Most privacy professionals thought it might take months, if not years, for US privacy laws to catch up to the EU, but it looks like California decided to push up the timeline. Last month, the California Consumer Privacy Act of 2018 was passed by the California legislature, expanding the definition of personal data and including more rights for California residents. The act includes a new scope to accompany the new requirements, applying to businesses that meet one or more specified criteria, whether they are located in the state of California or elsewhere. The IAPP has estimated that the new act will impact more than 500,000 businesses across the United States. You can read more about the study to determine the number of impacted businesses here.
GDPR was the star of the show for the 2018 IAPP Global Privacy Summit. No surprise there. What was surprising was the range of content and speakers that were there. There were multiple data protection commissioners in the building, including Isabelle Falque-Pierrotin from France and Helen Dixon from Ireland, as well as the newly elected chair of the Article 29 Working Party, Andrea Jelinek from Austria. There were some sessions on understanding the basics of the GDPR, sessions on preparing your organization for the upcoming deadline, as well as some sessions speaking to the different consulting and attestation options available to help meet the Regulation. Everywhere you looked it was GDPR and this overwhelming feeling of “The End is Nigh!” There were even shirts given out at the Convention Center that substituted “GDPR” for “Winter” in the popular “Winter is Coming” line from HBO’s series Game of Thrones.
The other week, Chris Lippert, Privacy Technical Lead at Schellman, wrote an excellent blog post that explores overlaps and differences between GDPR and other frameworks, including ISO/IEC 27000, NIST, and PCI, as well as ways organizations can start to bridge the gaps to achieve alignment with GDPR.
Originally published on www.industryera.com
2016 and the beginning of 2017 were an incredible period for the cybercriminal, bringing hackers untold millions on the back of ransomware attacks across all industry sectors. 2016 saw cybercriminals become cleverer in how they approached an attack, building threats on the back of online ads and videos; the first half of 2016 saw a 400% increase in ‘bad ads’, also known as malvertising. As well as cybersecurity threats to the integrity and availability of our data, the privacy of that data also took a hit in 2016. Data breaches in healthcare have continued to blight our Protected Health Information (PHI) despite HIPAA regulations. At the time of writing, according to the U.S. Department of Health and Human Services Office for Civil Rights, there were 304 data compromises of PHI in 2016, the largest breach being at Banner Health with just over 3.6 million records.
There was a quiet revolution that took place a while back within the marketing landscape. Investors were falling over themselves to invest in an idea known as ‘targeted marketing’ or ‘targeted advertising.’ If you’ve ever used Facebook, you’ll know exactly what I mean, as Facebook is one of the biggest users of targeted ads. On that site, if you leave your relationship status as single, you can bet you’ll be served up ads for dating sites. If you have “liked” anything to do with fashion, you’ll get ads for designer shoes, and so on. Targeted ads can be extremely annoying, and they also feel very intrusive. However, they are effective—almost twice as effective as non-targeted ads, in fact.
On 21 October 2016, something happened that could have been straight out of a science fiction movie. Many parts of the Internet that we take for granted stopped working. Twitter went down; Airbnb and Spotify were inaccessible. Even security expert Brian Krebs’s blog was shut down. It was as if the Internet had stopped working. What had occurred was a massive distributed denial-of-service (DDoS) attack. The difference between this attack and most others is that instead of focusing the attack on an individual website, the focus was on a centralized service provided by the vendor Dyn. Dyn offers services, including routing of incoming traffic, so that heavily used sites such as Twitter can offer better service to their visitors. The DDoS attackers took a hit-the-mothership approach to deliver a much more widespread impact, bringing down multiple websites.
There have been many changes in the privacy world in the last few years. People are becoming more aware of, and concerned with, the way the government and the private sector collect and handle their personal data. With the GDPR being approved and replacing the Data Protection Directive in the EU comes the realization that data protection initiatives implemented by single governmental entities no longer only affect the residents and companies in those countries. Before the GDPR, the U.S.-EU Safe Harbor framework was invalidated without an immediate replacement, leaving many organizations in limbo until the Privacy Shield was introduced and approved as its successor. These changes in regulation demand that enterprises truly reassess their personal data handling procedures. 2017 will be a busy year in the privacy realm.