PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Social Dimensions of Privacy

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
August 27, 2015

Digital Person 02
I recently received my copy of Social Dimensions of Privacy, edited by Beate Roessler & Dorota Mokrosinska.  The book was published by Cambridge University Press this summer.

Social Dimensions of Privacy ISBN 9781107052376I’m delighted as I look over this book.  The book has a wonderful selection of short philosophical essays on privacy, and I’m honored to be included among the terrific group of chapter authors, who include Anita Allen, Paul Schwartz, Helen Nissenbaum, Judith Wagner DeCew, Kirsty Hughes, Colin Bennett, Adam Moore, and Priscilla Regan, among many others.  Each chapter is succinct and well-chosen.

From the book blurb: “Written by a select international group of leading privacy scholars, Social Dimensions of Privacy endorses and develops an innovative approach to privacy. By debating topical privacy cases in their specific research areas, the contributors explore the new privacy-sensitive areas: legal scholars and political theorists discuss the European and American approaches to privacy regulation; sociologists explore new forms of surveillance and privacy on social network sites; and philosophers revisit feminist critiques of privacy, discuss markets in personal data, issues of privacy in health care and democratic politics. The broad interdisciplinary character of the volume will be of interest to readers from a variety of scientific disciplines who are concerned with privacy and data protection issues.”

My chapter is entitled “The Meaning and Value of Privacy.”

Here’s a full table of contents:

Continue Reading

The FTC Has the Authority to Enforce Data Security: FTC v. Wyndham Worldwide Corp.

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
August 24, 2015

FTC 01by Daniel J. Solove

The U.S. Court of Appeals for the 3rd Circuit just affirmed the district court decision in FTC v. Wyndham Worldwide Corp., No. 14-3514 (3rd. Cir. Aug. 24, 2015).  The case involves a challenge by Wyndham to an Federal Trade Commission (FTC) enforcement action emerging out of data breaches at the Wyndham.

Background

Since the mid-1990s, the FTC has been enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security.  Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.”  Deception and unfairness are two independent bases for FTC enforcement.  During the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled.  Wyndham was one of the exceptions; instead of settling, it challenged the FTC’s authority to enforce to protect data security as an unfair trade practice.

Among the arguments made by Wyndham, three are most worth focusing on:

FTC PNG 02a(1) Because Congress enacted data security laws to regulate specific industries, Congress didn’t intend for the FTC to be able to regulate data security under the FTC Act.

(2) The FTC is not providing fair notice about the security practices it deems as “unfair” because it is enforcing on a case-by-case basis rather than promulgating a set of specific practices it deems as unfair.

(3) The FTC failed to establish “substantial injury to consumers” as required to enforce for unfairness.

The district court rejected all three of these arguments, and so did the 3rd Circuit Court of Appeals.  Here is a very brief overview of the 3rd Circuit’s reasoning.

Continue Reading

Should the FTC Kill the Password? The Case for Better Authentication

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
August 10, 2015

title image

Co-authored by Professor Woodrow Hartzog.

Authentication presents one of the greatest security challenges organizations face. How do we accurately ensure that people seeking access to accounts or data are actually whom they say they are? People need to be able to access accounts and data conveniently, and access must often be provided remotely, without being able to see or hear the person seeking access.

Continue Reading

Big Brother on the Cover: 50+ Original1984 Book Cover Art Examples

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
August 3, 2015

1984 book cover Big Brother Is Watching You Poster

by Daniel J. Solove

Privacy Training Blog George Orwell
George Orwell

One of the most well-known classic privacy books is George Orwell’s 1984, and it has been published in countless editions around the world.  I enjoy collecting things, and I’ve gathered up more than 50 original 1984 book cover art examples featured on various editions of the novel.  I find it interesting how various artists and designers try to capture the novel’s themes.  I thought I’d share the covers with you.

Orwell’s 1984 chronicles a harrowing totalitarian society, one that engages in massive surveillance of its citizenry.  Everywhere are posters that say “NSA Big Brother Is Watching You.”   From the novel:

Continue Reading

Understanding the FTC on Privacy and Security

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 30, 2015

Privacy Training Blog FTC

by Daniel J. Solove

Privacy Awareness Training Blog TRUSTe FTC WebinarI recently held a webinar about the Federal Trade Commission (FTC) for TRUSTe called Understanding the FTC on Privacy and Security.   The webinar is free and is archived at TRUSTe’s site.

Here is a brief synopsis of the webinar:

For the past nearly two decades, the FTC has risen to become the leading federal agency that regulates privacy and data security. In this webinar, Professor Daniel J. Solove will discuss how the Federal Trade Commission (FTC) is enforcing privacy and data security.  What are the standards that the FTC is developing for privacy and data security?  What sources does the FTC use for the standards it develops?

A common misconception is that the FTC’s jurisprudence has been rather thin, merely focuses on enforcing promises made in privacy policies. To the contrary, a deeper look the FTC’s jurisprudence demonstrates that it is quite thick and has extended far beyond policing promises. The FTC has codified certain norms and best practices and has developed some baseline privacy and security protections. The FTC has laid the foundation for an even more robust law of privacy and data security. Professor Solove will discuss some of the potential ways this body of regulation could develop in the future.

My webinar was written up at the Wall Street Journal.  If you’re interested in seeing it, it’s free and available here.   Below is some background about the FTC as well as some of my writings about the FTC that may be of interest if you want a deeper dive.

Continue Reading

Lessons from the Latest HIPAA Enforcement Action

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 29, 2015

HIPAA Training OCR Enforcementby Daniel J. Solove

Recently, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) publicized its resolution agreement in its HIPAA enforcement action against St. Elizabeth’s Medical Center (SEMC).  SEMC agreed to pay $218,000.

The case began with a complaint filed with OCR back in 2012 that employees were sharing PHI of nearly 500 patients via an online sharing application without a risk analysis on such activities being undertaken.  OCR investigation found that the medical center “failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome.”

Continue Reading

Patient Access to Medical Records Under HIPAA: Significant Reform Needed

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 26, 2015

Doctor taking notes in his office, isolated

by Daniel J. Solove

Recently, I wrote about the challenges in accessing health information about family members.  In this post, I will explore patients’ access to their own medical records.

HIPAA doesn’t handle patient access to medical records very well. There are many misunderstandings about patient access under HIPAA that make it quite difficult for patients to obtain their medical information quickly and conveniently.

Getting records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. I often scratch my head at why fax is still used today — it’s one step more advanced than carrier pigeon.

Continue Reading

OPM Data Breach Fallout, Fingerprints, and Other Privacy + Security Updates

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 22, 2015

OPM Fallout

By Daniel J. Solove

Co-authored by Professor Paul Schwartz

This post is part of a post series where we round up some of the interesting news and resources we’re finding. For a PDF version of this post, and for archived issues of previous posts, click here. We cover health issues in a separate post.

general devels

News

Mayer Brown survey of executives: 25% of organizations lack both a CPO and CIO (March 2015)

stats

Continue Reading

HIPAA’s Friends and Family Network: Access to Health Information

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 20, 2015

HIPAA Training Blog Sharing PHI with Friends and Family 02

by Daniel J. Solove

Suppose your elderly mother is being treated at the hospital for a heart condition. Your mother tells her doctor that you can have access to her health information. The doctor, however, doesn’t disclose the information to you.

The doctor thinks that you can only have the information with a signed written authorization. Is this correct?

No. HIPAA doesn’t require a signed or even a written authorization. If a patient tells a doctor that protected health information (PHI) can be shared with family or friends, then that’s all that is needed. The doctor can disclose it to you.

So has the doctor violated HIPAA by refusing to disclose the PHI?

Continue Reading

The Importance and Goals of HIPAA Training Programs

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 19, 2015

HIPAA Training

by Daniel J. Solove

There is a great quote in this article from HealthcareInfoSecurity: that expresses very well the importance and goals of HIPAA training programs:

Workforce training is important not only for preventing breaches, including those involving ID crimes, but also to help detect those incidents, [Ann Patterson of the Medical Identity Fraud Alliance] says. “Each employee must understand their role in protecting PHI. Equally important is regular and continued evaluation of the training programs to make sure that employees are adhering to the policies put in place, and that the ‘red flags’ detection systems are keeping pace with changing technologies and workplace practices.”

Continue Reading