PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Our Privacy and Data Security Depend Upon Contracts Between Organizations

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 5, 2014

contracts between organizations blog 1

by Daniel J. Solove

Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider.

In many cases, these contracts fail to contain key protections of data. For example, a study conducted by Fordham School of Law’s Center on Law and Information Policy revealed that contracts between K-12 school districts and cloud service providers lacked essential terms for the protection of student data. I blogged about this study previously here.

Continue Reading

The Future of Global Privacy: Conflict or Harmony?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 28, 2014

future of global privacy blog 1

by Daniel J. Solove

I recently had the opportunity to interview Christopher Kuner, Senior Of Counsel with Wilson Sonsini Goodrich & Rosati in Brussels. He is also an Honorary Professor at the University of Copenhagen, a visiting fellow at the London School of Economics, and teaches at the University of Cambridge. He is editor-in-chief of the law journal International Data Privacy Law, and has been active in international organizations such as the Council of Europe, the OECD, and UNCITRAL. His book entitled “Transborder Data Flows and Data Privacy Law” was published in 2013 by Oxford University Press. More information is available at his personal web site.

Continue Reading

5 Key Quotes from the FTC v. Wyndham Decision on Data Security

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 22, 2014

5 key points ftc wyndham blog 1

by Daniel J. Solove

This post was co-authored by Professor Woodrow Hartzog.

The long-awaited federal district court opinion in FTC v. Wyndham was finally released last week. The U.S. District Court for the District of New Jersey rejected Wyndham’s arguments that the FTC lacks the authority to regulate unfair data security practices, that the FTC is required to issues rules before bringing an unfair data security complaint, and that the FTC failed to provide fair notice of what constitutes an unfair data security practice.

I blogged about the case here last week.

Continue Reading

Heartbleed: A Data Security Bug of Titanic Proportions that Affects Most of the Internet and that Will Have Enormous Implications

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 16, 2014

heartbleed blog 1

by Daniel J. Solove

It sounds like a late April Fool’s joke, but it isn’t. Heartbleed, a data security bug in Open SSL, allows hackers to access personal data and encryption keys. This vulnerability has existed for 2+ years, and there is no way to know if your data has been compromised. And the majority of websites that encrypt use OpenSSL, such as the most popular banking and retail sites. This is a security flaw of titanic proportions. According to CNN: “Researchers discovered the issue last week and published their findings on Monday, but said the problem has been present for more than two years, since March 2012. Any communications that took place over SSL in the past two years could have been subject to malicious eavesdropping.”

Continue Reading

One of the Most Important Data Security Cases Was Just Decided: FTC v. Wyndham

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 15, 2014

ftc wyndham blog post

by Daniel J. Solove

The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and yesterday, it finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Continue Reading

Waking Up the C-Suite to Privacy and Security Risks

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 8, 2014

waking up the c suite

by Daniel J. Solove

I was recently interviewed in the Journal of AHIMA on how the C-suite is waking up to the new realities of privacy and data security risks. Before the HITECH Act in 2009, HIPAA enforcement was based on a cooperative model where HHS was not punitive in its approach. Now, big fines are being issued. There is auditing. The climate has changed.

Privacy and security risks are quite costly. This is true not just under HIPAA, but also as a general matter. At many organizations, the C-Suite doesn’t fully appreciate the magnitude of the risk. Back about 10 years ago, for many organizations, privacy and security risks were barely on the radar. Now they are recognized for many organizations, but the significance of the risk is often not fully understood or appreciated.

Continue Reading

The Battle for Leadership in Education Privacy Law: Will California Seize the Throne?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 7, 2014

Blank chalkboard and stack of books

by Daniel J. Solove

This post was co-authored by Professor Paul Schwartz, Berkeley Law School.

Education was one of the first areas where privacy was regulated by a federal statute. Passed in the early 1970s, the Family Educational Rights and Privacy Act (FERPA) was on the frontier of federal privacy regulation. But now it is old and ineffective. With the growing public concern about the privacy of student data, states are starting to rev up their engines and become more involved. The result could be game-changing legislation for the multi-billion dollar education technology industry.

Continue Reading

5 Things School Officials Must Know About Privacy

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 10, 2014

Video 5 Things School Officials Must Know About Privacy

by Daniel J. Solove

I have produced a new short video called 5 Things School Officials Must Know About Privacy.  The video addresses the most important points that school officials should know when it comes to privacy. These points are:

  1. Protecting privacy involves much more than following FERPA.
  2. Just because software and services can do something does not make it legal.
  3. Someone must wear the privacy hat.
  4. Protecting personal data is your responsibility – and it remains your responsibility when third parties are using data you shared with them.
  5. Members of your school community should be educated about how to protect their data.

Continue Reading

Privacy by Design with Passion and Pizazz: A Review of The Privacy Engineer’s Manifesto

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 3, 2014

C

by Daniel J. Solove

I was fortunate to pick up a copy of The Privacy Engineer’s Manifesto, a new book by Michelle Finneran Dennedy, Jonathan Fox, and Thomas Finneran.

I’ve read a lot of practical “how to” stuff about privacy before that’s vague and not very specific, but this book is so refreshingly detailed, has great depth, and is concrete. It’s a real achievement, and a book that deserves attention.

Continue Reading

Duties When Contracting with Data Service Providers

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 26, 2014

data services blog 1

by Daniel J. Solove

In the world of data protection, it’s an old story: Personal data gets shared with a third party data service provider, and then something goes wrong at the provider.

Whose fault is it? The organization that shared the personal data with the vendor certainly has responsibility, as organizations are generally responsible for the actions of their independent contractors. But even though an organization might have to pick up the tab, it can still put all the blame on the vendor.

Continue Reading