PRIVACY + SECURITY BLOG

News, Developments, and Insights

Ransomware and the Role of Cyber Insurance: An Interview with Kimberly Horn

hacker setting up ransomware

Ransomware has long been a scourge, and it’s getting worse. I recently had the chance to talk about ransomware and cyber insurance with Kimberly Horn, the Global Claims Team Leader for Cyber & Tech Claims at Beazley. Kim has significant experience in data privacy and cyber security matters, including guiding insureds through immediate and comprehensive responses to data breaches and network intrusions.

 

Continue Reading

Cartoon: The Privacy Paradox

Cartoon Privacy Paradox - TeachPrivacy Privacy Training 02 small

This cartoon is about the “privacy paradox” — the phenomenon where people say that they value privacy highly, yet in their behavior relinquish their personal data for very little in exchange or fail to use measures to protect their privacy.

I recently wrote an article about the privacy paradox: The Myth of the Privacy Paradox, forthcoming 89 Geo. Wash. L. Rev.  You can download it on SSRN for free.

Download Article Solove Myth of the Privacy Paradox

Commentators typically make one of two types of arguments about the privacy paradox. On one side, privacy regulation skeptics contend behavior is the best metric to evaluate how people actually value privacy. Behavior reveals that people ascribe a low value to privacy or readily trade it away for goods or services. The argument often goes on to contend that privacy regulation should be reduced.

Continue Reading

Cartoon: GDPR Lawful Basis

Cartoon GDPR Lawful Basis - TeachPrivacy GDPR Training

This cartoon is about the GDPR’s lawful basis requirement to process personal data. One of the biggest differences between U.S. and EU privacy law is that in the U.S., organizations can collect and use personal data in nearly any way they choose as long as they state what they are doing in their privacy notice and follow what they say.  In the EU, in contrast, the GDPR requires that organizations have a “lawful basis” to collect and process personal data. The GDPR specified six lawful bases, including consent, performance of a contract, compliance with a legal obligation, public interest, protect the vital interests of the data subject or other people, and legitimate interest in processing the data.

Many organizations use legitimate interest as their lawful basis.

Article 6(1)(f) of the GDPR provides: 

1.Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Continue Reading

Notable Changes in the Modified Draft CCPA Regulation

CCPA Regulation - TeachPrivacy CCPA Training 01

Updated on March 27, 2020 — The California AG came out with a modified modified draft of the CCPA regulation on March 11, 2020.  Most notably, a few of the changes in the February 7 draft were walked back.  I will discuss the details below. 

On Friday, February 7, 2020, the California AG dropped a new modified draft CCPA regulation.  Comments are due by February 24, 2020 at 5 PM Pacific Time.

Here are some notable changes:

(1) IP Addresses Can Somehow Escape from Being Personal Information 

New text of the regulation:

§ 999.302. Guidance Regarding the Interpretation of CCPA Definitions
(a) Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”

This last sentence about IP addresses was stricken in the new modified CCPA regulation of March 11.

Continue Reading