Saturday, April 13, 2019


Philosophy or policy? Interesting questions. How much more interesting if they were asked in court with the CEO in the witness chair?
Attorney Matt Fisher writes:
Notice of a new data breach is posted at least once a day. A frequent feature of many notices is the disclosure that the conduct giving rise to the breach happened months earlier, with the delay sometimes going into years in some instances.
The notices typically do not provide much insight into the reasoning for the delays, which gives rise to the question: when should notice of a data breach be provided?
The answer is seemingly straightforward. The HIPAA data breach notification rule states that, absent certain narrow exceptions, a covered entity needs to provide notice without unreasonable delay, which should be no more than 60 days following discovery of the breach.
The language “without unreasonable delay” is key.
Read more of Matt’s commentary on Health Data Management.
The issue of when a breach is considered “discovered” for purposes of starting any clock is one I grapple with on almost a daily basis. Matt seems to take a fairly firm position about what “discovered” means, but I am aware that there are entities who argue to the effect of “Well, how do you know who to notify and what to tell them if you are still investigating at 60 days?”
That seems to be a fairly logical argument, until I respond, “Well, why couldn’t you have determined that sooner? Did you allow too much ePHI to accumulate in employees’ email accounts? Did you fail to check logs regularly? Did you not hire enough people to investigate this breach intensively?” When did you start the intensive investigation after discovery?
But then, it’s easy to sit at a desk in my office and lob questions at entities when I would not want to change places with those trying to respond to an incident.




I’m probably missing dozens (hundreds?) of articles on CCPA.
Joseph J. Lazzarotti of JacksonLewis writes:
As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA). This week, the Senate Judiciary Committee referred the bill to the Senate Appropriations Committee by a vote of 6-2. This move came despite concerns raised about the scope of the amendment’s expanded private right of action. It is worth noting that a restricted private right of action is believed to have been fundamental to the compromise that led to the CCPA becoming law.
If SB 561 becomes law, it would make a number of significant changes to the current law.
Read more on Workplace Privacy, Data Management & Security Report. Alan Friel of BakerHostetler also comments on this over on Data Privacy Monitor.
In other news about CCPA proposed amendments, Liisa Thomas, Craig Cardon, Rachel Tarko Hudson and Brian Anderson of Sheppard Mullin discuss AB-25 in their post, Will CCPA’s Definition of Consumer Be Narrowed?


(Related) “No one expects the Spanish Inquisition!”
New Report Highlights Potential Privacy Blind Spot Resulting from Data Sharing and Data Inventory Practices
A comprehensive new study (“2019 Data Privacy Maturity Study”) from Seattle-based Integris Software suggests that many mid- to large-sized enterprises simply are not prepared for the avalanche of private data in the marketplace today, or for the growing proliferation of data sharing agreements with other companies. Add in the fact that government regulations appear to be mushrooming on a state-by-state basis across the United States, and it’s easy to see why a clear majority (79%) of these enterprises now support a federal privacy law that would provide clear guidelines on data sharing and data inventory practices.
However, the big question is whether enterprises are really able to scale their data sharing and data inventory practices past a certain level. Enterprises with more than 500 employees, for example, typically have far-flung operations all over the globe. Moreover, they have a huge network of vendors, suppliers and partners. Recognizing the inherent complexity involved in navigating all of this personal data, only 23% of enterprises said they were ready for the upcoming California Consumer Privacy Act, which is set to go into effect in 2020. Moreover, only 36% said they were ready for the General Data Protection Regulation (GDPR), which went into effect in May 2018. This last figure is particularly troubling, because it has now been almost one year since the GDPR went into effect, and the majority of enterprises are still having a hard time coping with the new rules surrounding data subjects, data mapping, data sharing and data inventory.
From the report:
Forward looking organizations are treating privacy as part of a broader data protection strategy where privacy tells you what’s important and why, and security is the how.


(Related) Words you can’t use in French? Will this ruling translate?
Catherine Muyl and Marion Cavalier of Foley Hoag write:
It has been rough weather for Google in France. Three weeks after the French Data Protection Authority imposed a record fine against Google for non-compliance with the GDPR, the Paris District Court (“Tribunal de Grande Instance”) invalidated 38 clauses of Google’s Privacy Policy and Terms of Use for Google+, the Internet-based social media network owned and operated by Google. This decision was rendered on February 12, 2019 in an action that was initiated against Google Inc. in 2014 by an old French consumer not-for-profit organization, UFC QueChoisir.




Perspective. Miracles aside, could we create an AI indistinguishable from God?
How Southern Baptists Are Grappling With Artificial Intelligence
Traditional theist religions have “turned from a creative into a reactive force,” as historian Yuval Noah Harari put it in his 2016 book, Homo Deus. “They now mostly agonize over the technologies, methods and ideas propagated by other movements.”
That reputation makes a statement on artificial intelligence released Thursday by the Southern Baptist Convention all the more intriguing. The SBC’s public-policy arm, the Ethics and Religious Liberty Commission, spent nine months researching and writing “Artificial Intelligence: An Evangelical Statement of Principles,” and it has been signed by 68 prominent evangelical thinkers. The brief document is intended to respond to the “existential questions” raised by A.I. technology. It takes a strikingly optimistic tone in doing so. “This was created not out of fear, but out of an understanding that [A.I.] is a tool that God has given us,” said Jason Thacker, who headed the project at the ERLC.




Any technology invented before the Civil War is not advisable in modern business.


