Privacy law is a rich and varied field, growing tremendously each year, said law Professor Daniel Solove in an interview with TAP. Professor Solove, of George Washington University Law School, is an internationally known expert in privacy law. He spoke with TAP about his recent research on reconciling personal information in the E.U. and U.S., why he created a security and privacy training program, and his thoughts on the public’s reaction to the NSA leaks.
TAP: What brought you to your current position as the John Marshall Harlan Research Professor of Law at the George Washington University Law School?
DANIEL SOLOVE: I had wanted to teach law for a long time, and I began my career at Seton Hall Law School. I then had the opportunity to visit George Washington University in the fall of 2003 and was permanently hired there in 2004.
TAP: What first sparked your interest in privacy law?
SOLOVE: I became interested in privacy law in the mid-1990s. I took one of the early courses in cyber-law while at Yale Law School. I realized in that class that these issues were posing some of the most challenging and interesting questions in law. I began to focus on this important issue of privacy, which at the time wasn’t getting much attention. It struck me that the Internet and the Information Age would have profound effects on privacy. So I began researching and writing in that area.
I wanted to write on the privacy implications of computer databases, but I realized that to do so, I had to first understand what privacy was. So I read everything written on privacy – something that was actually possible back then. The topic was fascinating – and very deep.
When I began teaching, I proposed a course in privacy law and was afforded the opportunity of offering it. I created a reading packet with an extensive array of materials, which later became my casebook. After I posted my first privacy law paper online, I began getting calls from journalists who thought I was an expert on privacy law. I was surprised. I thought: I just wrote one paper on it and I taught one class on it, so I’m hardly an expert. But I liked the sound of being called an expert.
Ultimately, privacy law was a rabbit hole that I went down and I haven’t returned from Wonderland. It’s such a rich and varied field, and it has grown so tremendously each year. What seemed once like a small subtopic is now a gigantic universe of issues, and I have never ventured out into other cyber-law issues. There’s no need – there is plenty to do in privacy for the next 1,000 years!
TAP: You are also the founder of TeachPrivacy, a company that provides privacy and data security training programs. What inspired you to create this company?
SOLOVE: I learned that privacy and data security were increasingly being taught in companies, healthcare institutions, and other organizations to their workforce. Most people who learn about privacy and data security today learn about it from their organization’s training. I became familiar with some of the training programs on these topics that were on the market, and I found many to be quite dull, not very informative, and not particularly effective from a pedagogical perspective. I couldn’t believe that topics that I find so fascinating, that my students find so fascinating, could be presented in such a flat manner.
So I thought: Hey, I can do this. Education is what I do. So I set out to create programs that are engaging, fun, filled with passion and enthusiasm for the topic. That matters to learners. They can sense enthusiasm, and they learn a lot more when they are being taught by someone with a love for the topic. I have developed material on more than 50 topics now, and there’s a lot more I intend to create. I really enjoy creating training material. I believe that if you don’t enjoy making it, then people won’t likely enjoy taking it!
I have spoken to hundreds of privacy officers and security officers to learn about what would be most effective, and I continue to do so. I learn a lot with each conversation. I constantly strive to improve my training. It’s really an extension of what I do in the classroom and what I do in invited lectures – find ways to engage the audience and convey fascinating information that I love. So it’s another form of teaching. And the great benefit is that with TeachPrivacy, I can have a much wider reach in the number of people I educate. It’s no longer a small group of law students, but tens of thousands of people at organizations – likely hundreds of thousands. If I’m able to convey information effectively, maybe I can help prevent a breach or an incident or help people more deeply understand privacy and design for it or better protect it.
I love what I do, and TeachPrivacy allows me to do it on a much larger scale.
TAP: How will this summer’s National Security Agency leaks change the discussion of privacy law for Congress after returning from the August recess?
SOLOVE: I think that the media coverage and the public’s reaction teach Congress that people really do care about privacy. When scaremongering tactics aren’t used, a majority of people have expressed a clear desire to have meaningful oversight and control over government surveillance. Whether Congress will listen or learn is a different story, but I think that public reaction has been much more balanced and thoughtful now than it was a decade ago.
TAP: You recently released a draft of your essay, “Reconciling Personal Information in the European Union and the United States,” that you co-wrote with Paul Schwartz. What is the biggest difference between the E.U. and U.S. when it comes to stances on personal data?
SOLOVE: The E.U. has a very broad approach, and it is an approach that is very philosophical and idealistic. I like the fact that the E.U. approach has more consistency and fewer gaps than the U.S. approach. But E.U. privacy law can be too rigid in places and can sometimes create compliance nightmares without significant benefits to individuals. The U.S. approach is quite fragmented and inconsistent. It has some glaring gaps, and sometimes it falls far short of providing effective protection to individuals. But its virtue is that it is practical, and a lot of good ideas and approaches have come out of U.S. privacy law. I think both the E.U. and U.S. have a lot to learn from each other.
TAP: You wrote about four key steps for improving data security for mobile and cloud providers on your LinkedIn blog. What are these steps?
SOLOVE: This blog post discussed a June 2013 study conducted by the Ponemon Institute that revealed a stunning need for improvement on managing the risks of mobile devices and cloud computing services. I proposed the following four steps for improvement among providers:
1. Educate the Cs. The C-Suite must be educated about these risks. These are readily preventable risks that can be mitigated without tremendous expense.
2. Develop Policies. The Ponemon study I quoted indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
3. Educate the Workforce. Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
4. Instill Some Fear. The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.
TAP: The HIPAA-HITECH regulation was updated earlier this year and September 23 is the compliance date for most of the new provisions. What will be the biggest challenge for the affected companies?
SOLOVE: Building a culture of compliance. For companies that didn’t focus much on HIPAA before, they are now waking up to the fact that they must comply and that the U.S. Department of Health and Human Services has direct enforcement powers over them. They must now really understand HIPAA, something they might not have understood as much before. And HIPAA is complicated! Compliance isn’t something that can suddenly be installed like a new piece of software. It is something that takes a lot of time and education to flourish. It needs to be taken seriously at the top of an organization, and training needs to effectively get everyone on board. A compliance culture must develop, and that takes time and effort.
TAP: Fun Question: What is your favorite novel and why?
SOLOVE: Kafka’s The Trial – this novel works on so many levels. It is astounding how much is packed into this novel. It is also extremely funny. The humor really comes out after a few readings. At first, the novel seems dark and depressing, but now I see it as a very clever work of comedy!
A tie with The Trial is Dostoyevsky’s The Brothers Karamazov. This book has it all – fascinating characters, a riveting mystery, a great trial, and tons of philosophy. A lot of books today pretend to be philosophical by dropping a few philosopher names and having some trite recycled material from Philosophy 101. Dostoyevsky explores the biggest questions, and does so in a truly original and brilliant way.
As you can see from my choices, I like literature that not only tells a great story, but also transforms the way you think.