PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

New Privacy and Security Awareness Training Programs

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 1, 2016

security awareness training

I created some new training programs last year, and here are some of the highlights:

Security Training Malware -- Ransomware Attack

The Ransomware Attack (~5 mins)

This short program (~5 minutes) consists of an interactive cartoon vignette about malware.  The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware.  The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.

Module Lifecycle of Personal Data 01

The Life Cycle of Personal Data (~ 15 mins)

This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data.  The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.

Continue Reading

3 Types of Incidents Account for 86% of HIPAA Data Breaches

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
January 25, 2016

HIPAA Data BreachA new report by Verizon, the PHI Data Breach report, analyzes 1,931 data breaches of protected health information (PHI) under HIPAA,  The incidents occurred between 1994 and 2014, with most occurring from 2004-2014.  An article from Computer World sums up the findings of the report.

Verizon 2016 Healthcare ReportOne interesting statistic is that 392 million PHI records were compromised in these breaches, more than the entire population of the United States.

The report notes that 3 types of incident account for 86% of the data breaches:

(1) Lost or stolen portable electronic devices

(2) Sending records to the wrong individual

(3) Improper access to PHI by employees

What do these things have in common?

These are problems that deal with the human factor.  The problems are preventable, and the risk of them can be significantly reduced through training.

To train on these things, organizations must do more then merely say: “Be careful” or “Do not do.”  The training must have an impact on people.  And education is most effective with repetition. People must be repeatedly educated, over and over again.

Continue Reading

Is HIPAA Enforcement Too Lax?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
January 19, 2016

title

By Daniel J. Solove

ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.

A Sustained and Vigorous Critique of OCR HIPAA Enforcement

A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”

Continue Reading

Teaching Information Privacy Law

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
January 15, 2016

Eyes Privacy 01

I originally posted a version of this post more than 10 years ago, in 2005.  I think it is important to re-post it, with a few updates.

I strongly recommend teaching information privacy law in law schools.  I have authored several textbooks in the field, and I know that this might seem like a self-plug.  But I really am a big believer that all law schools should have not just one course on information privacy law, but several — no matter what textbooks are used!

Information privacy law remains a fairly new field, and it has yet to take hold as a course taught consistently in most law schools.  Last year, I wrote a post complaining about the fact that only about 25% of law schools have a course on privacy law. I’m hoping to change all that.

Privacy Law

So if you’re an academic interested in exploring issues involving information technology, criminal procedure, or free speech, you should consider adding information privacy law to your course package.  If you’re a practitioner, consider teaching an information privacy law course as an adjunct.

Here are some reasons to teach the course:

Continue Reading

The Scope and Potential of FTC Data Protection

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
January 12, 2016

FTC Privacy and Security

I am pleased to announce the publication of my article, The Scope and Potential of FTC Data Protection., 83 George Washington Law Review 2230 (2015).  I wrote the article with Professor Woodrow Hartzog.

FTC StatueThe article addresses  the scope of FTC authority in the areas of privacy and data security (which together we refer to as “data protection”).  We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.

We contend that the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss why the FTC should act with greater transparency and more nuanced sanctioning and auditing.

The article was part of a great symposium organized by the George Washington University Law Review: The FTC at 100.

GW Law Review FTC Symposium

Here is a table of contents of the issue, along with links to where you can access each essay and article.

Continue Reading

The Value of HIPAA Training

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
January 6, 2016

HIPAA Training

HIPAA expert Rebecca Herold offers a very compelling explanation of the value of HIPAA training.  She writes:

Information security and privacy education is more important than ever because new gadgets and technologies enable more healthcare workers to collect and share data.

In September 2015, Cancer Care Group agreed to settle HIPAA violations by paying a $750,000 fine and adopting a “robust corrective action plan to correct deficiencies in its HIPAA compliance program.” One of the major requirements for Cancer Care Group was to review and revise its training program, because the breach was caused by an easily preventable employee action (leaving a laptop with clear text files of 55,000 patients in an unsecured car).

Training needs to be more than once a year, and as soon as, or prior to, the start of employment. There also need to be ongoing awareness communications and activities, as required by HIPAA.

Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a wise business decision, it’s also a requirement in most data protection laws and regulations to provide such education.

To this, all I can say is: Amen.

Rebecca is the author of several great resources on HIPAA, including The Practical Guide to HIPAA Privacy and Security Compliance.

Rebecca Herold Practical Guide to HIPAA

Continue Reading

Privacy Need Not Be Sacrificed for Security

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
January 6, 2016

NSA Surveillance

I’ve long been saying that privacy need not be sacrificed for security, and it makes me delighted to see that public attitudes are aligning with this view.  A Pew survey revealed that a “majority of Americans (54%) disapprove of the U.S. government’s collection of telephone and internet data as part of anti-terrorism efforts.”  The anti-NSA surveillance sentiment is even stronger in other countries, as is shown in this chart below.

Pew NSA Surveillance

According to the survey, “74% said they should not give up privacy and freedom for the sake of safety, while just 22% said the opposite.”

As I wrote in my book, Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale U. Press 2011):

The debate between privacy and security has been framed incorrectly, with the tradeoff between these values understood as an all-or-nothing proposition. But protecting privacy need not be fatal to security measures; it merely demands oversight and regulation.

Continue Reading

Blogging Highlights 2015: Health Privacy+Security Issues

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
December 30, 2015

HIPAA Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about health privacy and security:

Why HIPAA Matters: Medical ID Theft and the
Human Cost of Health Privacy and Security Incidents

care

Continue Reading

Blogging Highlights 2015: Cybersecurity Issues

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
December 30, 2015

Cybersecurity Training

I’ve been going through my blog posts from 2015 to find the ones I most want to highlight.  Here are some selected posts about security:

The Worst Password Ever Created

worst password ever created

Should the FTC Kill the Password?
The Case for Better Authentication

title image

Continue Reading