PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

GDPR: Days Away Yet Miles to Go

GDPR Compliance - TeachPrivacy GDPR Training 01

May 25, 2018 is just around the corner.  That’s the date when GDPR enforcement starts.  Many organizations are scrambling to address GDPR compliance. But many still don’t even know what GDPR is.  A recent survey [link no longer available] conducted of EU citizens and EU companies reveals some interesting details about GDPR preparation and compliance on the other side of the pond.  For EU consumers, 90% believe that the GDPR is “good for consumers.”

GDPR compliance efforts by companies in the EU remain rather limited.  And I’m putting it nicely.  The survey reveals a rather low amount of knowledge about the GDPR and not enough preparation:

GDPR Survey 01

 

Continue Reading

The Cambridge Handbook of Consumer Privacy

Cambridge Guide to Consumer Privacy - Selinger Polonetsky Tene 03

Evan Seligner, Jules Polonetsky, and Omer Tene have just published a terrific edited volume of essays called The Cambridge Handbook of Consumer PrivacyThis is a truly impressive collection of writings by a wide array of authors from academia and practice. There’s a robust diversity of viewpoints on wide-ranging and cutting-edge issues.  The book has a hefty price tag, but it is a terrific resource.    

Cambridge Guide to Consumer Privacy - Selinger Polonetsky Tene 02

I have a blurb on the back of the book. This is what I wrote:

The Cambridge Handbook of Consumer Privacy is a magnificent collection of essays – each one short, engaging, and thought-provoking. The broad range of topics covers the most important and vital issues in consumer privacy, and these essays will be relevant for years to come. The authors are a superb assembly of the leading scholars and practitioners from diverse fields and perspectives. This book is a true feast of ideas.

Below is the table of contents.  I found a few of these essays on SSRN, where they are available for free, and I am linking to the ones I found.Continue Reading

Cartoon: Dark Web

Cartoon Dark Web - TeachPrivacy Security Training 03 medium

I hope you enjoy my latest cartoon about passwords on the Dark Web.  These days, it seems, login credentials and other personal data are routinely stocking the shelves of the Dark Web.  Last year, a hacker was peddling 117 million LinkedIn user email and passwords. And, late last year, researchers found a file with 1.4 billion passwords for sale on the Dark Web. Hackers will have happy shopping for a long time.

Continue Reading

Should Privacy Law Regulate Technological Design? An Interview with Woodrow Hartzog

Blueprint Privacy 03

Hot off the press is Professor Woodrow Hartzog’s new book, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard Univ. Press 2018). This is a fascinating and engaging book about a very important and controversial topic: Should privacy law regulate technological design?

Continue Reading

In re Zappos: The 9th Circuit Recognizes Data Breach Harm

Data Breach Harm and Standing: Increased Risk of Future Harm

In In re Zappos.com, Inc., Customer Data Security Breach Litigation (9th Cir., Mar. 8, 2018), the U.S. Court of Appeals for the 9th Circuit issued a decision that represents a more expansive way to understand data security harm.  The case arises out of a breach where hackers stole personal data on 24 million+ individuals.  Although some plaintiffs alleged they suffered identity theft as a result of the breach, other plaintiffs did not.  The district court held that the plaintiffs that hadn’t yet suffered an identity theft lacked standing.

Standing is a requirement in federal court that plaintiffs must allege that they have suffered an “injury in fact” — an injury that is concrete, particularized, and actual or imminent.  If plaintiffs lack standing, their case is dismissed and can’t proceed.  For a long time, most litigation arising out of data breaches was dismissed for lack of standing because courts held that plaintiffs whose data was compromised in a breach didn’t suffer any harm.  Clapper v. Amnesty International USA, 568 U.S. 398 (2013).  In that case,  the Supreme Court held that the plaintiffs couldn’t prove for certain that they were under surveillance.  The Court concluded that the plaintiffs were merely speculating about future possible harm.

Early on, most courts rejected standing in data breach cases.  A few courts resisted this trend, including the 9th Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).  There, the court held that an increased future risk of harm could be sufficient to establish standing.

Continue Reading

Breach Notification Laws Now in All 50 States

Data Breach Notification - TeachPrivacy Security Training

Recently, South Dakota and Alabama passed data breach notification laws.  These were the last two states to pass such laws, and now all 50 states have breach notification laws.  There’s also a federal breach notification requirement under HIPAA (passed with the HITECH Act of 2009).

In 2003, California passed the first data breach notification law.  The law didn’t get a lot of attention until the ChoicePoint data breach was announced in 2005.  That breach attracted national media attention largely because people started receiving notification letters in the mail.  Other states started to follow California’s lead, passing their own breach notification laws.  Now, just 15 years later, a milestone has been reached with all 50 states having breach notification laws.   Washington, DC also has a breach notification law.

There still is no omnibus federal breach notification statute — just the requirement for health data (protected health information) under HIPAA.  Other countries have started to jump on the notification bandwagon.  Canada will have a breach notification requirement starting on November 1, 2018.  In the EU, the GDPR has a breach notification requirement.

I have mixed feelings about breach notification laws.  On the pro side, they have shed a lot of light on data breaches, which used to remain hushed up.  The bright light has shown us just how woeful the state of data security is.  Individuals have learned a lot from the process as well, including how often their data is affected.

But on the con side, breach notification laws are a great expense to comply with, amounting to a de facto strict liability fine on organizations that suffer a breach.  The expense is the same no matter whether a company was careful, negligent, or even reckless with regard to its data security.  But the most problematic thing about breach notification laws is that they have put so much focus on breach response when so many other dimensions of data security are being neglected.  Many policymakers have looked to breach notification as the primary policy response to the problem of data security, but breach notification alone is far from a solution.

Professor Woodrow Hartzog and I are currently working on a book that will explore these issues, so please stay tuned.

Continue Reading

Cartoon: GDPR Compliance

Cartoon GDPR Compliance - TeachPrivacy GDPR Training 02 medium

Organizations are racing to get ready for the GDPR implementation date of May 25, 2018.  Complete GDPR compliance in a few months is likely not feasible for many organizations, but this shouldn’t mean that these organizations should give up.  Making a good-faith effort and continuing to strive to improve are quite worthwhile.

Continue Reading

HIPAA Whiteboard and HIPAA Interactive Whiteboard

HIPAA Whiteboard

Recently, I created two new HIPAA training resources.

HIPAA Whiteboard

I created a 1-page visual summary of HIPAA, which I call the HIPAA WhiteboardThe idea was to summarize HIPAA in a concise and visually-engaging way.  You can download a PDF handout version here.  We’ve been licensing it to many organizations for training and awareness purposes.

HIPAA Whiteboard - TeachPrivacy HIPAA Training

HIPAA Interactive Whiteboard

I subsequently created a new training module — an interactive version of the HIPAA Whiteboard — the HIPAA Interactive Whiteboard When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way.  Trainees can learn at their own pace.  This program is designed to be very short — it is about 5 minutes long.

It can readily be used on internal websites to raise awareness and teach basic information about HIPAA.  It can also be used in learning management systems.

HIPAA Whiteboard Interactive - TeachPrivacy HIPAA Training

HIPAA Whiteboard Interactive - TeachPrivacy HIPAA Training

Continue Reading

GDPR Whiteboard and GDPR Interactive Whiteboard

GDPR Whiteboard - TeachPrivacy GDPR Training

Recently, I created two new GDPR training resources.

GDPR Whiteboard

I created a 1-page visual summary of the GDPR, which I call the GDPR WhiteboardThe idea was to capture the key points of the General Data Protection Regulation (GDPR) in a succinct and visually-engaging way.  It has become quite popular, receiving thousands of downloads.  You can download a PDF handout version here.  We’ve been licensing it to many organizations for training and awareness purposes.

GDPR Whiteboard - TeachPrivacy Privacy Awareness Training 02 small

GDPR Interactive Whiteboard

I subsequently created a new training module — an interactive version of the GDPR Whiteboard – the GDPR Interactive Whiteboard.  When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way.  Trainees can learn at their own pace.  This program is designed to be very short — it is about 5 minutes long.

It can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in learning management systems.

GDPR Whiteboard Interactive - TeachPrivacy GDPR Training

GDPR Whiteboard Interactive - TeachPrivacy GDPR Training

Continue Reading

Risk and Anxiety: A Theory of Data Breach Harms

Risk and Anxiety Theory of Data Breach Harms

My new article was just published: Risk and Anxiety: A Theory of Data Breach Harms,  96 Texas Law Review 737 (2018).  I co-authored the piece with Professor Danielle Keats Citron.  We argue that the issue of harm needs a serious rethinking. Courts are too quick to conclude that data breaches don’t create harm.  There are two key dimensions to data breach harm — risk and anxiety — both of which have been an area of struggle for courts.

Many courts find that anything involving risk is too difficult to measure and not concrete enough to constitute actual injury. Yet, outside of the world of the judiciary, other fields and industries have recognized risk as something concrete. Today, risk is readily quantified, addressed, and factored into countless decisions of great importance. As we note in the article: “Ironically, the very companies being sued for data breaches make high-stakes decisions about cyber security based upon an analysis of risk.” Despite the challenges of addressing risk, courts in other areas of law have done just that. These bodies of law are oddly ignored in data breach cases.

When it comes to anxiety — the emotional distress people might feel based upon a breach — courts often quickly dismiss it by noting that emotional distress alone is too vague and unsupportable in proof to be recognized as harm. Yet in other areas of law, emotional distress alone is sufficient to establish harm. In many cases, this fact is so well-settled that harm is rarely an issue in dispute.

We aim to provide greater coherence to this troubled body of law.   We work our way through a series of examples — various types of data breach — and discuss whether harm should be recognized. We don’t think harm should be recognized in all instances, but there are many situations where we would find harm where the majority of courts today would not.

The article can be downloaded for free on SSRN.

Here’s the abstract:

Continue Reading