacy

Opportunity Business Fotolia_66071917_S 03

Fellowships can be a great way to kick start a career in privacy law.  I have added new fellowships the list I published in February 2016, as well as updated deadlines and other relevant information.  Click here to see the fully updated list of privacy fellowships.  If you know of others I should add, please email me.

Continue Reading

HIPAA Cartoon – HIPAA Compliance Program

Daniel Solove
Founder of TeachPrivacy

HIPAA Training - Cartoon HIPAA Compliance

Recently, HIPAA celebrated its 20th birthday.  HHS issued a celebratory blog post.  HIPAA is 20 years old if you start counting from the date the statute was passed (1996).  If we measure HIPAA’s age from the date that the HIPAA Privacy Rule became effective (2003), then HIPAA is 13.

So HIPAA could be 20 years old, eager to become 21 and be able to drink (right now, it just makes people want to drink) or 13 years old and about to begin being an unruly teenager.

A few years ago, I published an article in the Journal of AHIMA to celebrate HIPAA’s 10th birthday (counting from when the Privacy Rule became effective).  The article discusses HIPAA’s growth and impact, and is a quick read if you’re interested.  You can download it for free here:

HIPAA Turns 10: Analyzing the Past, Present, and Future Impact
84 Journal of AHIMA 22 (April 2013)

Continue Reading

Is a Ransomware Attack a HIPAA Data Breach?

Daniel Solove
Founder of TeachPrivacy

Ransomware - Security Awareness Training

As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).

A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice.  Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.

Continue Reading

Passwords Cartoon – Security Awareness Training

Daniel Solove
Founder of TeachPrivacy

Cartoon Passwords - TeachPrivacy Security Awareness Training 01

Here’s a cartoon I created to illustrate the importance of security awareness training.  I hope you find it amusing.

Continue Reading

“Privacy”: A Unique Play Starring Your Smart Phone

Daniel Solove
Founder of TeachPrivacy

Privacy Awareness

I was fortunate to see James Graham’s incisive play “Privacy” this past Sunday at the Public Theater in New York City.  The play is a witty and immensely engaging examination of all the data being collected about us and being assembled into digital dossiers.  Technology is adeptly woven into the play.  At many points during the production, audience members are asked to use their smart phones.  The script is entertaining and intelligent.  There is never a dull moment, and I was laughing throughout.  Continue Reading

Microsoft Just Won a Big Victory Against Government Surveillance — Why It Matters

Daniel Solove
Founder of TeachPrivacy

eye

Yesterday, Microsoft won a huge case against government surveillance, a case with very important implications: In the Matter of a Warrant to Search a Certain E‐Mail Account Controlled and Maintained by Microsoft Corporation.

Continue Reading