PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Data Vu: Why Breaches Involve the Same Stories Again and Again

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 27, 2022

Scientific American Article - Data Vu by Solove Hartzog

Woodrow Hartzog and I wrote a new article about data breaches called Data Vu: Why Breaches Involve the Same Stories Again and Again.” We discuss how data breaches involve the same old mistakes and how we must break the cycle. We begin:

In the classic comedy Groundhog Day, protagonist Phil, played by Bill Murray, asks “What would you do if you were stuck in one place and every day was exactly the same, and nothing that you did mattered?” In this movie, Phil is stuck reliving the same day over and over, where the events repeat in a continual loop, and nothing he does can stop them. Phil’s predicament sounds a lot like our cruel cycle with data breaches.

Every year, organizations suffer more data spills and attacks, with personal information being exposed and abused at alarming rates. While Phil eventually figured out how to break the loop, we’re still stuck: the same types of data breaches keep occurring with the same plot elements virtually unchanged.

Like Phil eventually managed to do, we must examine the recurring elements that allow data breaches to happen and try to learn from them. Common plotlines include human error, unnecessary data collection, consolidated storage and careless mistakes. Countless stories involve organizations that spent a ton of money on security and still ended up breached. Only when we learn from these recurring stories can we make headway in stopping the cycle.

Head over to Scientific American to read the rest of the article.

The article draws from some of the ideas in my book with Hartzog, Breached! Why Data Security Law Fails and How to Improve It (Oxford University Press, 2022).

Continue Reading

NBC Think Again Interview

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 27, 2022

 

NBC Think Again Interview
NBC Think Again did a short feature about my article, “I’ve Got Nothing to Hide and Other Misunderstandings of Privacy.”  In this interview we talk about what privacy really means and how little of it we actually have.

Click here to watch this interview, or watch it in the embedded video below.

Continue Reading

A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 22, 2022

A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law?

A federal comprehensive privacy law in the United States?  Can it really be true? Could this finally be the time it happens?

Eventually, maybe the lion really will lie down the lamb. Maybe the Loch Ness Monster will be located. Maybe Congress will finally join 150+ other countries around the world and pass a comprehensive privacy law. Maybe, just maybe . . .

The United States recently inched closer to this occurrence. I see hope breaking out all over the Twitterverse. The American Data Privacy and Protection Act (ADPPA) advanced out of Committee.  This is still an early round in the Squid Game of making a law in this country, but this law might have what it takes. It could go all the way.

I’ve learned not to put too much faith in Congress. I am not going to be Charlie Brown with the football. Back around 2005, after the ChoicePoint data breach, as states all started eyeing California’s breach notification law with envy and started to craft laws of their own, I thought for sure Congress would pass a federal data breach notification law.

But I was wrong. Congress failed. Breach notification was an easy issue for Congress to address – far easier than a comprehensive privacy law which is swamped with a multitude of complicated issues. But maybe this is the time. After all, in the movies the hapless underdog somehow finds a way to win. Sometimes, life imitates the movies, and we all need a feel-good story during these dark summer days.

Grading the ADPPA: Is it Any Good?

ADPPA

The ADPPA bill itself isn’t too bad. In my view, Congress is generally a D student when writing laws, and the ADPPA is a B+.

Continue Reading

Lawsuits for Wrongful Data Collection – Biometric Data and Beyond: An Interview with Katherine Heaton and Amanda Thai

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 13, 2022

Lawsuits for Wrongful Data Collection

Powered by recent privacy laws, lawsuits for wrongful data collection have been rapidly increasing. The result is a growing body of caselaw, many unanswered questions, and a new landscape for companies to navigate.

I recently had the opportunity to discuss the expanding number of wrongful collection lawsuits with several experts at Beazley. Based in Denver, Katherine Heaton is the Focus Group Leader for Cyber Services and InfoSec at Beazley. Amanda Thai is a Cyber TPL Specialist in Beazley’s New York office.

Continue Reading

Cartoon – Phishing Emails

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 11, 2022

Cartoon Phishing Email - TeachPrivacy Data Security Training 02 small

This cartoon involves a common phishing scam – the inheritance email. For decades, phishers have been sending out the same email scams. One would think that after a while, people would learn about the common scams, and they wouldn’t work anymore. Unfortunately, people keep falling for the same scams over and over again.  Even a very low response rate still works for hackers because they send out their email messages so widely.

Continue Reading

Webinar – Privacy and Innovation: Strategies for Privacy Analyses of New Technologies

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 10, 2022

If you couldn’t make it to my webinar to discuss privacy and innovation, you can watch the replay here.   David Keating (Alston & Bird), Ashley Massengale (Porsche) and Nameir Abbas (Okta), and I discussed practical approaches and tips for assessments of new technologies under privacy regulatory standards.

Button Watch Video 01

Continue Reading

Webinar: Cross-Border Data Transfers: What’s Next?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 27, 2022

Webinar Cross-Border Data Transfers 03

 

If you couldn’t make my webinar to discuss cross-border data transfers, you can watch the replay here. Justin Antonipillai of Wirewheel, Josh Harris of BBB National Programs and I discussed the new framework between the US and the EU for cross-border data transfers as well as the CBPRs.  We also discussed steps that companies should take today and what to expect in the future.

Button Watch Video 01

 

 

Continue Reading

The Best Books About Privacy

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 17, 2022

Best Privacy Books

I was invited by Shepherd to list my recommendations for the 5 best books about privacy. Shepherd is a site that posts lists of best books recommended by experts about various topics. It has excellent lists.

I was delighted to have the chance to share my admiration for superb books by Woodrow Hartzog, Danielle Citron, Neil Richards, Anita Allen, and Ari Waldman. There are many other excellent books about privacy, but I was asked to list just 5, so I had to exclude many other very worthy works.

Best Privacy Books 02

Best Privacy Books Covers

At my list of best privacy books at Shepherd, I describe how I became interested in the privacy field, and I provide short explanations for why I chose each book.

Continue Reading

Key Quotes from BREACHED!

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 16, 2022

Breached - Solove and Hartzog 11

Professor Woodrow Hartzog and I selected some key quotes from our new book, BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT (Oxford University Press 2022).

The Law’s Obsessive and Unproductive Focus on Data Breaches

“Too much of the current law of data security places the breach at the center of everything. Turning data security law into the “law of breaches” has the effect of over-emphasizing the conduct of the breached entities while ignoring the other actors and factors that contributed to the breach.” (p. 11)

“Data security law has an unhealthy obsession with data breaches. This obsession has, ironically, been the primary reason why the law has failed to stop the deluge of data breaches. The more obsessed with breaches the law has become, the more the law has failed to deal with them.” (p. 39)

“Breaches are already very costly and painful, so when regulators come along and add a little more to the pain, it often is not a game changer. This is especially true because the penalties are often far smaller than the overall costs of the breach.” (p. 55)

Data Security Is a Delicate Balance

“Current data security rules fail to address risk effectively. In many circumstances, the law penalizes breaches with little regard to considerations of risk and balance. Other times, the law levies no penalty against organizations even though their actions created enormous unwarranted risks.” (p. 12)

Continue Reading