PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

The $500,000 Value of Data Security Awareness Training

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
November 26, 2014

data security awareness training

by Daniel J. Solove

It has long been difficult to quantify the ROI of data security awareness training.

But finally, I have been able to locate a number. According to a 2014 PricewaterhouseCoopers study: “The financial value of employee awareness is even more compelling. Organizations that do not have security awareness programs—in particular, training for new employees—report significantly higher average financial losses from cybersecurity incidents. Companies without security training for new hires reported average annual financial losses of $683,000, while those do have training said their average financial losses totaled $162,000.”

Continue Reading

Lawsuits for HIPAA Violations and Beyond: A Journey Down the Rabbit Hole

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
November 24, 2014

hipaa lawsuits 1

by Daniel J. Solove

At first blush, it seems impossible for a person to sue for a HIPAA violation. HIPAA lacks a private cause of action. So do many other privacy and data security laws, such as FERPA, the FTC Act, the Gramm-Leach-Bliley Act, among others. That means that these laws don’t provide people with a way to sue when their rights under these laws are violated. Instead, these laws are enforced by agencies.

Continue Reading

People Care About Privacy Despite Their Behavior

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
November 19, 2014

people care about privacy

It is often said that people don’t care much about privacy these days given how much information they expose about themselves. But survey after survey emphatically concludes that people really do care about privacy.

Continue Reading

Should the FTC Be Regulating Privacy and Data Security?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
November 14, 2014

ftc

by Daniel J. Solove

This post was co-authored with Professor Woodrow Hartzog.

This past Tuesday the Federal Trade Commission (FTC) filed a complaint against AT&T for allegedly throttling the Internet of its customers even though they paid for unlimited data plans. This complaint was surprising for many, who thought the Federal Communications Commission (FCC) was the agency that handled such telecommunications issues. Is the FTC supposed to be involved here?

Continue Reading

The Most Alarming Fact of the HIPAA Audits

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
November 3, 2014

hipaa audits 1

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #5 of a series called Enforcing Privacy and Security Laws.

Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach.

What the audits thus far have revealed is quite alarming. I’ll discuss more on that later.

Continue Reading

Ebola and Privacy: Snooping, Confidentiality, and HIPAA

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 28, 2014

Ebola Virus Confidential

by Daniel J. Solove

The recent cases of Ebola in the United States demonstrate challenges to health privacy in today’s information age — both in preventing employees from snooping into patient information as well as preventing the disclosure of patient identities.

Continue Reading

The Brave New World of HIPAA Enforcement

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 28, 2014

hipaa enforcement

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #4 of a series called Enforcing Privacy and Security Laws.

hhs logoThe Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive health information from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS). Additionally, state attorneys general (AGs) may enforce HIPAA – only a few federal privacy laws can also be enforced by state AGs.

Continue Reading

Who Are the Privacy and Security Cops on the Beat?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 21, 2014

privacy and security

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #3 of a series called Enforcing Privacy and Security Laws.

Continue Reading

The Privacy Pillory and the Security Rack: The Enforcement Toolkit

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 17, 2014

privacy pillory

law blog 2

by Daniel J. Solove

Are privacy and security laws being enforced effectively? This post is post #2 in a series called Enforcing Privacy and Security Laws. See the end of this post for links to other posts in this series.

What kind of sanctions do privacy and security laws use for enforcement? In this post, I will discuss the various tools that are frequently used in the enforcement of privacy/security laws.

Continue Reading

Why Enforce Privacy and Security Laws?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 15, 2014

law blog 1by Daniel J. Solove

law blog 2

PART 1

Are privacy and security laws being enforced effectively? This post is part of a series called Enforcing Privacy and Security Laws.

How are privacy and security laws enforced? How should they be enforced? What enforcement works well? What doesn’t? What are the various agencies that are enforcing privacy laws doing? How do the agencies compare in their enforcement efforts?

I plan to explore these questions in a series of posts. Collectively, I’ll call this series “Enforcing Privacy and Security Laws.”

Continue Reading