PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

We Still Haven’t Learned the Major Lesson of the 2013 Target Hack

Breached - Excerpt - Lessons of Target Hack 01

I have an article with Professor Woodrow Hartzog in Slate created from an excerpt from our new book, Breached! Why Data Security Law Fails and How to Improve it

We Still Haven’t Learned the Major Lesson of the 2013 Target Hack
By Woodrow Hartzog & Daniel Solove
Slate (April 13, 2022)

You can read Chapter 1 of Breached! for free here.

Woody and I will be holding a webinar to discuss the book on Wednesday, April 27, 2022 at 2 PM ET. More info and registration here.

Continue Reading

New 2022 Edition of PRIVACY LAW FUNDAMENTALS

Book - Privacy Law Fundamentals - Solove Schwartz 02a

I am pleased to announce that Professor Paul Schwartz and I have just published a new 6th edition of our book, PRIVACY LAW FUNDAMENTALS.  Now in a new 6th edition for 2022, PRIVACY LAW FUNDAMENTALS is a distilled guide to the essential elements of U.S. data privacy law. In an easily-digestible format, the book covers core concepts, key laws, and leading cases.

The book summarizes the essential provisions of all of the major privacy statutes and regulations, including COPPA, ECPA, FCRA, FERPA, FISA, FTC Act, GLBA, HIPAA, TCPA, Privacy Act, VPPA, and more.

The book includes summaries of foreign laws such as the EU’s GDPR, China’s PIPL, Canada’s PIPEDA, Brazil’s LGPD, and more.

In addition, PRIVACY LAW FUNDAMENTALS summarizes key state privacy laws and provides an overview of FTC and HHS enforcement actions. We provide numerous charts and tables summarizing the privacy statutes (i.e. statutes with private rights of action, preemption, and statutory damages, among other things).
Continue Reading

Debate with Professor Jane Bambauer on State Privacy Laws and the Uniform Personal Data Protection Act

Debate Solove Bambauer 02

 

Please join me Thursday, April 14 at 12pm ET for a debate with Professor Jane Bambauer (University of Arizona).  We will be discussing state privacy laws and the pros and cons of the Uniform Law Commissions model privacy law, the Uniform Personal Data Protection Act (UPDPA).  You can attend in-person or watch online.

Registration Button 01

Related Posts

A Critique of the Uniform Law Commission’s Uniform Personal Data Protection Act

ALI Data Privacy: Overview and Black Letter Text

Continue Reading

Webinar – Privacy Legislation: How to Create Effective Privacy Laws

In this webinar, I moderate a discussion about recent privacy laws, what works, what fails, the virtues/vices of a private right of action, and other ideas for creating good laws.

Speakers include:

You can see the archived webinar by clicking the button below.

Relevant Readings

Continue Reading

Chronicle of a Breach Foretold – Download Chapter 1 of BREACHED!

Breached - Solove and Hartzog 08

Professor Woodrow Hartzog and I have posted Chapter 1 of our new book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022) on SSRN:

Chapter 1: Chronicle of a Breach Foretold

You can download it for free.

Download Article

Website for Breached! 
Breached! Amazon Page

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum an annual event designed for seasoned professionals. 

NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.

Prof. Solove’s Privacy Training: 150+ Courses

Privacy Awareness Training 03

Webinar – Worldwide Privacy Law: New Developments

In this webinar, I discuss recently-enacted worldwide privacy laws as well as new laws likely to be enacted this year with other experts. The webinar also covers enforcement trends, world regional developments, and cross-border data transfer. Speakers include:

You can see the archived webinar by clicking the button below.

Continue Reading

BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022)

Breached - Solove and Hartzog 05

I’m delighted to announce that my new book, Breached!, with Professor Woodrow Hartzog is now out in print:

BREACHED!

WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT

(Oxford University Press, March 1, 2022)

Website for Breached! 
Breached! Amazon Page

Cover - Breached - Solove & Hartzog

Excerpt from the book jacket description:

Drawing insights from many fascinating stories about data breaches, Solove and Hartzog show how major breaches could have been prevented or mitigated through a different approach to data security rules. Current law is counterproductive. It pummels organizations that have suffered a breach but doesn’t address the many other actors that contribute to the problem: software companies that create vulnerable software, device companies that make insecure devices, government policymakers who write regulations that increase security risks, organizations that train people to engage in risky behaviors, and more.

Although humans are the weakest link for data security, policies and technologies are often designed with a poor understanding of human behavior. Breached! corrects this course by focusing on the human side of security. Drawing from public health theory and a nuanced understanding of risk, Solove and Hartzog set out a holistic vision for data security law-one that holds all actors accountable, understands security broadly and in relationship to privacy, looks to prevention and mitigation rather than reaction, and works by accepting human limitations rather than being in denial of them. The book closes with a roadmap for how we can reboot law and policy surrounding data security.

Here is some additional advanced praise about the book beyond the quotes in the image above:

“A fascinating exploration of the ways that our fixation on individual data breaches has limited the effectiveness of data security law.” – Josephine Wolff, Associate Professor of Cybersecurity Policy, Tufts University

Breached! shows how the future of data security requires us to look at the problem holistically and understand that good privacy rules can also promote good security outcomes. A breath of fresh air on an important and often-ignored topic.”– Neil Richards, Professor of Law, Washington University

“A compelling account of where data security law has gone wrong plus convincing advocacy of where it should go. This book should be read by anyone involved in privacy and cybersecurity.” – Paul Schwartz, Jefferson E. Peyser Professor of Law, Berkeley Law School

“A clear, accessible, persuasive case that data security today needs a systematic approach, far beyond just mopping up breaches. I hope every regulator or legislator working on the subject reads this book and follows their advice.” – William McGeveran, Associate Dean for Academic Affairs, U. Minnesota Law School

Breached! Amazon Page

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum an annual event designed for seasoned professionals. 

NEWSLETTER: Subscribe to Professor Solove’s free newsletter
TWITTER: Follow Professor Solove on Twitter.

Privacy+Security Forum: Spring Academy

(Virtual Event | March 23-25, 2022)

Sessions and workshops on CCPA developments, CCPA litigation, state privacy law, health privacy, HIPAA, de-identification, EU privacy law, GDPR, Asian privacy law, Saudi Arabia and UAE privacy laws, cookies, PIAs, mobile apps, vendor management, ad tech, and much more!

SCHEDULE  |  SPEAKERS

PSF Spring 25

Button Register for Privacy+Security Forum

ALI Data Privacy: Overview and Black Letter Text

ALI Data Privacy Article - Solove Schwartz

The final published version of my article with Professor Paul Schwartz, ALI Data Privacy: Overview and Black Letter Text., 68 UCLA L. Rev. 1262 (2022) is now posted on SSRN and available as a free download.

The article is based on the ALI Data Privacy Principles. Professor Paul Schwartz and I were the co-reporters on the project. With a great team of advisers plus the helpful comments of ALI members, we drafted this document, which is similar to a model code.

Article abstract:

In this Article, the Reporters for the American Law Institute Principles of Law, Data Privacy provide an overview of the project as well as the text of its black letter. The Principles aim to provide a blueprint for policymakers to regulate privacy comprehensively and effectively.

The United States has long remained an outlier in privacy law. While numerous nations have enacted comprehensive privacy laws, the United States has clung stubbornly to a fragmented, inconsistent patchwork of laws. Moreover, there long has been a vast divide between U.S. and European Union (EU) approaches to regulating privacy—a divide that many consider to be unbridgeable.

The Principles propose comprehensive privacy principles for legislation that are consistent with key foundations in the U.S. approach to privacy but also better align the United States with the EU. Additionally, the Principles breathe new life into the moribund and oft-criticized U.S. notice-and-choice approach, which has remained firmly rooted in U.S. law. Drawing from a vast array of privacy laws and frameworks, and with a balance of innovation, practicality, and compromise, the Principles aim to guide policymakers in advancing U.S. privacy law.

You can download it for free on SSRN.

Download Article

Continue Reading

A Critique of the Uniform Law Commission’s Uniform Personal Data Protection Act

Critique of the ULC's Uniform Personal Data Protection Act 02

In 2021, the Uniform Law Commission (ULC) finalized its Uniform Personal Data Protection Act (UPDPA), a model law intended to be a guide to states seeking to enact broad privacy laws. Unfortunately, the ULC’s law is beyond disappointing.  Quite frankly, the UPDPA is quite terrible. No state should adopt it in whole or in part. It is hard to find anything to salvage in the UPDPA. It’s a law as clunky as its acronym.  I find it shocking that the ULC could propose such a awful law. It is, sad to say, quite shameful.

The UPDPA is quite spare and loose. The heart of the law is basically as follows: (1) companies can use personal data without people’s consent as long as there is a “compatible data practice” and (2) if the event of an “incompatible” data practice, companies only need to provide a chance to opt out.

The ULC has cooked up a broth that is so insubstantial, so thin and fetid, that it is hardly any different from bilge water. One might think I’m exaggerating for dramatic effect, but if you look at the law, you’ll see that my comments are far from rhetorical flourishes but are quite restrained.

More specifically, Section 7(a) provides:

A controller or processor may engage in a compatible data practice without the data subject’s consent. A controller or processor engages in a compatible data practice if the processing is consistent with the ordinary expectations of data subjects or is likely to benefit data subjects substantially.

This provision is so vague that it permits companies to do nearly anything. Even data practices that are not expected by people are fine if a company deems them “likely to benefit data subjects substantially.” Every company thinks that what it does provides a benefit and makes the world a better place. It’s hard to imagine how anyone could fail to cook up a rationale for nearly any data use that wouldn’t somehow constitute a “compatible” practice.

Continue Reading