Examining the President’s Proposed National Data Breach Notification Standard Against Existing Legislation

(Feb 27, 2015) President Obama’s recent proposal of a National Data Breach Notification Standard (or The Personal Data Notification & Protection Act) has received widespread attention for its promise to preempt and unify the existing patchwork of state-level requirements. IAPP Westin Research Fellow Patricia Bailin analyzes the proposed bill and how it would impact state, city and territorial laws.

How Much Security is Enough? Check the FTC Casebook

(Jan 26, 2015) How will you know what the FTC deemed unreasonable in dozens of enforcement actions? As seasoned privacy experts, you can of course go to the FTC website to seek, download and plough through all of the more than 180 FTC privacy and data security cases. But, as of last week, there’s a far better way: The IAPP Westin Research Center has launched its FTC Casebook, which is available at no additional charge to IAPP members.

Using the FTC Casebook to Find Your Geolocation Strategy

(Jan 20, 2015) Though you should certainly turn to the Casebook in emergency situations (as we suggested in a previous hypothetical scenario), this resource is also valuable for “preemptive” privacy and data security decision-making – aka privacy by design.

Security breach through P2P network? Check the FTC Casebook

(Jan 16, 2015) After a great deal of work, the IAPP Westin Research Center has launched its casebook of FTC privacy and data security enforcement actions. The casebook is a digital resource, collecting all 180 FTC enforcement actions (for now) and making them easily accessible, full-text searchable, tagged, indexed and annotated. To help you better understand the benefits and functionality of this tool, we have developed several use cases displaying how you might search the casebook and make use of the results...

Privacy Is the New Antitrust: Launching the FTC Casebook

(Jan 15, 2015) On Monday, presaging his sixth State of the Union Address, U.S. President Barack Obama visited the Federal Trade Commission (FTC) bearing a message of sweeping privacy reform. Coincidentally, it was almost exactly 101 years ago that President Woodrow Wilson, in his January 20, 1914, State of the Union Address, announced his antitrust initiative to Congress, declaring, “We are all agreed that ‘private monopoly is indefensible and intolerable.’” The result of that speech was the passage of the FTC...

The FTC Refutes Wyndham’s Challenge; Unreasonable Security Is “Unfair”

(Nov 13, 2014) Generating a flurry of conversation among privacy professionals worldwide, the U.S. Federal Trade Commission (FTC) last week filed its response to Wyndham Worldwide Corporation’s interlocutory appeal in the Third Circuit. It’s the most recent activity in a case that began in 2012, when the FTC issued a complaint against Wyndham alleging data security failures that enabled three data breaches between 2008 and 2009. IAPP Westin Research Fellow Patricia Bailin, CIPP/US, examines the history of the case and the latest developments.

The Blind Men, the Elephant and the FTC’s Data Security Standards

(Oct 30, 2014) Like a group of blind men encountering an elephant—one touching the trunk and thinking “snake,” another feeling a tusk and thinking “sword,” a third caressing an ear and thinking “sail”—so do commentators, lawyers and industry players struggle to identify what “reasonable data security” practices mean in the eyes of the Federal Trade Commission (FTC). In the absence of federal legislation or regulatory guidance, the reasonableness standard is assessed on a case-by-case basis through a string of ...

California’s Newest Privacy Wave

(Oct 9, 2014) At a time when advocates for issues of every sort are lamenting the gridlock in Congress, privacy advocates have found solace in California. Fortifying the state’s place at the cutting edge of privacy policymaking, California governor Jerry Brown signed several bills into law last week addressing a variety of privacy, security breach notification and surveillance concerns. These bills impose limitations on activities as diverse as identity theft protection and monitoring, the distribution of sex...

Study: What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices

(Sep 19, 2014) As the cloud security and privacy worlds came together last week at the IAPP Privacy Academy and CSA Congress, the IAPP released a significant new study from the Westin Research Center on the "reasonable" components of a privacy and data security program as interpreted from more than 40 Federal Trade Commission (FTC) enforcement actions. Part of the IAPP's ongoing FTC Casebook project, this report by Westin Fellow Patricia Bailin is meant to help shed light on what an acceptable level of privacy and data security could be, even as companies litigate the issue with the FTC in federal courts.

IAPP Announces U.S. Student Privacy Legislative Matrix

(Aug 6, 2014) Educational privacy is big news these days, as the recent joint House subcommittee hearing on data mining and student privacy makes clear. With big data and new technologies finding their way into more and more classrooms each year, schools are proving to be a fertile ground for impassioned discussions about how students’ data should be collected, used and protected. While many have called for amendments to national educational protections, such as the Family Educational Rights and Privacy Act ...