PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

FERPA Whiteboard and FERPA Interactive Whiteboard

FERPA Whiteboard - TeachPrivacy FERPA Training

Recently, I created two new FERPA training resources.

FERPA Whiteboard

I created a 1-page visual summary of FERPA, which I call the FERPA WhiteboardThe idea was to summarize HIPAA in a concise and visually-engaging way.  You can download a PDF handout version here.  We’ve been licensing it to many organizations for training and awareness purposes.

FERPA Interactive Whiteboard

I subsequently created a new training module — an interactive version of the FERPA Whiteboard — the FERPA Interactive Whiteboard When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way.  Trainees can learn at their own pace.  This program is designed to be very short — it is about 5 minutes long.

It can readily be used on internal websites to raise awareness and teach basic information about FERPA.  It can also be used in learning management systems.

Continue Reading

Artificial Intelligence, Big Data, and Humanity’s Future: An Interview with Evan Selinger

Re engineering Humanity

Recently published by Cambridge University Press, Re-Engineering Humanity explores how artificial intelligence, automated decisionmaking, the increasing use of Big Data are shaping the future of humanity. This excellent interdisciplinary book is co-authored by Professors Evan Selinger and Brett Frischmann, and it critically examines three interrelated questions. Under what circumstances can using technology make us more like simple machines than actualized human beings? Why does the diminution of our human potential matter? What will it take to build a high-tech future that human beings can flourish in?  This is a book that will make you think about technology in a new and provocative way.

Continue Reading

Cartoon: GDPR Experts

Cartoon GDPR Experts - TeachPrivacy GDPR Training 02 medium

This cartoon makes fun of the fact that these days, there seem to be so many GDPR experts.  There are, indeed, many experts who know a lot about GDPR.  The problem is that there are a lot more “experts” out there who know only a little about GDPR.

Continue Reading

GDPR: Days Away Yet Miles to Go

GDPR Compliance - TeachPrivacy GDPR Training 01

May 25, 2018 is just around the corner.  That’s the date when GDPR enforcement starts.  Many organizations are scrambling to address GDPR compliance. But many still don’t even know what GDPR is.  A recent survey [link no longer available] conducted of EU citizens and EU companies reveals some interesting details about GDPR preparation and compliance on the other side of the pond.  For EU consumers, 90% believe that the GDPR is “good for consumers.”

GDPR compliance efforts by companies in the EU remain rather limited.  And I’m putting it nicely.  The survey reveals a rather low amount of knowledge about the GDPR and not enough preparation:

GDPR Survey 01

 

Continue Reading

Cartoon: Dark Web

Cartoon Dark Web - TeachPrivacy Security Training 03 medium

I hope you enjoy my latest cartoon about passwords on the Dark Web.  These days, it seems, login credentials and other personal data are routinely stocking the shelves of the Dark Web.  Last year, a hacker was peddling 117 million LinkedIn user email and passwords. And, late last year, researchers found a file with 1.4 billion passwords for sale on the Dark Web. Hackers will have happy shopping for a long time.

Continue Reading

The Cambridge Handbook of Consumer Privacy

Cambridge Guide to Consumer Privacy - Selinger Polonetsky Tene 03

Evan Seligner, Jules Polonetsky, and Omer Tene have just published a terrific edited volume of essays called The Cambridge Handbook of Consumer PrivacyThis is a truly impressive collection of writings by a wide array of authors from academia and practice. There’s a robust diversity of viewpoints on wide-ranging and cutting-edge issues.  The book has a hefty price tag, but it is a terrific resource.    

Cambridge Guide to Consumer Privacy - Selinger Polonetsky Tene 02

I have a blurb on the back of the book. This is what I wrote:

The Cambridge Handbook of Consumer Privacy is a magnificent collection of essays – each one short, engaging, and thought-provoking. The broad range of topics covers the most important and vital issues in consumer privacy, and these essays will be relevant for years to come. The authors are a superb assembly of the leading scholars and practitioners from diverse fields and perspectives. This book is a true feast of ideas.

Below is the table of contents.  I found a few of these essays on SSRN, where they are available for free, and I am linking to the ones I found.Continue Reading

Should Privacy Law Regulate Technological Design? An Interview with Woodrow Hartzog

Blueprint Privacy 03

Hot off the press is Professor Woodrow Hartzog’s new book, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard Univ. Press 2018). This is a fascinating and engaging book about a very important and controversial topic: Should privacy law regulate technological design?

Continue Reading

In re Zappos: The 9th Circuit Recognizes Data Breach Harm

Data Breach Harm and Standing: Increased Risk of Future Harm

In In re Zappos.com, Inc., Customer Data Security Breach Litigation (9th Cir., Mar. 8, 2018), the U.S. Court of Appeals for the 9th Circuit issued a decision that represents a more expansive way to understand data security harm.  The case arises out of a breach where hackers stole personal data on 24 million+ individuals.  Although some plaintiffs alleged they suffered identity theft as a result of the breach, other plaintiffs did not.  The district court held that the plaintiffs that hadn’t yet suffered an identity theft lacked standing.

Standing is a requirement in federal court that plaintiffs must allege that they have suffered an “injury in fact” — an injury that is concrete, particularized, and actual or imminent.  If plaintiffs lack standing, their case is dismissed and can’t proceed.  For a long time, most litigation arising out of data breaches was dismissed for lack of standing because courts held that plaintiffs whose data was compromised in a breach didn’t suffer any harm.  Clapper v. Amnesty International USA, 568 U.S. 398 (2013).  In that case,  the Supreme Court held that the plaintiffs couldn’t prove for certain that they were under surveillance.  The Court concluded that the plaintiffs were merely speculating about future possible harm.

Early on, most courts rejected standing in data breach cases.  A few courts resisted this trend, including the 9th Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).  There, the court held that an increased future risk of harm could be sufficient to establish standing.

Continue Reading

Breach Notification Laws Now in All 50 States

Data Breach Notification - TeachPrivacy Security Training

Recently, South Dakota and Alabama passed data breach notification laws.  These were the last two states to pass such laws, and now all 50 states have breach notification laws.  There’s also a federal breach notification requirement under HIPAA (passed with the HITECH Act of 2009).

In 2003, California passed the first data breach notification law.  The law didn’t get a lot of attention until the ChoicePoint data breach was announced in 2005.  That breach attracted national media attention largely because people started receiving notification letters in the mail.  Other states started to follow California’s lead, passing their own breach notification laws.  Now, just 15 years later, a milestone has been reached with all 50 states having breach notification laws.   Washington, DC also has a breach notification law.

There still is no omnibus federal breach notification statute — just the requirement for health data (protected health information) under HIPAA.  Other countries have started to jump on the notification bandwagon.  Canada will have a breach notification requirement starting on November 1, 2018.  In the EU, the GDPR has a breach notification requirement.

I have mixed feelings about breach notification laws.  On the pro side, they have shed a lot of light on data breaches, which used to remain hushed up.  The bright light has shown us just how woeful the state of data security is.  Individuals have learned a lot from the process as well, including how often their data is affected.

But on the con side, breach notification laws are a great expense to comply with, amounting to a de facto strict liability fine on organizations that suffer a breach.  The expense is the same no matter whether a company was careful, negligent, or even reckless with regard to its data security.  But the most problematic thing about breach notification laws is that they have put so much focus on breach response when so many other dimensions of data security are being neglected.  Many policymakers have looked to breach notification as the primary policy response to the problem of data security, but breach notification alone is far from a solution.

Professor Woodrow Hartzog and I are currently working on a book that will explore these issues, so please stay tuned.

Continue Reading

Cartoon: GDPR Compliance

Cartoon GDPR Compliance - TeachPrivacy GDPR Training 02 medium

Organizations are racing to get ready for the GDPR implementation date of May 25, 2018.  Complete GDPR compliance in a few months is likely not feasible for many organizations, but this shouldn’t mean that these organizations should give up.  Making a good-faith effort and continuing to strive to improve are quite worthwhile.

Continue Reading