6 Great Films About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel Solove

I previously shared 5 of my favorite novels about privacy and security, and I’d now like to share 6 of my favorite films about these topics — because I just couldn’t whittle the list down to 5.

I was thinking about my favorite films because I’ve been putting together a session at my Privacy+Security Forum event next month — the “Privacy and Security Film and TV Club” — where a group of experts will share their favorite films and TV series that have privacy and security themes.

Without further ado, here are my film choices:

Continue Reading

Should the U.S. Play By Different Rules in Cyberspace?

Daniel Solove
Founder of TeachPrivacy

Flag

Recently, oral arguments were heard in a very important case in the U.S. Court of Appeals for the Second Circuit. The case is officially titled In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, but it is being referred to as Microsoft v. United States for short.

Continue Reading

PCI Training: Reducing the Risk of Phishing Attacks

Daniel Solove
Founder of TeachPrivacy

PCI Training Payment Card Data Risks

PCI Logo PCI TrainingThe Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks.  Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS).  One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.

A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.

PCI Training Phishing Statistics

According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”

Continue Reading

Start with Security: The FTC’s Data Security Guidance

Daniel Solove
Founder of TeachPrivacy

FTC Start with Security 03

Recently, the FTC issued a short guide to what organizations can do to protect data security.  It is called Start with Security  (HTML) — a PDF version is here.  This document provides a very clear and straightforward discussion of 10 good information security measures.  It uses examples from FTC cases.

Continue Reading

Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents

Daniel Solove
Founder of TeachPrivacy

Why HIPAA matters

By Daniel J. Solove

Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.

“HIPAA?” the doctors will ask.

“Yes, HIPAA,” I confess.

And then the doctor’s face turns grim.  At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease.  Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.”  It’s about as bad as “stink eye.”

Continue Reading

5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham

Daniel Solove
Founder of TeachPrivacy

Federal Trade Commission - FTC - Data Security

Over at Fierce IT Security, Professor Woodrow Hartzog and I have a new essay, 5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham The piece discusses some enforcement strategies we believe the FTC should use to maximize its effectiveness in improving data security.  Our suggestions include:

  1. Do more proactive enforcement
  2. Take on more data security cases
  3. Push companies toward improved authentication – moving beyond mere passwords
  4. Restrict the use of Social Security numbers for authentication purposes
  5. Develop a theory of data stewardship for third parties

Please check out our essay for our explanation of the above agenda and a lot more detail.

Continue Reading

New Security Training Program: Social Engineering: Spies and Sabotage

Daniel Solove
Founder of TeachPrivacy

Module Data Security Spies and Sabotage 02

I am pleased to announce the launch of our new training program, Social Engineering: Spies and Sabotage. This course is a short module (~7 minutes long) that provides a general introduction to social engineering.

After discussing several types of social engineering (phishing, baiting, pretexting, and tailgaiting), the course provides advice for avoiding these tricks and scams. Key points are applied and reinforced with 4 scenario quiz questions.

Social Engineering Training Spies 01

Continue Reading

The High Cost of Phishing and the ROI of Phishing Training

Daniel Solove
Founder of TeachPrivacy

Phishing Training 01

A study recently revealed that nearly 25% of data breaches involve phishing, and it is the second most frequent data security threat companies face.  Phishing is an enormous problem, and it is getting worse.

Phishing threats -- Verizon report 2015 threats

In a staggering statistic, on average, a company with 10,000 employees will spend $3.7 million per year handling phishing attacks.

Continue Reading

Social Dimensions of Privacy

Daniel Solove
Founder of TeachPrivacy

Digital Person 02
I recently received my copy of Social Dimensions of Privacy, edited by Beate Roessler & Dorota Mokrosinska.  The book was published by Cambridge University Press this summer.

Social Dimensions of Privacy ISBN 9781107052376I’m delighted as I look over this book.  The book has a wonderful selection of short philosophical essays on privacy, and I’m honored to be included among the terrific group of chapter authors, who include Anita Allen, Paul Schwartz, Helen Nissenbaum, Judith Wagner DeCew, Kirsty Hughes, Colin Bennett, Adam Moore, and Priscilla Regan, among many others.  Each chapter is succinct and well-chosen.

From the book blurb: “Written by a select international group of leading privacy scholars, Social Dimensions of Privacy endorses and develops an innovative approach to privacy. By debating topical privacy cases in their specific research areas, the contributors explore the new privacy-sensitive areas: legal scholars and political theorists discuss the European and American approaches to privacy regulation; sociologists explore new forms of surveillance and privacy on social network sites; and philosophers revisit feminist critiques of privacy, discuss markets in personal data, issues of privacy in health care and democratic politics. The broad interdisciplinary character of the volume will be of interest to readers from a variety of scientific disciplines who are concerned with privacy and data protection issues.”

My chapter is entitled “The Meaning and Value of Privacy.”

Here’s a full table of contents:

Continue Reading

The FTC Has the Authority to Enforce Data Security: FTC v. Wyndham Worldwide Corp.

Daniel Solove
Founder of TeachPrivacy

FTC 01by Daniel J. Solove

The U.S. Court of Appeals for the 3rd Circuit just affirmed the district court decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd. Cir. Aug. 24, 2015).  The case involves a challenge by Wyndham to an Federal Trade Commission (FTC) enforcement action emerging out of data breaches at the Wyndham.

Background

Since the mid-1990s, the FTC has been enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security.  Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.”  Deception and unfairness are two independent bases for FTC enforcement.  During the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled.  Wyndham was one of the exceptions; instead of settling, it challenged the FTC’s authority to enforce to protect data security as an unfair trade practice.

Among the arguments made by Wyndham, three are most worth focusing on:

FTC PNG 02a(1) Because Congress enacted data security laws to regulate specific industries, Congress didn’t intend for the FTC to be able to regulate data security under the FTC Act.

(2) The FTC is not providing fair notice about the security practices it deems as “unfair” because it is enforcing on a case-by-case basis rather than promulgating a set of specific practices it deems as unfair.

(3) The FTC failed to establish “substantial injury to consumers” as required to enforce for unfairness.

The district court rejected all three of these arguments, and so did the 3rd Circuit Court of Appeals.  Here is a very brief overview of the 3rd Circuit’s reasoning.

Continue Reading

Should the FTC Kill the Password? The Case for Better Authentication

Daniel Solove
Founder of TeachPrivacy

title image

Co-authored by Professor Woodrow Hartzog.

Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.

Continue Reading

Big Brother on the Cover: 50+ Covers for George Orwell’s 1984

Daniel Solove
Founder of TeachPrivacy

Privacy Training Blog Big Brother Is Watching You Poster

by Daniel J. Solove

Privacy Training Blog George Orwell

George Orwell

One of the most well-known classic privacy books is George Orwell’s 1984, and it has been published in countless editions around the world.  I enjoy collecting things, and I’ve gathered up more than 50 book covers of various editions of the novel.  I find it interesting how various artists and designers try to capture the novel’s themes.  I thought I’d share the covers with you.

Orwell’s 1984 chronicles a harrowing totalitarian society, one that engages in massive surveillance of its citizenry.  Everywhere are posters that say “NSA Big Brother Is Watching You.”   From the novel:

Continue Reading

Lessons from the Latest HIPAA Enforcement Action

Daniel Solove
Founder of TeachPrivacy

HIPAA Training OCR Enforcementby Daniel J. Solove

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC).  SEMC agreed to pay $218,000.

The case began with a complaint filed with OCR back in 2012 that employees were sharing PHI of nearly 500 patients via an online sharing application without a risk analysis on such activities being undertaken.  OCR investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”

Continue Reading

Understanding the FTC on Privacy and Security

Daniel Solove
Founder of TeachPrivacy

Privacy Training Blog FTC

by Daniel J. Solove

Privacy Awareness Training Blog TRUSTe FTC WebinarI recently held a webinar about the Federal Trade Commission (FTC) for TRUSTe called Understanding the FTC on Privacy and Security.   The webinar is free and is archived at TRUSTe’s site.

Here is a brief synopsis of the webinar:

For the past nearly two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security.  What are the standards that the FTC is developing for privacy and data security?  What sources does the FTC use for the standards it develops?

A common misconception is that the FTC’s jurisprudence has been rather thin, merely focuses on enforcing promises made in privacy policies. To the contrary, a deeper look the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.

My webinar was written up at the Wall Street Journal.  If you’re interested in seeing it, it’s free and available here.   Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.

Continue Reading

Patient Access to Medical Records Under HIPAA: Significant Reform Needed

Daniel Solove
Founder of TeachPrivacy

Doctor taking notes in his office, isolated

by Daniel J. Solove

Recently, I wrote about the challenges in accessing health information about family members.  In this post, I will explore patients’ access to their own medical records.

HIPAA doesn’t handle patient access to medical records very well. There are many misunderstandings about patient access under HIPAA that make it quite difficult for patients to obtain their medical information quickly and conveniently.

Getting records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. I often scratch my head at why fax is still used today — it’s one step more advanced than carrier pigeon.

Continue Reading

HIPAA’s Friends and Family Network: Access to Health Information

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Blog Sharing PHI with Friends and Family 02

by Daniel J. Solove

Suppose your elderly mother is being treated at the hospital for a heart condition. Your mother tells her doctor that you can have access to her health information. The doctor, however, doesn’t disclose the information to you.

The doctor thinks that you can only have the information with a signed written authorization. Is this correct?

No. HIPAA doesn’t require a signed or even a written authorization. If a patient tells a doctor that protected health information (PHI) can be shared with family or friends, then that’s all that is needed. The doctor can disclose it to you.

So has the doctor violated HIPAA by refusing to disclose the PHI?

Continue Reading

OPM Data Breach Fallout, Fingerprints, and Other Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

OPM Fallout

By Daniel J. Solove

Co-authored by Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here. We cover health issues in a separate post.

general devels

News

Mayer Brown survey of executives: 25% of organizations lack both a CPO and CIO (March 2015)

stats

Continue Reading

Security Experts Critique Government Backdoor Access to Encrypted Data

Daniel Solove
Founder of TeachPrivacy

Data Ballby Daniel J. Solove

In a recent report, MIT security experts critiqued calls by government law enforcement for backdoor access to encrypted information.  As the experts aptly stated:

“Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure government access to information — even encrypted information. They argue that the growing use of encryption will neutralize their investigative capabilities. They propose that data storage and communications systems must be designed for exceptional access by law enforcement agencies. These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

The report is called Keys Under Doormats: Mandating Insecurity by Requiring Government Access to all Data and Communications and is by Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner.

Continue Reading

Mr. Robot: My Review of the New TV Series

Daniel Solove
Founder of TeachPrivacy

Mr Robot 01by Daniel J. Solove

I’ve really been enjoying the new TV series Mr. Robot on USA. Network.  It presents highly-engaging depictions of hacking and social engineering, and it is great entertainment for privacy and security  geeks.

Mr Robot 05aThe protagonist is Elliot Alderson (played by Rami Malek), a tech who works at a cybersecurity firm in New York City.  The show is narrated with voiceover by Elliot, and we get a glimpse into the mind of this reclusive and quiet person.  Voiceover can often falter as a technique, but here it works wonderfully — and all the more impressive because Elliot speaks softly, often in monotone.  But Elliot is such a fascinating character and Malek delivers Elliot’s monologue so effectively, that it becomes surprisingly engaging.

Elliot is very smart and clever, and he sees many around him as idiots.  He suffers from severe bouts of depression, is a recluse who wants to be invisible, and he is very awkward around other people.  He lives most of his life inside his head.  The show presents the stark contrast between what he says to others and what he is thinking.  In one scene, we see him speaking to his psychiatrist, telling her hardly anything.  But we hear his thoughts and know that he is pondering quite a lot.
Continue Reading

Going Bankrupt with Your Personal Data

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

A recent New York Times article discusses the issue of what happens to your personal data when companies go bankrupt or are sold to other companies:

When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.

This has long been a problem, and I’m glad to see it receiving some attention.  The issue arose in one of the early FTC cases on privacy about 15 years ago.

Continue Reading

Security Professionals in High Demand

Daniel Solove
Founder of TeachPrivacy

CISO Security Professionals Security Training

by Daniel J. Solove

According to a study, the number of cybersecurity job listings increased 74% from 2007 to 2013.  This was more than double the growth rate of IT jobs.

In a survey earlier this year of ISACA members, 86% stated that there is a “global shortage of skilled cybersecurity professionals.”

According to a salary survey, CISO salaries climbed 7.1% in the past year, from a range of between about $126,000 – $190,000 to a range between $134,000 – $205,000.

Chart CISO Salaries 01

Continue Reading

New Resource Page: HIPAA Training Requirements FAQ

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Requirements Whiteboard 02

by Daniel J. Solove

I recently created a new resource page for the TeachPrivacy website: HIPAA Training Requirements: FAQ.

Continue Reading

What Is Privacy?

Daniel Solove
Founder of TeachPrivacy

Finger Print Iris Scan

By Daniel J. Solove

What is privacy? This is a central question to answer, because a conception of privacy underpins every attempt to address it and protect it.  Every court that holds that something is or isn’t privacy is basing its decision on a conception of privacy — often unstated.  Privacy laws are also based on a conception of privacy, which informs what things the laws protect.  Decisions involving privacy by design also involve a conception of privacy.  When privacy is “baked into” products and services, there must be some understanding of what is being baked in.

Far too often, conceptions of privacy are too narrow, focusing on keeping secrets or avoiding disclosure of personal data.  Privacy is much more than these things.  Overly narrow conceptions of privacy lead to courts concluding that there is no privacy violation when something doesn’t fit the narrow conception.   Narrow or incomplete conceptions of privacy lead to laws that fail to address key problems.  Privacy by design can involve throwing in a few things and calling it “privacy,” but this is like cooking a dish that requires 20 ingredients but only including 5 of them.

It is thus imperative to think through what privacy is.  If you have an overly narrow or incomplete conception of privacy, you’re not going to be able to effectively identify privacy risks or protect privacy.

In my work, I have attempted to develop a practical and useable conception of privacy.  In what follows, I will briefly describe what I have developed.

Continue Reading

Baseball’s “Hacking” Case: Are You a Hacker Too?

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

 

I’m a St. Louis Cardinals fan, so I guess it is fitting that my favorite team becomes embroiled in a big privacy and data security incident.  At the outset, apologies for the feature photo above.  It pulled up under a search for “baseball hacker,” and as a collector of ridiculous hacker stock photos, I couldn’t resist adding this one to my collection.  I doctored it up by adding in the background, but I applaud the prophetic powers of the photographer who had a vision that one day such an image would be needed.

Continue Reading

Cybersecurity: Leviathan vs. Low-Hanging Fruit

Daniel Solove
Founder of TeachPrivacy

Data Security Training Low-Hanging Fruit

by Daniel J. Solove

There are certainly many hackers with sophisticated technical skills and potent malicious technologies.  These threats can seem akin to Leviathan — all powerful and insurmountable.

Leviathan 01

It can be easy to get caught up focusing on the Leviathan and miss the low-hanging fruit of cybersecurity.  This low-hanging fruit consists of rather simple and easy-to-fix vulnerabilities and bad practices.

Continue Reading

The Importance and Goals of HIPAA Training Programs

Founder of TeachPrivacy

HIPAA Training

by Daniel J. Solove

There is a great quote in this article from HealthcareInfoSecurity: that expresses very well the importance and goals of HIPAA training programs:

Workforce training is important not only for preventing breaches, including those involving ID crimes, but also to help detect those incidents, [Ann Patterson of the Medical Identity Fraud Alliance] says. “Each employee must understand their role in protecting PHI. Equally important is regular and continued evaluation of the training programs to make sure that employees are adhering to the policies put in place, and that the ‘red flags’ detection systems are keeping pace with changing technologies and workplace practices.”

Continue Reading

The OPM Data Breach: Harm Without End?

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

The recent breach of the Office of Personnel Management (OPM) network involved personal data on millions of federal employees, including data related to background checks. OPM is now offering 18 months of free credit monitoring and identity theft insurance to victims. But as experts note in a recent Washington Post article, this is not nearly enough:

If the data is in the hands of traditional cyber criminals, the 18-month window of protection may not be enough to protect workers from harm down the line. “The data is sold off, and it could be a while before it’s used,” said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie. “There’s often a very big delay before having a loss.”

Continue Reading

Use of Encryption Is Increasing — Albeit Slowly

Daniel Solove
Founder of TeachPrivacy

old metal numbers

by Daniel J. Solove

According to a survey commissioned by Thales e-Security, the use of encryption by organizations is increasing.  Ten years ago, only 15% had an enterprise-wide encryption strategy. Now, 36% have such a strategy.

Chart Encryption Increase 01 Some other interesting findings from the survey also found, according to a ZDNet article:

Continue Reading

New Resource Page: Text of HIPAA’s Training Requirements

Daniel Solove
Founder of TeachPrivacy

HIPAA Training Requirements Text 01

by Daniel J. Solove

I recently created a new resource page for the TeachPrivacy website: Text of HIPAA’s Training Requirements.  This page provides excerpts of the training provisions in the HIPAA Privacy Rule and the HIPAA Security Rule.

This page is designed to be a useful companion page to our resource page, HIPAA Training Requirements: FAQ.  The FAQ discuss my interpretation of the HIPAA training provisions, but the full text of those provisions is located on the separate new resource page above.

Continue Reading

Cybersecurity in the Boardroom

Daniel Solove
Founder of TeachPrivacy

??????????

by Daniel J. Solove

A few days ago, I posted about how boards of directors must grapple with privacy and cybersecurity.   Today, I came across a survey by NYSE Governance Services and Vericode of 200 directors in various industries.

According to the survey, about two-thirds of directors are less than confident about their company’s cybersecurity.  This finding is not surprising given the frequency of data breaches these days.  There is a growing sense of exasperation, as if we are living in an age of a great plague, with bodies piling up in the streets.

Plague 01

Continue Reading

Boards of Directors Must Grapple with Privacy and Cybersecurity

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

Privacy and cybersecurity have become issues that should be addressed at the board level. No longer minor risks, privacy and cybersecurity have become existential issues. The costs and reputational harm of privacy and security incidents can be devastating.

Yet not enough boards are adequately engaged with these issues. According to a survey last year, 58% of members of boards of directors believed that they should be actively involved in cyber security. But only 14% of them stated that they were actively involved.

Continue Reading

New Resource Page: Privacy and Security Training Requirements

Daniel Solove
Founder of TeachPrivacy

Privacy and Security Training Requirements 02

by Daniel J. Solove

I have created a new resource page for the TeachPrivacy website:  Privacy and Security Training Requirements.

Continue Reading

Green Eggs and Ham: How Not to Market and Invade Privacy

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

Dr. Seuss’s Green Eggs and Ham is a timeless classic that is read to millions of children. At first the simple rhymes and cute drawings are alluring. But parents will soon discover the book’s terrifying equation: The tiresome repetition of the book multiplied by the number of times a child will want the book read. The result is mind-numbing and will make parents curse the day they decided to make the book part of their child’s library.

Continue Reading

Health Data Security in Crisis, Phase 2 Audits, and Other HIPAA Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

Co-authored with Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. We have split the health/HIPAA material from our updates on other topics. To see our updates for other topics, click here.

For a PDF version of this post, and for archived issues of previous posts, click here.

Continue Reading

The Terrifying Math of Phishing

Daniel Solove
Founder of TeachPrivacy

Fish 1210-1242156850ss7a pub domain pictures

by Daniel J. Solove

Although we are seeing increasingly more sophisticated attempts at phishing, it appears as though many phishers still haven’t been able to get their hands on a program with spell check.  Why are we still seeing the $10 million lottery winning emails?  Or the long lost relative of yours living in Fiji who is leaving you $4 million?

A recent article explains that for the phishers, it is all a numbers game:

“So, if 97 per cent of phishing attempts are unsuccessful, why is it such a large issue? Because there are 156 million phishing emails sent worldwide daily. . . . Of the 156 million phishing emails sent daily, 16 million get through filters. Another eight million are opened by recipients. 800,000 click on the link provided, and 80,000 provide the information requested.”

Continue Reading

Myths About Privacy Law and the First Amendment

Daniel Solove
Founder of TeachPrivacy

Privacy and First Amendment 01

by Daniel J. Solove

In Sorrell vs. IMS Health, 131 S. Ct. 2653 (2011), the Supreme Court struck down Vermont’s Prescription Confidentiality Law as a violation of the First Amendment right to free speech. The Vermont law restricted the sale and marketing use of information that would identify prescribers without their consent. The Supreme Court reasoned that the Vermont law “enacts content- and speaker-based restrictions on the sale, disclosure, and use of prescriber-identifying information.” According to the Court, the statute made content-based restrictions because it singled out marketing, and the statute made speaker-based restrictions because it focused on pharmaceutical manufacturers. The Court stated: “The law on its face burdens disfavored speech by disfavored speakers.”

Continue Reading

Chart of the Largest Data Breaches in the World

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

Over at the website, Information Is Beautiful, is this amazing chart of the biggest data breaches in the world

Who knew data breaches could be so beautiful?  For those who have suffered from their data being lost in a data breach to those who have suffered because they had to clean up after a data breach, there is a larger meaning to all your pain — it was for art!

This chart is so cool that it would almost be worth all the pain.

Data Breaches Security Training 02 Continue Reading

Troublesome Password Practices and the Need for Data Security Training

Daniel Solove
Founder of TeachPrivacy

login  password on lcd screen macro

By Daniel J. Solove

A recent study by TeleSign revealed that many people engage in some troublesome password practices. Some of the most alarming findings from the report include:

— 73% of accounts use duplicate passwords.

— Nearly half of consumers have a password they haven’t changed in 5+ years

— “Consumers have an average of 24 online accounts, but use only 6 unique passwords.”

— “Only 30 percent of consumers are confident that their passwords will protect the security of their online accounts.”

These findings demonstrate why better authentication is needed. Enforcing good password practices is tremendously difficult. People have so many passwords that they must memorize, and if they must be long and complex, this compounds the challenge.  Alternative means of authentication — such as two-factor authentication — should be explored, as they can be affordable and efficient.

Continue Reading

5 Great Novels About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

title

I am a lover of literature (I teach a class in law and literature), and I also love privacy and security, so I thought I’d list some of my favorite novels about privacy and security.

I’m also trying to compile a more comprehensive list of literary works about privacy and security, and I welcome your suggestions.

Continue Reading

Big Data, Big Data Breaches, Big Fines and Other Privacy + Security Updates

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove
Co-authored by Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. This post includes developments from the first part of 2015. For a PDF version of this post, and for archived issues of previous posts, click here.

NOTE: Health privacy and security issues will now be covered in a separate update post. 

Continue Reading

If the Empire in Star Wars Had Big Data

Daniel Solove
Founder of TeachPrivacy

Star Wars Privacy and Security Awareness Darth Vader

. . . the Empire would have won. A search of records would have revealed where Luke Skywalker was living on Tatooine.  A more efficient collection and aggregation of Jawa records would have located the droids immediately.  Simple data analysis would have revealed that Ben Kenobi was really Obi Wan Kenobi. A search of birth records would have revealed that Princess Leia was Luke’s sister. Had the Empire had anything like the NSA, it would have had all the data it needed, and it could have swept up the droids and everyone else, and that would have been that.

There is an important lesson to be learned from Star Wars: If you are trying to establish and maintain a ruthless Empire, you can greatly benefit from better data aggregation and analysis.

Continue Reading

Law Firm Cyber Security and Privacy Risks

Daniel Solove
Founder of TeachPrivacy

Title image

By Daniel J. Solove

Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11.

This is not time for firms to keep calm and carry on. The proper response is to freak out.

Continue Reading

Why We Should Persuade and Train with Stories

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove

 

Once upon a time, there was a teacher who wanted to train people. At first, the teacher stated a list of things to do and not do. But this had little effect. The teacher was upset and started to doubt whether he could ever get through to people. But then the teacher tried a new approach – using stories. People remembered the stories, and the training started to change people’s behavior. And the teacher and everyone he taught lived happily ever after.

Continue Reading

Privacy Law: From a National Dish to a Global Stew

Daniel Solove
Founder of TeachPrivacy

title image

By Daniel J. Solove
This post is co-authored by Professor Neil Richards

The recent case of Google v. Vidal-Hall in the UK has generated quite a buzz, with Omer Tene calling it the “European privacy judicial decision of a decade.”

The case illustrates several fascinating aspects of the developing global law of privacy, with big implications for online marketing, Big Data, and the Internet of Things.

At first blush, it is easy to see the case as one more divergence between how privacy is protected in the EU and US, with a European Court once again showing how much eager it is to protect privacy than an American one. But the biggest takeaway from the case is not one of divergence; it is one of convergence!

Continue Reading

The Health Data Breach and ID Theft Epidemic

Daniel Solove
Founder of TeachPrivacy

Title image

By Daniel J. Solove

When you go to the hospital, you might worry about catching a staph infection or pneumonia, but you should also worry about contracting a nasty case of medical identity theft. Most people suffer significant harm from medical ID theft, and few are completely cured. This ailment is spreading dramatically as data spurts out of healthcare organizations these days as if from a ruptured aorta.

In January of this year, an article citing U.S. Department of Health and Human Services (HHS) statistics noted that in the past 5 years, there have been roughly 120,000 reported data breaches involving HIPAA protected health information. These breaches have involved more than 31 million individuals.

Continue Reading

Does Scholarship Really Have an Impact? The Article that Revolutionized Privacy Law

Daniel Solove
Founder of TeachPrivacy

Title image

 

By Daniel J. Solove

Does scholarship really have an impact? For a long time, naysayers have attacked scholarship, especially scholarship about law. U.S. Supreme Court Chief Justice Roberts once remarked: “Pick up a copy of any law review that you see, and the first article is likely to be, you know, the influence of Immanuel Kant on evidentiary approaches in 18th Century Bulgaria, or something.” He noted that when the academy addresses legal issues at “a particularly abstract, philosophical level . . . they shouldn’t expect that it would be of any particular help or even interest to the members of the practice of the bar or judges.” Judge Harry Edwards also has attacked legal scholarship as largely irrelevant.

Continue Reading