PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Heartbleed: A Data Security Bug of Titanic Proportions that Affects Most of the Internet and that Will Have Enormous Implications

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 16, 2014

heartbleed blog 1

by Daniel J. Solove

It sounds like a late April Fool’s joke, but it isn’t. Heartbleed, a data security bug in Open SSL, allows hackers to access personal data and encryption keys. This vulnerability has existed for 2+ years, and there is no way to know if your data has been compromised. And the majority of websites that encrypt use OpenSSL, such as the most popular banking and retail sites. This is a security flaw of titanic proportions. According to CNN: “Researchers discovered the issue last week and published their findings on Monday, but said the problem has been present for more than two years, since March 2012. Any communications that took place over SSL in the past two years could have been subject to malicious eavesdropping.”

Continue Reading

One of the Most Important Data Security Cases Was Just Decided: FTC v. Wyndham

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 15, 2014

ftc wyndham blog post

by Daniel J. Solove

The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and yesterday, it finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Continue Reading

Waking Up the C-Suite to Privacy and Security Risks

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 8, 2014

waking up the c suite

by Daniel J. Solove

I was recently interviewed in the Journal of AHIMA on how the C-suite is waking up to the new realities of privacy and data security risks. Before the HITECH Act in 2009, HIPAA enforcement was based on a cooperative model where HHS was not punitive in its approach. Now, big fines are being issued. There is auditing. The climate has changed.

Privacy and security risks are quite costly. This is true not just under HIPAA, but also as a general matter. At many organizations, the C-Suite doesn’t fully appreciate the magnitude of the risk. Back about 10 years ago, for many organizations, privacy and security risks were barely on the radar. Now they are recognized for many organizations, but the significance of the risk is often not fully understood or appreciated.

Continue Reading

The Battle for Leadership in Education Privacy Law: Will California Seize the Throne?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 7, 2014

Blank chalkboard and stack of books

by Daniel J. Solove

This post was co-authored by Professor Paul Schwartz, Berkeley Law School.

Education was one of the first areas where privacy was regulated by a federal statute. Passed in the early 1970s, the Family Educational Rights and Privacy Act (FERPA) was on the frontier of federal privacy regulation. But now it is old and ineffective. With the growing public concern about the privacy of student data, states are starting to rev up their engines and become more involved. The result could be game-changing legislation for the multi-billion dollar education technology industry.

Continue Reading

5 Things School Officials Must Know About Privacy

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 10, 2014

Video 5 Things School Officials Must Know About Privacy

by Daniel J. Solove

I have produced a new short video called 5 Things School Officials Must Know About Privacy.  The video addresses the most important points that school officials should know when it comes to privacy. These points are:

  1. Protecting privacy involves much more than following FERPA.
  2. Just because software and services can do something does not make it legal.
  3. Someone must wear the privacy hat.
  4. Protecting personal data is your responsibility – and it remains your responsibility when third parties are using data you shared with them.
  5. Members of your school community should be educated about how to protect their data.

Continue Reading

Privacy by Design with Passion and Pizazz: A Review of The Privacy Engineer’s Manifesto

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 3, 2014

C

by Daniel J. Solove

I was fortunate to pick up a copy of The Privacy Engineer’s Manifesto, a new book by Michelle Finneran Dennedy, Jonathan Fox, and Thomas Finneran.

I’ve read a lot of practical “how to” stuff about privacy before that’s vague and not very specific, but this book is so refreshingly detailed, has great depth, and is concrete. It’s a real achievement, and a book that deserves attention.

Continue Reading

Duties When Contracting with Data Service Providers

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 26, 2014

data services blog 1

by Daniel J. Solove

In the world of data protection, it’s an old story: Personal data gets shared with a third party data service provider, and then something goes wrong at the provider.

Whose fault is it? The organization that shared the personal data with the vendor certainly has responsibility, as organizations are generally responsible for the actions of their independent contractors. But even though an organization might have to pick up the tab, it can still put all the blame on the vendor.

Continue Reading

Is Data Security Awareness Training Effective?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 25, 2014

data security awareness blog 1

by Daniel J. Solove

A recent article in CIO explores the question: Is data security awareness training effective?

The answer: Yes.

The article points to an ISACA study that seeks to measure the effectiveness of data security awareness training. The study concludes: “Security awareness training is a vital nontechnical component to information security. As such, it is in the interest of the public and private sectors to continue to research this component that directly impacts security’s weakest link: humans.”

Continue Reading

Data Security Is an Art, Not Just a Science

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 5, 2014

data security blog 1

by Daniel J. Solove

Far too often, the mandate for data security is simply to “secure it,” and people often think of data security as a set of clear choices. This is in contrast to privacy, which is understood as a set of muddy policy issues. But data security is, in fact, quite muddy itself.

Data security is about risk management. Data security measures can reduce the risk of having a data breach, but these measures have costs. These costs can be financial, but they also can involve efficiency, convenience, and the very culture of an organization.

Continue Reading

4 Points About the Target Breach and Data Security

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 3, 2014

I

by Daniel J. Solove

There seems to be a surge in data security attacks lately. First came news of the Target attack. Then Neiman Marcus. Then the U.S Courts. Then Michael’s. Here are four points to consider about data security:

1. Beware of fraudsters engaging in post-breach fraud.

After the Target breach, fraudsters sent out fake emails purporting to be from Target about the breach and trying to trick people into providing personal data. It can be hard to distinguish the real email from an organization having a data breach from a fake one by fraudsters. People are more likely to fall prey to a phishing scheme because they are anxious and want to take steps to protect themselves. Post-breach trickery is now a growing technique of fraudsters, and people must be educated about it and be on guard.

Continue Reading