News Alerts and Breach Report for Week of July 18, 2022
Government Agencies at Odds Over Location Data Privacy
According to records obtained by the American Civil Liberties Union (ACLU), the Department of Homeland Security has for several years purchased data from the mobile advertising industry, including location information from phones in the southwestern United States. More than 336,000 location data points from across North America were collected without a warrant as part of immigration enforcement efforts by Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE). The broker that provided the information, Venntel, boasts “that its location data could be used to track devices traveling between Mexico and the U.S., and also trace a specific vehicle’s route,” according to Politico. Location data is protected by numerous privacy protection laws, including California’s CPRA become an increasingly topical conversation as questions are raised about how this type of data could negatively impact citizens that seek abortion access in states where it’s legal. The FTC recently published “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” on its Business Blog. Per Mondaq, “The blog post is likely related to an Executive Order (the “EO”) signed by President Biden in the wake of the Supreme Court’s Dobbs decision. Among other things, the EO directed the FTC to consider taking steps to protect consumers’ privacy when seeking information about and related to the provision of reproductive health care services.”
Data Privacy Best Practices for Enterprise Leaders
VentureBeat published a best practices guide on data privacy for enterprise leaders last week. The guide recommends limiting data collection in order to reduce the storage and security costs that tend to scale with data volume. Other recommendations include centralizing data storage systems, leveraging tech tools to achieve data privacy compliance, and viewing data privacy compliance as a competitive advantage (in the way that Apple does).
Amazon Ring Turns Over Data to Police Without Permission
In response to an inquiry by Senator Ed Markey (D-Mass), Amazon revealed that it turned over footage from its Amazon Ring cameras 11 times this year without first asking permission from the camera owners. Markey cited concern over law enforcement circumventing public accountability, and Amazon replied that it’s only turned over data without a warrant for “exigent or emergency circumstance.” Markey’s inquiry aligns with a broader legislative priority of cracking down on data privacy violations.
Network and Information Security Directive Shortens Breach Notification Timeline
The European Parliament’s Committee on Industry, Research and Energy approved an agreement on its impending Network and Information Security (NIS) Directive. The agreement “updates baseline requirements and significantly broadens the material scope of the first EU-wide cybersecurity legislation implemented in 2016,” according to the IAPP. The directive seeks to establish cooperation between NIS authorities, and “lists very specific measures — including identification, containment and coordinated vulnerability disclosure,” that must be taken to prove a legal basis for processing data under GDPR. The directive also will require breach notifications to be made faster than GDPR’s allotted 72 hours. Affected entities will be required to provide an early warning to data protection authorities within 24 hours of an incident, with a more detailed report due after 72 hours.
How Semiconductors Create Data Privacy Concerns
As the Internet of Things grows and increases the attack surface available to bad actors, consumers’ digital footprint grows as well. Protecting data collected by devices has in turn become an increasingly sisyphean task. Powering the increased ability by devices to collect data are semiconductors—devices that power computing—which also collect data. For example, if you open your fridge door, the semiconductors in the fridge have the ability to take note of that action and relay it to the manufacturer. Read more at CPO Magazine.
Breach Report:
* * * * * * *
To read our coverage on Cyber Insurance and the preliminary steps an organization should take prior to before deciding, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Last week, Keith Cheresko, Principal of Privacy Associates International LLC and former general counsel of the Ponemon Institute, a privacy research organization, joined Jody Westby on our Privacy and Cybersecurity podcast to discuss to discuss to discuss the increasing tangle of contractual compliance obligations in privacy laws. Our Podcasts are generally released every Thursday, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!