News Alerts and Breach Report for Week of July 25, 2022
House Advances American Data Privacy and Protection Act
In a landmark step forward for consumer data privacy, the U.S. House Energy and Commerce Committee voted to move forward with the American Data Privacy and Protection Act (ADPPA) last week. Lawmakers from California expressed concern over how the ADPPA might conflict with California’s CPRA, and Reps. Anna Eshoo (D-Calif.) and Nanette Diaz Barragán (D-Calif.) were the only representatives to vote against moving the bill forward. Eshoo submitted an amendment that would make the ADPPA a floor for privacy law, allowing states to go beyond the bill’s measures. The bill at this stage still includes a private right of action—a feature that has caused many privacy bills to stall at the state level. According to analysis by Wired, “the most distinctive feature of the new bill is that it focuses on what’s known as data minimization. Generally, companies would only be allowed to collect and make use of user data if it’s necessary for one of 17 permitted purposes spelled out in the bill—things like authenticating users, preventing fraud, and completing transactions. Everything else is simply prohibited. Contrast this with the type of online privacy regime most people are familiar with, which is all based on consent: an endless stream of annoying privacy pop-ups that most people click “yes” on because it’s easier than going to the trouble of turning off cookies.” The Interactive Advertising Bureau also issued an objection to the bill, which it said would impose “heavier regulations than any state currently does.”
FCC Seeks Data Privacy and Retention Info From Mobile Providers
Last Week, the chairwoman of the Federa; Communications Commission (FCC), Jessica Rosenworcel, sent a letter to 15 top mobile carriers requesting information on their data retention practices. Specifically, the letter asked companies like Verizon, AT&T, and Google how customers are notified when their geolocation information is shared with third-parties. The letter notes, “Given the highly sensitive nature of this data—especially when location data is combined with other types of data, the ways in which this data is stored and shared with third parties is of utmost importance to consumer safety and privacy.” The recipients of the letter have until August 3 to reply.
Denmark Schools Ban Google Products Over Data Privacy Issues
Last week, Denmark’s data protection agency, Datatilsynet, issued a verdict noting that, “data processing involving students using Google’s cloud-based Workspace software suite — which includes Gmail, Google Docs, Calendar and Google Drive — “does not meet the requirements” of the European Union’s GDPR data privacy regulations,” according to TechCrunch. The verdict further noted that Google’s terms and conditions allow data collected in Denmark to be transferred to other countries, even though the data is usually stored in one of Google’s EU data centers. The ruling for now applies to schools in Helsingor, but will likely apply to all of Denmark’s schools.
Uber Admits to Massive Cybersecurity Breach
Uber covered up a massive breach in October 2016 that exposed the confidential data of 57 million customers and drivers. The breach came to light in a release from the U.S. Department of Justice last week, wherein Uber agreed to a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the breach. According to the release, “Uber admits that its personnel failed to report the November 2016 data breach to the FTC despite a pending FTC investigation into data security at the company. According to the agreed facts, the hackers responsible for the 2016 breach used stolen credentials to access a private source code repository and obtain a private access key. The hackers then used that key to access and copy large quantities of data associated with Uber’s users and drivers, including data pertaining to approximately 57 million user records with 600,000 drivers’ license numbers. The breach was not reported to the FTC until approximately a year later, when new executive leadership was managing the company.”
Breach Report
* * * * * * *
To read our coverage on Ransomware attacks to state or local governments and their limited options following such attach, click here.
To read our coverage on the Cross-Border Data Transfer Security Assessment Measures issued by the Cyberspace Administration of China, China’s cybersecurity regulatory agency, click here.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Our new Podcast episodes are generally released every Thursday, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!