The FTC released the above chart showing the history of Commissioners, Chairwomen and Chairmen of the FTC from 1915 through the present day. According to the chart, the Federal Trade Commission is composed of five Commissioners, and their terms extend for seven years. The Commissioners are appointed by the President with the advice and consent of the Senate. At any given time, not more than three Commissioners may be members of the same political party. The President designates one Commissioner as Chairman, and the Chairman is given the responsibility for the administration of the Commission.
HIPAA Enforcement Case – Filefax

This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement to settle potential HIPAA violations with Filefax, located in Northbrook, Illinois. One aspect differed from the usual settlement process: Filefax closed the business down during the OCR investigation and was no longer operating when the settlement was reached. OCR announced that Filefax could not avoid its obligations under HIPAA even though it was no longer running the company. The receiver that is liquidating the company’s assets agreed to pay $100,000 to settle the potential HIPAA violations the company committed while it was open.
The HIPAA violations stemmed from an anonymous complaint stating that the medical records of approximately 2,150 patients, which contained protected health information (PHI), received by Filefax had been taken to a shredding/recycling facility and sold. The OCR investigation found that, over a period of several weeks, the PHI had been left unsecured outside Filefax and had been removed from the facility by an unauthorized person.
The press release can be viewed here. The Resolution Agreement can be viewed here.
Also of Interest
HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement
Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe
Lessons from 2016, the Biggest HIPAA Enforcement Year on Record
GDPR Cartoon: Lawful Processing

This cartoon focuses on the lawful processing requirement. Under the EU’s General Data Protection Regulation (GDPR), the collection and processing of personal data must be for “specified, explicit and legitimate purposes.” This is in contrast to the United States, where the processing of personal information is permitted unless a law forbids it.
Under the GDPR, data processing must be “lawful” – it must be justified by a legitimate purpose in order to be permissible. Article 6 of the GDPR sets forth the grounds for the lawfulness of processing personal data. These grounds include the consent of the data subject, when processing is necessary to perform a contract where the data subject is a party, when processing is necessary to comply with a legal obligation, when processing is necessary to protect a person’s vital interests, or when processing is necessary to perform a task carried out in the public interest. The final ground for lawful processing is when processing is necessary for the “legitimate interests” of a data controller or third party.
It is far from clear that there are legitimate interests in the cartoon above. Organizations often think that “legitimate interests” means any interest that is important to their business, but that’s not the case. This ground for lawful processing is much narrower. And legitimate interests must not be overridden by the data subject’s interests or rights; the controller has to weigh the two and be able to show the result of that balancing.
Key WP29 Documents for GDPR

The Article 29 Working Party was created by the EU Data Protection Directive in 1996. Its purpose is to provide advice, opinions, and guidance about data protection. The Article 29 Working Party is composed of a representative from each EU member state. The General Data Protection Regulation (GDPR) will replace the Working Party with the European Data Protection Board (EDPB).
Below are some of the most important guidelines to be issued by the Article 29 Working Party (WP29) about the General Data Protection Regulation (GDPR).
Right to Data Portability (WP 242)
Guidelines on the right to “data portability” (wp242rev.01)
Data Protection Officers (WP 243)
Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
My Privacy and Security Scholarship in 2017

In this post, I provide a brief overview of my scholarship last year.
Risk and Anxiety: A Theory of Data Breach Harms
I co-authored Risk and Anxiety: A Theory of Data Breach Harms with Professor Daniel Keats Citron. The piece is forthcoming in Texas Law Review this year. Even though there continues to be a steady flow of data breaches, there remains significant confusion in the courts around the issue of harm. Courts struggle with data breach harms because they are intangible, risk-oriented, and diffuse. Professor Citron and I argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?” We provide examples of different types of data breaches and discuss whether harm should be recognized. We argue that there are many instances where we would find harm that the majority of courts today would not.
Download Risk and Anxiety: A Theory of Data Breach Harms for free.
HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount but from 15 organizations.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:

Lessons from 2017
Devices, devices, devices . . .
Quite a number of cases involved failure to implement safeguards for PHI on mobile devices. The best fix is to superglue devices to staff. Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.
Act quickly.
Several cases involved failing to provide timely notice or to act promptly after problems were discovered. In politics, it’s often not the scandal, but the coverup that fells politicians. In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.
Cartoon on GDPR Vendor Management

This cartoon depicts the challenges of complying with GDPR’s requirements for vendor management. Under the GDPR, there are serious responsibilities when using a vendor to process personal data. Broadly, there are three things that data controllers must do:
1. Data controllers must perform due diligence in selecting vendors that are compliant with the GDPR.
2. Data controllers must have a contract with their vendors that includes certain provisions to ensure that GDPR is being followed.
3. Data controllers must monitor vendors for compliance.
Vendors must also comply with the GDPR.
GDPR Training, Writings, and Resources: Roundup from the Past Year

The General Data Protection Regulation (GDPR) is one of the world’s strictest data privacy laws and requires privacy professionals around the globe to design and implement comprehensive compliance programs. In the past year, I developed a series of resources and training courses to assist privacy professionals with this complex task.
GDPR Whiteboard
200+ pages of the GDPR summarized into 1 page! Download it for free here. This one page visual summary of GDPR will help you and your workforce understand many of the key elements associated with this law including Territorial Scope, Lawful Processing, Rights of Data Subjects, Enforcement and more.
GDPR Interactive Whiteboard
I created a new highly-interactive version of the GDPR Whiteboard (~5 mins), a computer-based module that can readily be used on internal websites to raise awareness and teach basic information about GDPR. It can also be used in a learning management system (LMS).
The GDPR Interactive Whiteboard adds a new level of engagement to the analog GDPR Whiteboard and can be used in tandem with the analog version or in lieu of it.
A Guide to GDPR Training

A Guide to GDPR Training will answer many of your questions about implementing workforce privacy awareness training.
The GDPR mandates that all staff “involved in the processing operations” receive privacy awareness training. In general, the Data Protection Officer (DPO) is tasked with ensuring that all training requirements have been fulfilled. A comprehensive GDPR training program should include:
- basic privacy awareness training for your general workforce
- advanced training for personnel who need more detailed knowledge of GDPR
- role-based training specific to an individual’s job function.
I have several training courses to help organizations meet the GDPR requirements, such as the ones below plus courses on Privacy by Design, vendor management, risk and trust, and other important privacy topics.
GDPR (Short Introductory Course ~ 7 Mins)
This course provides an overview of the GDPR. It also explains the importance of GDPR compliance and the severe penalties that may be imposed for non-compliance. It is suitable for both lawyers and non-lawyers. This course can also be offered in conjunction with other courses in our series – Privacy Shield and European Union Privacy Law.
COURSE OUTLINE:
- Structure
  - Scope
  - Personal Data
  - Sensitive Data
  - Data Controllers and Data Processors
  - Supervisory Authority
  - Enforcement
  - Rights and Responsibilities
  - International Data Transfer
- Rights and Responsibilities
  - Transparency
  - Purpose Specification and Minimization
  - Consent
  - Right to Erasure
  - Right to Data Portability
  - Data Protection by Design
  - Data Protection Impact Assessments
  - Record of Data Processing Activities
  - Data Breach Notification
- International Data Transfer
Global Privacy and Data Protection
(Privacy Awareness Course ~20 Mins or ~30 Mins)

This course (~20 minutes or ~30 minutes) is designed to provide basic privacy awareness to the workforce of global organizations. I updated this program for the GDPR. The course focuses on three main issues:
- Why is privacy important?
- What is personal data?
- How do we protect privacy?
COURSE OUTLINE:
- The Purpose of this Training
  - Personal Data
  - People Care About Privacy
  - Your Role
- Why We Protect Personal Data
  - Respect
  - Preventing Harm
  - Trust
  - Reputation
  - Legal Compliance
  - Contractual Compliance
- What is Personal Data?
  - Identifying Personal Data or PII
  - Sensitive Data
- Data Collection
  - Lawful Basis
  - Data Collection Limitation
- Data Handling and Processing
  - Limited Access
  - Confidentiality
  - Security Safeguards
- Use of Personal Data
  - Purpose Specification
- Individual Knowledge and Participation
  - Notice
  - Access and Correction
  - Consent
  - Right to Erasure
  - Right to Data Portability
- Transfer and Sharing of Data
  - International Transfers of Data
  - Sharing Data with Third Parties
- Accountability
  - Privacy by Design
  - Ask the Privacy Office
GDPR’s Broad Scope: A Short Vignette
Please check out our humorous 1-minute video vignette about the GDPR.
CARTOONS
Preparing for GDPR
Taking Privacy Seriously
Notable Privacy and Security Books 2017

Here are some notable books on privacy and security from 2017. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.
10 Reasons Why the Fourth Amendment Third Party Doctrine Should Be Overruled in Carpenter v. US

The U.S. Supreme Court will be hearing arguments this week in Carpenter v. United States, which is one of the most important Fourth Amendment cases before the Court. The case involves whether the Third Party Doctrine will remain viable. If the doctrine survives, the Fourth Amendment will fade into obsolescence in today’s digital age.
In this post, I provide 10 reasons why the Third Party Doctrine should be overruled. Before doing so, here’s some background.
Carpenter [6th Circuit case on cert to the Supreme Court] involved the investigation of a string of robberies of Radio Shack. The FBI obtained cell phone records of the defendants pursuant to the Stored Communications Act (SCA), which requires “specific and articulable facts” to demonstrate that there are “reasonable grounds to believe” that the records are “relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d). This standard is far short of what the Fourth Amendment would require, which is a search warrant based upon probable cause.