Recently, the U.S. Court of Appeals for the 9th Circuit issued a decision with profound implications for consumer privacy protection law. In FTC v. AT&T Mobility (9th Cir. Aug. 29, 2016), a 3-judge panel of the 9th Circuit held that the Federal Trade Commission (FTC) lacks jurisdiction over companies that engage in common carrier activity. The result is that there is now a gaping hole in consumer privacy protection law.
I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy. More work gets thrown onto the shoulders of under-resourced privacy departments.
It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization. Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018. It’s never too early for organizations to start preparing. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases. For more information, see the FAQ page I created about the GDPR and privacy awareness training.
Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take. Privacy office budgets and sizes should be going up by a lot these days.
Contracting with cloud service providers has long been a world shrouded in fog. Across various organizations, cloud service agreements (CSAs) are all over the place, and often many people entering into these contracts have no idea what provisions they should have to protect their data.
I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework. Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US. Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.
A recent article in Wired argues that it is time to kill password recovery questions. Password recovery questions are those questions that you set up in case you forget your password. Common questions are:
In what city were you born?
What is your mother’s maiden name?
Where did you go to high school?
HIPAA is famously impenetrable, with so many special terms and definitions. I wrote this cartoon to capture the wonderful world of HIPAA jargon, which I hope fellow lovers of HIPAA can appreciate.
I have another HIPAA cartoon here.
Here’s a cartoon I created. It involves several Fair Information Practice Principles (FIPPs) and privacy best practices. The ones involved (and not heeded) in this cartoon are doing a data inventory, informing people about the purposes of the collection of their data, using data for only those purposes, and not keeping data longer than necessary to accomplish those purposes.
For many organizations, there is a lot of data collected that gets stored and forgotten, or that is collected with no apparent purpose in mind. Data inventories are a great way to take stock of this data and determine whether it is really necessary and appropriate to keep it.
I have good news and bad news about ransomware. First, the good news — here’s a cartoon I created. I hope you enjoy it, because that’s the only good news i have. Now, for the bad news . . .
Everyone seems to be afraid of ransomware these days, but is the fear justified? Is ransomware more about hype than harm? Unfortunately, a recent study of international companies conducted by Malwarebytes provides some startling statistics to back up the fears. According to the study, 40% of companies worldwide and more than 50% of the US companies surveyed experienced a ransomware incident in the last year.
The stakes are very high — 3.5% of companies surveyed even indicated that lives were also at stake which was exemplified by a recent attack in Marin, California where doctors lost access to patient records for over 10 days.
In a Seinfeld episode called “The Package” from 1996 (click here to see the scene), airing just months after HIPAA was passed, Elaine goes to see a doctor for a rash.
Fellowships can be a great way to kick start a career in privacy law. I have added new fellowships the list I published in February 2016, as well as updated deadlines and other relevant information. Click here to see the fully updated list of privacy fellowships. If you know of others I should add, please email me.