This cartoon depicts something that happens far too often with HIPAA — HIPAA is used as an excuse not to do something (such as make disclosures or provide access to records in ways that patients request) even though HIPAA doesn’t have such a restriction. This is often done out of a lack of knowledge about […]
Over at Lawfare, I have an essay co-authored by Chris Hoofnagle and Woodrow Hartzog called The FTC Can Rise to the Privacy Challenge, but Not Without Help From Congress. This piece is also posted at the Brooking Institution’s TechTank. The essay begins: Facebook’s recent settlement with the Federal Trade Commission (FTC) has reignited debate over whether the […]
This cartoon is about evolution of data breaches, which began to grab headlines back in 2005, thanks in large part to California’s data breach notification law — the first of such laws. Since that time, every state has passed breach notification laws, and there are breach notification laws sprouting up around the world. Every day, […]
I’m thrilled that, the American Law Institute (ALI) has approved the Principles of the Law, Data Privacy. Professor Paul Schwartz and I were co-reporters on the project. According to the ALI press release: “The Principles seek to provide a set of best practices for entities that collect and control data concerning individuals and guidance for […]
I had the opportunity to interview Mark Singer and Raf Sanchez, both at Beazley, about the issue of profiling and the GDPR. Mark Singer is a member of the Cyber & Executive Risk Group at Beazley. Mark handles insurance coverage issues arising out of cybersecurity, technology errors and omissions, data privacy, intellectual property, media and advertising liabilities. Raf […]
This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs). The GDPR Article 15 provides for DSARs. The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal data collected and shared about them over the past 12 months. For more background about […]
Quietly, at the end of April, HIPAA was significantly weakened. HHS published what sounds like an innocuous notification in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties. This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines. The existing penalty structure under HIPAA […]
This privacy cartoon is about data minimization, a principle embodied in many privacy laws. Under the data minimization principle, organizations are to collect, process, or share only the minimum necessary personal data to achieve their purpose. There’s a lot of hat tipping to data minimization, but this principle is often not followed enough. Far too […]
I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have. Going through this list can help to assess how complete a privacy law is. For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data […]
These days, there seems to be a lot of energy around a federal comprehensive privacy law in the United States. When the US Congress started passing privacy laws in the 1970s, 80s, and 90s, it eschewed the route of passing a comprehensive privacy law, opting instead for the sectoral approach — passing a series of […]