News, Developments, and Insights

high-tech technology background with eyes on computer display

The Three General Approaches to Privacy Regulation

Three Approaches to Privacy Law

These days, the debate about a federal comprehensive privacy law is buzzing louder than ever before. A number of bills are floating around Congress, and there are many proposals for privacy legislation by various groups, organizations, and companies.  As proposals to regulate privacy are debated, it is helpful to distinguish between three general approaches to regulating privacy:

  1. Privacy Self-Management
  2. Governance and Documentation
  3. Use Regulation

Most privacy laws rely predominantly on one of these approaches, with some laws drawing from two or even all of them.

Each approach has various strengths and weaknesses.  To be successful, a privacy law must use all three approaches. Many laws could be strengthened greatly if they used more of the third approach that I will outline below.

Continue Reading

Video- Challenges of Privacy Notices, Schrems II, and Other Privacy Issues – A Conversation with Daniel Solove, Justin Antonipillai, and Andy Dale

Video Solove Antonipillai Dale

In this video, Daniel Solove (TeachPrivacy, GW Law), Justin Antonipillai (Wirewheel), and Andy Dale (Alyce) discuss the challenge of writing privacy notices, Schrems II, and other privacy issues.

Continue Reading

How Cyberinsurance Is Responding to Ransomware: An Interview with Ken Suh, Mark Singer, and Marcello Antonucci

Ransomware has long been a scourge, and it has been growing into a pandemic with no signs of slowing down. I recently had the opportunity to discuss ransomware with several experts at Beazley. Based in Chicago, Ken Suh is the focus group leader for cyber & tech claims at Beazley. Mark Singer is a cyber & tech claims manager based in Beazley’s London office. Marcello Antonucci is based in New York and is a global cyber & tech claims team leader at Beazley.


Continue Reading

What Are the Requirements for HIPAA Training?

HIPAA Training Requirements - TeachPrivacy 01

HIPAA training is an specific requirement of HIPAA. HIPAA requires that covered entities (CEs) and business associates (BAs) provide HIPAA training to members of their workforce who handle protected health information (PHI).  This means administrative and clinical personnel need to be trained.  Business associates — and any of their subcontractors — must have training.  Basically, anyone who comes into contact with PHI must be trained.

HIPAA’s Privacy Rule and HIPAA’s Security Rule both have separate training requirements.  Generally, HIPAA’s training requirements in both rules are rather sparse — not a lot of guidance is provided.

The HIPAA Privacy Rule, at 45 CFR § 164.530(b)(1), says that training must be “as necessary and appropriate for the members of the workforce to carry out their functions.” HIPAA thus doesn’t require that everyone be trained in the same way.  It is also important to note that HIPAA training doesn’t mean training to make trainees experts on HIPAA. In fact, HIPAA doesn’t even state that trainees learn about HIPAA itself; instead, they must learn about how to carry out their organization’s obligations under HIPAA.

The Privacy Rule doesn’t provide much further guidance on the specific topics that should be covered.

Continue Reading