This cartoon is about data breach notification. All 50 states plus the District of Columbia and Puerto Rico now have data breach notification laws, and breach notification laws are spreading around the globe. And, as is often said in data security, it’s not whether a breach will happen, but when . . .
Category: Data Breach Notification
Posts about Data Breach Notification by Professor Daniel J. Solove for his blog at TeachPrivacy, a privacy awareness and security training company.
The Mail Machine Ate My Thumb Drive
Seriously?
The envelope arrived without the USB drive. The firm contacted the post office.
What happened next is most bizarre. Here’s an excerpt from the law firm’s letter notifying the state attorney general:
Breach Notification Laws Now in All 50 States
Recently, South Dakota and Alabama passed data breach notification laws. These were the last two states to pass such laws, and now all 50 states have breach notification laws. There’s also a federal breach notification requirement under HIPAA (passed with the HITECH Act of 2009).
In 2003, California passed the first data breach notification law. The law didn’t get a lot of attention until the ChoicePoint data breach was announced in 2005. That breach attracted national media attention largely because people started receiving notification letters in the mail. Other states started to follow California’s lead, passing their own breach notification laws. Now, just 15 years later, a milestone has been reached with all 50 states having breach notification laws. Washington, DC also has a breach notification law.
There still is no omnibus federal breach notification statute — just the requirement for health data (protected health information) under HIPAA. Other countries have started to jump on the notification bandwagon. Canada will have a breach notification requirement starting on November 1, 2018. In the EU, the GDPR has a breach notification requirement.
I have mixed feelings about breach notification laws. On the pro side, they have shed a lot of light on data breaches, which used to remain hushed up. The bright light has shown us just how woeful the state of data security is. Individuals have learned a lot from the process as well, including how often their data is affected.
But on the con side, breach notification laws are a great expense to comply with, amounting to a de facto strict liability fine on organizations that suffer a breach. The expense is the same no matter whether a company was careful, negligent, or even reckless with regard to its data security. But the most problematic thing about breach notification laws is that they have put so much focus on breach response when so many other dimensions of data security are being neglected. Many policymakers have looked to breach notification as the primary policy response to the problem of data security, but breach notification alone is far from a solution.
Professor Woodrow Hartzog and I are currently working on a book that will explore these issues, so please stay tuned.
GDPR Training, Writings, and Resources: Roundup from the Past Year
The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs. In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.
GDPR Whiteboard
200+ pages of the GDPR summarized into 1 page! Download it for free here. This one page visual summary of GDPR will help you and your workforce understand many of the key elements associated with this law including Territorial Scope, Lawful Processing, Rights of Data Subjects, Enforcement and more.
GDPR Interactive Whiteboard
I created a new highly-interactive version of the GDPR Whiteboard (~5 mins) — a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in a learning management system (LMS)
The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard. and can be used in tandem with the analog version or in lieu of it.
A Guide to GDPR Training
A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training.
The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. In general, the Data Protection Officer (DPO) is tasked with ensuring that all training requirements have been fulfilled. A comprehensive GDPR training program should include:
- basic privacy awareness training for your general workforce
- advanced training for personnel who need more detailed knowledge of GDPR
- role-based training specific to an individual’s job function.
I have several training courses to help organizations meet the GDPR requirements, such as the ones below plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics.
GDPR (Short Introductory Course ~ 7 Mins)
This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. It is suitable for both lawyers and non-lawyers . This course can also be offered in conjunction with other courses in our series – Privacy Shield and European Union Privacy Law.
COURSE OUTLINE:
- Structure
Scope
Personal Data
Sensitive Data
Data Controllers and Data Processors
Supervisory Authority
Enforcement
Rights and Responsibilities
International Data Transfer - Rights and Responsibilities
Transparency
Purpose Specification and Minimization
Consent
Right to Erasure
Right to Data Portability
Data Protection by Design
Data Protection Impact Assessments
Record of Data Processing Activities
Data Breach Notification - International Data Transfer
Global Privacy and Data Protection
(Privacy Awareness Course ~20 Mins or ~30 Mins)
This course (~20 minutes or 30 minutes) is designed to provide basic privacy awareness to the workforce of global organizations. I updated this program for GDPR. The course focuses on three main issues:
- Why is privacy important?
- What is personal data?
- How do we protect privacy?
COURSE OUTLINE:
- The Purpose of this Training
Personal Data
People Care About Privacy
Your Role - Why We Protect Personal Data
Respect
Preventing Harm
Trust
Reputation
Legal Compliance
Contractual Compliance - What is Personal Data?
Identifying Personal Data or PII
Sensitive Data - Data Collection
Lawful Basis
Data Collection Limitation - Data Handling and Processing
Limited Access
Confidentiality
Security Safeguards - Use of Personal Data
Purpose Specification - Individual Knowledge and Participation
Notice
Access and Correction
Consent
Right to Erasure
Right to Data Portability - Transfer and Sharing of Data
International Transfers of Data
Sharing Data with Third Parties - Accountability
Privacy by Design
Ask the Privacy Office
GDPR’s Broad Scope: A Short Vignette
Please check out our humorous 1-minute video vignette about the GDPR.
CARTOONS
Preparing for GDPR
Taking Privacy Seriously
Is a Ransomware Attack a HIPAA Data Breach?
As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).
A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice. Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.