Episode 103 - The Future of Data Management
William McKnight, one of the most highly published analysts in information management, offers insights into the future of how big data and artificial intelligence are changing the world. The McKnight Consulting Group is a leading data strategy and implementation firm that helps businesses solve complex problems through the use of growing personal information databases.
Learn from this podcast who is watching us and how our personal data is collected, shared, and used. Discover new analytic uses by enterprises in master data management and how artificial intelligence mines our data to create a burgeoning array of products and services. Hear how AI and other critical technologies will change the world in the next ten years. And consider how this will affect our privacy and what we can do about it.
25 min
Episode 102 - Data Brokers and Our Private Location Information
Data brokers acquire and sell data that includes personal location information. This exposes to others the visits of women seeking pregnancy healthcare options, the church, synagogue, or mosque we attend, and other sensitive information we would prefer to be kept private. In August 2022, the U.S. Federal Trade Commission sued Kochava, an Idaho-based data broker, claiming that it engages in an unfair business practice by sharing location data it gathers from data sources.
Mike Swift, Chief Global Digital Risk Correspondent for MLex Market Insight, a Lexis-Nexis global news organization, discusses the lawsuit and the vital privacy interests at stake. On October 25, 2022, Kochava filed a motion to dismiss and earlier preemptively sued the FTC. Kochava aggressively argues that the FTC lacks authority to make its claims and that data brokers serve an important, positive function.
The Kochava suit will test whether there is federal authority to regulate the sharing of sensitive private information through data brokers. If not, data brokers may be almost entirely unregulated, able to do virtually anything they wish with personal information we did not knowingly authorize them to obtain and sell. You’ll learn what businesses can do amid a chaotic and evolving global legal compliance landscape and what individuals can do to protect their sensitive personal location information.
If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.
24 min
Episode 101 - Data Breaches - The impact on consumers and company personnel
Data breaches are now daily news, like weather reports. Podcast 101 digs beneath the headlines into what happens with data incidents that result in breaches – where our personal information goes, whether it’s ever truly recoverable, what businesses can do to prevent and address breaches, what consumers can do about it, and how one company officer became the first U.S. person to be criminally convicted for mishandling a company’s data breach.
Andy Lunsford, founder/CEO of BreachRx, offers insights and advice for what companies and individuals can do about data breaches. Companies that have a data response plan in place and test it in advance are best positioned to deal with them. The October 5, 2022 conviction of Uber’s former Chief Information Security Officer highlighted the rising risks involved for business officers charged with data breach management. Consumers can act immediately when informed that their data was breached. Despite the need for a global standard about data breach response time and other non-political aspects of cross-border data, there is none, and not even a U.S. common approach.
Tune in to understand what happens when a data breach occurs and what each of us can do to respond to it.
20 min
Episode 100 - Spell-Jacking: Addressing a threat to personal data privacy
Spell-jacking: a new word emerging from the tech world. Learn its meaning and what can be done to protect personal data privacy. We use convenient third-party features on websites that can expose highly sensitive information about us without our even suspecting this is happening.
When we use spellcheck on a website, this can send the entire form we are working on to “the cloud.” The information is in flight and can be shared (or hacked) in unexpected ways. A September 2022 study by otto-js, a JavaScript security firm, found that the vast majority of enterprise websites send data with Personal Identifying Information (PII) back to Google or Microsoft when users access Chrome Enhanced Spellcheck or Microsoft Edge Editor. This can release passwords, Social Security numbers, and other personal information users would not approve. Through enabled features that are convenient for users (such as spellcheck or “show my password”), personal data is being shared in ways individuals did not expressly approve and would avoid if they could.
Otto-js co-founders Maggie Louie and Josh Summitt tell how this problem was discovered and share how risks can be mitigated. While legitimate enterprises have no interest in releasing PII to mal-actors, spell-jacking as such is currently unregulated or under-regulated. Learn how industry and regulators are addressing this issue – and what consumers can do about it to protect their own personal privacy. Helpful guides for developers and consumers are available on the otto-js website.
22 min
Episode 99 - National Cybersecurity Awareness Month
Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). For more information about ways to keep you and your family safe.
1. Instagram fined 405M Euros for GDPR violations.
2. Google and Meta were fined a total of $72 million by South Korea’s Privacy and Protection Commission for tracking behavior on other sites without consumer approval, then using that data for advertising.
3. The Internal Revenue Service acknowledged Friday that it had inadvertently exposed a batch of taxpayer information linked to some non-profits and other tax-exempt organizations, following a Wall Street Journal report that said as many as 120,000 individuals may have been affected by the error.
4. While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering. At its peak the database held over 800 million records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently and as a result of human error.
5. China hopes to tighten its cybersecurity laws with higher fines for some violations. If the amendments are approved, fines for critical information infrastructure operators who use products or services that have not undergone security reviews could be 5% of revenue or 10 times their cost.
6. According to Acronis, ransomware losses worldwide are expected to surpass $30 billion by the end of 2023.
7. Lloyd’s of London Ltd. has told insurers that nation-state attacks and related losses will be excluded from insurance coverage after 1Q 2023. A 2022 court ruling dashed insurers’ hopes that “cyber war” exclusions would let them avoid payment for such losses.
8. Québec’s personal information privacy act takes effect September 22, a provincial statute that supplements Canada’s federal legislation, including the term “confidentiality incidents” and addressing biometric information.
9. Euractiv reports that the EC will introduce its proposal for a Cyber Resilience Act this week. The Act will address cybersecurity issues with consumer-connected devices.
10. UK - The Telecommunications (Security) Act 2021 (Commencement) Regulations 2022 have been made. They bring the Telecommunications Security Act 2021 (TSA) into force from 1 October 2022. The Electronic Communications (Security Measures) Regulations 2022 under the TSA will come into force on the same date.
11. After TikTok allegedly violated U.K. privacy regulations, the Information Commissioner’s Office sent a notice of intent including a possible fine of £27 million.
12. California Governor Gavin Newsom has signed The California Age-Appropriate Design Code Act into law.
The new legislation, signed by Newsom on September 15, 2022 and passed by the state congress in late August, will implement some of the strictest privacy requirements for children in the US, especially in relation to social media.
13. U-Haul International disclosed that it has experienced a data breach of names, drivers’ licenses/state IDs but indicated no credit card or financial information was compromised.
14. A teenage cyberattacker gained full access to Uber’s systems after impersonating an IT professional from the popular rideshare company to gain VPN access.
15. Congress is investigating Meta after The Markup discovered the tech giant’s Pixel tool gathered information on users’ private health records.
16 min
Episode 98 - “Do not sell my personal information”
How a California statute works in practice
In August 2022, California’s Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), California requires companies subject to its laws to give their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora’s website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires.
Sephora promptly changed its website. But how? This podcast discusses how in this CCPA example, the consumer’s ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word “sell” itself has no settled definition. Sephora argued that it was merely “sharing” rather than “selling” its customers’ personal information to other businesses, but the attorney general disagreed. The California Privacy Rights Act (CPRA) effective in 2023 will address the “sharing” of personal information, a much broader reach than “selling.”
Tune in to Episode 98 to learn how a privacy law moves from theory to practice, what it means for personal privacy rights, and how businesses that rely on data sharing and selling may not make it simple for their customers to exercise rights that a law creates.
14 min