PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Phishing Your Employees: 3 Essential Tips

Phishing Training

A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce.  Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective. 1. Be careful about data collection and discipline Think about the data […]

PCI Training: Reducing the Risk of Phishing Attacks

PCI Training Payment Card Data Risks

The Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks.  Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS).  One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, […]

Start with Security: The FTC’s Data Security Guidance

Recently, the FTC issued a short guide to what organizations can do to protect data security.  It is called Start with Security  (HTML) — a PDF version is here.  This document provides a very clear and straightforward discussion of 10 good information security measures.  It uses examples from FTC cases.

Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents

By Daniel J. Solove Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law. “HIPAA?” the doctors will ask. “Yes, HIPAA,” I confess. And then the doctor’s face turns grim.  At first, it looks like the face of a doctor about […]

5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham

Over at Fierce IT Security, Professor Woodrow Hartzog and I have a new essay, 5 Things the FTC Should Do to Improve Data Security in the Wake of Wyndham.  The piece discusses some enforcement strategies we believe the FTC should use to maximize its effectiveness in improving data security.  Our suggestions include: Do more proactive […]

The FTC Has the Authority to Enforce Data Security: FTC v. Wyndham Worldwide Corp.

by Daniel J. Solove The U.S. Court of Appeals for the 3rd Circuit just affirmed the district court decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd. Cir. Aug. 24, 2015).  The case involves a challenge by Wyndham to an Federal Trade Commission (FTC) enforcement action emerging out of data breaches at the Wyndham. […]

Should the FTC Kill the Password? The Case for Better Authentication

Co-authored by Professor Woodrow Hartzog. Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being […]

Understanding the FTC on Privacy and Security

Privacy Training Blog FTC

by Daniel J. Solove I recently held a webinar about the Federal Trade Commission (FTC) for TRUSTe called Understanding the FTC on Privacy and Security.   The webinar is free and is archived at TRUSTe’s site. Here is a brief synopsis of the webinar: For the past nearly two decades, the FTC has risen to […]

OPM Data Breach Fallout, Fingerprints, and Other Privacy + Security Updates

By Daniel J. Solove Co-authored by Professor Paul Schwartz This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here. We cover health issues in a separate post. News […]

Security Experts Critique Government Backdoor Access to Encrypted Data

by Daniel J. Solove In a recent report (link no longer available), MIT security experts critiqued calls by government law enforcement for backdoor access to encrypted information.  As the experts aptly stated: “Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure […]