Welcome to the first part in an ongoing blog series, On Our Radar. The RADAR team is constantly researching and reading about the privacy industry. In this ever-shifting field, we recognize how important it is to stay on top of the latest advancements, news, and research impacting the way privacy professionals go about their work. This continuing blog series, hosted by alternating members of the RADAR team, will be our place to share what we’ve learned and what we’re keeping an eye on with all of you.
With that, here are some of the news stories we’re currently following:
Last week’s IAPP Data Protection Intensive in London was an excellent opportunity to reflect on the past year of privacy news, including the impact of the GDPR (and the issue of over-reporting) as well as how the Information Commissioner’s Office (ICO) supports innovation while maintaining public trust. As UK Information Commissioner Elizabeth Denham put it in her conference session, “Across the world, people are beginning to wake up to the importance of personal data, and it is up to us – as regulator and those striving to comply with the law – to keep that fire burning. If we fearlessly and tirelessly apply the principles that the ICO and the IAPP hold dear, we can build people’s trust and confidence, because their data matters.”
The Conference of State Bank Supervisors last week released comments on legislative efforts to establish a federal privacy law, stating that they “would strongly oppose any federal proposal which seeks to preempt states from playing a leading role in advancing consumer protections in the areas of data privacy, security, and control.”
A recent Freedom of Information request revealed that, in the year before the GDPR took effect, 91% of breach reports to the ICO omitted important information such as the impact of the breach, the recovery process and key dates. On average, businesses waited three weeks after discovering a breach before reporting it to the ICO, far outside the 72-hour notification window the GDPR now imposes on controllers. “Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO,” said Mark Nicholls, director of cybersecurity at Redscan, which made the information request. “This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”
A recent ransomware attack in Norway affected more than 35,000 employees across 40 countries. Ransomware encrypts data or otherwise blocks access to a computer system until a sum of money is paid; because the data becomes unavailable to its owner, an attack of this kind is treated as an availability breach, and so can be a notifiable personal data breach under the GDPR even when no data is stolen. Two years ago, the WannaCry ransomware forced some UK hospitals to shut down systems and even turn patients away. Here is an article we posted at that time with tips to avoid this type of attack.
With the enforcement date for the California Consumer Privacy Act (CCPA) rapidly approaching, privacy professionals are watching the changing landscape of the law and preparing for the regulatory burden of compliance. On data breach notification, the act as currently written does not alter the existing breach notification obligations under the California Civil Code and the California Health and Safety Code, at least for now. Several proposed bills in California reportedly seek to expand breach notification requirements within the state: one would amend the CCPA, while another would expand the definition of personal information to include biometric information and government-issued ID numbers.
… that’s all for now! If you’d like to share what privacy and data breach news is currently on your radar, we would love to hear from you at [email protected]