I have posted to SSRN a copy of my latest draft article, The Myth of the Privacy Paradox. It’s available for download for free.
Here’s the abstract:
The Myth of the Privacy Paradox
- SHARE:
-
-
-
-
Notable Changes in the Modified Draft CCPA Regulation
Updated on March 27, 2020 — The California AG came out with a modified modified draft of the CCPA regulation on March 11, 2020. Most notably, a few of the changes in the February 7 draft were walked back. I will discuss the details below.
On Friday, February 7, 2020, the California AG dropped a new modified draft CCPA regulation. Comments are due by February 24, 2020 at 5 PM Pacific Time.
Here are some notable changes:
(1) IP Addresses Can Somehow Escape from Being Personal Information
New text of the regulation:
§ 999.302. Guidance Regarding the Interpretation of CCPA Definitions
(a) Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
This last sentence about IP addresses was stricken in the new modified CCPA regulation of March 11.
- SHARE:
-
-
-
-
A Terrifying New Dimension of Ransomware
Ransomware has long been a scourge. Since at least 2012, ransomware has grown dramatically. Ransoms have increased — the average ransom payout is now more than $40,000. Organizations most hit are public sector, software services, professional services, and healthcare. Healthcare, in particular, is a soft target because of the need to get systems back and running quickly. According to a McAfee report, ransomware attacks more than doubled in 2019. An FBI warning from fall 2019 didn’t indicate an increase in the number of attacks but did show an increase in the targeting and severity of the attacks: “Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent. Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”
For a long time, a debate has raged about whether to pay the ransom. Some argue that the ransom should never be paid, but organizations facing the loss of their data might not have much of a choice. But if organizations back up their data, then they can they can avoid paying the ransoms and restore their data. But now there’s a new development in ransomware that is particularly troubling and that makes paying the ransoms a necessity even when data is backed up. Ransomware groups are now threatening to release an organization’s data online if the ransom isn’t paid.
This year, five law firms were hit with Maze Ransomware. Instead of just encrypting the data, the ransomware group exfiltrated it first and then posted a small amount of it online. The group threatened to post the remainder of the data online unless the ransom was paid. According to one article: “Recent reports have shown the hacking group behind Maze ransomware has been steadily posting the data of its victims online after the organizations fail to pay the ransom demand. A compiled list of victims shows the data of several healthcare organizations are included in those postings, despite a lack of public reporting of those incidents.”
- SHARE:
-
-
-
-
Cartoon: The History of Privacy
For Data Privacy Day, here’s a cartoon about the history of privacy. A constant stream of articles and books proclaim that privacy is dead. But people have been saying that privacy is dead for quite some time. This is either the longest death scene in history, or privacy isn’t dying.
- SHARE:
-
-
-
-
New Supplemental Materials for INFORMATION PRIVACY LAW Casebooks
I am pleased to announce that Professor Paul Schwartz and I have released new supplemental materials for our INFORMATION PRIVACY LAW casebooks:
(1) edited version of Carpenter v. US
(2) overview of the CCPA + state biometric privacy laws
- SHARE:
-
-
-
-
2019 Highlights in Privacy Training, Writing, Resources, and Humor
Here are some of highlights of my privacy training, writing, resources, and humor from 2019.
- SHARE:
-
-
-
-
Top 10 Privacy Law Developments of the Decade 2010-2019
It is an understatement to say that a lot has happened in privacy law during the past decade. Here is my list of the most notable developments.
NOTE: I am giving a particular emphasis to what I find to be notable from a United States perspective. What is notable privacy law depends upon where one is situated. For example, if one is from a small country, that country’s developments are quite notable even if not well-known on a worldwide stage.
- SHARE:
-
-
-
-
What Should Privacy Awareness Training Include?
Privacy awareness training educates an organization’s workforce about the way that the organization protects privacy and the workforce’s role in this endeavor. In this post, I explain what privacy awareness training should include. Privacy awareness training typically covers the following things:
- SHARE:
-
-
-
-
CCPA FAQ
I am pleased to announce my new CCPA FAQ that covers all the key details of the California Consumer Protection Act.
- SHARE:
-
-
-
-
Notable Privacy and Security Books 2019
Here are some notable books on privacy and security from 2019. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.
- SHARE:
-
-
-
-