This cartoon is about data breach notification. All 50 states plus the District of Columbia and Puerto Rico now have data breach notification laws, and breach notification laws are spreading around the globe. And, as is often said in data security, it’s not whether a breach will happen, but when . . .
All posts in Data Breach Notification
In the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive in the mail. The file contained Social Security information and other financial data.
The envelope arrived without the USB drive. The firm contacted the post office.
What happened next is most bizarre. Here’s an excerpt from the law firm’s letter notifying the state attorney general:
Recently, South Dakota and Alabama passed data breach notification laws. These were the last two states to pass such laws, and now all 50 states have breach notification laws. There’s also a federal breach notification requirement under HIPAA (passed with the HITECH Act of 2009).
In 2003, California passed the first data breach notification law. The law didn’t get a lot of attention until the ChoicePoint data breach was announced in 2005. That breach attracted national media attention largely because people started receiving notification letters in the mail. Other states started to follow California’s lead, passing their own breach notification laws. Now, just 15 years later, a milestone has been reached with all 50 states having breach notification laws. Washington, DC also has a breach notification law.
There still is no omnibus federal breach notification statute — just the requirement for health data (protected health information) under HIPAA. Other countries have started to jump on the notification bandwagon. Canada will have a breach notification requirement starting on November 1, 2018. In the EU, the GDPR has a breach notification requirement.
I have mixed feelings about breach notification laws. On the pro side, they have shed a lot of light on data breaches, which used to remain hushed up. The bright light has shown us just how woeful the state of data security is. Individuals have learned a lot from the process as well, including how often their data is affected.
But on the con side, breach notification laws are a great expense to comply with, amounting to a de facto strict liability fine on organizations that suffer a breach. The expense is the same no matter whether a company was careful, negligent, or even reckless with regard to its data security. But the most problematic thing about breach notification laws is that they have put so much focus on breach response when so many other dimensions of data security are being neglected. Many policymakers have looked to breach notification as the primary policy response to the problem of data security, but breach notification alone is far from a solution.
Professor Woodrow Hartzog and I are currently working on a book that will explore these issues, so please stay tuned.
The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs. In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.
200+ pages of the GDPR summarized into 1 page! Download it for free here. This one page visual summary of GDPR will help you and your workforce understand many of the key elements associated with this law including Territorial Scope, Lawful Processing, Rights of Data Subjects, Enforcement and more.
I created a new highly-interactive version of the GDPR Whiteboard (~5 mins) — a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in a learning management system (LMS)
The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard. and can be used in tandem with the analog version or in lieu of it.
A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training.
The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. In general, the Data Protection Officer (DPO) is tasked with ensuring that all training requirements have been fulfilled. A comprehensive GDPR training program should include:
- basic privacy awareness training for your general workforce
- advanced training for personnel who need more detailed knowledge of GDPR
- role-based training specific to an individual’s job function.
I have several training courses to help organizations meet the GDPR requirements, such as the ones below plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics.
This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. It is suitable for both lawyers and non-lawyers . This course can also be offered in conjunction with other courses in our series – Privacy Shield and European Union Privacy Law.
Data Controllers and Data Processors
Rights and Responsibilities
International Data Transfer
- Rights and Responsibilities
Purpose Specification and Minimization
Right to Erasure
Right to Data Portability
Data Protection by Design
Data Protection Impact Assessments
Record of Data Processing Activities
Data Breach Notification
- International Data Transfer
This course (~20 minutes or 30 minutes) is designed to provide basic privacy awareness to the workforce of global organizations. I updated this program for GDPR. The course focuses on three main issues:
- Why is privacy important?
- What is personal data?
- How do we protect privacy?
- The Purpose of this Training
People Care About Privacy
- Why We Protect Personal Data
- What is Personal Data?
Identifying Personal Data or PII
- Data Collection
Data Collection Limitation
- Data Handling and Processing
- Use of Personal Data
- Individual Knowledge and Participation
Access and Correction
Right to Erasure
Right to Data Portability
- Transfer and Sharing of Data
International Transfers of Data
Sharing Data with Third Parties
Privacy by Design
Ask the Privacy Office
Please check out our humorous 1-minute video vignette about the GDPR.
As ransomware escalates and poses serious security risks for healthcare institutions, many privacy experts and legislators have called for more specific guidance from the U.S. Department of Health and Human Services (HHS).
A few weeks ago, HHS responded to these calls with a detailed fact sheet to explain ransomware and provide advice. Although most of the document outlines what should be obvious for an organization that already has a solid data security plan (including reliable back-ups, workforce training, and contingency plans), the major headline is HHS’s verdict on whether or not a ransomware attack qualifies as a data breach under HIPAA.
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will has substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
1. Penalties and Enforcement
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.
by Daniel J. Solove
Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC). SEMC agreed to pay $218,000.
The case began with a complaint filed with OCR back in 2012 that employees were sharing PHI of nearly 500 patients via an online sharing application without a risk analysis on such activities being undertaken. OCR investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”
By Daniel J. Solove
The recent breach of the Office of Personnel Management (OPM) network involved personal data on millions of federal employees, including data related to background checks. OPM is now offering 18 months of free credit monitoring and identity theft insurance to victims. But as experts note in a recent Washington Post article, this is not nearly enough:
If the data is in the hands of traditional cyber criminals, the 18-month window of protection may not be enough to protect workers from harm down the line. “The data is sold off, and it could be a while before it’s used,” said Michael Sussmann, a partner in the privacy and data security practice at law firm Perkins Coie. “There’s often a very big delay before having a loss.”
By Daniel J. Solove
Law firms are facing grave privacy and security risks. Although a number of firms are taking steps to address these risks, the industry as a whole needs to grasp the severity of the risk. For firms, privacy and security risks can be significantly higher than for other organizations. Incidents can be catastrophic. On a scale of 1 to 10, the risks law firms are facing are an 11.
This is not time for firms to keep calm and carry on. The proper response is to freak out.
by Daniel J. Solove
As I discussed in a previous post, the two key things that organizations can do to prevent data incidents can be summed up in a simple rhyme:
The C-Suite must care
The workforce must be aware
In this post, I want to focus on the “C-Suite” – a term used for the upper management of an organization, its top officers.
The C-Suite must care about data security.
But far too often, the C-Suite doesn’t fully appreciate the risks and could use a better understanding of the law.