On September 19, 2023, I am speaking at the European Union Agency for Law Enforcement Cooperation (EUROPOL) event, Whispers of Contrast (Madrid, Spain). The topic of my talk will be “Nothing to Hide – Nothing to Fear?” and will be based on my book, Nothing to Hide: The False Tradeoff Between Privacy and Security. You can buy the book on Amazon, or download the complete electronic version for free on SSRN.
In case you missed my interview with New York Times reporter Kashmir Hill, you can watch the replay here. We discussed her new book, Your Face Belongs to US: A Secretive Startup’s Quest to End Privacy as We Know It (Sept. 19, 2023).
Although a U.S. federal privacy law remains elusive, U.S. states have been busily passing new laws. The laws have many similarities, but there are some notable differences. California and Colorado have issued new regulations, some provisions of which strengthen components of the laws. I expect other states to join in the party soon.
I will be holding a Webinar on U.S. State Privacy Law Developments tomorrow (Tues, Aug. 29, 2023 at 2 PM ET) with Libbie Canter (Covington) to discuss these laws. Click here to register now for this free webinar!
I have created some related resources and training materials that might be useful:
I’ll be speaking at Berkeley Law’s 16th Annual BCLT Privacy Lecture on 9/22 about Murky Consent: An Approach to the Fictions of Consent in Privacy Law with commenters, Ari Ezra Waldman (Professor, UC Irvine School of Law), Rebecca Wexler (Professor, UC Berkeley School of Law), and Ella Corren (JSD, UC Berkeley School of Law).
Before the pandemic, which seems like eons ago, I spearheaded a group of legal academics and practitioners in the field of privacy law who sent a letter to the deans of all U.S. law schools about privacy law education. The pandemic occurred not too long after our letter, and deans had many other things to worry about during that time.
The time is right to send a follow up letter about why law schools should increase and improve their privacy law faculty and curriculum. So, I am emailing the letter below to all U.S. law school deans.
You can see a PDF of the letter here.
* * * *
A New Open Letter to Law School Deans
about Privacy Law Scholars and Curriculum
August 1, 2023
We are writing to you and other law school deans to urge you to prioritize offering more courses and hiring more faculty in the information privacy law field.
We previously wrote an open letter to you before the pandemic, and we wish to send you another letter now because recent developments have strengthened our contentions below.
We call on you to consider taking one or more of the following actions:
- Hire more faculty members who focus their work and teaching on privacy law and technology issues.
- Add courses to the curriculum to cover privacy law issues.
Back by popular demand, it’s another installment of the funniest hacker stock photos. Because I create security awareness training (and HIPAA security training too), I’m always in the hunt for hacker photos.
Hacker techniques have evolved over the years, and so have hacker stock photos. Now, many of them are created by AI. Whether created by humans or machines, they are generally quite ridiculous.
If you’re interested in the previous posts in this series see:
The Funniest Hacker Stock Photos 4.0
The Funniest Hacker Stock Photos 3.0
The Funniest Hacker Stock Photos 2.0
The Funniest Hacker Stock Photos 1.0
Hacker Stock Photo #1
I have no way to explain this one except that it is Barbie marketing gone wrong.
Hacker Stock Photo #2
Neon masks are the new “in” thing for hacking these days.
Hacker Stock Photo #3
This one was AI generated. I guess AI think that people need to be wired into something in order to work. Also, the AI thinks that there’s no need for eyes when hacking.
Data breaches and privacy violations have long been thought of as different things, but actually, there is a lot of overlap.
Two recent FTC cases address this issue. These cases involve the Health Breach Notification Rule, 16 CFR Part 318, which covers health data breaches beyond HIPAA. The Rule had long existed, but the FTC only started enforcing it in 2021 (see the FTC’s announcement here). Under the Rule, a “breach of security” is defined as “acquisition of [PHR identifiable health information] without the authorization of the individual.” Unlike the FTC Act Section 5, which has no monetary penalties (unless a consent decree is violated), the Health Breach Notification Rule carries fines of more than $50,000 per violation.
In its enforcement of the Rule, the FTC has claimed that privacy violations are data breaches that should have been reported under the Rule.
- In In Re GoodRx Holdings, Inc., (FTC 2023) the FTC claimed that GoodRx shared health data with advertisers, contradicting its privacy notice that stated it didn’t share such data with third parties. This is traditionally a privacy violation — a classic broken promises case. But the FTC contended that this was a data breach because the third parties obtained the data without the proper authorization. The FTC imposed a $1.5 million penalty for violating the Rule.
- In another case from this year, In re Easy Healthcare Corp., (FTC 2023), a fertility app called Premom shared user health data with third parties in violation of its privacy notice. The FTC asserted that this was a data breach that should have been reported under the Health Breach Notification Rule.
These cases are quite notable, and they go far beyond the Health Breach Notification Rule. As I have been arguing for years, privacy and cybersecurity are quite interrelated and should not be understood as the often-siloed separate domains that they are today. Data breaches need not be caused by hackers breaking in or when data is leaked or lost. They can occur even when a company intentionally shares data improperly — a common privacy violation.