Data-deletion service’s patent covers removing personal information such as geolocation, biometrics, and phone records from a vehicle by using a user-computing device
Privacy4Cars, the first privacy-tech company focused on solving the privacy and security issues posed by vehicle data to protect consumers and automotive businesses, announced today that it has secured a new patent, further expanding its patent coverage for removing privacy information from a vehicle by using a user computing device. This patent grant marks the fourth patent that the U.S. Patent & Trademark Office has awarded to Privacy4Cars in the past three years and provides further evidence that the company is the leading innovator in the vehicle data privacy and security field.
Since its launch in 2018, Privacy4Cars has emerged as the industry standard across auto finance companies (including captives, national and regional banks, auto lenders, and credit unions), fleets and fleet management companies, and franchised and independent dealerships. Many of today’s top companies in the automotive space – including the three largest OEMs’ captives – have adopted the data-deletion service powered by the Privacy4Cars platform, and a growing number of industry associations have begun speaking out about the need to clear personal information from cars, and tapping Privacy4Cars as a resource to educate members.
“Used vehicles are akin to large, unencrypted hard drives full of consumers’ sensitive Personal Information, including identifiers, geolocation, biometrics, and phone records,” said Andrea Amico, CEO and founder of Privacy4Cars. “This creates service, reputation, and increasingly major regulatory challenges, including the obligations companies face under the new Safeguards Rule (coming into effect on Dec. 9, 2022) and a host of existing and new state laws. At the same time, federal and local agencies are increasingly concerned about the personal information vehicles capture and store – which is driving more and more auto businesses to look for reliable solutions to simply and effectively delete data from vehicles while creating by design detailed compliance logs that prove their efforts,” he continued. “This new patent demonstrates Privacy4Cars’ commitment to meet the growing compliance and service needs of our partners. Privacy4Cars has established itself as the clear leader in the vehicle privacy space and companies increasingly recognize the superior efficiency, effectiveness, and compliance outcomes our proprietary solution offers, making Privacy4Cars the only obvious choice.”
Privacy4Cars’ newly awarded U.S. Patent No. 11,494,514 expands the scope of patent protection for the vehicle data privacy and security innovations of Privacy4Cars’ U.S. Patent No. 11,256,827, U.S. Patent No. 11,157,648 and U.S. Patent No. 11,113,415. The new patent covers the use of a user computing device to remove privacy information from a vehicle and to create feedback about the information removal activity, including deletion logs for use in legal compliance applications.
Privacy4Cars is currently available in the US, Canada, UK, EU, Middle East, India, and Australia, and plans to further expand its geographical reach to address the growing number of countries that have comprehensive privacy and data security laws. Privacy4Cars is available to consumers as a free-to-download app, and to businesses as a subscription service. Businesses can use Privacy4Cars’ stand-alone app or choose to integrate Privacy4Cars’ Software Development Kit to easily embed its patented data deletion solution as a feature inside their own apps.
For more information about Privacy4Cars, please visit: https://privacy4cars.com.
ABOUT PRIVACY4CARS
Privacy4Cars is the first and only technology company focused on identifying and resolving data privacy issues across the automotive ecosystem. Our mission, Driving Privacy, means offering a suite of services to expand protections for individuals and companies alike, by focusing on privacy, safety, security, and compliance. Privacy4Cars’ patented solution helps users quickly and confidently clear vehicle users’ personal information (phone numbers, call logs, location history, garage door codes, and more) while building compliance records. For more information, please visit: https://privacy4cars.com/
Data protection is challenging for many businesses because the United States does not currently have a national privacy law – like the EU’s GDPR – that explicitly outlines the means for protection. In the absence of federal legislation, several states have signed comprehensive data privacy measures into law. The California Privacy Rights Act (CPRA) will replace the state’s current privacy law and take effect on January 1, 2023, as will the Virginia Consumer Data Protection Act (VCDPA). The Colorado Privacy Act (CPA) will commence on July 1, 2023, while the Utah Consumer Privacy Act (UCPA) begins on December 31, 2023.
For companies doing business in California, Virginia, Colorado and Utah* – or any combination of the four – it is essential to understand the nuances of the laws to ensure they are meeting protection requirements and maintaining compliance at all times.
Understanding how data privacy laws intersect is challenging
While the spirit of these four states’ data privacy laws is to achieve more comprehensive data protection, there are important nuances organizations must sort out to ensure compliance. For example, Utah does not require covered businesses to conduct data protection assessments – audits of how a company protects data to determine potential risks. Virginia, California and Colorado do require assessments but differ in the circumstances that trigger one.
Virginia requires companies to undergo data protection assessments before processing personal data for advertising, selling personal data, processing sensitive data, or processing data for consumer profiling purposes. The VCDPA also mandates an assessment for “processing activities involving personal data that present a heightened risk of harm to consumers.” However, the law does not explicitly define what it considers to be “heightened risk.” Colorado requires assessments like Virginia, but excludes profiling as a reason for such assessments.
Similarly, the CPRA requires annual data protection assessments for activities that pose significant risks to consumers but does not outline what constitutes “significant” risks. That definition will be made through a rule-making process via the California Privacy Protection Agency (CPPA).
The state laws also vary as to whether a data protection assessment required by one law is transferable to another. For example, let’s say an organization must adhere to the VCDPA and another state privacy law. If that business undergoes a data protection assessment with similar or more stringent requirements under the other law, the VCDPA will recognize that assessment as satisfying its requirements. However, businesses under the CPA do not have that luxury – Colorado recognizes only assessments that meet its own requirements.
Another area where the laws differ is how each defines sensitive data. The CPRA’s definition is extensive and includes a subset called sensitive personal information. The VCDPA and CPA are more similar and have fewer sensitive data categories. However, their approaches to sensitive data are not identical. For example, the CPA views information about a consumer’s sex life and mental and physical health conditions as sensitive data, whereas the VCDPA does not. Conversely, Virginia considers a consumer’s geolocation information sensitive data, while Colorado does not. A business that must adhere to each law will have to determine what data is deemed sensitive for each state in which it operates.
There are also variances in the four privacy laws related to rule-making. In Colorado and Utah, rule-making will be at the discretion of the attorney general. Virginia will form a board consisting of government representatives, business people and privacy experts to address rule-making. California will engage in rule-making through the CPPA.
The aforementioned represents just some of the variances between the four laws – there are more. What is clear is that maintaining compliance with multiple laws will be challenging for most organizations, but there are clear measures companies can take to cut through the complexity.
Overcoming ambiguity through proactive data privacy protection
Without a national privacy law to serve as a baseline for data protection expectations, it is important for organizations that operate under multiple state privacy laws to take the appropriate steps to ensure data is secure regardless of regulations. Here are five tips.
Partner with compliance and legal experts
It is critical to have someone on staff or to serve as a consultant who understands privacy laws and can guide an organization through the process. In addition to compliance expertise, legal advice will be a must to help navigate every aspect of the new policies.
Identify data risk
From the moment a business creates data or receives it from an outside source, it must determine the data’s risk based on its level of sensitivity. That initial determination lays the groundwork for how the organization protects the data. As a general rule, the more sensitive the data, the more stringent the protection methods should be.
Create policies for data protection
Every organization should have clear and enforceable policies for how it will protect data. Those policies are based on various factors, including regulatory mandates. However, policies should attempt to protect data in a manner that exceeds the compliance mandates, as regulations are often amended to require more stringent protection. Doing so allows organizations to maintain compliance and stay ahead of the curve.
Integrate data protection in the analytics pipeline
The data analytics pipeline is being built in the cloud, where raw data is converted into usable, highly valuable business insight. For compliance reasons, businesses must protect data throughout its lifecycle in the pipeline. This implies that sensitive data must be transformed as soon as it enters the pipeline and then stays in a de-identified state. The data analytics pipeline is a target for cybercriminals because, traditionally, data can only be processed as it moves downstream in the clear. Employing best-in-class protection methods – such as data masking, tokenization and encryption – is integral to securing data as it enters the pipeline and preventing exposure that can put organizations out of compliance or worse.
Implement privacy-enhanced computation
Organizations extract tremendous value from data by processing it with state-of-the-art analytics tools readily available in the cloud. Privacy-enhancing computation (PEC) techniques allow that data to be processed without exposing it in the clear. This enables advanced use cases where data processors can pool data from multiple sources to gain deeper insights.
The adage, “An ounce of prevention is worth a pound of cure,” is undoubtedly valid for data protection – especially when protection is tied to maintaining compliance. For organizations that fall under any upcoming data privacy laws, the key to compliance is creating an environment where data protection methods are more stringent than required by law. Any work done now to manage the complexity of compliance will only benefit an organization in the long term.
*Since writing this article, Connecticut became the fifth state to pass a consumer data privacy law.
Earlier this year, the White House announced that it is working with the European Union on a Trans-Atlantic Data Privacy Framework. According to a White House statement, this framework will “reestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”
This is encouraging news. As The National Law Review pointed out, the EU had concerns about the protection of their citizens’ data from U.S. government surveillance. But it may also be the push needed to advance greater data privacy protections in America.
“The joint statement references the U.S. putting in place ‘new safeguards’ to ensure that intelligence activities are ‘necessary and proportionate’, the definition and practical application of which will be one of the things that privacy campaigners will be looking at closely when the detailed text is drafted and made available,” said Stephen Bailey of NCC Group in an email comment.
Data Privacy and AppSec
The world runs on apps, so it is necessary to look at how the Trans-Atlantic Data Privacy Framework will impact app development and app security.
“For application developers, the single biggest challenge to complying with increasingly rigorous data protection frameworks is getting control of their data, particularly sensitive and personally identifiable information,” explained Chris McLellan, director of operations at the nonprofit Data Collaboration Alliance.
Today, every new app, whether bought or built, traps data in a silo, which can only be connected through the exchange of copies or point-to-point data integration.
“These copies make it incredibly difficult – and in some cases, even impossible – to support GDPR outcomes like ubiquitous data access controls, portability, custodianship, deletion (the right to be forgotten) and precision auditability: things that could potentially, although they’re unlikely to, be included in the post-Privacy Shield framework. But they are definitely looming on the horizon both internationally and domestically, for example, in California and Utah,” said McLellan.
As data privacy frameworks become more common and we begin to see more joint efforts internationally, organizations have to think about how they share and store data in the future, taking compliance requirements into greater consideration.
Organizations need to get more serious about minimizing their use of data and start implementing strategies that introduce real control to the data they manage, McLellan says. They should be exploring ways now to eliminate data silos and copies that have resulted in rampant data proliferation.
No Quick Fixes
But, as McLellan pointed out, there are no quick fixes. Unwinding years of the “an app for everything and a database for every app” mantra will be difficult, and McLellan believes this is best approached in two stages.
Stage One: Immediately treat the symptoms of data proliferation by evaluating and adopting privacy-enhancing technologies that help organizations anonymize and encrypt data, and better manage consent. “They should also investigate the potential to adopt first-party and zero-party data collection practices that redirect customer and other sensitive data away from the third-party apps (e.g. Google Analytics), over which they have no control,” McLellan explained. “Organizations should also adopt processes and workflows that help them establish ‘purpose-based’ data access requests.”
Stage Two: Organizations should explore ways to address the root causes of data proliferation. Everyone within the organization’s technology teams – CIO, CDO, application development, data and IT teams – should familiarize themselves with emerging frameworks like zero-copy integration, a framework that is on track to become a national standard in Canada.
“It’s the evolution of privacy-by-design and signals the beginning of the end for application-specific data silos and copy-based data integration. Such frameworks are made possible by new categories of technology, including data fabrics, dataware and blockchain that support ‘zero copy’ digital innovation. Many leading organizations, particularly in finance and health care, are already ahead of the curve in adopting this approach,” said McLellan.
Data protection regulations at home and abroad reflect a burgeoning global trend toward citizens and consumers gaining greater control and ownership of data as its rightful owner.
“These regulatory shifts,” said McLellan, “will need to be met by an equally significant shift in how U.S. businesses manage data and build new applications if there’s any hope to comply with new laws as they’re passed.”
President Joe Biden on Tuesday signed into law a $1.5 million government funding bill that includes legislation mandating critical infrastructure owners report if their organization has been hacked or made a ransomware payment.
Biden signed the legislation during a White House ceremony that was attended by administration officials and top Democratic lawmakers, including House Speaker Nancy Pelosi (Calif.) and Senate Majority Leader Chuck Schumer (N.Y.).
The Strengthening American Cybersecurity Act – which was attached to the spending deal that keeps the federal government open until September – requires that critical infrastructure operators alert the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and within 24 hours if the organization made a ransomware payment. It also grants CISA the power to subpoena entities that don’t report a cyber incident or ransomware payment.
CISA will have up to two years to publish a notice in the Federal Register on proposed rulemaking to implement the reporting effort, though it may move faster due to heightened concerns about Russian cyberattacks bleeding out of Moscow’s invasion of Ukraine.
“This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in America is reporting cyber-attacks and ransomware payments to the federal government,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who authored and championed the legislation along with Sen. Rob Portman (R-Ohio), said in a statement.
Portman, the panel’s top Republican, said the legislation will “give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks.”
Are you planning a career as a DPO (data protection officer)?
Are you planning a career as a DPO (data protection officer)? Our unique combined GDPR (General Data Protection Regulation) and DPO training course is now available in a low-cost self-paced online format.
Work at your own pace with self-paced online training – a more affordable, flexible and less disruptive way to study. Designed by GDPR experts, this course features pre-recorded video modules supported by a learner guide and interactive exercises and tests.
The course includes essential elements of our GDPR / Data Privacy Roles Learning Path, which provides a unique guide to which training courses and qualifications will help you enhance your GDPR or DPO career.
Google announced Privacy Sandbox on Android to limit user data sharing and prevent the use of cross-app identifiers. The company states that the Privacy Sandbox technologies are still in development.
“Privacy Sandbox on Android will strengthen privacy, while providing tools app developers need to support and grow their businesses. It will introduce new solutions that operate without cross-app identifiers – including Advertising ID – and limit data sharing with third parties,” reads the announcement.
Google is also committed to fighting and reducing covert data collection.
The goals of the Privacy Sandbox are:
Build new technology to keep your information private
Enable publishers and developers to keep online content free
Collaborate with the industry to build new internet privacy standards
Google will continue to support existing ads platform features for at least two years. The IT giant is inviting developers to review the proposed solution and provide their feedback through the Android developer portal.
“Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We’ll provide regular updates on designs and timelines, and you can also sign up to receive updates,” concludes the announcement. “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
In late March 2021, Representative Susan DelBene (D-WA 01) introduced legislation to the 116th Congress to protect consumer privacy and put control of consumers’ data in their own hands.
DelBene noted that states are surging ahead of the federal government in creating privacy laws, each with their own flavor and each serving the needs of a particular constituency/demographic. DelBene argued that having a federal policy will stem consumer confusion and put the United States back into the conversation on global privacy policies. The EU, for example, is pushing their General Data Protection Regulation (GDPR) as the global standard.
Companies must produce their privacy policies in “plain English” within 90 days of the bill’s passage.
Users must “opt in” before companies may use their sensitive PII. In doing so, the user is made aware of how the information may be used and, more importantly, how it is not to be used. Companies will have 90 days to put this capability in place once the legislation becomes law.
Companies must be transparent when it comes to sharing user information – who, what, where, how and why.
The Federal Trade Commission (FTC) will be given the authority to fine bad actors on their first offense, and state attorneys general will be empowered to pursue offenders. If the FTC doesn’t act on a complaint within 60 days, the state attorney general may pursue legal remedies.
Trust, yet verify: every two years, companies holding information from 250,000 or more people must undergo a “neutral” privacy audit to ensure they are handling PII in accordance with the provisions of the Act.
The bill will provide to the FTC 50 additional full-time employees, of which 15 must be technical experts (not further defined), and initial funding for the program will be $35 million.
Lesson 1: Take stock of identities and lock them down
When it comes to data protection, security and compliance, organizations must keep the potential technology risk within acceptable limits, which means mobilizing efforts to identify data lakes and applications where personally identifiable information (PII) and other sensitive information is stored. Organizations should then use digital transformation as the catalyst to lock those applications down with the proper controls to prevent the unauthorized use of data, and use analytics to gain visibility into how that sensitive data is managed.
The key to any data privacy compliance is proper data protection because under these laws, consumers retain the right to deny and revoke the collection of their data. The first step in any plan around compliance is to have a basic understanding of whose data you have, where it is, and who has access to it. This principle is the foundation of identity management and governance.
Using an opt-in approach will help curb the excesses of Big Tech.
Americans have become inured to the relentless collection of their personal information online. Imagine, for example, if getting your suit pressed at the dry cleaner’s automatically and permanently signed you up to have scores of inferences about you – measurements, gender, race, language, fabric preferences, credit card type – shared with retailers, cleaning product advertisers and hundreds of other dry cleaners, who themselves had arrangements to share that data with others. It might give you pause.
But that’s the daily reality on the internet. Every minute a person spends online helps countless companies build a thicker dossier about that person.
Despite what corporations profess, much of this personal data is used not to improve products themselves, but to make those products more attractive to advertisers.
One straightforward solution is to let people opt in to data collection on apps and websites. Today, with few exceptions, loads of personal data are collected automatically by default unless consumers take action to opt out of the practice – which, in most cases, requires dropping the service entirely.
Virginia recently had the opportunity to extend firmer data protection rights to its residents. But the state’s Consumer Data Protection Act, signed into law this month, is a business-friendly package, supported by Amazon and Microsoft, that puts the onus on consumers to opt out of most data collection, except for the most sensitive personal details. Washington State lawmakers are advancing similar legislation.
Looking for affordable ways to keep your data secure? Sometimes the simplest solutions are the best – and nothing beats the simplicity of a book.
With books, you get expert advice at your fingertips. You can study whenever is convenient and the information is always there for you to reference.
So, which books are right for you? That depends on what you want to know. Fortunately, IT Governance has a selection of titles covering everything you need to know, including the GDPR, Cloud security and the CCPA.
Let’s take a look at some of our most popular titles. Below are the four best books on Data Privacy.
This bestselling guide is the ideal companion for those trying to understand how the GDPR affects their organisation.
It explains the Regulation’s requirements in terms you can understand and helps you understand data subjects’ rights and the way consent requests have changed.
You’ll also gain a deeper understanding of the GDPR’s technical requirements, such as the appointment of a DPO (data protection officer), international data transfers and the obligations of data controllers and processors.
Written by Alan Calder, IT Governance’s founder and executive chairman, this book is an essential introduction to the GDPR.
It’s ideal for anybody who is new to the Regulation or needs a refresher, explaining the legal terminology and compliance in simple terms.
It also provides invaluable advice on how you can meet the GDPR’s requirements.
This includes broad measures that your organisation should implement as well as tips on things you should and shouldn’t do when processing personal data.
If your organisation collects California residents’ personal data, you must comply with the CCPA (California Consumer Privacy Act).
The law, which took effect on 1 January 2020, applies to certain companies depending on their annual turnover, how much personal data they collect and whether they sell the information for profit.
Written by data protection expert and consultant Preston Bukaty, this handbook provides a comprehensive explanation of the law’s scope and how to achieve compliance.
OneLogin’s recent research into remote working practices shows it is proving to be fertile ground for hackers – Here’s how to stay safe
How to stay secure
Another key step to keep your business safe from breaches is to ensure that your employees are following security best practices. To celebrate Data Privacy Day, we’ve provided some practical steps to do this. For example:
Don’t share your work computer with friends, housemates or family members: 26% of respondents admitted doing this
Don’t download personal applications onto a company device: 23% of respondents admitted doing this
Don’t work on a public wifi that is not protected: 22% of respondents admitted doing this
Don’t share your corporate password with others: 12% of respondents admitted doing this
Don’t leave your corporate devices unattended in a public space: 10% of respondents admitted doing this
Do encourage your company to engage with multi-factor authentication (MFA), which gives you multiple layers of protection: only 36% of respondents suggested that MFA had been implemented
The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).
Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:
Demonstrate an understanding of privacy and cybersecurity law concepts, and the basis of national/state jurisdiction
Define terms used in the CCPA/CPRA and contrast them to the GDPR
Articulate the rights of consumers, and determine the duties of a business
Court documents related to a recent gun-trafficking case in New York and obtained by Forbes revealed that the FBI may have a tool to access private Signal messages.
The documents revealed that encrypted messages can be intercepted from iPhone devices when they are in “partial AFU (after first unlock)” mode.
“The clues came via Seamus Hughes at the Program on Extremism at the George Washington University in court documents containing screenshots of Signal messages between men accused, in 2020, of running a gun trafficking operation in New York,” states Forbes. “There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in ‘partial AFU.’ That latter acronym stands for ‘after first unlock’ and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off.”
Here are our five key data privacy trends for this year.
1. There will be more public awareness of privacy rights
This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.
All of this information is helping consumers become more aware of their rights.
Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.
The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals' rights concerning data.
There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.
Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.
2. Brexit will continue to cause headaches
Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation), which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.
For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.
Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.
3. We shouldn't expect an adequacy decision imminently
Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.
For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.
But in practical terms, it's not quite as straightforward, not least because there's an intersection between the UK government's bulk collection of personal data and the restrictions placed on that under the EU GDPR.
Currently, personal data can continue to flow between the EU and the UK for a minimum of four months, until 30 April. If both parties agree, that can be extended for another two months.
In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.
The UK has already granted an adequacy finding in respect of the EU, so that's not an issue for moving data from the UK to the EU.
4. GDPR enforcement will be more consistent
In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasnât much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.
In some cases, the fines were minuscule, but in others the penalties were large.
It's clear that supervisory authorities are paying attention to the requirements of the GDPR, not just in relation to data breaches but also to violations of its wider data protection requirements.
We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.
Although the UK's ICO (Information Commissioner's Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.
5. Cookie laws will come under greater scrutiny
From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.
So, cookies, and in particular the way organisations gain consent for their use, will become a significant issue in the EU and the UK.
Current regulations indicate that they apply whenever organisations provide a service into the EU, so we'll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.
Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.
Meet your data privacy requirements with IT Governance
One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.
One of the new features in iOS 14 is the ability to change the default email or browser app to a third-party alternative such as Chrome, Edge, or Outlook. A bug in the first public release of iOS 14, however, causes your default browser or mail app setting to reset to Mail or Safari when […]
In the version of iOS 14 released to the public this week, there is a massive caveat to the new default browser and settings. If you reboot your iPhone or iPad, the default app setting will reset to Apple's first-party Mail and Safari applications.
What this means is that if you set Chrome as the default browser, but then your iPhone dies or you need to reboot it, Safari will once again become the default browser app until you go back into the Settings app and make the change again. The same applies to email apps such as Microsoft Outlook and Spark as well.
This is almost certainly some sort of bug on Apple's side, because it is affecting email and browser apps from multiple companies including Google, Microsoft, and Readdle. On Twitter, a Google Chrome engineer has acknowledged the problem, though the ball is likely in Apple's court to roll out some sort of fix, unless this is bizarrely the intended behavior.
Privacy by design is a voluntary approach to projects that promotes privacy and data protection compliance, and helps you comply with the Data Protection Act 1998 (DPA).
The Information Commissioner's Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:
Building new IT systems to store or access personal data;
Needing to comply with regulatory or contractual requirements;
Developing internal policies or strategies with privacy implications;
Collaborating with an external party in a way that involves data sharing; or
Using existing data for new purposes.
Privacy by design and the GDPR
The upcoming EU General Data Protection Regulation (GDPR) will supersede the DPA. Article 25 of the GDPR, “[d]ata protection by design and default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project. As such, data must be considered at the design stage of any project, during which you must process and store as little data as possible, for as short a time as possible.
Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisationâs data flows. This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.
Organisations need to be aware of the personal data that they are processing, and to ensure that this data is being processed in compliance with the law. Organisations often process significantly more data than they realise, so it is vital that they perform mapping exercises to keep track of all of it.
Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.
The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.
ISO 27001 has long been regarded as the information security standard to protect a companyâs sensitive information, but more recently law firms have been viewing it as a key competitive differentiator in their field.
Key selling point
Shook, Hardy & Bacon achieved ISO 27001 certification last year and described the standard as a key selling point for their firm. “We wanted to make sure we had the processes in place so [clients] had confidence that we were doing the best we could,” says the firm's chair, John Murphy.
Strengthened position in the legal market
Murphy continues that certifying to ISO 27001 has strengthened SHB's position in the legal market and that prospective clients ask the firms they're evaluating about their data security policies and procedures; some even specifically ask firms whether they have an ISO 27001 certification.
Certification to ISO 27001 has been achieved by at least 12 large law firms, half of which are based in the United Kingdom, and another 16 US firms were identified as “working toward or investigating certification” (International Legal Technology Association's LegalSEC conference, June 2014).
The importance of data security in the legal sector
Having worked with some of the top law firms in the country (including Eversheds, Freshfields, and Slaughter and May), we know how important data security is to those in the legal sector.