What laws require security awareness training? What topics do the laws require to be covered? What should be covered? How frequently should training be given?
I recently created a new resource page — Security Awareness Training FAQ — to answer the above questions and more. I discuss various legal and industry requirements for security awareness training. I also discuss best practices. I hope that you find this resource to be useful.
When is a person harmed by a privacy violation?
The U.S. Supreme Court just handed down a decision in an important case, Spokeo Inc. v. Robins.
Plaintiff Thomas Robins sued Spokeo under the Fair Credit Reporting Act (FCRA) because Spokeo had inaccurate information about him in its profile. Spokeo’s profiles are used by potential employers and others to search for data about people. FCRA requires that information in profiles for these purposes be accurate, and it allows people to sue if information is not.
The privacy law profession is growing tremendously, but there is a challenge that we’re facing, one that I’d like to enlist your help in addressing – the bottleneck problem. There is a huge bottleneck at the entry point to the field. So I am calling on organizations to address this bottleneck by offering fellowships to recent law school graduates interested in privacy law.
Each year, I teach about 60-70 privacy law students, and there are many other professors teaching similar courses with large enrollments. Many great students want to enter the field, but they find it very hard to do so because nearly every position requires a number of years of experience.
Unlike other field with a more developed entry point, privacy lacks an easy way in. People have to do all sorts of career gymnastics to lateral sideways or slip in from other areas. A while ago, I solicited advice on entering the profession and provided advice of my own, and I posted about it in my post, How to Enter the Privacy Profession.
On the other side, many organizations are seeking to fill privacy law positions but are having a hard time finding enough people with experience.
The privacy profession must address the bottleneck problem and develop a reliable pathway to the profession.
I am therefore calling on companies and organizations to create privacy law fellowships that would last 1-2 years. If you create one, I will list it in my list of privacy law fellowships. Right now, the list is short, and most of the opportunities are in NGOs and the government, with a handful from the private sector. I’d like to triple or quadruple this list . . . and hopefully make it even longer than that.
So if you’re on the privacy team at an organization, please look into creating a fellowship position. If you’re a privacy law professor, please join in my call. A mature profession needs an entry point and a reliable pathway. It’s time to make that happen for privacy law.
There’s a new British import to America, and sadly, it isn’t a rock band. It’s CCTV. In many of Britain’s cities, there is an elaborate network of thousands of surveillance cameras monitored through closed circuit television (CCTV). According to estimates, there are about 4 million surveillance cameras in Britain and a citizen is caught on surveillance camera about 300 times per day.
The AP reports [link no longer available] that NYC is starting to install hundreds of surveillance cameras in an effort to mimic Britain’s CCTV. According to the AP [link no longer available]:
Please stop by the TeachPrivacy booth at the expo at the IAPP Summit.
See if you can spot all the privacy and data security risks in this scene. Pick up a copy of the scene, see our poster, and try out our interactive module.
Ransomware has been sickening healthcare institutions. It has become a plague.
Continue Reading
After years of careful study and extensive analysis, I have arrived at a solution to all the privacy and data security problems worldwide. Although I’ve been advised that I shouldn’t give away such a perfect solution to such a vexing problem for free, my drive to altruism is simply too strong.
Without further ado . . .
[stag_toggle title=”Read the Solution to All Privacy and Data Security Problems Worldwide” state=”closed”]
Don’t collect personal data.
[/stag_toggle]
[stag_toggle title=”Further Elaboration” state=”closed”]
April Fool’s!
There is another solution — not quite a miracle cure all, but definitely very helpful — privacy and cybersecurity training! And that’s no joke.
With Professor Woodrow Hartzog, I have also solved the challenge of legal compliance more generally: The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016).
[/stag_toggle]
The past 20 years have seen the remarkable emergence of the privacy profession. Starting from nothing, this profession originally included a handful of people called Chief Privacy Officers (CPOs). Nobody grew up saying they wanted to be a CPO. Nobody knew what CPOs did.
In a high-profile privacy lawsuit, former pro-wrestler Hulk Hogan won a $115 million jury verdict against Gawker for posting his sex video without his consent. Hulk Hogan, whose real name is TerryBollea, brought a lawsuit for invasion of privacy and other torts. Under one of the main privacy torts — public disclosure of private facts — one can be liable if one widely and publicly discloses private information about another that would be highly offensive to a reasonable person and not of legitimate concern to the public.
Ransomware is on a rampage! Attacks are happening with ever-increasing frequency, and ransomware is evolving and becoming more powerful.
Several major media sites, such as the New York Times, BBC, AOL, and the NFL, were recently infected with malware that directed visitors to sites attempting to install ransomware on their computers.
Ransomware has the potential to attack the Internet of Things. In one instance, a researcher was able to infect a TV with ransomware.
Ransomware is now attacking smart phones.
Last month, one hospital paid $17,000 in ransom when ransomware attacked its computer system. The computer network was down for more than a week, and patients had to be transferred to other hospitals.