Philosophy
or policy? Interesting questions. How much more interesting if they
were asked in court with the CEO in the witness chair?
Attorney
Matt Fisher writes:
Notice
of a new data breach is posted at least once a day. A frequent
feature of many notices is the disclosure that the conduct giving
rise to the breach happened months earlier, with the delay sometimes
going into years in some instances.
The
notices typically do not provide much insight into the reasoning for
the delays, which gives rise to the question: when should notice of a
data breach be provided?
The
answer is seemingly straightforward. The HIPAA data breach
notification rule states that, absent certain narrow exceptions, a
covered entity needs to provide notice without unreasonable delay,
which should be no more than 60 days following discovery of the
breach.
The
language “without unreasonable delay” is key.
Read
more of Matt’s commentary on Health
Data Management.
The
issue of when a breach is considered “discovered” for purposes of
starting any clock is one I grapple with on almost a daily basis.
Matt seems to take a fairly firm position about what “discovered”
means, but I am aware that there are entities who argue to the effect
of “Well, how do you know who to notify and what to tell them if
you are still investigating at 60 days?”
That
seems to be a fairly logical argument, until I respond, “Well,
why couldn’t you have determined that sooner? Did you
allow too much ePHI to accumulate in employees’ email accounts?
Did you fail to check logs regularly? Did you not hire enough people
to investigate this breach intensively?” When did you start the
intensive investigation after discovery?
But
then, it’s easy to sit at a desk in my office and lob questions at
entities when I would not want to change places with those trying to
respond to an incident.
I’m
probably missing dozens (hundreds?) of articles on CCPA.
Joseph
J. Lazzarotti of JacksonLewis writes:
As
we reported, in
late February, California Attorney General Xavier Becerra and Senator
Hannah-Beth Jackson introduced Senate
Bill 561, legislation
intended to strengthen and clarify the California Consumer Privacy
Act (CCPA). This week, the Senate Judiciary Committee referred the
bill to the Senate Appropriations Committee by a vote of 6-2. This
move came despite concerns raised about the scope of the amendment’s
expanded private right of action. It is worth noting that a
restricted private right of action is believed to have been
fundamental to the compromise that led to the CCPA becoming law.
If
SB 561 becomes law, it would make a number of significant changes to
the current law.
Read
more on Workplace
Privacy, Data Management & Security Report.
Alan
Friel of BakerHostetler also comments on this over on Data
Privacy Monitor.
In
other news about CCPA proposed amendments, Liisa Thomas, Craig
Cardon, Rachel Tarko Hudson and Brian Anderson of Sheppard Mullin
discuss AB-25 in their post, Will CCPA’s Definition of Consumer Be
Narrowed?
(Related)
“No one expects the Spanish Inquisition!”
New
Report Highlights Potential Privacy Blind Spot Resulting from Data
Sharing and Data Inventory Practices
A
comprehensive new study (“2019 Data Privacy Maturity Study”) from
Seattle-based Integris Software suggests that many mid- to large-sized
enterprises simply are not prepared for
the avalanche of private data in the marketplace today, or for the
growing proliferation of data sharing agreements with other
companies. Add in the fact that government regulations appear to be
mushrooming on a state-by-state basis across the United States, and
it’s easy to see why a clear majority (79%) of these enterprises
now support a federal privacy law that would provide clear guidelines
on data sharing and data inventory practices.
… However,
the big question is whether enterprises are really able to scale
their data sharing and data inventory practices past a certain level.
Enterprises with more than 500 employees, for example, typically
have far-flung operations all over the globe. Moreover, they have a
huge network of vendors, suppliers and partners. Recognizing the
inherent complexity involved in navigating all of this personal data,
only 23% of enterprises said they were ready for the upcoming California
Consumer Privacy Act, which is set to go into effect in 2020. Moreover, only
36% said they were ready for the General Data Protection Regulation
(GDPR), which went into effect in May 2018. This last figure is
particularly troubling, because it has now been almost one year since
the GDPR went into effect, and the majority of enterprises are still
having a hard time coping with the new rules surrounding data
subjects, data mapping, data sharing and data inventory.
[From the report:]
Forward-looking organizations are treating privacy as part of a broader
data protection strategy where privacy tells you what’s important and
why, and security is the how.
(Related)
Words you can’t use in French? Will this ruling translate?
Catherine
Muyl and Marion Cavalier of Foley Hoag write:
It
has been rough weather for Google in France. Three weeks after the
French Data Protection Authority imposed a record fine against Google
for non-compliance with the GDPR,
the Paris District Court (“Tribunal de Grande Instance”)
invalidated 38 clauses of Google’s Privacy Policy and Terms of Use
for Google+, the Internet-based social media network owned and
operated by Google. This decision was rendered on February 12, 2019
in an action that was initiated against Google Inc. in 2014 by an old
French consumer not-for-profit organization, UFC Que Choisir.
Perspective.
Miracles aside, could we create an AI indistinguishable from God?
How
Southern Baptists Are Grappling With Artificial Intelligence
… Traditional
theist religions have “turned from a creative into a reactive
force,” as historian Yuval Noah Harari put it in his 2016 book, Homo
Deus. “They now mostly agonize over the technologies, methods and ideas
propagated by other movements.”
That
reputation makes a statement on artificial intelligence released
Thursday by the Southern Baptist Convention all the more intriguing.
The SBC’s public-policy arm, the Ethics and Religious Liberty
Commission, spent nine months researching and writing “Artificial
Intelligence: An Evangelical Statement of Principles,”
and it has been signed by 68 prominent evangelical thinkers. The
brief document is intended to respond to the “existential
questions” raised by A.I. technology. It takes a strikingly
optimistic tone in doing so. “This was created not out of fear,
but out of an understanding that [A.I.] is a tool that God has given
us,” said Jason Thacker, who headed the project at the ERLC.
Any
technology invented before the Civil War is not advisable in modern
business.