In case you missed my interview with New York Times reporter Kashmir Hill, you can watch the replay here. We discussed her new book, Your Face Belongs to US: A Secretive Startup’s Quest to End Privacy as We Know It (Sept. 19, 2023).
If you couldn’t make it to my recent webinar where I discussed new state privacy laws with Libbie Canter, you can watch the replay here.
Although a U.S. federal privacy law remains elusive, U.S. states have been busily passing new laws. The laws have many similarities, but there are some notable differences. California and Colorado have issued new regulations, some provisions of which strengthen components of the laws. I expect other states to join in the party soon.
I will be holding a Webinar on U.S. State Privacy Law Developments tomorrow (Tues, Aug. 29, 2023 at 2 PM ET) with Libbie Canter (Covington) to discuss these laws. Click here to register now for this free webinar!
I have created some related resources and training materials that might be useful:
I’ll be speaking at Berkeley Law’s 16th Annual BCLT Privacy Lecture on 9/22 about Murky Consent: An Approach to the Fictions of Consent in Privacy Law with commenters, Ari Ezra Waldman (Professor, UC Irvine School of Law), Rebecca Wexler (Professor, UC Berkeley School of Law), and Ella Corren (JSD, UC Berkeley School of Law).
Before the pandemic, which seems like eons ago, I spearheaded a group of legal academics and practitioners in the field of privacy law who sent a letter to the deans of all U.S. law schools about privacy law education. The pandemic occurred not too long after our letter, and deans had many other things to worry about during that time.
The time is right to send a follow up letter about why law schools should increase and improve their privacy law faculty and curriculum. So, I am emailing the letter below to all U.S. law school deans.
You can see a PDF of the letter here.
* * * *
August 1, 2023
Dear Dean,
We are writing to you and other law school deans to urge you to prioritize offering more courses and hiring more faculty in the information privacy law field.
We previously wrote an open letter to you before the pandemic, and we wish to send you another letter now because recent developments have strengthened our contentions below.
We call on you to consider taking one or more of the following actions:
If you couldn’t make it to my recent webinar on Washington’s My Health My Data Act (MHMDA) and the new state health privacy laws, you can watch the replay here. I had a great discussion with Mike Hintze (Hintze Law).
Back by popular demand, it’s another installment of the funniest hacker stock photos. Because I create security awareness training (and HIPAA security training too), I’m always in the hunt for hacker photos.
Hacker techniques have evolved over the years, and so have hacker stock photos. Now, many of them are created by AI. Whether created by humans or machines, they are generally quite ridiculous.
If you’re interested in the previous posts in this series see:
The Funniest Hacker Stock Photos 4.0
The Funniest Hacker Stock Photos 3.0
The Funniest Hacker Stock Photos 2.0
The Funniest Hacker Stock Photos 1.0
I have no way to explain this one except that it is Barbie marketing gone wrong.
Neon masks are the new “in” thing for hacking these days.
This one was AI generated. I guess AI think that people need to be wired into something in order to work. Also, the AI thinks that there’s no need for eyes when hacking.
Data breaches and privacy violations have long been thought of as different things, but actually, there is a lot of overlap.
Two recent FTC cases address this issue. These cases involve the Health Breach Notification Rule, 16 CFR Part 318, which covers health data breaches beyond HIPAA. The Rule had long existed, but the FTC only started enforcing it in 2021 (see the FTC’s announcement here). Under the Rule, a “breach of security” is defined as “acquisition of [PHR identifiable health information] without the authorization of the individual.” Unlike the FTC Act Section 5, which has no monetary penalties (unless a consent decree is violated), the Health Breach Notification Rule carries fines of more than $50,000 per violation.
In its enforcement of the Rule, the FTC has claimed that privacy violations are data breaches that should have been reported under the Rule.
These cases are quite notable, and they go far beyond the Health Breach Notification Rule. As I have been arguing for years, privacy and cybersecurity are quite interrelated and should not be understood as the often-siloed separate domains that they are today. Data breaches need not be caused by hackers breaking in or when data is leaked or lost. They can occur even when a company intentionally shares data improperly — a common privacy violation.
I had a great discussion with Filip Johnssén about various privacy law issues on his podcast, Dataministeriet. It begins in Swedish, then turns to English after a brief introduction.
Free newsletter with cartoons, writings, events, webinars, training, humor and whiteboards.
