All posts in Data Breach Notification

Breach Notification Laws Now in All 50 States

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
April 7, 2018

Data Breach Notification - TeachPrivacy Security Training

Recently, South Dakota and Alabama passed data breach notification laws.  These were the last two states to pass such laws, and now all 50 states have breach notification laws.  There’s also a federal breach notification requirement under HIPAA (passed with the HITECH Act of 2009).

In 2003, California passed the first data breach notification law.  The law didn’t get a lot of attention until the ChoicePoint data breach was announced in 2005.  That breach attracted national media attention largely because people started receiving notification letters in the mail.  Other states started to follow California’s lead, passing their own breach notification laws.  Now, just 15 years later, a milestone has been reached with all 50 states having breach notification laws.   Washington, DC also has a breach notification law.

There still is no omnibus federal breach notification statute — just the requirement for health data (protected health information) under HIPAA.  Other countries have started to jump on the notification bandwagon.  Canada will have a breach notification requirement starting on November 1, 2018.  In the EU, the GDPR has a breach notification requirement.

I have mixed feelings about breach notification laws.  On the pro side, they have shed a lot of light on data breaches, which used to remain hushed up.  The bright light has shown us just how woeful the state of data security is.  Individuals have learned a lot from the process as well, including how often their data is affected.

But on the con side, breach notification laws are a great expense to comply with, amounting to a de facto strict liability fine on organizations that suffer a breach.  The expense is the same no matter whether a company was careful, negligent, or even reckless with regard to its data security.  But the most problematic thing about breach notification laws is that they have put so much focus on breach response when so many other dimensions of data security are being neglected.  Many policymakers have looked to breach notification as the primary policy response to the problem of data security, but breach notification alone is far from a solution.

Professor Woodrow Hartzog and I are currently working on a book that will explore these issues, so please stay tuned.

Continue Reading

April 7, 2018 / Category: Cybersecurity, Data Breach, Data Breach Notification, Data Security / Tags: , /

GDPR Training, Writings, and Resources: Roundup from the Past Year

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
January 11, 2018

General Data Protection Regulation - GDPR - Training Resources by Prof. Daniel Solove

The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs.  In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.

GDPR Whiteboard

GDPR Whiteboard - TeachPrivacy Privacy Awareness Training 02 small

200+ pages of the GDPR summarized into 1 page! Download it for free here. This one page visual summary of  GDPR will help you and your workforce understand many of the key elements associated with this law including Territorial Scope, Lawful Processing, Rights of Data Subjects, Enforcement and more.

GDPR Interactive Whiteboard

GDPR Whiteboard Interactive - TeachPrivacy GDPR Training

I created a new highly-interactive version of the GDPR Whiteboard (~5 mins) — a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in a learning management system (LMS)

The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard. and can be used in tandem with the analog version or in lieu of it.

A Guide to GDPR Training

A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training.

The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. In general, the Data Protection Officer (DPO)  is tasked with ensuring that all training requirements have been fulfilled. A comprehensive GDPR training program should include:

  • basic privacy awareness training for your general workforce
  • advanced training for personnel who need more detailed knowledge of GDPR
  • role-based training specific to an individual’s job function.

I have several training courses to help organizations meet the GDPR requirements, such as the ones below plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics.

GDPR (Short Introductory Course ~ 7 Mins)

GDPR Training

This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. It is suitable for both lawyers and non-lawyers . This course can also be offered in conjunction with other courses in our series  –  Privacy Shield and European Union Privacy Law.

COURSE OUTLINE:

  • Structure
    Scope
    Personal Data
    Sensitive Data
    Data Controllers and Data Processors
    Supervisory Authority
    Enforcement
    Rights and Responsibilities
    International Data Transfer
  • Rights and Responsibilities
    Transparency
    Purpose Specification and Minimization
    Consent
    Right to Erasure
    Right to Data Portability
    Data Protection by Design
    Data Protection Impact Assessments
    Record of Data Processing Activities
    Data Breach Notification
  • International Data Transfer

Global Privacy and Data Protection
(Privacy Awareness Course ~20 Mins or ~30 Mins)

 

 This course (~20 minutes or 30 minutes) is designed to provide basic privacy awareness to the workforce of global organizations.  I updated this program for GDPR.  The course focuses on three main issues:

  • Why is privacy important?
  • What is personal data?
  • How do we protect privacy?

COURSE OUTLINE:

  • The Purpose of this Training
    Personal Data
    People Care About Privacy
    Your Role
  • Why We Protect Personal Data
    Respect
    Preventing Harm
    Trust
    Reputation
    Legal Compliance
    Contractual Compliance
  • What is Personal Data?
    Identifying Personal Data or PII
    Sensitive Data
  • Data Collection
    Lawful Basis
    Data Collection Limitation
  • Data Handling and Processing
    Limited Access
    Confidentiality
    Security Safeguards
  • Use of Personal Data
    Purpose Specification
  • Individual Knowledge and Participation
    Notice
    Access and Correction
    Consent
    Right to Erasure
    Right to Data Portability
  • Transfer and Sharing of Data
    International Transfers of Data
    Sharing Data with Third Parties
  • Accountability
    Privacy by Design
    Ask the Privacy Office

GDPR’s Broad Scope: A Short Vignette

GDPR Humorous Vignette

Please check out our humorous 1-minute video vignette about the GDPR.

CARTOONS

Preparing for GDPR

 

Taking Privacy Seriously

cartoon-gdpr-training-privacy-shield-training-01

January 11, 2018 / Category: Data Breach, Data Breach Notification, Data Privacy, Data Security, Data Security Best Practices, EU Data Protection Directive, European Union Privacy, GDPR, GDPR Compliance, Privacy Compliance Program, Privacy Laws, Training, Training GDPR, Training: EU Privacy / Tags: , , , /

Is a Ransomware Attack a HIPAA Data Breach?

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
August 19, 2016

Ransomware - Security Awareness Training

As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).

A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice.  Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.

Continue Reading

August 19, 2016 / Category: Data Breach Notification, HHS, HHS Office for Civil Rights, HIPAA, Malware, Ransomware, Training, Training: Data Security, Training: HIPAA / Tags: , , , , /

10 Implications of the New EU General Data Protection Regulation (GDPR)

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
December 23, 2015

EU GDPR Training General Data Protection Regulation

EU Flag EU Privacy TrainingLast week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries.  Clocking in at more than 200 pages, this is quite a document to digest.  According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”

The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year.  It will has substantial implications for any global company doing business in the EU.  The GDPR is anticipated to go into effect in 2017.

Here are some of the implications I see emerging from the GDPR as well as some questions for the future:

1. Penalties and Enforcement

Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.”  Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.”  The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”

These are huge penalties.  Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO).  Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling.  The CEO will stand up immediately and say: “Excuse me, but I must take this call.  It’s my CPO calling!”

EU Privacy Training Money

To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent.  Will the new GDPR change enforcement?  With such huge fines, the payoff for enforcement will be enormous.  We could see a new enforcement culture emerge, with more robust and consistent enforcement.  If privacy isn’t much of a priority of upper management at some global companies, it will be soon.

Continue Reading

December 23, 2015 / Category: BCRs, Chief Privacy Officers, Cybersecurity, Data Breach, Data Breach Notification, Enforcement, EU Data Protection Directive, European Union Privacy, FIPPs, Global Privacy, Privacy, Privacy Laws, Safe Harbor, Training, Training: EU Privacy, Training: Privacy Awareness, Training: Safe Harbor / Tags: , , , , , , , /

Lessons from the Latest HIPAA Enforcement Action

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
July 29, 2015

HIPAA Training OCR Enforcementby Daniel J. Solove

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC).  SEMC agreed to pay $218,000.

The case began with a complaint filed with OCR back in 2012 that employees were sharing PHI of nearly 500 patients via an online sharing application without a risk analysis on such activities being undertaken.  OCR investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”

Continue Reading

July 29, 2015 / Category: Cloud Computing, Data Breach, Data Breach Notification, HHS, HHS Office for Civil Rights, HIPAA, Mobile Devices, Portable Devices, Training, Training: Data Security, Training: HIPAA / Tags: , , , , , , , , /

The OPM Data Breach: Harm Without End?

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
June 22, 2015

title image

By Daniel J. Solove

The recent breach of the Office of Personnel Management (OPM) network involved personal data on millions of federal employees, including data related to background checks. OPM is now offering 18 months of free credit monitoring and identity theft insurance to victims. But as experts note in a recent Washington Post article, this is not nearly enough:

If the data is in the hands of traditional cyber criminals, the 18-month window of protection may not be enough to protect workers from harm down the line. “The data is sold off, and it could be a while before it’s used,” said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie. “There’s often a very big delay before having a loss.”

Continue Reading

June 22, 2015 / Category: Cybersecurity, Data Breach, Data Breach Notification, Data Security, Data Security Best Practices, Encryption, Harm, Identity Theft, Privacy, Privacy and Security / Tags: , , , , , , , , /

Law Firm Cyber Security and Privacy Risks

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
April 30, 2015

Title image

By Daniel J. Solove

Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11.

This is not time for firms to keep calm and carry on. The proper response is to freak out.

Continue Reading

April 30, 2015 / Category: Chief Security Officers, Confidentiality, Data Breach, Data Breach Notification, Data Security, Data Security Best Practices, Law Firms, Lawsuits, Privacy, Training, Training: Data Security / Tags: , , , , , /

Why the C-Suite Should Have Coffee with the Privacy and Security Officers Every Week

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
September 10, 2014

 

c suite blog 1

by Daniel J. Solove

As I discussed in a previous post, the two key things that organizations can do to prevent data incidents can be summed up in a simple rhyme:

The C-Suite must care

The workforce must be aware

In this post, I want to focus on the “C-Suite” – a term used for the upper management of an organization, its top officers.

The C-Suite must care about data security.

But far too often, the C-Suite doesn’t fully appreciate the risks and could use a better understanding of the law.

Continue Reading

September 10, 2014 / Category: Chief Privacy Officers, Chief Security Officers, Class Actions, Data Breach, Data Breach Notification, Data Security, Enforcement, Global Privacy, Lawsuits, Privacy, Training, Training: Data Security, Training: Privacy Awareness / Tags: , , , /

The 2 Essential Ways to Prevent Data Breaches

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
September 1, 2014

data breach post 1

by Daniel J. Solove

We’re in the midst of a crisis in data protection. Billions of passwords stolen. . . Mammoth data breaches. . . Increasing threats. . . Malicious hackers . . . Continue Reading

September 1, 2014 / Category: Data Breach, Data Breach Notification, Data Security, Privacy, Training, Training: Data Security, Training: FERPA, Training: Financial Privacy, Training: HIPAA, Training: PCI, Training: Privacy Awareness, Training: Safe Harbor / Tags: , , , , , /

6 Lessons from the Costliest HIPAA Settlement to Date

Daniel Solove
Daniel Solove @danielsolove
Founder of TeachPrivacy
May 20, 2014

Costliest HIPAA Settlement blog 1

by Daniel J. Solove

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the costliest HIPAA settlement to date — a $4.8 million settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU). The case involved the disclosure of protected health information on the Internet. Here are some lessons from this latest case:

Continue Reading

May 20, 2014 / Category: Data Breach, Data Breach Notification, Data Security, Enforcement, HHS Office for Civil Rights, HIPAA, HIPAA Business Associates, HITECH Act, OCR / Tags: , , , /