Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.
Week of: Sep 24-Oct 1
Multiple articles this week emphasise the rising financial cost of data breaches, particularly as a result of substantial regulatory fines. Major organisations such as Facebook, Equifax and Uber are all reportedly facing sizable penalties as a result of recent data breaches. The financial hit coincides with heightened discussion and reporting of privacy issues and complaints, likely the result of public awareness having increased in the wake of new legislation introduced over the past 12 months.
Summary: Uber paid hackers $100,000 to delete data that they had illegally accessed on 57 million customers and drivers, as well as to keep the breach quiet. Now they’re paying $148 million as a result of a legal settlement related to the breach.
Key risk takeaway: The large pay-out draws sharp focus to the poor quality of Uber’s initial response, which was to pay the attackers and keep the breach quiet. Businesses are increasingly being judged not merely for having had a breach, but on how well they respond to it. To mitigate the risk of a poorly handled response, organisations should have well-rehearsed breach response plans and should practise approaching public disclosure of security and privacy incidents with transparency and accountability.
Tags: #breach #response #comms
Summary: A European Union privacy watchdog could fine Facebook as much as $1.63 billion for a data breach in which hackers compromised the accounts of over 50 million users.
Key risk takeaway: A series of recent incidents – including the Cambridge Analytica scandal – continues to undermine Facebook’s public standing on privacy and security issues. The sizeable potential fine here demonstrates the significant financial penalties outlined under recently introduced privacy regimes, such as GDPR and the Notifiable Data Breach scheme. Given growing public expectations around privacy, regulators will likely be keen to visibly enforce these new regulations. Organisations should accordingly prioritise achieving a thorough understanding of their obligations under these regulatory regimes.
Tags: #breach #privacy #regulations #GDPR
Summary: Credit monitoring giant Equifax has been hit with the maximum penalty from the UK’s data protection agency for its actions related to the company’s massive data breach.
Key risk takeaway: While the credit monitoring company received the maximum penalty available to the UK’s data protection agency relating to the 2017 breach (£500,000 under the pre-GDPR Data Protection Act 1998), that ceiling no longer applies. Businesses face significantly higher fines under GDPR (up to €20 million or 4 per cent of global annual turnover, whichever is higher), so would be well advised to understand their obligations.
Tags: #breach #privacy #regulations #GDPR
Summary: Facebook confirmed it uses the phone numbers provided by users specifically for security purposes to also target them with ads.
Key risk takeaway: While Facebook defended this practice as using information provided by users to “offer a better, more personalised experience”, and pointed out that the practice was outlined in its data use policies, the tech giant has faced criticism for having acted unethically. This illustrates the importance not only of transparency around data collection and use, but of ensuring that data is used in line with the purpose for which customers provided it and with their reasonable expectations.
Tags: #privacy #security
Summary: Tech giants Apple, Amazon, Google and Twitter were in front of the US Senate Commerce Committee to outline their approaches to user privacy, and to persuade lawmakers on their preferred approach to regulation and legislation.
Key takeaway: Governments and regulators are looking to visibly respond to growing public expectations around data protection, as evidenced by the introduction of new legislative regimes and by hearings such as the one outlined in this article. Even in the US (which is often deemed less stringent on privacy) consideration is now being given to mirroring the EU’s GDPR, with California already having done so via its new digital privacy laws. The tech giants are reportedly advocating instead for federal privacy legislation which would supersede state legislation such as California’s, and which they would likely seek to influence. In light of this global patchwork of regulations, organisations should seek to understand the extent of their obligations under the different regimes, particularly where they offer services to international customers.
Summary: Researchers have unearthed new malware attacking a large number of Internet-of-Things (IoT) devices.
Key takeaway: There are growing signs of cyber attackers targeting internet-connected devices, routers in particular. Organisations should conduct a thorough inventory of their assets to understand which devices are in their environment and which known vulnerabilities affect them. Device security “hygiene” – such as patching devices, changing default passwords and disabling unneeded remote management interfaces – is critical.
Tags: #security #IOT
Summary: Australia’s Assistance and Access Bill – which the Government argues is necessary to bolster national security and law enforcement – is attracting concern from around the world over its potentially weakening effect on online security.
Key takeaway: Under the legislation, communications companies could be required to assist the Government to access encrypted communications. A broader takeaway from the criticism of the legislation by privacy advocates (as well as concerns raised by technology companies) is the underlying community expectation that organisations will protect customer data.
Tags: #privacy #government #security
Summary: Another European data protection agency reports a sharp rise in the numbers of complaints since the EU introduced GDPR.
Key takeaway: Increased noise around new privacy regulations is translating into increased consumer awareness, and subsequently, complaints. Given these trends, organisations must become more proactive on data protection matters.