What Google Must Forget: The EU Ruling on the Right to Be Forgotten

Daniel Solove
Founder of TeachPrivacy

 

google right to be forgotten blog 1

by Daniel J. Solove

In a momentous decision, the EU Court of Justice has ruled in favor of a Spanish man who sought to have links to his personal data removed from Google search results. Under what has become known as the “right to be forgotten,” EU citizens have a right to the deletion of certain personal data under the EU Data Protection Directive.

The EU Court of Justice has concluded that “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”

Continue Reading

6 Lessons from the Costliest HIPAA Settlement to Date

Daniel Solove
Founder of TeachPrivacy

Costliest HIPAA Settlement blog 1

by Daniel J. Solove

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the costliest HIPAA settlement to date — a $4.8 million settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU). The case involved the disclosure of protected health information on the Internet. Here are some lessons from this latest case:

Continue Reading

Snapchat and FTC Privacy and Security Consent Orders

Daniel Solove
Founder of TeachPrivacy

snapchat and ftc blog 1

by Daniel J. Solove

Co-authored by Woodrow Hartzog

snapchat and ftc blog 2

The Federal Trade Commission (FTC) recently entered into a consent order with the media service Snapchat for not living up to its promises about how it maintains the privacy and security of user’s data. The FTC order prohibits Snapchat from “misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information” and requires the company “to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.”

Continue Reading

Big Data and Our Children’s Future: On Reforming FERPA

Daniel Solove
Founder of TeachPrivacy

Double check

by Daniel J. Solove

Last week, the White House released its report, Big Data: Seizing Opportunities, Preserving Values. My reaction to it is mixed. The report mentions some concerns about privacy with Big Data and suggests some reforms, but everything is stated so mildly, in a way designed to please everyone. The report is painted in pastels; it finesses the hard issues and leaves specifics for another day. So it is a step forward, which is good, but it is a very small step, like a child on a beach reluctantly dipping a toe into ocean.

Continue Reading

Why Did inBloom Die? A Hard Lesson About Education Privacy

Daniel Solove
Founder of TeachPrivacy

in bloom blog 1

by Daniel J. Solove

For any organization who doesn’t take privacy seriously, the demise of inBoom should be a loud wake up call. Funded by $100 million from the Gates Foundation, inBloom was a non-profit organization aiming to store student data so that school officials and teachers could use it to learn about their students and how to more effectively teach them and improve their performance in school. Who would have thought that a project with so much funding and promise would be shutting down just a few years after its creation? What went wrong?

Continue Reading

Our Privacy and Data Security Depend Upon Contracts Between Organizations

Daniel Solove
Founder of TeachPrivacy

contracts between organizations blog 1

by Daniel J. Solove

Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider.

In many cases, these contracts fail to contain key protections of data. For example, a study conducted by Fordham School of Law’s Center on Law and Information Policy revealed that contracts between K-12 school districts and cloud service providers lacked essential terms for the protection of student data. I blogged about this study previously here.

Continue Reading

The Future of Global Privacy: Conflict or Harmony?

Daniel Solove
Founder of TeachPrivacy

future of global privacy blog 1

by Daniel J. Solove

I recently had the opportunity to interview Christopher Kuner, Senior Of Counsel with Wilson Sonsini Goodrich & Rosati in Brussels. He is also an Honorary Professor at the University of Copenhagen, a visiting fellow at the London School of Economics, and teaches at the University of Cambridge. He is editor-in-chief of the law journal International Data Privacy Law, and has been active in international organizations such as the Council of Europe, the OECD, and UNCITRAL. His book entitled “Transborder Data Flows and Data Privacy Law” was published in 2013 by Oxford University Press. More information is available at his personal web site.

Continue Reading

5 Key Quotes from the FTC v. Wyndham Decision on Data Security

Daniel Solove
Founder of TeachPrivacy

5 key points ftc wyndham blog 1

by Daniel J. Solove

This post was co-authored by Professor Woodrow Hartzog.

The long-awaited federal district court opinion in FTC v. Wyndham was finally released last week. The U.S. District Court for the District of New Jersey rejected Wyndham’s arguments that the FTC lacks the authority to regulate unfair data security practices, that the FTC is required to issues rules before bringing an unfair data security complaint, and that the FTC failed to provide fair notice of what constitutes an unfair data security practice.

I blogged about the case here last week.

Continue Reading

Heartbleed: A Data Security Bug of Titanic Proportions that Affects Most of the Internet and that Will Have Enormous Implications

Daniel Solove
Founder of TeachPrivacy

heartbleed blog 1

by Daniel J. Solove

It sounds like a late April Fool’s joke, but it isn’t. Heartbleed, a data security bug in Open SSL, allows hackers to access personal data and encryption keys. This vulnerability has existed for 2+ years, and there is no way to know if your data has been compromised. And the majority of websites that encrypt use OpenSSL, such as the most popular banking and retail sites. This is a security flaw of titanic proportions. According to CNN: “Researchers discovered the issue last week and published their findings on Monday, but said the problem has been present for more than two years, since March 2012. Any communications that took place over SSL in the past two years could have been subject to malicious eavesdropping.”

Continue Reading

One of the Most Important Data Security Cases Was Just Decided: FTC v. Wyndham

Daniel Solove
Founder of TeachPrivacy

ftc wyndham blog post

by Daniel J. Solove

The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and yesterday, it finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Continue Reading

Waking Up the C-Suite to Privacy and Security Risks

Daniel Solove
Founder of TeachPrivacy

waking up the c suite

by Daniel J. Solove

I was recently interviewed in the Journal of AHIMA on how the C-suite is waking up to the new realities of privacy and data security risks. Before the HITECH Act in 2009, HIPAA enforcement was based on a cooperative model where HHS was not punitive in its approach. Now, big fines are being issued. There is auditing. The climate has changed.

Privacy and security risks are quite costly. This is true not just under HIPAA, but also as a general matter. At many organizations, the C-Suite doesn’t fully appreciate the magnitude of the risk. Back about 10 years ago, for many organizations, privacy and security risks were barely on the radar. Now they are recognized for many organizations, but the significance of the risk is often not fully understood or appreciated.

Continue Reading

The Battle for Leadership in Education Privacy Law: Will California Seize the Throne?

Daniel Solove
Founder of TeachPrivacy

Blank chalkboard and stack of books

by Daniel J. Solove

This post was co-authored by Professor Paul Schwartz, Berkeley Law School.

Education was one of the first areas where privacy was regulated by a federal statute. Passed in the early 1970s, the Family Educational Rights and Privacy Act (FERPA) was on the frontier of federal privacy regulation. But now it is old and ineffective. With the growing public concern about the privacy of student data, states are starting to rev up their engines and become more involved. The result could be game-changing legislation for the multi-billion dollar education technology industry.

Continue Reading

5 Things School Officials Must Know About Privacy

Daniel Solove
Founder of TeachPrivacy

schools must know blog 1

by Daniel J. Solove

I have produced a new short video for the newly-launched education privacy website of SafeGov. The site is called edu.SafeGov.org, and it contains a wonderful array of resources for parents, school officials, and policymakers regarding education privacy issues.

Continue Reading

Privacy by Design with Passion and Pizazz: A Review of The Privacy Engineer’s Manifesto

Daniel Solove
Founder of TeachPrivacy

C

by Daniel J. Solove

I was fortunate to pick up a copy of The Privacy Engineer’s Manifesto, a new book by Michelle Finneran Dennedy, Jonathan Fox, and Thomas Finneran.

I’ve read a lot of practical “how to” stuff about privacy before that’s vague and not very specific, but this book is so refreshingly detailed, has great depth, and is concrete. It’s a real achievement, and a book that deserves attention.

Continue Reading

Duties When Contracting with Data Service Providers

Daniel Solove
Founder of TeachPrivacy

data services blog 1

by Daniel J. Solove

In the world of data protection, it’s an old story: Personal data gets shared with a third party data service provider, and then something goes wrong at the provider.

Whose fault is it? The organization that shared the personal data with the vendor certainly has responsibility, as organizations are generally responsible for the actions of their independent contractors. But even though an organization might have to pick up the tab, it can still put all the blame on the vendor.

Continue Reading

Is Data Security Awareness Training Effective?

Daniel Solove
Founder of TeachPrivacy

data security awareness blog 1

by Daniel J. Solove

A recent article in CIO explores the question: Is data security awareness training effective?

The answer: Yes.

The article points to an ISACA study that seeks to measure the effectiveness of data security awareness training. The study concludes: “Security awareness training is a vital nontechnical component to information security. As such, it is in the interest of the public and private sectors to continue to research this component that directly impacts security’s weakest link: humans.”

Continue Reading

10 Reasons Why Privacy Matters

Daniel Solove
Founder of TeachPrivacy

why privacy matters 1

by Daniel J. Solove

Why does privacy matter? Often courts and commentators struggle to articulate why privacy is valuable. They see privacy violations as often slight annoyances. But privacy matters a lot more than that. Here are 10 reasons why privacy matters.

1. Limit on Power

Privacy is a limit on government power, as well as the power of private sector companies. The more someone knows about us, the more power they can have over us. Personal data is used to make very important decisions in our lives. Personal data can be used to affect our reputations; and it can be used to influence our decisions and shape our behavior. It can be used as a tool to exercise control over us. And in the wrong hands, personal data can be used to cause us great harm.

Continue Reading

Data Security Is an Art, Not Just a Science

Daniel Solove
Founder of TeachPrivacy

data security blog 1

by Daniel J. Solove

Far too often, the mandate for data security is simply to “secure it,” and people often think of data security as a set of clear choices. This is in contrast to privacy, which is understood as a set of muddy policy issues. But data security is, in fact, quite muddy itself.

Data security is about risk management. Data security measures can reduce the risk of having a data breach, but these measures have costs. These costs can be financial, but they also can involve efficiency, convenience, and the very culture of an organization.

Continue Reading

4 Points About the Target Breach and Data Security

Daniel Solove
Founder of TeachPrivacy

I

by Daniel J. Solove

There seems to be a surge in data security attacks lately. First came news of the Target attack. Then Neiman Marcus. Then the U.S Courts. Then Michael’s. Here are four points to consider about data security:

1. Beware of fraudsters engaging in post-breach fraud.

After the Target breach, fraudsters sent out fake emails purporting to be from Target about the breach and trying to trick people into providing personal data. It can be hard to distinguish the real email from an organization having a data breach from a fake one by fraudsters. People are more likely to fall prey to a phishing scheme because they are anxious and want to take steps to protect themselves. Post-breach trickery is now a growing technique of fraudsters, and people must be educated about it and be on guard.

Continue Reading

The Year in Privacy 2013 and the Year to Come

Daniel Solove
Founder of TeachPrivacy

high-tech technology background with eyes on computer display

by Daniel J. Solove

2013 was a remarkable year in privacy developments. Here are four main trends I saw occurring this year:

1. The heat on the NSA for its broad surveillance programs has been sustained and productive.

The Edward Snowden leaks revealed massive NSA surveillance efforts. What is most interesting in the aftermath of the recent NSA surveillance revelations has been the strong public disapproval of the NSA surveillance and courts finally taking some leadership on the issue, such as one court declaring the surveillance likely unconstitutional. The President’s Review Group on Intelligence and Communications Technologies recommended curbs on the NSA. Congress has yet to show leadership on the issue, which remains disappointing, but we are finally seeing the stirrings of a response and perhaps change. Indeed, 56% of people in a Pew poll “say that federal courts fail to provide adequate limits on the telephone and internet data the government is collecting.”

Moreover, the story regarding NSA surveillance keeps going on. It hasn’t faded. The overall trend is that there is now sustained heat on the NSA and a sustained stirring for changing the law to provide greater oversight and controls on government surveillance.

Continue Reading

NSA Metadata Surveillance and the Fourth Amendment

Daniel Solove
Founder of TeachPrivacy

metadata

by Daniel J. Solove

A U.S. District Court recently held that the NSA surveillance of telephone metadata likely violates the Fourth Amendment. The case is Klayman v. Obama.

The NSA surveillance program involves an incredibly broad gathering of metadata about people’s conversations. Metadata doesn’t include the conversations themselves, just data about when and to whom they are made — i.e., not the content of the phone conversations but the phone numbers of the people having the conversations.

The key Fourth Amendment case at issue is Smith v. Maryland, 442 U.S. 745 (1979), which held that a pen register device capturing the phone numbers a person dialed wasn’t protected by the Fourth Amendment partly because the phone company had access to the phone numbers and partly because phone numbers weren’t viewed to be as sensitive as the phone conversations themselves.

Continue Reading

Why Schools Are Flunking Privacy and How They Can Improve

Daniel Solove
Founder of TeachPrivacy

pixel cloud network icon computer

by Daniel J. Solove

Fordham School of Law’s Center on Law and Information Policy (CLIP), headed by Joel Reidenberg, has released an eye-opening and sobering study of how public schools are handling privacy issues with regard to cloud computing. The study is called Privacy and Cloud Computing in Public Schools, and it is well worth a read.

Continue Reading

Why Metadata Matters: The NSA and the Future of Privacy

Daniel Solove
Founder of TeachPrivacy

metadata pic blog 1

 by Daniel J. Solove

Over at Slate, Dahlia Lithwick and Steve Vladeck have a great piece about why “metadata” matters. It is very much worth reading. Here are some of my thoughts on the matter.

Several National Security Agency (NSA) surveillance programs involve gathering metadata about our communications (the numbers we call or the email addresses we email). This data is distinguished from the content of the communications, which is understood to be more sensitive and important. Sometimes, metadata is referred to as “envelope” information because it is akin to an envelope we send a letter in – and the letter itself is the “content” information.

Is the envelope information really that sensitive? “Nobody is listening to your telephone calls,” President Obama declared. Intelligence agencies are “looking at phone numbers and durations of calls; they are not looking at people’s names, and they’re not looking at content.” So should we breathe easier?

The answer is no. There are several reasons why the privacy of metadata matters tremendously.

Continue Reading

Privacy and Data Security in Higher Education

Daniel Solove
Founder of TeachPrivacy

Computer work

by Daniel J. Solove

I was recently interviewed in HR Horizons, the magazine of the National Association of College and University Business Officers (NACUBO) on the topic of privacy and data security in higher education. Here are a few excerpts:

What is the difference between data security and data privacy, and what risks do each pose for a college or university?

Data security involves everything you need to know and do to secure the data you have and produce. This includes technical safeguards you should have in place such as firewalls, virus protection, and password controls. It includes processes for monitoring access to data. And it also includes physical controls, such as policies for data destruction like document-shredding programs. Data security officers most often have a technical background and operate from within the IT unit of a university.

Continue Reading

Is Privacy Law Constitutional? Is Personal Data Speech?

Daniel Solove
Founder of TeachPrivacy

blog-constitutional-1by Daniel J. Solove

Professor Neil M. Richards (Washington University School of Law) has posted a draft chapter of his forthcoming book about privacy law and free speech. It is a fascinating piece — very accessible and engaging. It’s called Why Data Privacy Law is (Mostly) Constitutional.

Eyebrows were raised a few years ago when the U.S. Supreme Court struck down a privacy statute in Sorrell v. IMS Health, Inc., 131 S.Ct. 2653 (2011). A Vermont statue restricted pharmacies from disclosing personal data for marketing purposes and barred pharmaceutical companies from using personal data for marketing without people’s consent. The Supreme Court held that the statute violated the First Amendment because it singled out particular content and particular speakers.

Does this mean that most privacy laws have a problem with the First Amendment right to free speech? After all, privacy laws mandate restrictions on uses and disclosures of personal data.

Continue Reading

Data Security: The Greatest Threat Is Internal

Daniel Solove
Founder of TeachPrivacy

Virus in program code

by Daniel J. Solove

A PC World article discusses a new study by Forrester that reveals that internal threats are the “leading cause” of data breaches. The survey involved companies in Canada, France, Germany, the UK, and the US. The study revealed that 36% of breaches involve “inadvertent misuse of data by employees.”

According to the article, the study also indicated that “only 42 percent of the North American and European small and midsize business workforce surveyed had received training on how to remain secure at work, while only 57 percent say that they’re even aware of their organization’s current security policies.” The article quotes Heidi Shey, the study’s author, who says: “People don’t know what they don’t know. You’ve got to give them some kind of guidance and guard rails to work with.”

Continue Reading

A List of Privacy Training and Data Security Training Requirements in Laws, Regulations, and Industry Codes

Daniel Solove
Founder of TeachPrivacy

Privacy Writing 04by Daniel J. Solove

I was recently asked whether I had a list of the various laws, regulations, and industry codes that require privacy and/or data security training.  I know about a number of training requirements, but didn’t have a formal list.  I realized that such a list would be useful, so I created one with the help of Joe Newman, a former student who now does some work for my company. 

The PDF is here.  It provides information about each requirement, citations, and quotations of the relevant provisions.  Below is a summary.   If there are any training requirements we missed, please let me know.

Continue Reading

The FTC and the New Common Law of Privacy

Daniel Solove
Founder of TeachPrivacy

Bby Daniel J. Solove

I recently posted a draft of my new article, The FTC and the New Common Law of Privacy (with Professor Woodrow Hartzog).

You can download it for free on SSRN.

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort.

Continue Reading

The Stunning Need for Improvement on Mobile and Cloud Risks

Daniel Solove
Founder of TeachPrivacy

Cloud and Mobile 02by Daniel J. Solove

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud*, reveals a stunning need for improvement on managing the risks of mobile devices and cloud computing services. The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others. The results are quite startling.

The study concluded that “the greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.

Continue Reading

HIPAA Turns 10: Analyzing the Past, Present, and Future Impact

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

In the April issue of the Journal of AHIMA, I authored two short pieces about HIPAA:

HIPAA Turns 10: Analyzing the Past, Present, and Future Impact
84 Journal of AHIMA 22 (April 2013)

HIPAA Mighty and Flawed: Regulation has Wide-Reaching Impact on the Healthcare
Industry
84 Journal of AHIMA 30 (April 2013)

The first piece provides an overview of HIPAA and its evolution. The second involves an analysis of HIPAA’s strengths and weaknesses. Overall, I find HIPAA to be one of the most effective privacy regulatory regimes.  HIPAA is very effective in large part because it requires privacy and security officials who have responsibility over these issues.  These officials develop policies and procedures, perform assessments, and provide HIPAA training to employees, among other things. Privacy laws are not self-executing, and enforcement agencies have limited enforcement resources. The effectiveness of the law depends upon each organization taking compliance seriously, and this starts with a governance structure, awareness training, and things that create a culture of compliance.  Many other privacy laws don’t realize this, and fail to include the robust governance components of HIPAA.

The entire issue is here. Copyright belongs to Journal of AHIMA.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics.  

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter

Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security

Higher Education Needs Privacy Officers and Privacy/Security Training

Daniel Solove
Founder of TeachPrivacy

Climbing Vines of Ivyby Daniel J. Solove

In 2007, Seung Cho, a student at Virginia Tech, killed 32 students and faculty and wounded 17. He then committed suicide.

One of the most troublesome things about this incident was that it might have been prevented if school officials and employees had a better grasp of privacy law. Appointed by the state governor, the Virginia Tech Review Panel issued an extensive report revealing that several University officials and employees knew about Cho’s mental instability but failed to share what they knew with each other. And nobody ever told Cho’s parents about his problems, his stalking of a female student, and his dark writings and erratic behavior. Cho’s parents said that if they had known, they would have taken him home and made him go to therapy. This is what they did when Cho had problems in high school.

Continue Reading

Employers and Schools that Demand Account Passwords and the Future of Cloud Privacy

Daniel Solove
Founder of TeachPrivacy

Passwords 01by Daniel J. Solove

In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.

I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.

Continue Reading

New Privacy Training Programs: US, EU, and Global Privacy Law

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

We have launched several new privacy training programs, including a series with brief introductions to privacy law.  We have completed a privacy training program about US Privacy Law with a video and interactive material / quiz questions.  And we just completed a training program about EU Privacy Law.  This program has a 7.5 minute video (as well as an abridged version at 4.5 minutes), and there’s a separate excerpt on the Safe Harbor Arrangement for those who only want to cover Safe Harbor in their training programs.

These programs are illustrated-as-I-talk.  You can preview the European Union Privacy Law video.

Coming soon: Global Privacy Law, which will focus heavily on the OECD Privacy Guidelines and  the APEC Privacy Framework.

European Union Privacy Training

 

 

New Financial Privacy Training Programs

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

We have begun producing a new program series about financial privacy.  The first two programs are completed.

The first part is an overview video that discusses the importance of financial privacy and the various laws and regulations that regulate.  These laws and regulations are discussed very broadly.  The video concludes with some key best practices for protecting financial data.  This video is made in a unique style — an animated piece of currency.

The second program focuses on the Gramm-Leach-Bliley Act (GLBA).  The video discusses the GLBA’s scope, notice, confidentiality, data sharing, and security.  The video also explains why protecting the privacy and security of financial data is important.

Gramm-Leach-Bliley Act Privacy Training GLBA

There are interactive materials and quiz questions to accompany the video.

Privacy Self-Management and the Consent Dilemma

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

I’m pleased to share with you my new article in Harvard Law Review entitled Privacy Self-Management and the Consent Dilemma, 126 Harvard Law Review 1880 (2013). You can download it for free on SSRN. This is a short piece (24 pages) so you can read it in one sitting.

Here are some key points in the Article:

Continue Reading

Privacy and Security Training: Why Train? What Is Effective?

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

I recently presented at the ABA Antitrust Spring Meeting about privacy and data security training on a panel called “Compliance Tools for In-House Chief Privacy Officers.” I discussed why all organizations should have privacy training and what makes privacy training effective. I thought I’d share with you the gist of my talk.

Why Train?

The short answer – an ounce of prevention is worth a pound of cure. Privacy and security incidents can leave gaping wounds, and training can reduce the risk.

Continue Reading

The HIPAA-HITECH Regulation, the Cloud, and Beyond

Daniel Solove
Founder of TeachPrivacy

HIPAA HITECH Privacy Trainingby Daniel J. Solove

The new HIPAA-HITECH regulation is here. Officially titled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” this new regulation modifies HIPAA in accordance with the changes mandated by the HITECH Act of 2009. After years of waiting and many false alarms that the regulation was going to be released imminently, prompting joking references to Samuel Beckett’s play Waiting for Godot, HHS unleashed 563 pages upon the world. According to Office for Civil Rights (OCR) director Leon Rodriguez, the rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” I agree with his dramatic characterization of the regulation, for it makes some very big changes and very important ones too.

Continue Reading

Final HIPAA-HITECH Regulation

Daniel Solove
Founder of TeachPrivacy

posted by Daniel J. Solove

The final HIPAA-HITECH regulation is finally out!  Clocking in at 563 pages long, the regulation, which is entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” will be published in the Federal Register on January 25, 2013.  You can download the PDF of the pre-publication version here.

New Privacy by Design Training Video

Daniel Solove
Founder of TeachPrivacy

I recently created this 2-minute comical cartoon vignette to teach about the importance of privacy and apps.  Far too often, apps are not designed with privacy in mind, and people install apps without considering the privacy implications.

More About Apps and Privacy

FPF & CDT, Best Practices for Mobile App Developers

Pew Internet Survey, Privacy and Data Management on Mobile Devices

TRUSTe, Get a Privacy Policy for Your Mobile App

FTC, Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing

New York Times Bits Blog, Consumers Say No to Mobile Apps That Grab Too Much Data

Washington Post Post Tech Blog, App Developers, Privacy Advocates Work Out Suggestions for Policy Disclosure

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics.  This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter

Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security

Educational Institutions and Cloud Computing: A Roadmap of Responsibilities

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

Increasingly, educational institutions and state entities handling student data are hiring outside companies to perform cloud computing functions related to managing personal information.

The benefits of cloud computing are that outside entities might be more sophisticated at managing personal data. These entities may be able to manage data more inexpensively and effectively than the educational institution could do itself. In many cases, cloud computing providers can provide better security than the educational institutions can.

Continue Reading

Employer Social Media Policies: A Brave New World

Daniel Solove
Founder of TeachPrivacy

Posted by Daniel J. Solove

Social Media Policies and TrainingThe frequent use of social media by employees has created a new domain of risk for employers – employees who reveal confidential or sensitive information or who otherwise say things that damage their institution’s reputation or create strife with their colleagues.

For example, in the healthcare context, in a number of widely-publicized incidents, employees revealed confidential information about patients on their blogs and social network profiles. For example, according to a Boston Globe story, an emergency room physician posted data online about the patient. The physician thought that it was safe to post about as long as she did not include the patient’s name. But others could identify the patient.  There are numerous recent cases where hospital staff have posted photos and other information about patients online.

Continue Reading

Do Young People Care About Privacy?

Daniel Solove
Founder of TeachPrivacy

Posted by Daniel J. Solove

A common argument I hear is that young people just don’t care about privacy.  If they cared about privacy, why would they share so much personal data on Facebook?  Why would they text so much?  Why would they be so cavalier about their privacy?  Privacy will be dead in a generation, the argument goes.

This argument is wrong for several reasons.  Studies show that young people do care about privacy.  A few years ago, a study by Chris Hoofnagle and others revealed that young people’s attitudes about privacy didn’t differ much from older people’s attitudes.   A more recent study sponsored by Microsoft found that “[p]rivacy and security rank as college students’ #1 concern about online activity.”

But what accounts for the behavior of sharing so much personal data online?  First, young people—especially teenagers—might not be thinking through the consequences of their actions.  It doesn’t mean they will never care about privacy; they might care about privacy at a point in the future.

Continue Reading

Data Security and the Human Factor: Training and Its Challenges

Daniel Solove
Founder of TeachPrivacy

Posted by Daniel J. Solove

According to a stat in SC Magazine, 90% of malware requires a human interaction to infect.  One of the biggest data security threats isn’t technical – it’s the human factor.  People click when they shouldn’t click, put data on portable devices when they shouldn’t, email sensitive information, and engage in a host of risky behaviors.  A lot of hacking doesn’t involve technical wizardry but is essentially con artistry.  I’m a fan of the ex-hacker Kevin Mitnick’s books where he relates some of his clever tricks.  He didn’t need to hack in order to get access to a computer system – he could trick people into readily telling him their passwords.

There have been a number of good recent articles on data security and data security training.  Robert O’Harrow, Jr.’s recent piece in the Washington Post discusses the human element to data security in his piece, “In Cyberattacks, Hacking Humans is Highly Effective Way to Access Systems.”  The article describes the increasing sophistication of phishing.  The old misspelled lottery scam emails are now your grandfather’s phishing.  Today’s phishing is more personalized – and much more likely to trick people.  According to O’Harrow’s article: “The explosive growth of cyberspace has created a fertile environment for hackers. Facing the flood of e-mail, instant messages and other digital communication, many people have a hard time judging whether notes or messages from friends, family or colleagues are real. Many don’t even try.”  O’Harrow goes on to note that “Hackers are so confident about such permissiveness that they sometimes begin their attacks in social media three or four steps removed from their actual targets. The hackers count on the malicious code spreading to the proper company or government agency — passed along in photos, documents or Web pages.”

Continue Reading

More Fun with the Airline Screening Playset: Body Imaging X-Ray Edition!

Daniel Solove
Founder of TeachPrivacy

Airline Screening Playset Playmobil Set 01

I’ve been following the recent controversy over the TSA’s body imaging X-ray machines, otherwise known as the “backscatter” or “exhibit-yourself-in-the-nude” devices.  It made me reminisce about an old post I wrote about the Playmobil airline screening playset.

Airline Screening Playset Playmobil Box 01

I had not used the playset for a while.  Five long years have elapsed since my post, and I had outgrown this toy and moved on to more advanced ones.  But this recent controversy made me regress. . . .

 

Airline Screening Playset Playmobil 03
Airline Screening Playset Playmobil 04 Continue Reading

The SeaWorld Killer Whale Death Video and the Right to Privacy

Daniel Solove
Founder of TeachPrivacy

Orca Sea World

ACLU vs. NSA: Standing to Challenge NSA Warrantless Wiretapping

Daniel Solove
Founder of TeachPrivacy

In ACLU v. NSA, –F.3d — (6th Cir. 2007), a panel from the 6th Circuit held that the ACLU and other plaintiffs lacked standing to challenge the Bush Administration’s warrantless wiretapping program conducted by the National Security Agency (NSA). NYT coverage is here. According to the sketchy details known about the program, the court noted, “it has been publicly acknowledged that the TSP [the Terrorist Surveillance Program, as it has now been named by the Administration] includes the interception (i.e., wiretapping), without warrants, of telephone and email communications, where one party to the communication is located outside the United States and the NSA has ‘a reasonable basis to conclude that one party to the communication is a member of al Qaeda, affiliated with al Qaeda, or a member of an organization affiliated with al Qaeda, or working in support of al Qaeda.”

The plaintiffs are “journalists, academics, and lawyers who regularly communicate with individuals located overseas, who the plaintiffs believe are the types of people the NSA suspects of being al Qaeda terrorists, affiliates, or supporters, and are therefore likely to be monitored under the TSP.” The plaintiffs claimed that the NSA wiretapping violated, among other things, the First Amendment, Fourth Amendment, and the Foreign Intelligence Surveillance Act (FISA).

According to Judge Batchelder’s opinion, the plaintiffs could not establish standing because they could not directly prove that they were subject to surveillance. One of the problems with the court’s reasoning is that there is little way for the plaintiffs to find out more specific information about whether particular plaintiffs’ phone calls have been wiretapped. As a result, the government can violate the plaintiffs’ First and Fourth Amendment rights with impunity if they cannot ever learn enough to gain standing to challenge the surveillance.

Continue Reading

The Washingtonienne Case and the Still-Very-Much-Alive Public Disclosure Tort

Daniel Solove
Founder of TeachPrivacy

Washingtonienne Case

Earlier this summer, I blogged about the Washingtonienne case. Recently law professor Andrew McClurg wrote a piece for the Washington Post about the case. He writes:

Cutler’s blog, written under the pseudonym Washingtonienne, was a daily diary of her sex life while working as a staffer for Sen. Mike DeWine (R-Ohio). It recounted, entertainingly and in considerable — sometimes embarrassing — detail, her ongoing relationships with six men, including [the] plaintiff. . . .

Although McClurg notes that the plaintiff “suffered a genuine wrong,” he also states that the law “appears to be against him” because he “does not allege that any of the statements about him are untrue.” McClurg notes that the plaintiff is suing under the public disclosure of private facts tort, which “provides a remedy when one publicizes private, embarrassing, non-newsworthy facts about a person in a manner that reasonable people would find highly offensive.” McClurg notes that “while Cutler’s actions may meet this standard, courts have long been hostile to such lawsuits because of a fear of inhibiting free speech.” McClurg continues:

In 1989 the court tossed out a lawsuit against a newspaper for publishing a rape victim’s name in violation of Florida law. While it stopped short of ruling that a state may never punish true speech, the test it adopted for when that can be done without violating the First Amendment is so stringent Justice Byron White lamented in dissent that the court had “obliterate[d]” the public disclosure tort.

Not so. Time after time the Supreme Court has explicitly carved out space for the public disclosure tort to exist. In the series of cases involving the First Amendment and privacy restrictions on true speech, the Court has always confined the First Amendment to speech about matters “of public significance.” The Court did this in Smith v. Daily Mail Pub. Co., 443 U.S. 97, 103 (1979) as well as its most recent case on the issue, Bartnicki v. Vopper, 532 U.S. 514 (2001), where the Court held that “privacy concerns give way when balanced against the interest in publishing matters of public importance.” Id. at 534.

Continue Reading

The Airline Screening Playset: Hours of Fun!

Daniel Solove
Founder of TeachPrivacy

Airline Screening Playset Playmobil Box 01After blogging a few weeks ago about the airline screening playset, I went ahead and ordered one.

Each day, I would check my mailbox, eager with excitement about its arrival. Today, it finally arrived. I rushed to open it and began what would be hours of exciting play. Here’s what came in the playset:

Airline Screening Playset Playmobil Set 01

I was a bit disappointed in the toy’s lack of realism. There was only one passenger to be screened. Where were the long lines? The passenger’s clothing wasn’t removable for strip searching. The passenger’s shoes couldn’t be removed either. Her luggage fit easily inside the X-ray machine. There were no silly warning signs not to carry guns or bombs onto the plane. And there was no No Fly List or Selectee List included in the playset.

Airline Screening Playset Playmobil Toy 01

Another oddity was that the toy came with two guns, one for the police officer and one that either belonged to the X-ray screener or the passenger. The luggage actually opened up, and the gun fit inside. I put it through the X-ray machine, and it went through undetected. Perhaps this is where the toy came closest to reality.

The biggest departure from reality was that the passenger had a cheery smile on her face.

Airline Screening Playset Playmobil Toy 02

Continue Reading