PRIVACY + SECURITY BLOG

News, Developments, and Insights


A Terrifying New Dimension of Ransomware

Ransomware

Ransomware has long been a scourge. Since at least 2012, ransomware has grown dramatically. Ransoms have increased — the average ransom payout is now more than $40,000.   Organizations most hit are public sector, software services, professional services, and healthcare.  Healthcare, in particular, is a soft target because of the need to get systems back and running quickly. According to a McAfee report, ransomware attacks more than doubled in 2019.  An FBI warning from fall 2019 didn’t indicate an increase in the number of attacks but did show an increase in the targeting and severity of the attacks: “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”

For a long time, a debate has raged about whether to pay the ransom. Some argue that the ransom should never be paid, but organizations facing the loss of their data might not have much of a choice. But if organizations back up their data, then they can avoid paying the ransoms and restore their data. But now there’s a new development in ransomware that is particularly troubling and that makes paying the ransoms a necessity even when data is backed up. Ransomware groups are now threatening to release an organization’s data online if the ransom isn’t paid.

This year, five law firms were hit with Maze Ransomware. Instead of just encrypting the data, the ransomware group exfiltrated it first and then posted a small amount of it online. The group threatened to post the remainder of the data online unless the ransom was paid. According to one article: “Recent reports have shown the hacking group behind Maze ransomware has been steadily posting the data of its victims online after the organizations fail to pay the ransom demand. A compiled list of victims shows the data of several healthcare organizations are included in those postings, despite a lack of public reporting of those incidents.”


Cartoon: The History of Privacy


For Data Privacy Day, here’s a cartoon about the history of privacy.  A constant stream of articles and books proclaim that privacy is dead. But people have been saying that privacy is dead for quite some time. This is either the longest death scene in history, or privacy isn’t dying.


New Supplemental Materials for INFORMATION PRIVACY LAW Casebooks


I am pleased to announce that Professor Paul Schwartz and I have released new supplemental materials for our INFORMATION PRIVACY LAW casebooks:

(1) edited version of Carpenter v. US

(2) overview of the CCPA + state biometric privacy laws


Top 10 Privacy Law Developments of the Decade 2010-2019


It is an understatement to say that a lot has happened in privacy law during the past decade. Here is my list of the most notable developments.

NOTE: I am giving a particular emphasis to what I find to be notable from a United States perspective.  What is notable privacy law depends upon where one is situated.  For example, if one is from a small country, that country’s developments are quite notable even if not well-known on a worldwide stage.


What Should Privacy Awareness Training Include?


Privacy awareness training educates an organization’s workforce about the way that the organization protects privacy and the workforce’s role in this endeavor. In this post, I explain what privacy awareness training should include. Privacy awareness training typically covers the following things:


Notable Privacy and Security Books 2019

Here are some notable books on privacy and security from 2019. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.


Cartoon: Facial Recognition


Facial recognition technology involves using algorithms to identify people based on their faces. Distinctive details about people’s faces are compiled into “face templates,” which are then stored in a database and used to find facial matches.

Facial recognition is quickly being deployed by many companies for various purposes, such as authenticating identity (unlocking smart phones) and identifying people in photos.  Other uses include using the data to track people’s location and behavior.  Facial recognition technology also can detect people’s emotions – an ability that could be used to manipulate people.


An Open Letter to Law School Deans about Privacy Law Education in Law Schools

Privacy Law in Law Schools

UPDATE: A follow-up letter was sent to all U.S. law school deans in 2023.  Read more about the follow-up letter here

Recently a group of legal academics and practitioners in the field of privacy law sent a letter to the deans of all U.S. law schools about privacy law education in law schools.  My own brief intro about this endeavor is here in italics, followed by the letter. The signatories to the letter have signed onto the letter, not this italicized intro.

Although the field of privacy law has grown dramatically in the past two decades, education in law schools about privacy law has significantly lagged behind. Most U.S. law schools lack a course on privacy law. Of those that have courses, many are small seminars, often taught by adjuncts. Of the law schools that do have a privacy course, most often just have one course. Most schools lack a full-time faculty member who focuses substantially on privacy law.

This state of affairs is a great detriment to students.  I am constantly approached by students and graduates from law schools across the country who are wondering how they can learn about privacy law and enter the field. Many express great disappointment at the lack of any courses, faculty, or activities at their schools.
