For years, many policymakers, industry representatives, and commentators were opposed to a comprehensive federal privacy law. They typical federalism arguments were often trotted out. Then, in 2018, California passed the California Consumer Privacy Act (CCPA). Now, there seems to be a chorus for a comprehensive federal privacy law with preemption. I’ll be posting soon about my thoughts on a federal law and on preemption.
I hope that you can join us for the International Privacy+Security Forum (April 3-5, 2019 in Washington, DC).
The International Privacy+Security Forum is an annual sister event to the Privacy+Security Forum, an annual event held in October at George Washington University in Washington, DC. The Int’l Forum event focuses on privacy and security laws from around the world. The main feature of Forum events is that we have deep-dive sessions on topics. We attract highly seasoned professionals, and we encourage highly interactive sessions.
We will have 100+ speakers and about 40 sessions.
This cartoon is about data breach notification. All 50 states plus the District of Columbia and Puerto Rico now have data breach notification laws, and breach notification laws are spreading around the globe. And, as is often said in data security, it’s not whether a breach will happen, but when . . .
Last year was a record-setting year for HIPAA enforcement. On HHS’s website, OCR has touted its 2018 enforcement:
OCR has concluded an all-time record year in HIPAA enforcement activity. In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2018:
There have been quite a number of state HIPAA enforcement cases this year, and one expert points out a trend toward increasing state enforcement of HIPAA.
An article in Data Breach Today discusses a number of state HIPAA enforcement cases. Here are some of the ones discussed:
Massachusetts — $75,000 settlement with McLean Hospital for a data breach involving 1,500 victims based on an employee who routinely took home unencrypted backup tapes with PHI. From the state press release:
The AG’s complaint alleges that McLean, a psychiatric hospital in Belmont, allowed an employee to regularly take home eight unencrypted back-up tapes containing clinical and demographic information from the Harvard Brain Tissue Resource Center that the hospital possessed. The tapes contained personal information such as names, social security numbers, diagnoses and family histories. When the employee was terminated from her position at McLean in May 2015, she only returned four of the tapes, and the hospital was unable to recover the others.
New Jersey — $100,000 settlement with EmblemHealth for a 2016 breach involving 81,000 victims. Details from the state’s press release:
The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.
The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)
During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised. Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file.
I’ve been creating security and privacy awareness training for years, and I am always in the hunt for good stock photos to illustrate these issues. I thought I’d share with you some of the most ridiculous ones I’ve come across.
For the past four years, I’ve posted just the funniest hacker stock photos, but this year, I thought I’d broaden the focus and include more privacy and security topics. Without further delay, here they are . . .
This cartoon about artificial intelligence is based on something I often hear — that it is impossible to understand how certain decisions are made by certain algorithms. I wonder whether this problem is due to the fact that not enough effort is being devoted to addressing ethical issues such as the transparency of the decisionmaking process. It’s easy to say in the abstract that ethics is important. But to truly matter, ethics must be a part of the primary design process, not a secondary consideration. The amount of innovation going into new technology is staggering. Although time and effort are being spent on ethics, far less innovation is going into developing the ethical part of technological design.
A recent case involving the Illinois Biometric Information Privacy Act (BIPA), Rivera v Google (N.D. Ill. No. 16 C 02714, Dec. 28, 2018), puts the ills of Spokeo Inc. v. Robins on full display. In Rivera, plaintiffs sued Google under BIPA, which prohibits companies from collecting and storing specific types of biometric data without people’s consent. The plaintiffs alleged that Google collected and used their face-geometry scans through Google Photos without their consent. Google’s face recognition feature is defaulted to being on unless users opt out. Instead of addressing the merits of the plaintiffs’ lawsuit under BIPA, the court dismissed the case for lack of standing based on Spokeo, a fairly recent U.S. Supreme Court case on standing.
Spokeo is a terrible decision by the U.S. Supreme Court. It purports to be an attempt to clarify the test for standing to sue in federal court, but it flunks on clarity and coherence. I previously wrote an extensive critique of Spokeo when the decision came out in 2016.
Beyond Spokeo‘s incoherent mess, there is another part of the opinion that is far worse — Spokeo authorizes courts to override legislatures in determining whether there’s a cognizable privacy harm under a legislature’s own statute. This part of Spokeo is a major usurpation of legislative power — it undermines a legislature’s determination about the proper remedies for violations of its own laws.
I’m pleased to announce that there is a newly-created archive of all of my notable privacy+security books posts – for years 2008-present. Together, there are probably about 100 books featured. The past decade has seen a tremendous abundance of scholarship on privacy and security topics, and there are some truly essential books discussed in these posts.
If you’re interested in a more comprehensive listing of privacy+security books (including books written before the past 10 years), Paul Schwartz and I maintain a page over at our Privacy+Security Academy website that lists privacy+security non-fiction books.
It is sad to say goodbye to Concurring Opinions, a law professor blog I co-founded in 2005. The blog began when a group of us (Dave Hoffman, Kaimi Wenger, Nate Oman, and me) who were blogging at PrawfsBlawg decided we wanted more autonomy in blog governance, so we founded Concurring Opinions. Over the years, we added many great permabloggers: Danielle Citron, Deven Desai, Frank Pasquale, Gerard Magliocca, Ronald K.L. Collins, Larry Cunningham, Naomi Cahn, Sarah Waldeck, Solangel Maldonado, Corey Yung, Jaya Ramji-Nogales, and others.
I have a few final thoughts about Concurring Opinions below, as well as a small piece of good news — I’ve archived most of my posts here on this special archive page. More on the archive later.