News Alerts and Breach Reports for Week of February 13, 2023
EDPB to Review Data Transfer Guidelines
The European Data Protection Board will meet this week to discuss the proposed EU-U.S. Data Privacy Framework, elect a new chair and deputy chair, and discuss its WhatsApp decision.
EU Issues Ruling on DPOs, Conflicts of Interest
As the EU’s General Data Protection Regulation (GDPR) gains maturity, the role of Data Protection Officer (DPO) has become more important and visible. With that has come a reckoning with how much power and independence the role should have. According to Lexology, the Court of Justice of The European Union issued a ruling on DPOs that settled the issue. According to Article 38(6) of the GDPR, the DPO may fulfill other tasks and duties within an organization if those tasks and duties dont interfere with their role as a DPO: “As a rule of thumb, conflicting positions within an organization may include “senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments)” as well as “other roles lower down in the organizational structure if such positions or roles lead to the determination of purposes and means of processing.’” This matters now because the EDPB has announced it will launch a coordinated enforcement action against regulators to determine the role of the DPO.
ChatGPT Presents Cybersecurity Issues, Potential
A new AI tool, ChatGPT, can take human input—in the form of a question or command phrased in natural language—and spit out some pretty spectacular results in the form of poetry, academic essays, and even bits of code. The AI tool can even explain to users complex scientific concepts. But with great power comes…opportunity for exploitation. And thats exactly what’s begun to happen with ChatGPT in the form of spoof apps that are designed to collect personal data from unsuspecting downloaders. “One of the most concerning capabilities of ChatGPT is its potential to create realistic-sounding conversations for use in social engineering and phishing attacks, such as urging victims to click on malicious links, install malware, or give away sensitive information. The tool also opens up opportunities for more sophisticated impersonation attempts, in which the AI is instructed to imitate a victim’s colleague or family member in order to gain trust,” says Information Age. Of course, the tool could also be a powerful weapon against such exploits. AIs with a nuanced understanding of natural language could, in the future, be used to monitor chats and identify bots or phishers—and in general automate a lot of the tedious security monitoring tasks currently done by humans.
World Economic Forum Forecast Bleak For Cybersecurity
According to the World Economic Forum’s Global Cybersecurity Outlook 23 Insight Report published in collaboration with Accenture, business leaders are more aware of cybersecurity threats to their organization—but still believe they’re more or less incapable of combatting said threats. According to Robison+Cole, ‘“business and cyber leaders believe global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years.” Respondents understand the changing landscape of cyber attacks and they “now believe that cyberattackers are more likely to focus on business disruption and reputational damage. These are the top two concerns among respondents.”’ There’s some hope though, respondents generally recognize that their cybersecurity risk is tied closely to their vendors’ and that cybersecurity regulations generally are an effective tool for reducing risk.
* * * * * * *
To read our latest article, Biden Takes Strong Stance on Cybersecurity, click here.
This week on our podcast, ADCG on Privacy & Cybersecurity, Jody Westby interviews Lauren Wallace, Chief Privacy Officer and General Counsel for RadarFirst, a leading tool for cyber incident management, as they discuss how privacy and cybersecurity incidents are converging and the difficulty large companies are having in managing the vast array of data involved in incident response, especially as it relates to U.S. and global privacy and cybersecurity compliance requirements. They also delve into the complexity of notification requirements, involving law enforcement, consumer protection agencies, attorneys general, regulators, and victims and how incident response tools can help manage the notification process and decrease notification.
Listen here: 86 | Using Tools to Help Manage Incident Response
Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
85 | How Incident Response Has Changed (with guest Violet Sullivan)
84 | Internet Archive Project Related to Russia’s War with Ukraine (with guest Mark Graham)
83 | Geofence Warrants and January 6: Constitutional and Privacy Issues (with guest Matthew Esworthy)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.