Catalogue Search | MBRL
328 result(s) for "personal data breach"
Malicious Insiders’ Threats to the Personal Data Security. The Hard to Comply Rules of the GDPR
According to the last reports covering cybersecurity issues, the attacks initiated by malicious insiders were the costliest and the longest to resolve, even though they constitute a clear minority of all data breaches. They pose significant problems in complying with the rules on personal data protection, too. The General Data Protection Regulation (GDPR) does not differentiate the personal data breaches by the source, be it internal or external. Thus, in theory, the obligations of data controllers in the aftermath of personal data breaches caused by malicious insiders and outsiders are the same. However, the breaches caused by malicious insiders are much harder to identify, causing severe problems under the GDPR regarding the distinction between breaches of security and personal data breaches, affecting the notification obligations to data protection authorities and data subjects. This article shows that malicious insider threats are hard to appropriately address under the GDPR, which may expose, on the one hand, controllers and processors to the risk of non-compliance, potentially triggering civil liability and administrative fines, and on the other hand, the data subjects to a high risk to their rights and freedoms they will never be aware of unless such risk materializes and affects them directly. Thus, the author supports the notions for legislation changes that may help to fill the existing gap, provided that they are to be followed by comprehensive amendments regarding the content of notifications of the data subjects and investigation obligations following the information about a possible breach.
Journal Article
Practical Methods of Implementation for the Indispensable Mechanism of GDPR Compliance
by Bańka, Michał; Wasiak, Dariusz; Soczyński, Tomasz
in Accountability; anonymization encryption of personal data; business continuity plan
2021
New quality that has been delivered by the provisions of General Data Protection Regulation (GDPR) (EU) 2016/679 is intended to secure a higher level of safety for personal data processing operations. The following elaboration was produced as an attempt to address the questions regarding practical methods of implementation for the indispensable mechanism of GDPR compliance. The guidelines contained in the article are supposed to be helpful in enhancing the safety level for processed personal data. Theoretical and legal studies over the status and functioning of the valid legislation with reference to the practical application of personal data processing procedures have been applied in the article. The main sources of knowledge included valid legal acts, opinions from Article 29 Working Party, technical norms as well as available general knowledge. The outcomes of the said studies indicated the complexity of the issue and established the necessity to continue further studies in practical implementation methods, such as the national and European mechanism of certification or sector codes of good practices.
Journal Article
Infidelity and the Internet: The Geography of Ashley Madison Usership in the United States
2018
Ashley Madison(.com) has earned several million dollars facilitating extramarital affairs online; however, the market determinants of online infidelity matchmaking have not been researched. The now-infamous customer data breach in 2015 provided a unique opportunity to analyze a large population of individuals (N=702,309) who paid to engage in extramarital affairs using Ashley Madison. Aggregating this sensitive data into spatial units, we measured the relationship between several theorized market determinants and Ashley Madison subscription and spending rates in major United States markets. We found income is the leading market determinant for internet-facilitated infidelity, indicating the service behaves as a luxury good; further, several characteristics related to infidelity at the individual-level were also significant, including the negative relationship between religiosity and infidelity. Strong regression model performance suggests these results are robust insights into the market for online infidelity-matchmaking.
Journal Article
Technical and Organizational Requirements under GDPR
2019
This chapter examines the responsibilities of Controller and Processor and the technical and organizational measures that form part of a coherent framework under General Data Protection Regulations (GDPR). GDPR secures a system of accountability for the protection of personal data by creating rules, bodies, and responsibilities entrusted to certain specific actors in the market. Data Controllers and Processors managed to evade, or at least dilute, responsibility by hiding behind the complications created by technology. The data protection policies are read with the accompanying duty of data protection by design and default, which ensures the safety of the data as the de facto setting when carrying out processing activities. Data breaches can occur due to a lack of appropriate organizational measures to protect data. One of the main contributions of German data protection law is the appointment of a Data Protection Officer, providing strict requirements for having a point‐person for all privacy‐related matters within an organization.
Book Chapter
Data Privacy: Effects on Customer and Firm Performance
by Palmatier, Robert W.; Martin, Kelly D.; Borah, Abhishek
in Data integrity; Financial performance; Information control
2017
Although marketers increasingly rely on customer data, firms have little insight into the ramifications of such data use and do not know how to prevent negative effects. Data management efforts may heighten customers' vulnerability worries or create real vulnerability. Using a conceptual framework grounded in gossip theory, the authors link customer vulnerability to negative performance effects. Three studies show that transparency and control in firms' data management practices can suppress the negative effects of customer data vulnerability. Experimental manipulations reveal that mere access to personal data inflates feelings of violation and reduces trust. An event study of data security breaches affecting 414 public companies also confirms negative effects, as well as spillover vulnerabilities from rival firms' breaches, on firm performance. Severity of the breach hurts the focal firm but helps the rival firm, which provides some insight into mixed findings in prior research. Finally, a field study with actual customers of 15 companies across three industries demonstrates consistent effects across four types of customer data vulnerability and confirms that violation and trust mediate the effects of data vulnerabilities on outcomes.
Journal Article
Patient Health Record Protection Beyond the Health Insurance Portability and Accountability Act: Mixed Methods Study
by Xu, Yilin; Subramanian, Hemang; Sengupta, Arijit
in Access control; Accountability; Amendments
2024
The security and privacy of health care information are crucial for maintaining the societal value of health care as a public good. However, governance over electronic health care data has proven inefficient, despite robust enforcement efforts. Both federal (HIPAA [Health Insurance Portability and Accountability Act]) and state regulations, along with the ombudsman rule, have not effectively reduced the frequency or impact of data breaches in the US health care system. While legal frameworks have bolstered data security, recent years have seen a concerning increase in breach incidents. This paper investigates common breach types and proposes best practices derived from the data as potential solutions.
The primary aim of this study is to analyze health care and hospital breach data, comparing it against HIPAA compliance levels across states (spatial analysis) and the impact of the Omnibus Rule over time (temporal analysis). The goal is to establish guidelines for best practices in handling sensitive information within hospitals and clinical environments.
The study used data from the Department of Health and Human Services on reported breaches, assessing the severity and impact of each breach type. We then analyzed secondary data to examine whether HIPAA's storage and retention rule amendments have influenced security and privacy incidents across all 50 states. Finally, we conducted a qualitative analysis of textual data from vulnerability and breach reports to identify actionable best practices for health care settings.
Our findings indicate that hacking or IT incidents have the most significant impact on the number of individuals affected, highlighting this as a primary breach category. The overall difference-in-differences trend reveals no significant reduction in breach rates (P=.50), despite state-level regulations exceeding HIPAA requirements and the introduction of the ombudsman rule. This persistence in breach trends implies that even strengthened protections and additional guidelines have not effectively curbed the rising number of affected individuals. Through qualitative analysis, we identified 15 unique values and associated best practices from industry standards.
Combining quantitative and qualitative insights, we propose the "SecureSphere framework" to enhance data security in health care institutions. This framework presents key security values structured in concentric circles: core values at the center and peripheral values around them. The core values include employee management, policy, procedures, and IT management. Peripheral values encompass the remaining security attributes that support these core elements. This structured approach provides a comprehensive security strategy for protecting patient health information and is designed to help health care organizations develop sustainable practices for data security.
Journal Article
MANDATORY DATA BREACH NOTIFICATION: ITS ROLE IN PROTECTING PERSONAL DATA
2023
Data protection, an important aspect of the right to privacy, ensures that information about people is used fairly and properly. Among the regulatory measures that have been adopted to safeguard personal data is the requirement that individuals affected by a data breach be informed promptly, enabling them to act quickly and effectively to protect themselves from harm. At the same time, the existence of a duty to notify individuals affected by a data breach incentivises data users to adopt robust measures against data breaches. Many jurisdictions adopt a mandatory data breach notification system; this article examines the two leading notification models, the United States and EU models. It takes Hong Kong as a case study where there is only a voluntary system of notifying the Privacy Commissioner of any data breach in certain specified circumstances. It evaluates the operation of Hong Kong's voluntary notification system and examines the current moves towards adopting a mandatory notification system. It examines justifications for mandatory notification and how the notification mechanism works and concludes that mandatory notification is an indispensable element of an effective regulatory system.
Journal Article
Risk and Anxiety: A Theory of Data-Breach Harms
2018
In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their legal claims are viable. Plaintiffs have argued that data breaches create a risk of future injury, such as identity theft, fraud, or damaged reputations, and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data-breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge. In the past five years, the U.S. Supreme Court has contributed to the confusion. In 2013, the Court, in Clapper v. Amnesty International, concluded that fear and anxiety about surveillance, and the cost of taking measures to protect against it, were too speculative to satisfy the "injury in fact" requirement to warrant standing. This past term, the U.S. Supreme Court stated in Spokeo v. Robins that "intangible" injury, including the "risk" of injury, could be sufficient to establish harm. When does an increased risk of future injury and anxiety constitute harm? The answer remains unclear. Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach. In this Article, we examine why courts have struggled to conceptualize harms caused by data breaches. The difficulty largely stems from the fact that data-breach harms are intangible, risk-oriented, and diffuse. Harms with these characteristics need not confound courts; the judicial system has been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law. We argue that courts are far too dismissive of certain forms of data-breach harm and can and should find cognizable harms. We demonstrate how courts can assess risk and anxiety in a concrete and coherent way, drawing upon existing legal precedent.
Journal Article
INTRODUCTION: PRIVACY SELF-MANAGEMENT AND THE CONSENT DILEMMA
2013
During the past decade, the problems involving information privacy - the ascendance of Big Data and fusion centers, the tsunami of data security breaches, the rise of Web 2.0, the growth of behavioral marketing, and the proliferation of tracking technologies - have become thornier. Policymakers have proposed and passed significant new regulation in the United States and abroad, yet the basic approach to protecting privacy has remained largely unchanged since the 1970s. Under the current approach, the law provides people with a set of rights to enable them to make decisions about how to manage their data. These rights consist primarily of rights to notice, access, and consent regarding the collection, use, and disclosure of personal data. The goal of this bundle of rights is to provide people with control over their personal data, and through this control people can decide for themselves how to weigh the costs and benefits of the collection, use, or disclosure of their information. I will refer to this approach to privacy regulation as "privacy self-management."
Journal Article
Person related workplace bullying and knowledge hiding behaviors: relational psychological contract breach as an underlying mechanism
2023
Purpose
This paper aims to investigate the direct relationship between person-related workplace bullying and dimensions of knowledge hiding. In addition, this study also intends to explore how relational psychological contract breach (RPCB) mediates bullying and knowledge hiding.
Design/methodology/approach
This study has used a survey-based research design to collect the data. The data were collected in three time lags from 494 individuals working in IT-based firms (software houses) located in Pakistan. The data were analyzed through the variance-based structural equation modeling technique. For this purpose, the authors used SmartPLS3 software.
Findings
This study revealed that person-related workplace bullying impacts playing dumb and evasive knowledge hiding both directly and indirectly. In addition to this, person-related bullying does not affect rationalized knowledge hiding. This study also found that RPCB mediates the relationship between person-related bullying and knowledge hiding dimensions.
Practical implications
This study offers important implications for IT firms, including software houses. The findings imply that organizations should discourage person-related workplace bullying to reduce employees’ intention to engage in knowledge-hiding behavior. Moreover, the management of these firms should develop a culture of interpersonal trust among employees so that they can care for the relational psychological contract.
Originality/value
This study is amongst the few pieces of research that have investigated the impact of person-related bullying on different forms of knowledge hiding behavior through the mediating role of RPCB.
Journal Article