All posts in Data Security

Did the LabMD Case Weaken the FTC’s Approach to Data Security?

Daniel Solove
Founder of TeachPrivacy

Federal Trade Commission - Washington, DC

Co-Authored by Prof. Woodrow Hartzog

On Wednesday, the U.S. Court of Appeals for the 11th Circuit issued its long-awaited decision in LabMD’s challenge to an FTC enforcement action: LabMD, Inc. v. Federal Trade Commission (11th Cir. June 6, 2018). While there is some concern that the opinion will undermine the FTC’s power to enforce Section 5 for privacy and security issues, the opinion actually is quite narrow and is far from crippling.

While the LabMD opinion likely does have important implications for how the FTC will go about enforcing reasonable data security requirements, we think the opinion still allows the FTC to continue to build upon a coherent body of privacy and security complaints in an incremental way similar to how the common law develops. See Solove and Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014).

Continue Reading

Cartoon: Devils of Data Security

Daniel Solove
Founder of TeachPrivacy

Cartoon Devils of Security - TeachPrivacy Security Awareness Training 02 medium

I hope you enjoy my latest cartoon about data security — a twist on the angel on one shoulder and devil on the other.  Humans are the weakest link for data security.  Attempts to control people with surveillance or lots of technological restrictions often backfire.  I believe that the most effective solution is to train people.  It’s not perfect, but if training is done right, it can make a meaningful difference.

Continue Reading

Artificial Intelligence, Big Data, and Humanity’s Future: An Interview with Evan Selinger

Daniel Solove
Founder of TeachPrivacy

Re engineering Humanity

Recently published by Cambridge University Press, Re-Engineering Humanity explores how artificial intelligence, automated decisionmaking, the increasing use of Big Data are shaping the future of humanity. This excellent interdisciplinary book is co-authored by Professors Evan Selinger and Brett Frischmann, and it critically examines three interrelated questions. Under what circumstances can using technology make us more like simple machines than actualized human beings? Why does the diminution of our human potential matter? What will it take to build a high-tech future that human beings can flourish in?  This is a book that will make you think about technology in a new and provocative way.

Continue Reading

Cartoon: Dark Web

Daniel Solove
Founder of TeachPrivacy

Cartoon Dark Web - TeachPrivacy Security Training 03 medium

I hope you enjoy my latest cartoon about passwords on the Dark Web.  These days, it seems, login credentials and other personal data are routinely stocking the shelves of the Dark Web.  Last year, a hacker was peddling 117 million LinkedIn user email and passwords. And, late last year, researchers found a file with 1.4 billion passwords for sale on the Dark Web. Hackers will have happy shopping for a long time.

Continue Reading

In re Zappos: The 9th Circuit Recognizes Data Breach Harm

Daniel Solove
Founder of TeachPrivacy

Data Breach Harm and Standing: Increased Risk of Future Harm

In In re Zappos.com, Inc., Customer Data Security Breach Litigation (9th Cir., Mar. 8, 2018), the U.S. Court of Appeals for the 9th Circuit issued a decision that represents a more expansive way to understand data security harm.  The case arises out of a breach where hackers stole personal data on 24 million+ individuals.  Although some plaintiffs alleged they suffered identity theft as a result of the breach, other plaintiffs did not.  The district court held that the plaintiffs that hadn’t yet suffered an identity theft lacked standing.

Standing is a requirement in federal court that plaintiffs must allege that they have suffered an “injury in fact” — an injury that is concrete, particularized, and actual or imminent.  If plaintiffs lack standing, their case is dismissed and can’t proceed.  For a long time, most litigation arising out of data breaches was dismissed for lack of standing because courts held that plaintiffs whose data was compromised in a breach didn’t suffer any harm.  Clapper v. Amnesty International USA, 568 U.S. 398 (2013).  In that case,  the Supreme Court held that the plaintiffs couldn’t prove for certain that they were under surveillance.  The Court concluded that the plaintiffs were merely speculating about future possible harm.

Early on, most courts rejected standing in data breach cases.  A few courts resisted this trend, including the 9th Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).  There, the court held that an increased future risk of harm could be sufficient to establish standing.

Continue Reading

Breach Notification Laws Now in All 50 States

Daniel Solove
Founder of TeachPrivacy

Data Breach Notification - TeachPrivacy Security Training

Recently, South Dakota and Alabama passed data breach notification laws.  These were the last two states to pass such laws, and now all 50 states have breach notification laws.  There’s also a federal breach notification requirement under HIPAA (passed with the HITECH Act of 2009).

In 2003, California passed the first data breach notification law.  The law didn’t get a lot of attention until the ChoicePoint data breach was announced in 2005.  That breach attracted national media attention largely because people started receiving notification letters in the mail.  Other states started to follow California’s lead, passing their own breach notification laws.  Now, just 15 years later, a milestone has been reached with all 50 states having breach notification laws.   Washington, DC also has a breach notification law.

There still is no omnibus federal breach notification statute — just the requirement for health data (protected health information) under HIPAA.  Other countries have started to jump on the notification bandwagon.  Canada will have a breach notification requirement starting on November 1, 2018.  In the EU, the GDPR has a breach notification requirement.

I have mixed feelings about breach notification laws.  On the pro side, they have shed a lot of light on data breaches, which used to remain hushed up.  The bright light has shown us just how woeful the state of data security is.  Individuals have learned a lot from the process as well, including how often their data is affected.

But on the con side, breach notification laws are a great expense to comply with, amounting to a de facto strict liability fine on organizations that suffer a breach.  The expense is the same no matter whether a company was careful, negligent, or even reckless with regard to its data security.  But the most problematic thing about breach notification laws is that they have put so much focus on breach response when so many other dimensions of data security are being neglected.  Many policymakers have looked to breach notification as the primary policy response to the problem of data security, but breach notification alone is far from a solution.

Professor Woodrow Hartzog and I are currently working on a book that will explore these issues, so please stay tuned.

Continue Reading

Risk and Anxiety: A Theory of Data Breach Harms

Daniel Solove
Founder of TeachPrivacy

Risk and Anxiety Theory of Data Breach Harms

My new article was just published: Risk and Anxiety: A Theory of Data Breach Harms,  96 Texas Law Review 737 (2018).  I co-authored the piece with Professor Danielle Keats Citron.  We argue that the issue of harm needs a serious rethinking. Courts are too quick to conclude that data breaches don’t create harm.  There are two key dimensions to data breach harm — risk and anxiety — both of which have been an area of struggle for courts.

Many courts find that anything involving risk is too difficult to measure and not concrete enough to constitute actual injury. Yet, outside of the world of the judiciary, other fields and industries have recognized risk as something concrete. Today, risk is readily quantified, addressed, and factored into countless decisions of great importance. As we note in the article: “Ironically, the very companies being sued for data breaches make high-stakes decisions about cyber security based upon an analysis of risk.” Despite the challenges of addressing risk, courts in other areas of law have done just that. These bodies of law are oddly ignored in data breach cases.

When it comes to anxiety — the emotional distress people might feel based upon a breach — courts often quickly dismiss it by noting that emotional distress alone is too vague and unsupportable in proof to be recognized as harm. Yet in other areas of law, emotional distress alone is sufficient to establish harm. In many cases, this fact is so well-settled that harm is rarely an issue in dispute.

We aim to provide greater coherence to this troubled body of law.   We work our way through a series of examples — various types of data breach — and discuss whether harm should be recognized. We don’t think harm should be recognized in all instances, but there are many situations where we would find harm where the majority of courts today would not.

The article can be downloaded for free on SSRN.

Here’s the abstract:

Continue Reading

The Funniest Hacker Stock Photos 4.0: The Future of Hacking

Daniel Solove
Founder of TeachPrivacy

robot hacker working with computer notebook

It’s time for another installment of the funniest hacker stock photos.  Because I create information security awareness training (and HIPAA security training too), I’m always in the hunt for hacker photos.

For this round, I focus on the future of hacking, so I looked closely for hacker stock photos that depicted the most state-of-the-art hacking techniques as well as a glimpse into the future.

If you’re interested in the previous posts in this series see:
The Funniest Hacker Stock Photos 3.0
The Funniest Hacker Stock Photos 2.0
The Funniest Hacker Stock Photos 1.0

Here are this year’s pictures.  Enjoy!

 

Hacker Stock Photo #1

Hacker

This guy might be one of the creepiest hackers I’ve ever seen.

And, he’s part of a new Las Vegas musical act called “Hacker Man Group”

Hacker

 

Hacker Stock Photo #2

Hacker

I am quite confused about why this hacker needs a magnifying glass if he’s wearing a virtual reality headset.   How does he even see the magnifying glass?  I guess this is a twist on The Matrix, as he appears to have the powers to warp time and space.

Continue Reading

Data Security Is Worsening: 2017 Was the Worst Year Yet

Daniel Solove
Founder of TeachPrivacy

Every year, we hear about how climate change is worsening. It seems the same story is happening with data security. Last year was the worst year in recorded data breach history. More than 5,200 breaches were reported in 2017, with more than 7.8 billion records compromised. By comparison, there are 7.6 billion people on Earth, so 2017 saw the number of records compromised surpass the total world population. Previously, 2016 was the record-holder with 6.3 billion records compromised. Are there any records left that haven’t been compromised?

Major breaches and security incidents included the enormous Equifax breach of 145 million records, the Uber breach, and the NSA leaked tools, which spawned WannaCry and other niceties. Click here for a collection of summaries of some of the more notable breaches of 2017.

Continue Reading

My Privacy and Security Scholarship in 2017

Daniel Solove
Founder of TeachPrivacy

Scholarship about Privacy and Security

In this post, I provide a brief overview of my scholarship last year.

Risk and Anxiety: A Theory of Data Breach Harms 

I co-authored  Risk and Anxiety: A Theory of Data Breach Harms with Professor Daniel Keats Citron.  The piece is forthcoming in Texas Law Review this year.  Even though there continues to be a steady flow of data breaches, there remains significant confusion in the courts around the issue of harm. Courts struggle with data breach harms because they are intangible, risk-oriented, and diffuse.  Professor Citron and I argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?”  We provide examples of different types of data breaches and discuss whether harm should be recognized. We argue that there are many instances where we would find harm that the majority of courts today would not.

Download Risk and Anxiety: A Theory of Data Breach Harms for free

Continue Reading