This cartoon depicts the potential future of the Internet of Things. As more and more devices are connected to the Internet, including ones implanted in people’s bodies, increasing thought must be given to the privacy and security implications. The speed of technological development is moving at a far greater pace than the speed of policy thinking regarding privacy and security.
How will the security of new devices be regulated? The market doesn’t seem to be adequately addressing the security of the Internet of Things. Bad security in devices has externalities beyond the users, as devices can be used as part of botnets to attack other targets.
How will privacy be designed into devices? How will notice and choice work? When privacy is “baked in” to a device, do the engineers have a comprehensive understanding of privacy? How will consumers be able to understand and respond to these design choices?
Should there be special considerations for medical devices or any device that is implantable in a person?
We still await satisfactory answers to these questions . . . but the expansion of the Internet of Things isn’t waiting.
Here’s an earlier cartoon I created regarding the Internet of Things:
Misspelled words and bad grammar are tell-tale signs of phishing. Why don’t phishers learn spelling and grammar? Can’t they afford a copy of Strunk and White?
Phishers don’t need to spell better because their poorly-written schemes still fool enough people. It’s just math for the phishers — a numbers game. If you handle IT security at your organization, don’t assume that people won’t fall for obvious phishing scams — they do. That’s why it is essential to train people — again and again.
My cartoon depicts the discrepancy in the security and privacy budgets at many organizations. Of course, the cartoon is an exaggeration. In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were. That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.
Fortunately, it does appear that privacy budgets have increased according to the 2016 IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world. Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.
Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement. 2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties. At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.
The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.
Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:
In response to government surveillance or massive data gathering, many people say that there’s nothing to worry about. “I’ve got nothing to hide,” they declare. “The only people who should worry are those who are doing something immoral or illegal.”
The nothing-to-hide argument is ubiquitous. This is why I wrote an essay about it 10 years ago called “I’ve Got Nothing to Hide,” and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007). It was a short law review piece, one that I thought would be read by only a few people. But to my surprise, this essay really resonated with many people, and it received an unusually high number of downloads for a law review essay. I later expanded the ideas in the essay into a book: Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale University Press 2011).
This year is the 10th anniversary of the piece. A lot has happened between then and now. Not too long before I wrote my essay, there were revelations of illegal NSA surveillance. A significant percentage of the public supported the NSA surveillance, and the nothing-to-hide argument was trotted out again and again. This was the climate in which I wrote the essay.
Later on, in 2013, Edward Snowden revealed that the NSA was engaging in extensive surveillance far beyond its legal authority. Snowden declared: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” This time, there was a significantly large percentage of the public that didn’t side with the NSA but instead demanded scrutiny and accountability.
Nevertheless, the nothing-to-hide argument is far from vanquished. There will always be a need for citizens to demand accountability and oversight of government surveillance, or else we will gradually slide into a more dystopian world.
Here are a few short excerpts from my nothing-to-hide essay:
This cartoon is about snooping, one of the most common HIPAA violations. HIPAA prohibits accessing information that people don’t need to do their jobs. It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong. But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients. Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.
Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity. A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends. Snooping is not intended maliciously. Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern. In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.
Last year, major incidents involving law firm data breaches brought attention to the weaknesses within law firm data security and the need for more effective plans and preparation. An American Bar Association (ABA) survey reveals that 26% of firms (with more than 500 attorneys) experienced some sort of data breach in 2016, up from 23% in 2015.
I’m pleased to announce that a new 4th edition of my short guide, PRIVACY LAW FUNDAMENTALS (IAPP 2017) (co-authored with Professor Paul Schwartz) is now out in print. This edition incorporates extensive developments in privacy law and includes an introductory chapter summarizing key new laws, cases and enforcement actions.
Privacy Law Fundamentals is designed with an accessible, portable format to deliver vital information in a concise (318 pages) and digestible manner. It includes key provisions of privacy statutes; leading cases; tables summarizing the statutes (private rights of action, preemption, liquidated damages, etc.); summaries of key state privacy laws; and an overview of FTC, FCC, and HHS enforcement actions.
“This is the essential primer for all privacy practitioners.” — David A. Hoffman, Intel Corp.
“In our fast-paced practice, there’s nothing better than a compact and accessible work that is curated by two of the great thinkers of the field. It is a gem.” — Kurt Wimmer, Covington & Burling LLP
“Two giants of privacy scholarship succeed in distilling their legal expertise into an essential guide for a broad range of the privacy community.” — Jules Polonetsky, Future of Privacy Forum
“This book is my go-to reference for when I need quick, accurate information on privacy laws across sectors and jurisdictions.” — Nuala O’Connor, Center for Democracy and Technology
You can get a copy at IAPP’s bookstore or at Amazon. For general information about this book as well as all my textbooks and useful resources, visit our Information Privacy Law textbook website.
The full table of contents is below:
I recently updated my book chapter, A Brief History of Information Privacy Law, which appears in the new edition of PLI’s Proskauer on Privacy.
This book chapter, originally written in 2006 and updated in 2016, provides a brief history of information privacy law, with a primary focus on United States privacy law. It discusses the development of the common law torts, Fourth Amendment law, the constitutional right to information privacy, numerous federal statutes pertaining to privacy, electronic surveillance laws, and more. It explores how the law has emerged and evolved in response to new technologies that have increased the collection, dissemination, and use of personal information.
The chapter can be downloaded for free here.
Here is the table of contents:
A while ago, I wrote about a case involving a member of the St. Louis Cardinals baseball team staff who improperly accessed a database of the Houston Astros. There is now an epilogue to report in the case. The individual who engaged in the illegal access — a scouting director named Chris Correa — was fired by the Cardinals, imprisoned for 46 months, and banned permanently from baseball. The Cardinals were fined $2 million by Major League Baseball Commissioner Rob Manfred, and they must forfeit their first two picks in the draft to the Houston Astros.
According to an article about the incident in the St. Louis Post-Dispatch: “As outlined in court documents, the U.S. attorney illustrated how Correa hacked Houston’s internal database, ‘Ground Control,’ 48 times during a 2½-year period. He viewed scouting reports, private medical reviews and other proprietary information. The government argued that Correa may have sought to determine if Houston borrowed the Cardinals’ data or approach, but the information he accessed was ‘keenly focused on information that coincided with the work he was doing for the Cardinals.'”
As I wrote in my piece about the case, there are several lessons to be learned. One lesson is that it is a myth that hacking and computer crime must be hi-tech. Here, Correa’s hacking was nothing sophisticated — he just used another person’s password. The person had previously worked for the Cardinals, and when he went to the Astros, he kept using the same password. In my piece, I discussed other lessons from this incident, such as the importance of teaching people good password practices as well as teaching people that just because they have access to information doesn’t make it legal to view the information. The Cardinals organization appears to have learned from the incident, as the “employee manual has been updated to illustrate what is illegal activity online,” and the organization is using two-factor authentication to protect its own sensitive data. The article doesn’t say whether the Astros also stepped up their security awareness training by teaching employees not to reuse their old passwords from another team.