PRIVACY + SECURITY BLOG

News, Developments, and Insights

Duties When Contracting with Data Service Providers

by Daniel J. Solove

In the world of data protection, it’s an old story: Personal data gets shared with a third party data service provider, and then something goes wrong at the provider.

Whose fault is it? The organization that shared the personal data with the vendor certainly has responsibility, as organizations are generally responsible for the actions of their independent contractors. But even though an organization might have to pick up the tab, it can still put all the blame on the vendor.

Continue Reading

Is Data Security Awareness Training Effective?

by Daniel J. Solove

A recent article in CIO explores the question: Is data security awareness training effective?

The answer: Yes.

The article points to an ISACA study that seeks to measure the effectiveness of data security awareness training. The study concludes: “Security awareness training is a vital nontechnical component to information security. As such, it is in the interest of the public and private sectors to continue to research this component that directly impacts security’s weakest link: humans.”

Continue Reading

Data Security Is an Art, Not Just a Science

by Daniel J. Solove

Far too often, the mandate for data security is simply to “secure it,” and people often think of data security as a set of clear choices. This is in contrast to privacy, which is understood as a set of muddy policy issues. But data security is, in fact, quite muddy itself.

Data security is about risk management. Data security measures can reduce the risk of having a data breach, but these measures have costs. These costs can be financial, but they also can involve efficiency, convenience, and the very culture of an organization.

Continue Reading

4 Points About the Target Breach and Data Security

by Daniel J. Solove

There seems to be a surge in data security attacks lately. First came news of the Target attack. Then Neiman Marcus. Then the U.S. Courts. Then Michaels. Here are four points to consider about data security:

1. Beware of fraudsters engaging in post-breach fraud.

After the Target breach, fraudsters sent out fake emails purporting to be from Target about the breach and trying to trick people into providing personal data. It can be hard to distinguish the real email from an organization having a data breach from a fake one by fraudsters. People are more likely to fall prey to a phishing scheme because they are anxious and want to take steps to protect themselves. Post-breach trickery is now a growing technique of fraudsters, and people must be educated about it and be on guard.

Continue Reading

10 Reasons Why Privacy Matters

by Daniel J. Solove

Why does privacy matter? Often courts and commentators struggle to articulate why privacy is valuable. They see privacy violations as often slight annoyances. But privacy matters a lot more than that.

Privacy is not just a concept—it’s your personal shield in an era where data is gold. Here are 10 compelling reasons why protecting your privacy is absolutely essential today:

1. Limit on Power

Privacy is a limit on government power, as well as the power of private sector companies. The more someone knows about us, the more power they can have over us. Personal data is used to make very important decisions in our lives. Personal data can be used to affect our reputations; and it can be used to influence our decisions and shape our behavior. It can be used as a tool to exercise control over us. And in the wrong hands, personal data can be used to cause us great harm.

Privacy stands as a barrier against the unchecked might of governments and corporations. Remember the shockwaves sent through the world after the Cambridge Analytica scandal? Modern laws like GDPR and CCPA have stepped in, but the ultimate power still lies with you. By guarding your data, you’re limiting overreach and keeping those in power honest.

Continue Reading

The Year in Privacy 2013 and the Year to Come

by Daniel J. Solove

2013 was a remarkable year in privacy developments. Here are four main trends I saw occurring this year:

1. The heat on the NSA for its broad surveillance programs has been sustained and productive.

The Edward Snowden leaks revealed massive NSA surveillance efforts. What is most interesting in the aftermath of the recent NSA surveillance revelations has been the strong public disapproval of the NSA surveillance and courts finally taking some leadership on the issue, such as one court declaring the surveillance likely unconstitutional. The President’s Review Group on Intelligence and Communications Technologies recommended curbs on the NSA. Congress has yet to show leadership on the issue, which remains disappointing, but we are finally seeing the stirrings of a response and perhaps change. Indeed, 56% of people in a Pew poll “say that federal courts fail to provide adequate limits on the telephone and internet data the government is collecting.”

Moreover, the story regarding NSA surveillance keeps going on. It hasn’t faded. The overall trend is that there is now sustained heat on the NSA and a sustained stirring for changing the law to provide greater oversight and controls on government surveillance.

Continue Reading

Notable Privacy and Security Books 2013

Here are some notable books on privacy and security from 2013. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.

Continue Reading

NSA Metadata Surveillance and the Fourth Amendment

by Daniel J. Solove

A U.S. District Court recently held that the NSA surveillance of telephone metadata likely violates the Fourth Amendment. The case is Klayman v. Obama.

The NSA surveillance program involves an incredibly broad gathering of metadata about people’s conversations. Metadata doesn’t include the conversations themselves, just data about when and to whom they are made — i.e., not the content of the phone conversations but the phone numbers of the people having the conversations.

The key Fourth Amendment case at issue is Smith v. Maryland, 442 U.S. 745 (1979), which held that a pen register device capturing the phone numbers a person dialed wasn’t protected by the Fourth Amendment partly because the phone company had access to the phone numbers and partly because phone numbers weren’t viewed to be as sensitive as the phone conversations themselves.

Continue Reading

Why Schools Are Flunking Privacy and How They Can Improve

by Daniel J. Solove

Fordham School of Law’s Center on Law and Information Policy (CLIP), headed by Joel Reidenberg, has released an eye-opening and sobering study of how public schools are handling privacy issues with regard to cloud computing. The study is called Privacy and Cloud Computing in Public Schools, and it is well worth a read.

Continue Reading

Why Metadata Matters: The NSA and the Future of Privacy

by Daniel J. Solove

Over at Slate, Dahlia Lithwick and Steve Vladeck have a great piece about why “metadata” matters. It is very much worth reading. Here are some of my thoughts on the matter.

Several National Security Agency (NSA) surveillance programs involve gathering metadata about our communications (the numbers we call or the email addresses we email). This data is distinguished from the content of the communications, which is understood to be more sensitive and important. Sometimes, metadata is referred to as “envelope” information because it is akin to an envelope we send a letter in – and the letter itself is the “content” information.

Is the envelope information really that sensitive? “Nobody is listening to your telephone calls,” President Obama declared. Intelligence agencies are “looking at phone numbers and durations of calls; they are not looking at people’s names, and they’re not looking at content.” So should we breathe easier?

The answer is no. There are several reasons why the privacy of metadata matters tremendously.

Continue Reading