PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

The Importance and Goals of HIPAA Training Programs

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 19, 2015

HIPAA Training

by Daniel J. Solove

There is a great quote in this article from HealthcareInfoSecurity: that expresses very well the importance and goals of HIPAA training programs:

Workforce training is important not only for preventing breaches, including those involving ID crimes, but also to help detect those incidents, [Ann Patterson of the Medical Identity Fraud Alliance] says. “Each employee must understand their role in protecting PHI. Equally important is regular and continued evaluation of the training programs to make sure that employees are adhering to the policies put in place, and that the ‘red flags’ detection systems are keeping pace with changing technologies and workplace practices.”

Continue Reading

Security Experts Critique Government Backdoor Access to Encrypted Data

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 14, 2015

Data Ballby Daniel J. Solove

In a recent report (link no longer available), MIT security experts critiqued calls by government law enforcement for backdoor access to encrypted information.  As the experts aptly stated:

“Political and law enforcement leaders in the United States and the United Kingdom have called for Internet systems to be redesigned to ensure government access to information — even encrypted information. They argue that the growing use of encryption will neutralize their investigative capabilities. They propose that data storage and communications systems must be designed for exceptional access by law enforcement agencies. These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

The report is called Keys Under Doormats: Mandating Insecurity by Requiring Government Access to all Data and Communications and is by Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, and Daniel J. Weitzner.

Continue Reading

Mr. Robot: My Review of the New TV Series

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 13, 2015

Mr Robot 01by Daniel J. Solove

I’ve really been enjoying the new TV series Mr. Robot on USA. Network.  It presents highly-engaging depictions of hacking and social engineering, and it is great entertainment for privacy and security  geeks.

Mr Robot 05aThe protagonist is Elliot Alderson (played by Rami Malek), a tech who works at a cybersecurity firm in New York City.  The show is narrated with voiceover by Elliot, and we get a glimpse into the mind of this reclusive and quiet person.  Voiceover can often falter as a technique, but here it works wonderfully — and all the more impressive because Elliot speaks softly, often in monotone.  But Elliot is such a fascinating character and Malek delivers Elliot’s monologue so effectively, that it becomes surprisingly engaging.

Elliot is very smart and clever, and he sees many around him as idiots.  He suffers from severe bouts of depression, is a recluse who wants to be invisible, and he is very awkward around other people.  He lives most of his life inside his head.  The show presents the stark contrast between what he says to others and what he is thinking.  In one scene, we see him speaking to his psychiatrist, telling her hardly anything.  But we hear his thoughts and know that he is pondering quite a lot.
Continue Reading

Going Bankrupt with Your Personal Data

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 6, 2015

title image

By Daniel J. Solove

 

A recent New York Times article discusses the issue of what happens to your personal data when companies go bankrupt or are sold to other companies:

When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.

This has long been a problem, and I’m glad to see it receiving some attention.  The issue arose in one of the early FTC cases on privacy about 15 years ago.

Continue Reading

Security Professionals in High Demand

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 1, 2015

CISO Security Professionals Security Training

by Daniel J. Solove

According to a study, the number of cybersecurity job listings increased 74% from 2007 to 2013.  This was more than double the growth rate of IT jobs.

In a survey earlier this year of ISACA members, 86% stated that there is a “global shortage of skilled cybersecurity professionals.”

According to a salary survey, CISO salaries climbed 7.1% in the past year, from a range of between about $126,000 – $190,000 to a range between $134,000 – $205,000.

Chart CISO Salaries 01

Continue Reading

What Is Privacy?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 29, 2015

Finger Print Iris Scan

By Daniel J. Solove

What is privacy? This is a central question to answer, because a conception of privacy underpins every attempt to address it and protect it.  Every court that holds that something is or isn’t privacy is basing its decision on a conception of privacy — often unstated.  Privacy laws are also based on a conception of privacy, which informs what things the laws protect.  Decisions involving privacy by design also involve a conception of privacy.  When privacy is “baked into” products and services, there must be some understanding of what is being baked in.

Far too often, conceptions of privacy are too narrow, focusing on keeping secrets or avoiding disclosure of personal data.  Privacy is much more than these things.  Overly narrow conceptions of privacy lead to courts concluding that there is no privacy violation when something doesn’t fit the narrow conception.   Narrow or incomplete conceptions of privacy lead to laws that fail to address key problems.  Privacy by design can involve throwing in a few things and calling it “privacy,” but this is like cooking a dish that requires 20 ingredients but only including 5 of them.

It is thus imperative to think through what privacy is.  If you have an overly narrow or incomplete conception of privacy, you’re not going to be able to effectively identify privacy risks or protect privacy.

In my work, I have attempted to develop a practical and useable conception of privacy.  In what follows, I will briefly describe what I have developed.

Continue Reading

New Resource Page: HIPAA Training Requirements FAQ

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 29, 2015

HIPAA Training Requirements Whiteboard 02

by Daniel J. Solove

I recently created a new resource page for the TeachPrivacy website: HIPAA Training Requirements: FAQ.

Continue Reading

Baseball’s “Hacking” Case: Are You a Hacker Too?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 25, 2015

title image

By Daniel J. Solove

 

I’m a St. Louis Cardinals fan, so I guess it is fitting that my favorite team becomes embroiled in a big privacy and data security incident.  At the outset, apologies for the feature photo above.  It pulled up under a search for “baseball hacker,” and as a collector of ridiculous hacker stock photos, I couldn’t resist adding this one to my collection.  I doctored it up by adding in the background, but I applaud the prophetic powers of the photographer who had a vision that one day such an image would be needed.

Continue Reading

Cybersecurity: Leviathan vs. Low-Hanging Fruit

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 24, 2015

Data Security Training Low-Hanging Fruit

by Daniel J. Solove

There are certainly many hackers with sophisticated technical skills and potent malicious technologies.  These threats can seem akin to Leviathan — all powerful and insurmountable.

Leviathan 01

It can be easy to get caught up focusing on the Leviathan and miss the low-hanging fruit of cybersecurity.  This low-hanging fruit consists of rather simple and easy-to-fix vulnerabilities and bad practices.

Continue Reading