All posts in Privacy and Security

Cartoon: Devils of Data Security

Daniel Solove
Founder of TeachPrivacy

Cartoon Devils of Security - TeachPrivacy Security Awareness Training 02 medium

I hope you enjoy my latest cartoon about data security — a twist on the angel on one shoulder and devil on the other.  Humans are the weakest link for data security.  Attempts to control people with surveillance or lots of technological restrictions often backfire.  I believe that the most effective solution is to train people.  It’s not perfect, but if training is done right, it can make a meaningful difference.

Continue Reading

Artificial Intelligence, Big Data, and Humanity’s Future: An Interview with Evan Selinger

Daniel Solove
Founder of TeachPrivacy

Re engineering Humanity

Recently published by Cambridge University Press, Re-Engineering Humanity explores how artificial intelligence, automated decisionmaking, the increasing use of Big Data are shaping the future of humanity. This excellent interdisciplinary book is co-authored by Professors Evan Selinger and Brett Frischmann, and it critically examines three interrelated questions. Under what circumstances can using technology make us more like simple machines than actualized human beings? Why does the diminution of our human potential matter? What will it take to build a high-tech future that human beings can flourish in?  This is a book that will make you think about technology in a new and provocative way.

Continue Reading

Cartoon: Dark Web

Daniel Solove
Founder of TeachPrivacy

Cartoon Dark Web - TeachPrivacy Security Training 03 medium

I hope you enjoy my latest cartoon about passwords on the Dark Web.  These days, it seems, login credentials and other personal data are routinely stocking the shelves of the Dark Web.  Last year, a hacker was peddling 117 million LinkedIn user email and passwords. And, late last year, researchers found a file with 1.4 billion passwords for sale on the Dark Web. Hackers will have happy shopping for a long time.

Continue Reading

Should Privacy Law Regulate Technological Design? An Interview with Woodrow Hartzog

Daniel Solove
Founder of TeachPrivacy

Blueprint Privacy 03

Hot off the press is Professor Woodrow Hartzog’s new book, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard Univ. Press 2018). This is a fascinating and engaging book about a very important and controversial topic: Should privacy law regulate technological design?

Continue Reading

Data Security Is Worsening: 2017 Was the Worst Year Yet

Daniel Solove
Founder of TeachPrivacy

Every year, we hear about how climate change is worsening. It seems the same story is happening with data security. Last year was the worst year in recorded data breach history. More than 5,200 breaches were reported in 2017, with more than 7.8 billion records compromised. By comparison, there are 7.6 billion people on Earth, so 2017 saw the number of records compromised surpass the total world population. Previously, 2016 was the record-holder with 6.3 billion records compromised. Are there any records left that haven’t been compromised?

Major breaches and security incidents included the enormous Equifax breach of 145 million records, the Uber breach, and the NSA leaked tools, which spawned WannaCry and other niceties. Click here for a collection of summaries of some of the more notable breaches of 2017.

Continue Reading

My Privacy and Security Scholarship in 2017

Daniel Solove
Founder of TeachPrivacy

Scholarship about Privacy and Security

In this post, I provide a brief overview of my scholarship last year.

Risk and Anxiety: A Theory of Data Breach Harms 

I co-authored  Risk and Anxiety: A Theory of Data Breach Harms with Professor Daniel Keats Citron.  The piece is forthcoming in Texas Law Review this year.  Even though there continues to be a steady flow of data breaches, there remains significant confusion in the courts around the issue of harm. Courts struggle with data breach harms because they are intangible, risk-oriented, and diffuse.  Professor Citron and I argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?”  We provide examples of different types of data breaches and discuss whether harm should be recognized. We argue that there are many instances where we would find harm that the majority of courts today would not.

Download Risk and Anxiety: A Theory of Data Breach Harms for free

Continue Reading

Game of Risks: An Interview with Adam Levin on the HBO Breach, Cybersecurity Insurance, and Cyber Risks

Daniel Solove
Founder of TeachPrivacy

 

Recently, HBO suffered a massive data breach. The hackers stole unreleased episodes of Game of Thrones and have been leaking them before they are broadcast. Episodes of other shows were also stolen. The hackers grabbed 1.5 terabytes of data including sensitive internal documents.

 

Continue Reading

Cybersecurity vs. Humans: The Human Problem Requires a Human Answer

Daniel Solove
Founder of TeachPrivacy

Data Security Human Error - Security Awareness Training

According to a recent Ponemon Institute study, the odds of an organization having a data breach are 1 in 4.  The study also found that the average cost of a data breach is $3.62 million in 2017.  That’s a drop of 10%, but the size of data breaches has increased.

The Human Problem

The vast majority of information security incidents and data breaches occur because of human mistakes.   Information security is only in small part a technology problem; it is largely a human problem.  The biggest risks to security are human errors — people putting data where it doesn’t belong, people not following policies, people losing portable electronic devices with data on them, people falling for phishing and social engineering schemes.

Having a robust technical cybersecurity infrastructure is very important, but it alone isn’t enough.  A recent Harvard Business Review article by Dante Disparte and Chris Furlow reinforces this point quite well.  “Firms can be lulled into a dangerous state of complacency by their defensive technologies, firewalls, and assurances of perfect cyber hygiene. The danger is in thinking that these risks can be perfectly ‘managed’ through some sort of comprehensive defense system. It’s better to assume your defenses will be breached and to train your people in what to do when that happens.”

The Human Answer

In addition to technology, effectively preventing and dealing with data breaches involves humans.  The problem is the humans, but so is the answer.

According to the Ponemon study, there were significant data breach cost reductions for having an incident response team, extensively using encryption, and engaging in workforce training.

Continue Reading

Ransomware The Horror Grows

Daniel Solove
Founder of TeachPrivacy

As the FBI warned, ransomware has proven to be a formidable threat costing businesses over $1 billion in 2016, averaging 4,000 attacks per day. Ransomware forces victims to choose between losing access to their files or paying a fee that can range between hundreds and thousands of dollars. Ransomware has already made headlines in the first quarter of 2017.

Continue Reading

Privacy Cartoon: Privacy Budget vs. Security Budget

Daniel Solove
Founder of TeachPrivacy

 

Cartoon Privacy vs. Security Budget

My cartoon depicts the discrepancy in the security and privacy budgets at many organizations.  Of course, the cartoon is an exaggeration.  In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were.  That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.

Fortunately, it does appear that privacy budgets have increased according to the 2016  IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world.  Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.

Continue Reading