PRIVACY + SECURITY BLOG

News, Developments, and Insights


Webinar The New Breed of State Health Privacy Laws Blog


If you couldn’t make it to my recent webinar on Washington’s My Health My Data Act (MHMDA) and the new state health privacy laws, you can watch the replay here. I had a great discussion with Mike Hintze (Hintze Law).


The Funniest Hacker Stock Photos 5.0

Back by popular demand, it’s another installment of the funniest hacker stock photos. Because I create security awareness training (and HIPAA security training too), I’m always on the hunt for hacker photos.

Hacker techniques have evolved over the years, and so have hacker stock photos. Now, many of them are created by AI. Whether created by humans or machines, they are generally quite ridiculous.

If you’re interested in the previous posts in this series, see:
The Funniest Hacker Stock Photos 4.0
The Funniest Hacker Stock Photos 3.0
The Funniest Hacker Stock Photos 2.0
The Funniest Hacker Stock Photos 1.0

Hacker Stock Photo #1


I have no way to explain this one except that it is Barbie marketing gone wrong.

Hacker Stock Photo #2


Neon masks are the new “in” thing for hacking these days.

Hacker Stock Photo #3


This one was AI generated. I guess AI thinks that people need to be wired into something in order to work. Also, the AI thinks that there’s no need for eyes when hacking.


Are Many Privacy Violations Also Data Breaches?


Data breaches and privacy violations have long been thought of as different things, but actually, there is a lot of overlap.

Two recent FTC cases address this issue. These cases involve the Health Breach Notification Rule, 16 CFR Part 318, which covers health data breaches beyond HIPAA. The Rule had long existed, but the FTC only started enforcing it in 2021 (see the FTC’s announcement here). Under the Rule, a “breach of security” is defined as “acquisition of [PHR identifiable health information] without the authorization of the individual.” Unlike the FTC Act Section 5, which has no monetary penalties (unless a consent decree is violated), the Health Breach Notification Rule carries fines of more than $50,000 per violation.

In its enforcement of the Rule, the FTC has claimed that privacy violations are data breaches that should have been reported under the Rule. 

  1. In In re GoodRx Holdings, Inc. (FTC 2023), the FTC claimed that GoodRx shared health data with advertisers, contradicting its privacy notice that stated it didn’t share such data with third parties. This is traditionally a privacy violation — a classic broken promises case. But the FTC contended that this was a data breach because the third parties obtained the data without the proper authorization. The FTC imposed a $1.5 million penalty for violating the Rule.
  2. In another case from this year, In re Easy Healthcare Corp. (FTC 2023), a fertility app called Premom shared user health data with third parties in violation of its privacy notice. The FTC asserted that this was a data breach that should have been reported under the Health Breach Notification Rule.

These cases are quite notable, and they go far beyond the Health Breach Notification Rule. As I have been arguing for years, privacy and cybersecurity are quite interrelated and should not be understood as the often-siloed separate domains that they are today. Data breaches need not be caused by hackers breaking in or when data is leaked or lost. They can occur even when a company intentionally shares data improperly — a common privacy violation.


Dataministeriet Podcast Interview About Privacy Law


I had a great discussion with Filip Johnssén about various privacy law issues on his podcast, Dataministeriet. It begins in Swedish, then turns to English after a brief introduction.


Counterman and the U.S. Supreme Court’s Overly Mechanical First Amendment Protection of Threats


In Counterman v. Colorado (June 27, 2023), the U.S. Supreme Court held that in order for a defendant to be convicted of a crime for making a threat to another person, the “State must show that the defendant consciously disregarded a substantial risk that his communications would be viewed as threatening violence.” In other words, the Court held that subjective intent (recklessness) must be required for criminalizing threats. The Court held that objective reasonableness isn’t restrictive enough a standard to criminalize threats.

For a period of years, Counterman harassed a woman online by sending hundreds of Facebook messages. Whenever she would block him, he created a new account and kept sending messages. The messages said that he was watching her, described her activities, and also made angry threats of violence. According to the Court’s summary of the facts:

She believed that Counterman was “threat[ening her] life”; “was very fearful that he was following” her; and was “afraid [she] would get hurt.” As a result, she had “a lot of trouble sleeping” and suffered from severe anxiety. She stopped walking alone, declined social engagements, and canceled some of her [singing] performances, though doing so caused her financial strain. Eventually, C. W. decided that she had to contact the authorities.  (citations omitted)

Counterman was convicted of violating a Colorado statute that criminalizes one who:

Repeatedly follows, approaches, contacts, places under surveillance, or makes any form of communication with another person, a member of that person’s immediate family, or someone with whom that person has or has had a continuing relationship in a manner that would cause a reasonable person to suffer serious emotional distress and does cause that person, a member of that person’s immediate family, or someone with whom that person has or has had a continuing relationship to suffer serious emotional distress. Colo. Rev. Stat. §18–3–602(1)(c) (2022).

The Court began by stating that “[t]rue threats of violence, everyone agrees, lie outside the bounds of the First Amendment’s protection.” However, the Court held that the absence of a subjective mental state “will chill protected, non-threatening speech” and that at least recklessness must be proven as to the speech’s threatening character.

This holding, however, is problematic for protecting people against online threats of violence. Ironically, under the reckless standard required by Counterman, a deranged stalker will fare better than one who understands what is reasonable; the deranged stalker’s threats can’t be criminalized. The most frightening threats are those by obsessed stalkers who have no awareness of how unreasonable they are being. These people are acting beyond reason. They are unhinged.


Webinar The Quantified Worker AI and Employment Blog

If you couldn’t make it to my recent webinar to discuss Ifeoma Ajunwa’s book, The Quantified Worker: Law and Technology in the Modern Workplace, you can watch the replay here. I had a great discussion with Ifeoma Ajunwa, Pauline Kim, and Matthew Bodie on the use of AI in hiring decisions and for other employment purposes.


ABA Event on Privacy and Consent


On Thursday, June 22 at 12pm EST, I’ll be speaking on a webinar hosted by the ABA on Privacy and the Ongoing Viability of Consent. I’ll be discussing the background and effectiveness of the consent model with Jessica Rich and Aryeh Friedman.

You can find more information about the event and how to register here.


I will be speaking about my recent article Murky Consent: An Approach to the Fictions of Consent in Privacy Law.


Video of My Children’s Book, THE EYEMONGER


Here’s an animated video of my children’s book, The Eyemonger, that I narrated.

If you want the print version, click here to order the book on Amazon.

I also have free resources for parents and teachers to accompany the book.

Publishers Weekly writes that The Eyemonger is a “delightfully illustrated story concerned with issues of privacy. . . . Solove’s underlying theme and catchy rhymes sit perfectly on the cusp of children’s and middle-grade reading levels, and Beckwith’s eye-catching and brilliantly detailed illustrations will inspire young imaginations to soar.”
