PRIVACY + SECURITY BLOG

News, Developments, and Insights

The 2 Essential Ways to Prevent Data Breaches

by Daniel J. Solove

We’re in the midst of a crisis in data protection. Billions of passwords stolen. . . Mammoth data breaches. . . Increasing threats. . . Malicious hackers. . .

Continue Reading

6 Lessons from the Costliest HIPAA Settlement to Date

by Daniel J. Solove

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced the costliest HIPAA settlement to date — a $4.8 million settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU). The case involved the disclosure of protected health information on the Internet. Here are some lessons from this latest case:

Continue Reading

How Should Data Security Breach Notification Work?

In 2005, a series of data security breaches affected tens of millions of records of personal information. I blogged about them here, here, here, here, and here.

One of the major issues with data security breaches involves what kind of notification companies should provide. The spate of data security breach announcements began in February 2005, when ChoicePoint announced its breach pursuant to California’s data breach notification law. At the time, California was the only state that mandated individual notice following a breach. Subsequently, numerous states passed laws requiring that companies notify individuals of breaches. Federal legislation is currently being considered to create a national security breach provision. But key questions remain in hot contention. First, what kind of breach should trigger a notification? If the risk of harm is low, some companies contend, then providing notice can be quite costly with little benefit in return. Second, what kind of notice should be given? Notice to each individual affected? Notice to the media or FTC only?

Continue Reading

Data Security Laws, the States, and Federalism

Remember well over a year ago, when last February ChoicePoint announced it had a major data security breach? Since then hundreds of breaches have been announced — over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.

Continue Reading

The Government’s Data Security Breach and “Data Neutralization”

The AP reports an enormous breach of data security by the government:

Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.

The information involved mainly those veterans who served and have been discharged since 1975, said VA Secretary Jim Nicholson. Data of veterans discharged before 1975 who submitted claims to the agency may have been included.

Continue Reading