This cartoon is about data breach notification. All 50 states plus the District of Columbia and Puerto Rico now have data breach notification laws, and breach notification laws are spreading around the globe. And, as is often said in data security, it’s not whether a breach will happen, but when . . .
In the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive in the mail. The file contained Social Security information and other financial data.
The envelope arrived without the USB drive. The firm contacted the post office.
What happened next is most bizarre. Here’s an excerpt from the law firm’s letter notifying the state attorney general:
Recently, South Dakota and Alabama passed data breach notification laws. These were the last two states to pass such laws, and now all 50 states have breach notification laws. There’s also a federal breach notification requirement under HIPAA (passed with the HITECH Act of 2009).
In 2003, California passed the first data breach notification law. The law didn’t get a lot of attention until the ChoicePoint data breach was announced in 2005. That breach attracted national media attention largely because people started receiving notification letters in the mail. Other states started to follow California’s lead, passing their own breach notification laws. Now, just 15 years later, a milestone has been reached with all 50 states having breach notification laws. Washington, DC also has a breach notification law.
There still is no omnibus federal breach notification statute — just the requirement for health data (protected health information) under HIPAA. Other countries have started to jump on the notification bandwagon. Canada will have a breach notification requirement starting on November 1, 2018. In the EU, the GDPR has a breach notification requirement.
I have mixed feelings about breach notification laws. On the pro side, they have shed a lot of light on data breaches, which used to remain hushed up. The bright light has shown us just how woeful the state of data security is. Individuals have learned a lot from the process as well, including how often their data is affected.
But on the con side, breach notification laws are a great expense to comply with, amounting to a de facto strict liability fine on organizations that suffer a breach. The expense is the same no matter whether a company was careful, negligent, or even reckless with regard to its data security. But the most problematic thing about breach notification laws is that they have put so much focus on breach response when so many other dimensions of data security are being neglected. Many policymakers have looked to breach notification as the primary policy response to the problem of data security, but breach notification alone is far from a solution.
Professor Woodrow Hartzog and I are currently working on a book that will explore these issues, so please stay tuned.
The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs. In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.
200+ pages of the GDPR summarized into 1 page! Download it for free here. This one page visual summary of GDPR will help you and your workforce understand many of the key elements associated with this law including Territorial Scope, Lawful Processing, Rights of Data Subjects, Enforcement and more.
I created a new highly-interactive version of the GDPR Whiteboard (~5 mins) — a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in a learning management system (LMS).
The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard, and can be used in tandem with the analog version or in lieu of it.
A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training.
The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. In general, the Data Protection Officer (DPO) is tasked with ensuring that all training requirements have been fulfilled. A comprehensive GDPR training program should include:
- basic privacy awareness training for your general workforce
- advanced training for personnel who need more detailed knowledge of GDPR
- role-based training specific to an individual’s job function.
I have several training courses to help organizations meet the GDPR requirements, such as the ones below plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics.
This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. It is suitable for both lawyers and non-lawyers. This course can also be offered in conjunction with other courses in our series – Privacy Shield and European Union Privacy Law.
- Data Controllers and Data Processors
- Rights and Responsibilities
- International Data Transfer
- Rights and Responsibilities
  - Purpose Specification and Minimization
  - Right to Erasure
  - Right to Data Portability
  - Data Protection by Design
  - Data Protection Impact Assessments
  - Record of Data Processing Activities
  - Data Breach Notification
- International Data Transfer
This course (~20 minutes or 30 minutes) is designed to provide basic privacy awareness to the workforce of global organizations. I updated this program for GDPR. The course focuses on three main issues:
- Why is privacy important?
- What is personal data?
- How do we protect privacy?
- The Purpose of this Training
  - People Care About Privacy
- Why We Protect Personal Data
- What is Personal Data?
  - Identifying Personal Data or PII
- Data Collection
  - Data Collection Limitation
- Data Handling and Processing
- Use of Personal Data
- Individual Knowledge and Participation
  - Access and Correction
  - Right to Erasure
  - Right to Data Portability
- Transfer and Sharing of Data
  - International Transfers of Data
  - Sharing Data with Third Parties
- Privacy by Design
- Ask the Privacy Office
Please check out our humorous 1-minute video vignette about the GDPR.
As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).
A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice. Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.