In the annals of what must be one of the most ridiculous data security incidents, a law firm employee sent a client file on an unencrypted thumb drive in the mail. The file contained Social Security information and other financial data.
The envelope arrived without the USB drive. The firm contacted the post office.
What happened next is most bizarre. Here’s an excerpt from the law firm’s letter notifying the state attorney general:
Happy Halloween! I hope you enjoy this privacy cartoon about Halloween and Big Data.
This HIPAA cartoon involves the notice of privacy practices (NPP) under HIPAA. HIPAA has a set of detailed requirements for the NPP. See 45 CFR 164.520 for the text of HIPAA’s requirement for NPPs.
The biggest challenge regarding privacy notices is that hardly anyone actually reads the notice, and notices are often a chore to read.
There is a Hobson’s choice when it comes to such notices, whether under HIPAA or otherwise. As I wrote in Privacy Self-Management and the Consent Dilemma, 126 Harvard Law Review 1880 (2013): “[M]aking [notices] simple and easy to understand conflicts with fully informing people about the consequences of giving up data, which are quite complex if explained in sufficient detail to be meaningful. People need a deeper understanding and background to make informed choices.” Sadly, there’s no easy way to win on this one.
I am very excited to announce that my HIPAA training programs and short courses have received a complete update and new design.
Cybersecurity litigation is currently at a crossroads. Courts have struggled in these cases, coming out in wildly inconsistent ways about whether a data breach causes harm. Although the litigation landscape is uncertain, there are some near certainties about cybersecurity generally: There will be many data breaches, and they will be terrible and costly. We thus have seen the rise of cybersecurity insurance to address this emergent and troublesome risk vector.
I am delighted to be interviewing Kimberly Horn, who is the Global Focus Group Leader for Cyber Claims at Beazley. Kim has significant experience in data privacy and cyber security matters, including guiding insureds through immediate and comprehensive responses to data breaches and network intrusions. She also has extensive experience managing class action litigation, regulatory investigations, and PCI negotiations arising out of privacy breaches.
One of the biggest challenges for organizations is locating all the personal data they have. This task must be done, however, to comply with the General Data Protection Regulation (GDPR) and other privacy laws. Moreover, the GDPR and the new California Consumer Privacy Act provide that individuals have rights regarding their data. These rights often require that organizations must keep records of individual privacy preferences regarding their data.
I had the opportunity to interview Dimitri Sirota about these issues. Dimitri is the CEO and co-founder of one of the first enterprise privacy management platforms, BigID, and a privacy and identity expert.
The U.S. Supreme Court has been notoriously slow to tackle new technology. In 2002, Blackberry launched its first smart phone. On June 29, 2007, Steve Jobs announced the launch of the original Apple iPhone. But it took the Supreme Court until 2014 to decide a case involving the Fourth Amendment and smart phones – Riley v. California, 134 S.Ct. 2473 (2014). This past summer, the Supreme Court issued another opinion involving smart phones – Carpenter vs. United States, 138 S.Ct. 2206 (2018).
I am thrilled to have had the opportunity to interview Bart Huffman, a partner in Reed Smith’s global IP, Tech & Data Group, about the Supreme Court’s recent foray into smart phones.
This HIPAA cartoon involves confidentiality. There are countless cases of misdirected PHI that is emailed or faxed to the wrong people.
I recently created a new short course on HIPAA Confidentiality. You can learn more about it here.
In recent years, there have been tremendous advances in artificial intelligence (AI). These rapid technological advances are raising a myriad of ethical issues, and much work remains to be done in thinking through all of these ethical issues.
I am delighted to be interviewing Kurt Long about the topic of AI. Long is the creator and CEO of FairWarning, a cloud-based security provider that provides data protection and governance for electronic health records, Salesforce, Office 365, and many other cloud applications. Long has extensive experience with AI and has thought a lot about its ethical ramifications.
Blockchain is taking the world by storm. I am delighted to have the opportunity to interview Steve Shillingford, Founder and CEO of Anonyome Labs, a consumer privacy software company.
Steve was previously at Oracle and Novell, then was President of Solera Networks before founding Anonyome. Steve speaks and writes extensively on identity management, cybersecurity, privacy, and Big Data.