The Blind Men, the Elephant and the FTC’s Data Security Standards

Omer Tene, IAPP, Thursday, October 30, 2014

Like a group of blind men encountering an elephant—one touching the trunk and thinking “snake,” another feeling a tusk and thinking “sword,” a third caressing an ear and thinking “sail”—so do commentators, lawyers and industry players struggle to identify what “reasonable data security” practices mean in the eyes of the Federal Trade Commission (FTC). In the absence of federal legislation or regulatory guidance, the reasonableness standard is assessed on a case-by-case basis through a string of FTC enforcement actions, 47 so far, by which the agency provides the public with glimpses into its regulatory interpretation.

Taking back privacy in the post-Snowden cloud

Sean Gallagher, Ars Technica, Tuesday, October 28, 2014

Governments aren’t going to fix cloud’s privacy problem. It’s up to the industry—and us. “In the 2000s we had this wild cloud party,” said Peter Eckersley, technology projects director at the Electronic Frontier Foundation. “That party ended—Edward Snowden crashed that party. And we’ve woken up with a massive privacy and security hangover that companies are now trying to shake.” How did we get in this mess? And is there any way to have both the convenience of mobile access to nearly everything while still keeping out the prying eyes of government spies and criminal crackers?

Securing video surveillance data: A three step approach

Julie Anderson, Civitas Group, Monday, October 27, 2014

Last month, the FBI updated the Federal Criminal Justice Information Services Security Policy (CJIS), which prescribes methods for securing data creation, collection, transmission, storage, and destruction in order to establish a standard level of data protection among all governmental bodies. State and local law enforcement agencies should build on CJIS standards and incorporate three additional measures to improve security when managing their video surveillance data. Implementing these three measures, in concert, will maximize the security of storing that data...

The Most Alarming Fact About HIPAA Audits (Part 5)

Daniel Solove, TeachPrivacy, Thursday, October 23, 2014

Under the Health Insurance Portability and Accountability Act (HIPAA), various organizations can be randomly selected to be audited – even if no complaint has been issued against them and even if there has been no privacy incident or breach. What the audits thus far have revealed is quite alarming.

Corporate student data privacy pledge

Rep. Jared Polis (D-Colo.) and Brad Smith, The Hill, Thursday, October 23, 2014

The intersection of the Family Educational Rights and Privacy Act of 1974, the Children's Online Privacy and Protection Act of 1998, a growing number of state laws, district policies, vendor contracts, and privacy policies creates a situation in which it is hard to tell what protections and rights exist for children or for adults. To witness this trend is to worry that legitimate privacy concerns threaten to derail the potential of education technology to improve personalized learning.

Android’s recent encryption announcement doesn’t protect your data

Karen Evans, KE&T Partners, Wednesday, October 22, 2014

Apple’s default encryption announcement contained a notable distinction in the fine print. They promised not to read the content of your email messages. Not only will Apple’s default encryption protect your email from being accessed by governmental entities without permission, but Apple will not retrieve or use the content of your email for their own purposes. Android’s announcement did not offer the same protection to users. They did not make the same pledge, which could be related to the fact that Google’s main source of revenue is derived from ad placements based on the content of user emails and searches.

Most cloud apps flout EU data protection rules – study

John Leyden, The Register, Tuesday, October 21, 2014

Three in four cloud services do not conform to the current EU Data Protection Directive, according to a new study. Enterprise cloud visibility firm Skyhigh Networks found that nearly three-quarters (72 per cent) of the cloud services used by European organisations do not meet the requirements of the current privacy regulations, with data being sent to countries without adequate levels of data protection. The transfer of personally identifiable information outside Europe meant many services were operating at odds with the EU Data Protection Directive.

The Brave New World of HIPAA Enforcement (Part 4)

Daniel Solove, TeachPrivacy, Monday, October 20, 2014

The Health Insurance Portability and Accountability Act (HIPAA) regulations govern health information maintained by various entities covered by HIPAA (“covered entities”) and other organizations that receive health information from covered entities when performing functions for them. HIPAA is enforced by the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS).

Will new commercial mobile encryption affect BYOD policy?

Adam Mazmanian, FCW, Monday, October 20, 2014

While law enforcement is up in arms about new default data encryption on Apple iOS and Google Android devices, experts say the policy could have some benefits for federal mobility as well.

Restoring Privacy in the Era of Big Data

Kris Alman, Student Privacy Matters, Sunday, October 19, 2014

A parallel explosion of big data since 2001 is not coincidental. Big data utopians proclaim better integration of fragmented health and education sectors and data analysis will improve outcomes and improve value. The question never seems to be asked, “For whom?”