PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Privacy Tech Insights US State Privacy Law


Although a U.S. federal privacy law remains elusive, U.S. states have been busily passing new laws. The laws have many similarities, but there are some notable differences. California and Colorado have issued new regulations, some provisions of which strengthen components of the laws.  I expect other states to join in the party soon.

I will be holding a Webinar on U.S. State Privacy Law Developments tomorrow (Tues, Aug. 29, 2023 at 2 PM ET) with Libbie Canter (Covington) to discuss these laws. Click here to register now for this free webinar!

I have created some related resources and training materials that might be useful:

Continue Reading

BCLT Privacy Lecture on Murky Consent in Privacy Law

I’ll be speaking at Berkeley Law’s 16th Annual BCLT Privacy Lecture on 9/22 about Murky Consent: An Approach to the Fictions of Consent in Privacy Law with commenters, Ari Ezra Waldman (Professor, UC Irvine School of Law), Rebecca Wexler (Professor,  UC Berkeley School of Law), and Ella Corren (JSD, UC Berkeley School of Law).

Button Register

Continue Reading

A New Open Letter to Law School Deans about Privacy Law Scholars and Curriculum

Privacy - Letter to Law School Deans

Before the pandemic, which seems like eons ago, I spearheaded a group of legal academics and practitioners in the field of privacy law who sent a letter to the deans of all U.S. law schools about privacy law education.  The pandemic occurred not too long after our letter, and deans had many other things to worry about during that time.

The time is right to send a follow up letter about why law schools should increase and improve their privacy law faculty and curriculum. So, I am emailing the letter below to all U.S. law school deans.  

You can see a PDF of the letter here.

* * * *

A New Open Letter to Law School Deans
about Privacy Law Scholars and Curriculum

[PDF Version]

August 1, 2023

Dear Dean,

We are writing to you and other law school deans to urge you to prioritize offering more courses and hiring more faculty in the information privacy law field.

We previously wrote an open letter to you before the pandemic, and we wish to send you another letter now because recent developments have strengthened our contentions below.

We call on you to consider taking one or more of the following actions:

  1. Hire more faculty members who focus their work and teaching on privacy law and technology issues.
  1. Add courses to the curriculum to cover privacy law issues.

Continue Reading

Webinar The New Breed of State Health Privacy Laws Blog

Webinar - State Health Privacy Laws 01

If you couldn’t make it to my recent webinar on Washington’s My Health My Data Act (MHMDA) and the new state health privacy laws, you can watch the replay here. I had a great discussion with  Mike Hintze (Hintze Law).

Button Watch Webinar 02

Continue Reading

The Funniest Hacker Stock Photos 5.0

HackerBack by popular demand, it’s another installment of the funniest hacker stock photos.  Because I create security awareness training (and HIPAA security training too), I’m always in the hunt for hacker photos.

Hacker techniques have evolved over the years, and so have hacker stock photos. Now, many of them are created by AI.  Whether created by humans or machines, they are generally quite ridiculous.

If you’re interested in the previous posts in this series see:
The Funniest Hacker Stock Photos 4.0
The Funniest Hacker Stock Photos 3.0
The Funniest Hacker Stock Photos 2.0
The Funniest Hacker Stock Photos 1.0

Hacker Stock Photo #1

Hacker

I have no way to explain this one except that it is Barbie marketing gone wrong.

Hacker Stock Photo #2

Hacker

Neon masks are the new “in” thing for hacking these days.

Hacker Stock Photo #3

Hackers

This one was AI generated. I guess AI think that people need to be wired into something in order to work. Also, the AI thinks that there’s no need for eyes when hacking.

Continue Reading

Are Many Privacy Violations Also Data Breaches?

Privacy and Security

Data breaches and privacy violations have long been thought of as different things, but actually, there is a lot of overlap.

Two recent FTC cases address this issue. These cases involve the Health Breach Notification Rule, 16 CFR Part 318, which covers health data breaches beyond HIPAA. The Rule had long existed, but the FTC only started enforcing it in 2021 (see the FTC’s announcement here). Under the Rule, a “breach of security” is defined as “acquisition of [PHR identifiable health information] without the authorization of the individual.”  Unlike the FTC Act Section 5, which has no monetary penalties (unless a consent decree is violated), the Health Breach Notification Rule carries fines of more than $50,000 per violation

In its enforcement of the Rule, the FTC has claimed that privacy violations are data breaches that should have been reported under the Rule. 

  1. In In Re GoodRx Holdings, Inc., (FTC 2023) the FTC claimed that GoodRx shared health data with advertisers, contradicting its privacy notice that stated it didn’t share such data with third parties. This is traditionally a privacy violation — a classic broken promises case.  But the FTC contended that this was a data breach because the third parties obtained the data without the proper authorization.  The FTC imposed a $1.5 million penalty for violating the Rule.
  2. In another case from this year, In re Easy Healthcare Corp., (FTC 2023), a fertility app called Premom shared user health data with third parties in violation of its privacy notice. The FTC asserted that this was a data breach that should have been reported under the Health Breach Notification Rule.

These cases are quite notable, and they go far beyond the Health Breach Notification Rule. As I have been arguing for years, privacy and cybersecurity are quite interrelated and should not be understood as the often-siloed separate domains that they are today. Data breaches need not be caused by hackers breaking in or when data is leaked or lost. They can occur even when a company intentionally shares data improperly — a common privacy violation.

Continue Reading

Dataministeriet Podcast Interview About Privacy Law

DataMinisteriet logo

I had a great discussion with Filip Johnssén about various privacy law issues on his podcast, Dataministeriet. It begins in Swedish, then turns to English after a brief introduction.

Listen Button

Continue Reading

Counterman and the U.S. Supreme Court’s Overly Mechanical First Amendment Protection of Threats

Threat Counterman 01

In Counterman v. Colorado (June 27, 2023), the U.S. Supreme Court held that in order for a defendant to be convicted of a crime for making a threat to another person, the “State must show that the defendant consciously disregarded a substantial risk that his communications would be viewed as threatening violence.”  In other words, the Court held that subjective intent (recklessness) must be required for criminalizing threats. The Court held that objective reasonableness isn’t restrictive enough a standard to criminalize threats.

For a period of years, Counterman harassed a woman online by sending hundreds of Facebook messages. Whenever she would block him, he created a new account and kept sending messages. The messages said that he was watching her, described her activities, and also made angry threats of violence.  According to the Court’s summary of the facts:

She believed that Counterman was “threat[ening her] life”; “was very fearful that he was following” her; and was “afraid [she] would get hurt.” As a result, she had “a lot of trouble sleeping” and suffered from severe anxiety. She stopped walking alone, declined social engagements, and canceled some of her [singing] performances, though doing so caused her financial strain. Eventually, C. W. decided that she had to contact the authorities.  (citations omitted)

Counterman was convicted of violating a Colorado statute that criminalizes one who:

Repeatedly follows, approaches, contacts, places under surveillance, or makes any form of communication with another person, a member of that person’s immediate family, or someone with whom that person has or has had a continuing relationship in a manner that would cause a reasonable person to suffer serious emotional distress and does cause that person, a member of that person’s immediate family, or someone with whom that person has or has had a continuing relationship to suffer serious emotional distress. Colo. Rev. Stat. §18–3–602(1)(c) (2022).

The Court began by stating that “[t]rue threats of violence, everyone agrees, lie outside the bounds of the First Amendment’s protection.” However, the Court held that the absence of a subjective mental state “will chill protected, non-threatening speech” and that at least recklessness must be proven as to the speech’s threatening character.

This holding, however, is problematic for protecting people against online threats of violence. Ironically, under the reckless standard required by Counterman, a deranged stalker will fare better than one who understands what is reasonable; the deranged stalker’s threats can’t be criminalized. The most frightening threats are those by obsessed stalkers who have no awareness of unreasonable they are being.  These people are acting beyond reason. They are unhinged.

Continue Reading