Privacy Research

A Brief History of Safe Harbor

By Ernst O. Wilhelm. On 16 May 2000: The EU Article 29 Data Protection Working Party adopted an opinion on the level of protection provided by the “Safe Harbor Principles”, highlighting in its conclusions that the proposed adequacy finding on the U.S. Safe Harbour refers to a system that is not yet operational and that any adequacy finding on the Safe Harbour has to be reviewed in the light of experience. On 26 July 2000: The European Commission adopted the “Safe Harbour Ad...

Data Security Breaches: Incident Preparedness and Response

Jena Valdetero, CIPP/US, and David Zetoony of Bryan Cave authored this Washington Legal Foundation Monograph, which provides a basic framework to assist in-house legal departments with handling a security incident. The handbook explains security incidents, outlines ways in-house counsel can help prepare for an incident and offers steps that should be taken in responding to an incident, as well as the costs involved.

2014 Information Security Breaches Survey

This survey, conducted by PricewaterhouseCoopers for the UK Department for Business, Innovation and Skills, demonstrates the continuing risks associated with doing business in cyberspace, as well as the encouraging steps some businesses are taking to improve their information security.

Privacy and Children's Data - An Overview of the Children’s Online Privacy Protection Act and the Family Educational Rights and Privacy Act

The purpose of this paper by Dalia Topelson, Christopher Bavitz, Ritu Gupta and Irina Oberman of the Berkman Center for Internet & Society’s Cyberlaw Clinic is to provide schools, parents and students alike with an overview of some of the laws that may apply as schools begin to use cloud computing tools to help educate students.

Full Report: Benchmarking Privacy Management and Investments of the Fortune 1000

Over the summer of 2014, the IAPP embarked on the first of what will be an annual effort to research and benchmark the privacy programs of the Fortune 1000. In partnership with third-party research firm Fondulas Strategic Research, we queried roughly 275 privacy leads at Fortune 1000 companies, all of them large, private, for-profit firms operating from a base in the United States, and got a 23-percent response rate, providing us with one of the most comprehensive samples of corporate privacy le...

Benchmarking Privacy Management and Investments of the Fortune 1000

Over the summer of 2014, the IAPP embarked on the first of what will be an annual effort to research and benchmark the privacy programs of the Fortune 1000. In partnership with third-party research firm Fondulas Strategic Research, we queried roughly 275 privacy leads at Fortune 1000 companies, all of them large, private, for-profit firms operating from a base in the United States, and got a 23-percent response rate, providing us with one of the most comprehensive samples of corporate privacy le...

No silver bullet: De-identification still doesn't work

Arvind Narayanan and Edward W. Felten of Princeton University rebut past articles indicating de-identification is a valid tool for protecting privacy. The authors claim there is no evidence that de-identification works and that “attempts to quantify its efficacy are unscientific and promote a false sense of security by assuming unrealistic, artificially constrained models of what an adversary might do.”

Study: What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices

Westin Research Fellow Patricia Bailin, CIPP/US, has pieced together the most comprehensive view to date of the FTC’s reasonable data security standards. This study suggests possible guidelines for regulatory compliance based on what the FTC has determined is inadequate in a series of enforcement actions. Importantly, instead of looking for guidance in the tersely phrased settlement orders, it parses the FTC’s complaints. By pointing out what companies did not have in their data security progr...