Uncategorized

Uncategorized

Credit Card Security for Small Business (Pt. 1)

Business, Data Breach, PCI DSS, Prevention, Privacy, Security, Uncategorized 3 comments

Staples recently suffered a data breach that resulted from malware infecting its point-of-sale (“POS”) systems at several stores.  This should not be surprising, since a recent study by Verizon showed that a significant portion of data breaches are the result of POS system intrusions. So what’s a business to do?

Many small businesses avoid this problem by refusing to accept credit cards and only accepting cash or checks.  But that’s not a solution for businesses that wants to accept credit cards.  For these merchants, the only realistic solution is to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

PCI DSS is administered and managed by the Payment Card Security Standards Council (PCI SSC) that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).  PCI DSS is a rigorous set of security requirements (“Requirements”) designed to ensure that all companies that process, store or transmit credit card information maintains a secure environment in order to protect cardholder data.  “Cardholder data” is any personally identifiable data associated with a cardholder, such as an account number, expiration date, name, address, social security number, etc.

Every merchant that accepts credit cards agreed to abide by the PCI DSS as part of their merchant account processing agreement. See e.g., NPC Merchant Processing Agreement at § 12.B.ii, 14.O. Failure to adhere to these requirements can lead to stiff penalties, an exorbitant PCI DSS non-compliance fee, and/or increased transaction fees or a termination of the right to accept credit cards.

If a security incident, such as a data breach, occurs, a business is potentially liable for the following charges:

  • Data Security Fine– Up to $500,000 fine per security incident.
  • PCI Non-Compliance Fines– Up to $50,000 per day for non-compliance with published standards.
  • Card Replacement Fees– $3 – $10 per card x total number of cards compromised.
  • Refund Fees– Potentially held liable for all fraud losses incurred from compromised account holders.

These penalties are assessed by credit card brands, acquiring bank, and the merchant’s credit card processor, and are in addition to other losses, such as harm to business reputation, that can result from a data breach, as I discussed in an earlier blog post.

To avoid this parade of horribles and decrease the likelihood that cardholder data will be lost, small to mid-sized businesses need to regularly comply with PCI DSS requirements.

Compliance with PCI DSS is an ongoing process and typically involves the following four steps:

  1. PCI DSS Scoping– Determines what organization system components and computer networks are in scope for PCI DSS assessment.
  2. Assessing– Exam and assess the compliance of system component and computer networks in scope following the testing procedures for each PCI DSS Requirement.
  3. ReportingPCI DSS Qualified Security Assessor (QSA) and/or business submits required documentation to validate compliance with PCI DSS (e.g., Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls.
  4. Clarifications– QSA and/or business clarifies ROC and/or SAQ, if need at the request of the acquiring bank, processor or payment card brand.

The first two steps will be discussed in this week’s blog post and the last two will be discussed next week.

I.   SCOPE OF PCI DSS REQUIREMENTS

The first step of PCI DSS is to accurately determine the scope and breadth of the environment in your business regarding credit cardholder data.  The Cardholder Data Environment (CDE) is composed of all people, processes and technology that handle or have access to cardholder data or sensitive authentication data.  The scoping process includes identifying all system components that are located within or connected to the CDE and can include the following:

  • Network devices (wired and wireless)
  • Servers
  • Applications
  • Virtualization components, such as virtual machines, virtual switchers/routers, virtual appliances, virtual applications/desktops, and hypervisors.

Scoping needs to occur at least annually and prior to the annual assessment for PCI compliance validation. An organization must identify all locations and flows of cardholder data to ensure that all applicable parts of the CDE are included in the scope of PCI DSS assessment.

Network Segmentation

One helpful way to reduce the scope of PCI DSS assessment is to use segmentation, which isolates cardholder data environment from the remainder of your organization’s network.  Reducing the scope of PCI DSS assessment can lower the cost and difficulty of maintaining PCI DSS controls and reduce the risk for you business.

To be outside the scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that the security of cardholder data would not be compromised if the security of the out-of-scope component was compromised. More details on segmentation are contained in the Requirements at p. 11 and in Appendix D.

Use of Third Party Service Providers/Outsourcing

Another helpful way to reduce the scope of your PCI DSS assessment is by using a third-party to store, process or transmit cardholder data on your behalf or to manage CDE components. If you use third party service providers, however, you must clearly identify the specific roles and responsibilities of the service provider with respect to cardholder data and PCI DSS. PCI DSS specifically calls for developing and maintaining a responsibilities matrix for each service providers. See id. at Requirement 2.2.1.

Many service providers have these matrices available to describe their standard service to PCI merchants. To obtain one, simply ask for the “PCI Responsibilities Matrix.” If your service provider does not have any idea what you are talking about, it’s time to find a new service provider. PCI DSS allows you to outsource much of the handling of cardholder data to third-parties, but you cannot avoid responsibility for ensuring that the data is kept secure and complying with PCI DSS.

II.  PCI DSS ASSESSMENT

The second step is to assess whether your business’s CDE complies with the 12 PCI DSS Requirements and the accompanying procedures contained in the Requirements. There are two main ways to fulfill your assessment obligations:

  1. Hire a PCI DSS QSA
  2. Do-It-Yourself

Hiring a PCI DSS QSA

PSI DSS QSA’s are organizations that have been certified by the PCI Security Standards Council to assess compliance with PCI DSS standards. QSA’s perform data security assessments, make recommendations, and certify compliance. Hiring a QSA will save you the time it would take to perform your own PCI DSS assessment and provide you with the peace of mind that the job was done properly.

The big downside to hiring a QSA is cost. QSA fees are generally quite expensive. One quote charged a base $5,000 fee plus $200 for every hour. Additional costs may include the equipment/software to fix whatever problems the QSA finds, which is also costly.

If you’re interested in hiring a QSA, here is a list of PCI DSS certified QSA companies.

Do-It-Yourself

Another way to assess your CDE for PCI DSS compliance is to do-it-yourself.  This may seem like a daunting task but it can be done and may not be that difficult depending on the complexity of your organization and how you process cardholder data.  The PCI SSC website provides a helpful section here that is geared towards helping small merchants comply with the Requirements.

The website also provides a helpful Quick Reference Guide that summarizes the Requirements.  It is a must-read for any business that accepts credit cards and is considering conducting their own PCI DSS assessment.  The Guide is a fairly readable 40 pages with helpful tips and explanations.

Here’s a brief overview of the Requirements and some tips for assessing in order to give you an idea of about whether self-assessment is feasible. This overview is not sufficient to assess whether your organization’s CDE complies with the Requirements. To conduct your assessment, you need to review the Requirements and follow the procedures for assessment.

Requirement 1:  Install and Maintain a Firewall Configuration to Protect Cardholder Data

This Requirement is fairly straightforward and easy to implement.  A firewall should be installed on any network, computer or device that is part of your CDE and contains or accesses cardholder data.  For most small businesses, this means ensuring that your PC’s and network have a firewall.  Most operating systems come with some sort of security package that includes a firewall.  Just make sure that you regularly check to see that the firewall is working, and update it as necessary.  If you don’t have a firewall, look into a commercial firewall, such as Symantec, to install on your computer and protect your network.

Requirement 2:  Do Not Use Vendor Supplied Default Passwords

This Requirement is also fairly straightforward and easy to implement.  The easiest way for a hacker to access your internal network is to try vendor default passwords or default system software settings in your payment card infrastructure.  Far too often, merchants do not change default passwords or settings when hardware or software is deployed.

 Don’t let this happen to you! Change your vendor supplied passwords and system settings immediately.  Follow these Microsoft Tips for Creating a Password when choosing a new password or use this password generator.

Requirement 3:  Protect Stored Cardholder Data

As a general rule, cardholder data should not be stored unless it is absolutely necessary to meet the needs of your business. Sensitive data on the magnetic stripe or chip must never be stored.

If your business stores the primary account number associated with a credit card, it must be made unreadable through encryption or other technological measures. This can get very expensive and risky, so consult with a QSA to ensure compliance with PCI DSS. Best practice, however, is not to store any cardholder data.

Requirement 4: Encrypt Transmission of Cardholder Data across Open Public Networks

Cybercriminals may be able to intercept transmissions of cardholder data over open public networks, so it is essential to prevent their ability to view this data.  Encryption renders transmitted data unreadable by an unauthorized person.

If you accept credit card data on your website, then you should obtain an SSL Certificate.  A SSL certificate ensures than any sensitive data transmitted through your website is encrypted. One place to use a SSL is on a payment page during checkout.  There are plenty of SSL Certificate vendors out there, so choose one that’s reputable.

If credit card data is transmitted over a wireless network, your wireless router should be password-protected and encrypted.  This is fairly easy to do and your wireless router should have instructions about how to password protect and encrypt your router.  Encrypt your  wireless router with the industry standard IEEE 802.11i (WPA2) and not WEP, which is no longer accepted as a security control by PCI DSS.

Requirement 5: Protect systems against malware and regularly update anti-virus software

This is also a no-brainer and easy to do.  Use anti-virus software on all systems, such as PCs and servers, commonly affected by malicious software.  This anti-virus software should be kept current, perform periodic scans, and generate audit logs that need to be retained according to PCI DSS Requirement 10.7.  Make sure that the anti-virus mechanisms are continuously running and cannot be disabled or altered by users.

Requirement 6:  Develop and Maintain Secure Systems and Applications

Security vulnerabilities in systems and applications allow criminals to access cardholder data. Some of these vulnerabilities are eliminated by using PCI approved PIN transaction security devices (i.e. PIN pads and credit card terminals) and PCI validated POS (Point-of-Sale) & payment gateway software.  Check the links above to make sure your current security device is compliant and your current software is validated.  If not, both should be upgraded.  Regularly install all vendor-provided updates, software and security patches to maintain compliance.

Requirement 7: Restrict Access to Cardholder Data

Cardholder data should only be accessed by authorized personnel and not by everyone in your company. Put systems and processes in place to limit access based on need to know and according to job responsibilities. Janitorial staff that cleans your offices should not be permitted to have access to cardholder data!

Requirement 8:  Identify and Authenticate Access to System Components

Assign a unique identification (ID) to each person with access to cardholder data and don’t allow sharing of ID’s. You want to be able to trace all activities relating to cardholder data on your system to known and authorized users. If there is a problem, you will be able to determine and isolate the source in order to prevent additional difficulties. If an employee with authorized access gets terminated, lock out their ID and prevent them for continuing to access cardholder data.

Requirement 9: Restrict Physical Access to Cardholder Data

Any physical access to data or systems that house cardholder data provides an opportunity for a person to access or remove devices, data, systems or hardcopies. To minimize this risk, restrict access to appropriate personnel and develop procedures to ensure that only appropriate personnel have access to cardholder data.

One way to do this is through the use of ID cards that only allow certain employees to have access to certain areas. Visitors should only be allowed access to certain locations, such as the front of a cash register, and not be allowed to view cardholder data. Furthermore, all media containing cardholder data should be locked in a secure location that only authorized personnel can access.

Requirement 10:  Track and Monitor All Access to Network Resources and Cardholder Data

Organizations must also track and monitor all access to cardholder data and related network resources. Logging mechanisms and the ability to track user activity are critical for effective forensics and vulnerability management, and a merchant must ensure the presence of logs that allows thorough tracking and analysis in the event something goes wrong and cardholder data is improperly accessed.

Requirement 11:  Regularly Test Systems

An organization must also have their system scanned for internal and security vulnerabilities by an Approved Scanning Vendors (ASVs).  ASVs are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of merchants and service providers.

Internal and external vulnerability scans are conducted in a similar fashion.  Both scans are automatically administered via a computer program and an Internet connection, but one program usually cannot simultaneously conduct both scans.  An external vulnerability scan looks for holes in your network firewall(s), where malicious outsiders can break in and attack your network.  By contrast, an internal vulnerability scan operates inside your business’s firewall(s) to identify real and potential vulnerabilities inside your business network.  Internal scans may be performed by internal staff, but all external scans must be performed by ASVs for PCI DSS compliance.  Scans must be performed as needed, until passing scans are obtained.

To comply with PCI DSS, your business needs to pass an initial internal and external scan, and then pass 4 consecutive quarterly scans in subsequent years.  As part of these scans, regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.  Talk to your ASV to make sure that they are checking for this and for tips about how to monitor yourself.

Requirement 12:  Maintain a Policy that Addresses Information Security for all Personnel

Your organization must also develop and maintain an information security policy that informs employees of their expected duties related to security.  All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.  This policy should be reviewed annually and updated when the environment changes.

That’s it for this week.  Thanks for reading and please let me know if you have any questions. Check back next week for the last two steps that need to be taken in the process of complying with PCI DSS.

How to Prepare for A Data Breach (Part 2)

Tags: , , Business, Data Breach, Preparation, Small Business, Uncategorized 1 comment

In addition to the steps discussed last week, a business should take the following steps to prepare for a data breach:

Step 5: Arrange Possible Remedies for Customers

A recent study shows that 25% of individuals notified of a data breach go on to suffer identity theft.  To combat this, most companies now offer – and consumers expect – some form of credit monitoring services for affected individuals.

Credit monitoring services are directed at fraud in connection with new financial accounts.  This fraud occurs when a criminal uses a victim’s personal information to open a new credit card or other financial account.  Credit monitoring does not prevent the opening of new accounts, but notifies an individual when a new account is opened, so that the individual can determine whether it is fraudulent.

Although credit monitoring service is nice, it is not that effective at actually preventing identity theft and is often a waste of money.  See Brian Krebs “Are Credit Monitoring Services Worth It?”  Notably, there are at least five types of identity theft fraud not covered by credit monitoring services:

Existing account fraud:  Occurs when a criminal uses an individual’s current financial account, such as a credit card account or bank account, to make a purchase from a vendor or withdraw money from the individual’s bank account.

Social Security number and tax refund fraud:  Occurs when a criminal uses an individual’s SSN to obtain employment, for tax reporting purposes, or for other illegal transactions.  Tax refund fraud is a rapidly growing problem and the IRS is attempting to combat it.

Criminal identity theft:  Occurs when an imposter provides another person’s name and personal information to a police officer during an arrest.  The imposter often fraudulently obtained a driver’s license in the victim’s name and provides the identification document to law enforcement.

Medical Identity Theft:  Occurs when a crook uses an individual’s name and/or other information, such as insurance information, to obtain or make false claims for medical goods or services.  Medical identity theft may result in false entries being entered into a medical record, or the creation of fictitious records in the victim’s name.

See Privacy Rights Clearinghouse, Fact Sheet 33: Identity Theft Monitoring Services.

To try and combat some of these other types of identity theft, many vendors now offer expanded identity theft monitoring services that provide additional monitoring services, such as monitoring commercial and public databases and online chat rooms.  These services vary widely, so you’ll need to investigate carefully to determine what service is best for your customers in the event of a data breach.  The Consumer Federation of America provides some helpful guidance about selecting an identity theft service provider and some assessments of the services offered.  See Consumer Federation of America: Best Practices for Identity Theft Services: How Are Services Measuring Up? Things may have changed since 2012, so make sure to update the information and look for additional identity theft monitoring service providers.

By looking into remedies now, you will be able to evaluate and assess the complete range of available remedies, and select the one that makes the most sense for your customers and business in the event of a data breach. You may also be able negotiate the best price and gain service concessions. None of this could be done in the middle of a data breach crisis.

Step 6: Draft Incidence Response Plan

You can now be begin drafting your Incident Response plan (the “Plan”). As a word of warning, this document can get very long and detailed, depending on the size and complexity of your organization. There are a lot of available on-line guides that can give provide guidance, such as the guides at the SANS Information Security Resources, However, to ensure the Plan is done properly, you may want to consult with a privacy and data security attorney or some other third-party vendor.

The basic elements to include in the Plan are:

Overview:  The Plan should have an overview section that outlines the goals, scope, purpose and assumptions of the Plan.

Roles and Responsibilities of Incident Response Team members:  The Plan should identify each incident response team (the “Team”) member, their contact information, and his/her role or responsibility.  It is better to have this information in writing so each Team member knows exactly what he/she is responsible for when a data breach occurs.  This information should be continuously updated, especially if one member leaves the organization.

Incident Definition and Classification:  The Plan should create an event classification system that defines what constitutes an incident, when an incident is serious, and the specific types of incidents that will set the plan in motion.  For example, port scans are not usually particularly serious, and it is doubtful that these events will set the Plan in motion. But a web security breach or a malware infection should warrant a more urgent response and the Team may need to be notified and the Plan set in motion.

Notification:  The Plan should identify the specific triggers to notify and procedures to follow when notifying the following:  the Team, insurers, law enforcement, outside attorneys, third-parties and customers.  Depending on the type and severity of the event, these groups will be notified at different times, and there will be specific procedures that need to be followed.  Include all statutory and contract breach notification requirements in the Plan.  Also include all insurance notification requirements.  If you choose to use a third-party vendor to notify customers, include all relevant contact information and details of any negotiated deal in the Plan.

Current Network Infrastructure & Payment Processing Systems:  The Plan should also identify, diagram, and include all supporting documentation regarding your organization’s web system architectures, network infrastructure, information flows, payment processing systems, and any other applicable system that contains or processes sensitive personal information.

Existing Security Safeguards:  The Plan should identify all currently operating safeguards that can assist with detection and prevention, including an intrusion-prevention system (IPS), firewall, web-application firewall (WAF), and endpoint security controls for the web, applications, and database servers.

Detection, Investigation and Containment:  The Plan should outline the procedures for detecting, investigating and containing the incident.  Keep in mind that these procedures should vary by the type of incident, the system involved, and may involve contacting third-parties such as law enforcement and forensic investigators.  Identify the circumstances when these third-parties will be brought in and include all potentially relevant information in the Plan.

Customer Remedies:  If your organization chooses to offer remedies to customers, such as identity protection service, then your Plan should identify the specific circumstances when the remedies will be offered. It should include the contact information of the third-party service provider and the terms of any deal that was negotiated.

Eradication, Cleanup and Recovery:   The Plan should also contain the procedures to follow to get the infected system back up and running.  The cleanup will vary depending on the type of system and the type of attack, but you want policies and procedures in place about how to handle it.  In order to preserve other parts of your IT system, you also want to have procedures about the steps to take before putting the infected system back into production.

Post-Incident Review and Follow-up:  Your Plan needs to include the date for a mandatory follow-up meeting with the Team in order to learn from the incident.  The purpose is to process all of the information that was learned from the incident and figure out if your security posture needs modification to prevent future attacks.  There are likely several questions that will need to be addressed, but try to avoid spending the meeting finding someone to blame. It will be a waste of time and energy and will not improve the security of your organization.

Step 7: Employee Awareness and Readiness Training

As part of your organization’s privacy program, your employees are probably already trained on privacy fundamentals like data collection, retention, use and disclosure.  Your organization should also train every employee about basic breach response procedures and protocols, like what constitutes a data breach and whom to call if a data breach is suspected.  You should also require third-party vendors to do the same.  Team members should receive regular in-depth training about how to investigate a data breach, report findings, and communicate with media and regulatory authorities.  Any completion of required training should be documented and reported to management for internal policy compliance.

Step 8: Crisis Simulation & Revision

It is important to know how your organization will fare during a breach crisis and identify and correct any gaps.  The best way to assess your organization is by running two types of breach crisis simulations: a table-top exercise and a “live” simulation.

A tabletop exercise is a simple way to practice executing your Plan without the expense or interruption of a full scale drill.  In a tabletop exercise, Team members talk through a breach crisis scenario in a “war room” type of setting.  These exercises should involve everyone on the Team so that every member has an opportunity to think through their role during a breach event.

“Live” simulations are more elaborate and tend to mimic real-world conditions more closely than tabletop exercises.  “Live” simulations are usually impromptu events that can occur at any time, including the evening or a holiday, like a real breach.  The most effective simulations involve breach response vendors that your organization has contracted with, as well as your internal Team.  In a “live” simulation, systems are actually compromised and even social media uproars can be created. Talk with your service providers to develop simulation exercise that includes everyone.

After conducting simulations, evaluate the effectiveness of your Plan to identify any gaps in your organization’s response.  Revise your Plan to fill these gaps and ensure that your organization improves.

If you follow all eight of these steps, your organization will be better prepared for the inevitable data breach.  Thanks for reading.  Please let me know if you have any questions or wish to offer suggestions based on your experience.

Understanding Privacy

Tags: , , , , , , , Definition, Uncategorized 2 comments

Since I am writing a blog about privacy, it seems only natural that I explain what I mean by the word “privacy.” Unfortunately, this is easier said than done and scholars have struggled with an appropriate definition for many years. But, the essential idea was stated succinctly by Louis Brandeis and Samuel Warren when they defined “privacy” as “the right to be left alone.” See Samuel Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review 4 (1890).

This definition seems correct, but is woefully vague and cries out for further explanation. Unfortunately, any attempt to clarify becomes immensely complicated and messy. Two questions in particular complicate the issue:

1.  Who do we want to leave us alone?

2.  In what ways do we want to be left alone?

Let’s take a look at each question and see why the issue is so complicated.

Entities We Want to Leave Us Alone

The initial response to (1) may be: “We have the right and want to be left alone by everyone!” This may be true. Anyone can decide to throw everything away, move into the woods, and live like a hermit and avoid society. If you move far enough away and are willing to forego enough amenities, you can avoid the bank you owe a mortgage to, your spouse and children who you now owe alimony and child support, your student loan payments, and the IRS. After all, Ted Kaczynski, the Unabomber, and Whitey Bulger —the infamous gangster— were able to avoid detection for many years.

Few of us, however, actually want to go this far (although sometimes — I admit — it seems attractive when staring at my mortgage payment and dealing with my eight year old daughter!!).  However, we still want to be left alone at various times in life. With respect to privacy concerns, it is helpful to think in terms of four broad categories of entities:

1.  The Government

2.  Other Individuals in Society

3.  Companies

4.  Employers

Each category can probably be broken down further, but they serve as a good starting point to start thinking about privacy. Most of us have different privacy interests with respect to each category and want different protections with respect to the different entities.

For example, in U.S. v. Jones, 133 S. Ct. 945 (2012), the Supreme Court found that the police could not track a suspect with a GPS device placed on his car without obtaining a search warrant. The Court found that the government’s use of the GPS device violated the Fourth Amendment, which provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.”

Fourth Amendment protection is completely irrelevant with respect to companies, such as Google and Apple, who regularly track the location and movement of their customers. See Julia Angwin & Jennifer Valentin-Devries, Apple, Google Collect User Data, Wall St. J. April 22, 2011. These companies rely on consumers’ consent to track their location, which is cheerfully given in order to use these amazing devices and services. For most, it seems like a small price to pay.

Similarly, many people are willing to share intimate aspects of their lives with friends and connections on Facebook, Linked-in, and other social media. We do this under the supposed protections of the companies’ privacy policies and terms of service, although few of us read or understand the details of these policies. It only becomes a problem when something is unwittingly shared with the wrong group of people, such as the poor kids who revealed their homosexuality to their parents through Facebook.  See Geoffrey A. Fowler, When the Most Personal Secrets Get Outed on Facebook, Wall. St. J, Oct. 13, 2012.

Conversely, most people are wisely unwilling to share this information with potential employers, even though employers ask for social media usernames and passwords. Many states now prohibit, or are in the process of prohibiting, employers from asking for social media login credentials. See National Conference of State Legislators, Employer Access to Social Media Passwords Legislation.
 
This blog will explore the different ways that we want to be left alone with respect to the government, companies, other individuals, and employers. I will evaluate these differences, make comparisons about the different methods of protecting our right to be left alone, and make recommendations about ways to improve our protections.

Ways to Be Left Alone

My second question also complicates matters: In what ways do we have the right to be left alone? Scholars have struggled to identify the types of activities that can be considered privacy violations. William Prosser, the famous torts scholar, identified four types of harmful activities considered common-law privacy torts:

1.  Intrusion upon a plaintiff’s seclusion or solitude or into his private affairs.

2.  Public disclosure of embarrassing private facts about the plaintiff.

3.  Publicity which places the plaintiff in a false light in the public eye.

4.  Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.

See William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 389 (1960).  See also Restatement of the Law, Second, Torts, § 652 (identifying privacy torts). More contemporary scholars criticize Prosser’s focus on torts and attempt to identify a wider array of privacy harms that better reflect modern society. See, e.g., Daniel J. Solove, Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006) (identifying taxonomy of privacy harms).

I will not get bogged down in these disputes, but will focus on three areas of our lives:

•  Personal Information

•  Location/Territory

•  Communications

Personal Information

Personal information is any piece of information about a living identifiable human being. This information includes: financial information, social security numbers, medical information, education records, friends/associations, reading habits, pictures, and many, many other intimate aspects of our lives.

Most of us want to keep much of this personal information secret and maintain control over who accesses this type of information. Invasions and intrusions of personal information occur in the following situations: monitoring, unauthorized accessing, data breaches, unwanted disclosure, inaccurate information, deanonymization and identification, identity theft, misuse of information, and other types.

Despite our desire to maintain control over personal information, most of us are willing to allow companies, the government, and other people to have access to some parts of our personal information. Usually, we allow access for the sake of convenience, entertainment, or to maintain personal relationships. In this blog, I will explore the situations when we are willing to grant access to our personal information, the types of protection in place to maintain our control, the adequacy of these protections, and how to improve them.

Location/Territory

Location/Territory refers to our physical space, location and environment. Most people want to ensure that others do not intrude in our physical space and environment without our consent. Invasions and intrusions take the form of video surveillance, tracking, trespassing, photography, unlawful searches, and others.

Although we do not want our physical space invaded or to be tracked without our consent, consent is often freely given to companies when they ask. I am constantly bombarded with requests from my smart-phone about apps that want to access my location. I usually let them, even though it’s often unclear why the app wants my location. In this blog, I will explore the tensions in our thoughts about location privacy, and explore our willingness to share our location with companies while we are unwilling to share it with the government, other individuals, or our employer.

Communications

Communications refers to the exchange of information through writing, speaking, typing or any other method of exchanging information. This includes, but is not limited to, the following forms of communication: postal mail, telephone conversations, email, in-person communications, and many others. Most of us want to keep our communications private and do not want to share them with unintended recipients. Invasions or intrusions take the form of monitoring, recording, unauthorized access, inadvertent disclosure, wiretapping, and others.

Although we want our communications to be kept private, most of us regularly use one of the most unsecure forms of communications: e-mail. Employees are constantly warned not to use their employers’ computers for private communications, but constantly ignore these warnings and these communications are accessible to the employer. Furthermore, Edward Snowden revealed widespread collection by the NSA of Americans’ phone records and monitoring of the internet, but these revelations have not lead to widespread reforms and most people continue to use email without encrypting their messages.  See Andrea Peterson, A year after Snowden’s revelations, government surveillance reforms’ a work in progress, Wash. Post. June 5, 2014.

In this blog, I will also explore our thoughts about communication privacy, including the steps that we are willing to take to protect the privacy of our communications, and how to counterbalance this with other interests such as security, convenience, accessibility, and others.

In short, there is a lot to talk about. Thanks for taking the time to read this and I welcome your thoughts about privacy and anything discussed here.