The Triumph of the Privacy Profession: An Interview with Bamberger and Mulligan

Daniel Solove
Founder of TeachPrivacy

Woman in space

The past 20 years have seen the remarkable emergence of the privacy profession. Starting from nothing, this profession originally included a handful of people called Chief Privacy Officers (CPOs). Nobody grew up saying they wanted to be a CPO. Nobody knew what CPOs did.

Continue Reading

The Hulk Hogan Gawker Sex Video Case, Free Speech, and the Verdict’s Impact

Daniel Solove
Founder of TeachPrivacy

Wikicommons - Public Domain Photo by Kristin Fitzsimmons

In a high-profile privacy lawsuit, former pro-wrestler Hulk Hogan won a $115 million jury verdict against Gawker for posting his sex video without his consent. Hulk Hogan, whose real name is TerryBollea, brought a lawsuit for invasion of privacy and other torts.  Under one of the main privacy torts — public disclosure of private facts — one can be liable if one widely and publicly discloses private information about another that would be highly offensive to a reasonable person and not of legitimate concern to the public.

Continue Reading

Ransomware on a Rampage

Daniel Solove
Founder of TeachPrivacy

Ransomware Training 01

Ransomware is on a rampage!  Attacks are happening with ever-increasing frequency, and ransomware is evolving and becoming more powerful.

Several major media sites, such as the New York Times, BBC, AOL, and the NFL, were recently infected with malware that directed visitors to sites attempting to install ransomware on their computers.

Ransomware Malware Training

Ransomware has the potential to attack the Internet of Things.  In one instance, a researcher was able to infect a TV with ransomware.

Ransomware is now attacking smart phones.

Last month, one hospital paid $17,000 in ransom when ransomware attacked its computer system.  The computer network was down for more than a week, and patients had to be transferred to other hospitals.

Continue Reading

Surveillance and Our Addiction to Exposure

Daniel Solove
Founder of TeachPrivacy

Bernard-Harcourt-Exposed-02-720x340Bernard-Harcourt-ExposedBernard Harcourt’s Exposed: Desire and Disobedience in the Digital Age (Harvard University Press 2015) is an indictment of  our contemporary age of surveillance and exposure — what Harcourt calls “the expository society.” Harcourt passionately deconstructs modern technology-infused society and explains its dark implications with an almost poetic eloquence.

Harcourt begins by critiquing the metaphor of George Orwell’s 1984 to describe the ills of our world today.  In my own previous work, I critiqued this metaphor, arguing that Kafka’s The Trial was a more apt metaphor to capture the powerlessness and vulnerability that people experience as government and businesses construct and use “digital dossiers” about their lives.  Harcourt critiques Orwell in a different manner, arguing that Orwell’s dystopian vision is inapt because it is too drab and gray:

Continue Reading

The Funniest Hacker Stock Photos 2.0

Daniel Solove
Founder of TeachPrivacy

Security Training

Back by popular demand, it’s time for another round of the funniest hacker stock photos.  Because I create information security awareness training (and HIPAA security training too), I  frequently find myself in need of a good hacker photo.

But good hacker photos are hard to find.  I often browse through countless images, each one more ridiculous than the next.

Last year, I brought you some of the funniest hacker stock photos I found. There are more . . . oh so many more!  Here are the lucky “winners” this year. Continue Reading

Can the FBI Force Apple to Write Software to Weaken Its Software?

Daniel Solove
Founder of TeachPrivacy

Privacy Awareness TrainingA dramatic legal battle is taking place that will have dramatic implications for the future of technology, privacy, security, and the extent of government power.  The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.

Continue Reading

The 5 Things Every Privacy Lawyer Needs to Know about the FTC: An Interview with Chris Hoofnagle

Daniel Solove
Founder of TeachPrivacy

Privacy and Security Training

The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score. Continue Reading

Information Security Training: Focus on the Human Problem

Daniel Solove
Founder of TeachPrivacy

Information Security Awareness Training Plan B

I created a new poster about information security training, which is debuting at the RSA conference.  This poster is based on the fact that the vast majority of information security incidents and data breaches occur because of human mistakes.   Information security is only in small part a technology problem; it is largely a human problem.

If you’re at RSA and are interested in information security awareness training, please drop by the TeachPrivacy booth at Moscone North 4802.

RSA Conference 2016

You can pick up a copy of this poster.  And you can also learn about our newest training, which includes a really neat Where’s Waldo style game where users spot privacy and security risks.

Continue Reading

Spot the Privacy and Security Risks Training Game

Daniel Solove
Founder of TeachPrivacy

Spot the Risks Privacy and Information Security Awareness Training

I’m pleased to announce a new training program:  Spot the Risks: Privacy and Security. The program is a Where’s Waldo style risk-spotting game that takes about 5 minutes to complete.  Trainees are asked to spot the risks in an office.  Feedback is provided about each risk so trainees learn many of the most important best practices.

Continue Reading

Without Scalia, Will There Be a 4th Amendment Revolution?

Daniel Solove
Founder of TeachPrivacy

title image

The passing of Justice Antonin Scalia has brought a wave of speculation about current and future U.S. Supreme Court cases.  One area where there might be a significant impact will be the 4th Amendment, which provides the primary constitutional protection against government surveillance and information gathering.  A new justice could usher in a dramatic expansion in 4th Amendment protections against government surveillance.

Continue Reading

A List of Privacy Law Fellowships

Daniel Solove
Founder of TeachPrivacy

Opportunity Business Fotolia_66071917_S 03

One way to enter the privacy profession is to do a fellowship, and fortunately, an increasing number of fellowship opportunities are emerging.

I have written about the challenges of breaking in to the privacy law profession, especially the challenges that recent law school graduates will face.  There are no established career paths in this field yet, so it takes some effort to get started.  Once you’re in the club, you’ll be in big demand, but there’s a bottleneck at the entrance.  This is why fellowships can be a great way to kick start a career in privacy law.

Here are a few fellowships related to privacy that I’m aware of.  If you know of others I should add to the list, please email me.

Continue Reading

A New US-EU Safe Harbor Agreement Has Been Reached

Daniel Solove
Founder of TeachPrivacy

EU-US Privacy Shield Safe Harbor Training

Last year, the death of the US-EU Safe Harbor Arrangement sent waves of shock and despair to the approximately 4500 companies that used this mechanism to transfer personal data from the US to the EU.  But a new day has dawned.

Continue Reading

Notable Privacy and Security Books from 2015

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

For several years, I have been posting about notable books on privacy and security, and this post lists some of the notable books from 2015.  To see a more comprehensive list of nonfiction works about privacy and security, you might consult this resource page that Professor Paul Schwartz and I maintain: Nonfiction Privacy + Security Books.

Now, without further ado, here are some of the many privacy and security books published in 2015:

Continue Reading

What Can We Learn From Bad Passwords?

Daniel Solove
Founder of TeachPrivacy

Title

By Daniel J. Solove

The SplashData annual list of the 25 most widely used bad passwords recently was posted for passwords used in 2015.  The list is compiled annually by examining passwords leaked during a particular year.  Here is the list of passwords for 2015, and below it, I have some thoughts and reactions to the list.

Continue Reading

Can the FBI Force Apple to Write Software to Weaken Its Software?

Daniel Solove
Founder of TeachPrivacy

title image

A dramatic legal battle is taking place that will have dramatic implications for the future of technology, privacy, security, and the extent of government power.  The FBI obtained an order from a magistrate judge to force Apple to develop software to help the FBI break into an encrypted iPhone.

Continue Reading

New Privacy and Security Awareness Training Programs

Daniel Solove
Founder of TeachPrivacy

security awareness training

I created some new training programs last year, and here are some of the highlights:

Security Training Malware -- Ransomware Attack

The Ransomware Attack (~5 mins)

This short program (~5 minutes) consists of an interactive cartoon vignette about malware.  The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware.  The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.

Module Lifecycle of Personal Data 01

The Life Cycle of Personal Data (~ 15 mins)

This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data.  The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.

Continue Reading

The Ultimate Unifying Approach to Complying with All Laws and Regulations

Daniel Solove
Founder of TeachPrivacy

The Ultimate Unifying Approach to Complying with All Laws and Regulations

Professor Woodrow Hartzog and I have just published our new article, The Ultimate Unifying Approach to Complying with All Laws and Regulations19 Green Bag 2d 223 (2016).  Our article took years of research and analysis, intensive writing, countless drafts, and endless laboring over every word. But we hope we achieved a monumental breakthrough in the law.  Here’s the abstract:

There are countless laws and regulations that must be complied with, and the task of figuring out what to do to satisfy all of them seems nearly impossible. In this article, Professors Daniel Solove and Woodrow Hartzog develop a unified approach to doing so. This approach (patent pending) was developed over the course of several decades of extensive analysis of every relevant law and regulation.

Continue Reading

3 Types of Incidents Account for 86% of HIPAA Data Breaches

Daniel Solove
Founder of TeachPrivacy

HIPAA Data BreachA new report by Verizon, the PHI Data Breach report, analyzes 1,931 data breaches of protected health information (PHI) under HIPAA,  The incidents occurred between 1994 and 2014, with most occurring from 2004-2014.  An article from Computer World sums up the findings of the report.

Verizon 2016 Healthcare ReportOne interesting statistic is that 392 million PHI records were compromised in these breaches, more than the entire population of the United States.

The report notes that 3 types of incident account for 86% of the data breaches:

(1) Lost or stolen portable electronic devices

(2) Sending records to the wrong individual

(3) Improper access to PHI by employees

What do these things have in common?

These are problems that deal with the human factor.  The problems are preventable, and the risk of them can be significantly reduced through training.

To train on these things, organizations must do more then merely say: “Be careful” or “Do not do.”  The training must have an impact on people.  And education is most effective with repetition. People must be repeatedly educated, over and over again.

Continue Reading

Teaching Information Privacy Law

Daniel Solove
Founder of TeachPrivacy

Eyes Privacy 01

I originally posted a version of this post more than 10 years ago, in 2005.  I think it is important to re-post it, with a few updates.

I strongly recommend teaching information privacy law in law schools.  I have authored several textbooks in the field, and I know that this might seem like a self-plug.  But I really am a big believer that all law schools should have not just one course on information privacy law, but several — no matter what textbooks are used!

Information privacy law remains a fairly new field, and it has yet to take hold as a course taught consistently in most law schools.  Last year, I wrote a post complaining about the fact that only about 25% of law schools have a course on privacy law. I’m hoping to change all that.

Privacy Law

So if you’re an academic interested in exploring issues involving information technology, criminal procedure, or free speech, you should consider adding information privacy law to your course package.  If you’re a practitioner, consider teaching an information privacy law course as an adjunct.

Here are some reasons to teach the course:

Continue Reading

Is HIPAA Enforcement Too Lax?

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.

A Sustained and Vigorous Critique of OCR HIPAA Enforcement

A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”

Continue Reading

The Scope and Potential of FTC Data Protection

Daniel Solove
Founder of TeachPrivacy

FTC Privacy and Security

I am pleased to announce the publication of my article, The Scope and Potential of FTC Data Protection., 83 George Washington Law Review 2230 (2015).  I wrote the article with Professor Woodrow Hartzog.

FTC StatueThe article addresses  the scope of FTC authority in the areas of privacy and data security (which together we refer to as “data protection”).  We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.

We contend that the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss why the FTC should act with greater transparency and more nuanced sanctioning and auditing.

The article was part of a great symposium organized by the George Washington University Law Review: The FTC at 100.

GW Law Review FTC Symposium

Here is a table of contents of the issue, along with links to where you can access each essay and article.

Continue Reading

The Value of HIPAA Training

Daniel Solove
Founder of TeachPrivacy

HIPAA Training

HIPAA expert Rebecca Herold offers a very compelling explanation of the value of HIPAA training.  She writes:

Information security and privacy education is more important than ever because new gadgets and technologies enable more healthcare workers to collect and share data.

In September 2015, Cancer Care Group agreed to settle HIPAA violations by paying a $750,000 fine and adopting a “robust corrective action plan to correct deficiencies in its HIPAA compliance program.” One of the major requirements for Cancer Care Group was to review and revise its training program, because the breach was caused by an easily preventable employee action (leaving a laptop with clear text files of 55,000 patients in an unsecured car).

Training needs to be more than once a year, and as soon as, or prior to, the start of employment. There also need to be ongoing awareness communications and activities, as required by HIPAA.

Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a wise business decision, it’s also a requirement in most data protection laws and regulations to provide such education.

To this, all I can say is: Amen.

Rebecca is the author of several great resources on HIPAA, including The Practical Guide to HIPAA Privacy and Security Compliance.

Rebecca Herold Practical Guide to HIPAA

Continue Reading

Privacy Need Not Be Sacrificed for Security

Daniel Solove
Founder of TeachPrivacy

NSA Surveillance

I’ve long been saying that privacy need not be sacrificed for security, and it makes me delighted to see that public attitudes are aligning with this view.  A Pew survey revealed that a “majority of Americans (54%) disapprove of the U.S. government’s collection of telephone and internet data as part of anti-terrorism efforts.”  The anti-NSA surveillance sentiment is even stronger in other countries, as is shown in this chart below.

Pew NSA Surveillance

According to the survey, “74% said they should not give up privacy and freedom for the sake of safety, while just 22% said the opposite.”

As I wrote in my book, Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale U. Press 2011):

The debate between privacy and security has been framed incorrectly, with the tradeoff between these values understood as an all-or-nothing proposition. But protecting privacy need not be fatal to security measures; it merely demands oversight and regulation.

Continue Reading

Blogging Highlights 2015: Health Privacy+Security Issues

Daniel Solove
Founder of TeachPrivacy

HIPAA Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about health privacy and security:

Why HIPAA Matters: Medical ID Theft and the
Human Cost of Health Privacy and Security Incidents

care

Continue Reading

Blogging Highlights 2015: Cybersecurity Issues

Daniel Solove
Founder of TeachPrivacy

Cybersecurity Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about security:

The Worst Password Ever Created

worst password ever created

Should the FTC Kill the Password?
The Case for Better Authentication

title image

Continue Reading

Blogging Highlights 2015: Privacy Issues

Daniel Solove
Founder of TeachPrivacy

Privacy Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts on privacy issues:

I. PHILOSOPHICAL

Privacy by Design:
4 Key Points

title image

What Is Privacy?

Solove Taxonomy of Privacy

II. PRIVACY LAW

Why All Law Schools Should Teach Privacy Law
— and Why Many Don’t

why law schools should teach privacy

Continue Reading

Ransomware’s Dilemma: Pay It or Not?

Daniel Solove
Founder of TeachPrivacy

Ransomware cybersecurity training

Ransomware is one of the most frightening scourges to hit the Internet.  Ransomware is a form of malware (malicious code) that encrypts a person’s files and demands a ransom payment to decrypt them.  If the money isn’t paid, the encryption keys are destroyed, and the data is lost forever.

Ransomware cybersecurity training

Ransomware began to emerge in 2009, and it has been rapidly on the rise.  Recently, it was ranked as the number one threat involving mobile malware.  According to one estimate, “at least $5 million is extorted from ransomware victims each year.”

Ransomware became a household name in 2013, when CryptoLocker infected about 500,000 victims in just 6 months.

Ransomware Cryptolocker security training 01CryptoLocker was eventually defeated.  But new variants of ransomware started popping up more frequently.

Continue Reading

10 Implications of the New EU General Data Protection Regulation (GDPR)

Daniel Solove
Founder of TeachPrivacy

EU GDPR Training General Data Protection Regulation

EU Flag EU Privacy TrainingLast week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries.  Clocking in at more than 200 pages, this is quite a document to digest.  According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”

The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year.  It will has substantial implications for any global company doing business in the EU.  The GDPR is anticipated to go into effect in 2017.

Here are some of the implications I see emerging from the GDPR as well as some questions for the future:

1. Penalties and Enforcement

Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.”  Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.”  The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”

These are huge penalties.  Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO).  Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling.  The CEO will stand up immediately and say: “Excuse me, but I must take this call.  It’s my CPO calling!”

EU Privacy Training Money

To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent.  Will the new GDPR change enforcement?  With such huge fines, the payoff for enforcement will be enormous.  We could see a new enforcement culture emerge, with more robust and consistent enforcement.  If privacy isn’t much of a priority of upper management at some global companies, it will be soon.

Continue Reading

The Kafkaesque Sacrifice of Encryption Security in the Name of Security

Daniel Solove
Founder of TeachPrivacy

The Kafkaesque Sacrifice of Encryption Security in the Name of Security

By Daniel J. Solove

Proponents for allowing government officials to have backdoors to encrypted communications need to read Franz Kafka.  Nearly a century ago, Kafka deftly captured the irony at the heart of their argument in his short story, “The Burrow.”

After the Paris attacks, national security proponents in the US and abroad have been making even more vigorous attempts to mandate a backdoor to encryption.

Continue Reading

Does Cybersecurity Law Work Well? An Interview with Ed McNicholas

Daniel Solove
Founder of TeachPrivacy

Does Cybersecurity Law Work Well?  An Interview with Ed McNicholas

By Daniel J. Solove

“The US is developing a law of cybersecurity that is incoherent and unduly complex,” says Ed McNicholas, one of the foremost experts on cybersecurity law. 

McNicholas is a partner at Sidley Austin LLP and co-editor of the newly-published treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk (with co-editor Vivek K. Mohan).   The treatise is a superb guide to this rapidly-growing body of law, and it is nicely succinct as treatises go.  It is an extremely useful volume that I’m delighted I have on my desk.  If you practice in this field, get this book.  

Continue Reading

K-12 Schools Must Teach Data Privacy and Security

Daniel Solove
Founder of TeachPrivacy

K-12 Schools Must Teach Data Privacy and Security

By Daniel J. Solove

It is essential that children learn about data privacy and security.  Their lives will be fully enveloped by technologies that involve data.  But far too little about these topics is currently taught in most schools. 

Fortunately, there is a solution, one that I’m proud to have been involved in creating.  The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix.

The Privacy K-12 Curriculum Matrix is free.  It can be used by any school, educator, or parent.  It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels.  It includes suggestions for appropriate learning activities for each grade level.

Continue Reading

Modernizing Electronic Surveillance Law

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

Next year, there will be a milestone birthday for the Electronic Communications Privacy Act (ECPA) – the primary federal law that regulates how the government and private parties can monitor people’s Internet use, wiretap their communications, peruse their email, gain access to their files, and much more.

This is no ordinary birthday for ECPA. In 2016, ECPA turns 30. Little did anyone think that in 1986, when ECPA was passed, that it would still remain largely unchanged for 30 years. In 1986, the Cloud was just something in the sky. The Web was what a spider made.

Continue Reading

Great Fictional Works About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

title

By Daniel J. Solove

At my annual event, the Privacy+Security Forum, which was held last month, one of the sessions  involved privacy and security in fiction. The panelists had some terrific readings suggestions, and I thought I’d share with you the write-up that they generated for their session. The speakers were:

Peter Winn, Assistant U.S. Attorney, U.S. DOJ and Lecturer, University of Washington School of Law

Heather West, Senior Policy Manager & Americas Principal, Mozilla

Kevin Bankston, Director, Open Technology Institute and Co-Director, Cybersecurity Initiative, New America

Joseph Jerome, Policy Counsel at Future of Privacy Forum

Continue Reading

The Growing Problems with the Sectoral Approach to Privacy Law

Daniel Solove
Founder of TeachPrivacy

Sectoral Omnibus Privacy Regulation

By Daniel J. Solove

The US regulates privacy with a sectoral approach, with laws that are directed only to specific industries.  In contrast, the EU and many other countries have an omnibus approach — one overarching law that regulates privacy consistently across all industries.  The US is an outlier from the way most countries regulate privacy.

About 15 years ago, the sectoral approach was hailed by many US organizations as vastly preferable to an omnibus approach.  Each industry wanted to be regulated differently, in a more nuanced way focused on its particular needs.  Industries could lobby and exert their influence much more on laws focused on their industry.  Additionally, some organizations liked the sectoral approach because they fell into one of the big gaps in regulation.

But today, ironically, the sectoral approach is not doing many organizations any favors.  There are still gaps in protection under the US approach, but these have narrowed.  In fact, many organizations do not fall into gaps in protection — they are regulated by many overlapping laws.  The result is a ton of complexity, inconsistency, and uncertainty in the law.

Continue Reading

Alan Westin’s Privacy and Freedom

Daniel Solove
Founder of TeachPrivacy

Alan Westin Privacy and Freedom

Alan Westin Privacy and FreedomI am pleased to announce that Alan Westin’s classic work, Privacy and Freedom, is now back in print.  Originally published in 1967, Privacy and Freedom had an enormous influence in shaping the discourse on privacy in the 1970s and beyond, when the Fair Information Practice Principles (FIPPs) were developed.

The book contains a short introduction by me.  I am truly honored to be introducing such a great and important work.  When I began researching and writing about privacy in the late 1990s, I kept coming across citations to Westin’s book, and I was surprised that it was no longer in print.  I tracked down a used copy, which wasn’t as easy to do as today.  What impressed me most about the book was that it explored the meaning and value of privacy in a rich and interdisciplinary way.

A very brief excerpt from my intro:

At the core of the book is one of the most enduring discussions of the definition and value of privacy. Privacy is a very complex concept, and scholars and others have struggled for centuries to define it and articulate its value. Privacy and Freedom contains one of the most sophisticated, interdisciplinary, and insightful discussions of privacy ever written. Westin weaves together philosophy, sociology, psychology, and other disciplines to explain what privacy is and why we should protect it.

Alan WestinI was fortunate to get to know Alan Westin, as I began my teaching career at Seton Hall Law School in Newark, New Jersey, and Alan lived and worked nearby.  I had several lunches with him, and we continued our friendship when I left to teach at George Washington University Law School.  Alan was kind, generous, and very thoughtful. He was passionate about ideas.  I miss him greatly.

So it is a true joy to see his book live on in print once again.

Here’s the blurb from the publisher:

Continue Reading

Privacy+Security Forum Chart of Session Times + Speakers

Daniel Solove
Founder of TeachPrivacy

Privacy+Security Forum

I’m very excited that the 1st annual Privacy + Security Forum (Oct. 21-23 in Washington, DC) is finally beginning!

We have about 190 speakers and 60+ sessions.

Session Descriptions: Session Descriptions Guide
Readings: Readings for each session are on our schedule page
Session Times and Location: Session Times and Location Chart.

Below is a chart with session titles, speakers, times, and room assignments.  I designed this chart to be easy to access online.

Continue Reading

Sunken Safe Harbor: 5 Implications of Schrems and US-EU Data Transfer

Daniel Solove
Founder of TeachPrivacy

sunken safe harbor

By Daniel J. Solove

In a profound ruling with enormous implications,the European Court of Justice (ECJ) has declared the Safe Harbor Arrangement to be invalid.

[Press Release]  [Opinion]

The Safe Harbor Arrangement

The Safe Harbor Arrangement has been in place since 2000, and it is a central means by which data about EU citizens can be transferred to companies in the US.  Under the EU Data Protection Directive, data can only be transferred to countries with an “adequate level of protection” of personal data.  The EU has not deemed the US to provide an adequate level of protection, so Safe Harbor was created as a work around.

Continue Reading

Phishing Your Employees: 3 Essential Tips

Daniel Solove
Founder of TeachPrivacy

Phishing Training

A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce.  Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.

1. Be careful about data collection and discipline

Think about the data that you gather about employee performance on simulated phishing.  It can be easy to overlook the implications of maintaining and using this data.  I look at it through the lens of its privacy risks.  This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences.  How long will the data be kept?  What will be done with it?  How securely will it be kept?  What if it were compromised and publicized online?

Continue Reading

6 Great Films About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel Solove

I previously shared 5 of my favorite novels about privacy and security, and I’d now like to share 6 of my favorite films about these topics — because I just couldn’t whittle the list down to 5.

I was thinking about my favorite films because I’ve been putting together a session at my Privacy+Security Forum event next month — the “Privacy and Security Film and TV Club” — where a group of experts will share their favorite films and TV series that have privacy and security themes.

Without further ado, here are my film choices:

Continue Reading

Should the U.S. Play By Different Rules in Cyberspace?

Daniel Solove
Founder of TeachPrivacy

Flag

Recently, oral arguments were heard in a very important case in the U.S. Court of Appeals for the Second Circuit. The case is officially titled In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, but it is being referred to as Microsoft v. United States for short.

Continue Reading

PCI Training: Reducing the Risk of Phishing Attacks

Daniel Solove
Founder of TeachPrivacy

PCI Training Payment Card Data Risks

PCI Logo PCI TrainingThe Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks.  Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS).  One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.

A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.

PCI Training Phishing Statistics

According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”

Continue Reading

Start with Security: The FTC’s Data Security Guidance

Daniel Solove
Founder of TeachPrivacy

FTC Start with Security 03

Recently, the FTC issued a short guide to what organizations can do to protect data security.  It is called Start with Security  (HTML) — a PDF version is here.  This document provides a very clear and straightforward discussion of 10 good information security measures.  It uses examples from FTC cases.

Continue Reading

Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents

Daniel Solove
Founder of TeachPrivacy

Why HIPAA matters

By Daniel J. Solove

Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.

“HIPAA?” the doctors will ask.

“Yes, HIPAA,” I confess.

And then the doctor’s face turns grim.  At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease.  Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.”  It’s about as bad as “stink eye.”

Continue Reading

5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham

Daniel Solove
Founder of TeachPrivacy

Federal Trade Commission - FTC - Data Security

Over at Fierce IT Security, Professor Woodrow Hartzog and I have a new essay, 5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham The piece discusses some enforcement strategies we believe the FTC should use to maximize its effectiveness in improving data security.  Our suggestions include:

  1. Do more proactive enforcement
  2. Take on more data security cases
  3. Push companies toward improved authentication – moving beyond mere passwords
  4. Restrict the use of Social Security numbers for authentication purposes
  5. Develop a theory of data stewardship for third parties

Please check out our essay for our explanation of the above agenda and a lot more detail.

Continue Reading

New Security Training Program: Social Engineering: Spies and Sabotage

Daniel Solove
Founder of TeachPrivacy

Module Data Security Spies and Sabotage 02

I am pleased to announce the launch of our new training program, Social Engineering: Spies and Sabotage. This course is a short module (~7 minutes long) that provides a general introduction to social engineering.

After discussing several types of social engineering (phishing, baiting, pretexting, and tailgaiting), the course provides advice for avoiding these tricks and scams. Key points are applied and reinforced with 4 scenario quiz questions.

Social Engineering Training Spies 01

Continue Reading

The High Cost of Phishing and the ROI of Phishing Training

Daniel Solove
Founder of TeachPrivacy

Phishing Training 01

A study recently revealed that nearly 25% of data breaches involve phishing, and it is the second most frequent data security threat companies face.  Phishing is an enormous problem, and it is getting worse.

Phishing threats -- Verizon report 2015 threats

In a staggering statistic, on average, a company with 10,000 employees will spend $3.7 million per year handling phishing attacks.

Continue Reading