Our 2024 predictions in the world of data privacy and security

Hi there,  

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

• Two versions of the European Union’s Artificial Intelligence Act were leaked online.
• Why do organizations struggle to navigate data privacy laws and compliance? They lack the money and don’t understand why it matters.
• The Mother of All Data Breaches means you should probably change your passwords.

But first, what will 2024 bring when it comes to data privacy and data security?

‍

If you only read one thing:  

On the agenda for 2024: privacy laws, security talk, and hacks

Welcome back to FILED for another year. We hope you managed to get a break over the holidays, and you’re approaching 2024 refreshed rather than bleary eyed. But what is on the horizon for 2024? It should be another busy year in the areas we care about, with new privacy regulations and initiatives, and probably a fair helping of unscheduled events like data breaches. Let’s outline what’s on the agenda, from the “definites” to the “probablies”.

Significant regulation is on the horizon

Privacy regulation

At the state level, the United States is in for another busy year, with Iowa, Indiana, Montana, and Texas all having privacy laws due to go into effect this year. The Utah Consumer Privacy Act (UCPA) also went into effect on Dec. 31, 2023, so you can include that as part of the line-up as well.

In Australia, 2024 should see the federal government release a revamped Privacy Act, in response to attorney general, Mark Dreyfus’ review of the legislation. Changes flagged include a right to sue for “serious” breaches of privacy, a right to opt out of targeted advertising, enhanced protections for children, and an end to the small business exemption.

AI regulation

Generative AI is also ripe for regulation, with the European Union’s AI Act set for passage early this year (more on that below) which will include measures that prohibit certain types of AI systems, require others to be classified, and ensure transparency obligations for how AI systems interact with people.

Other countries will follow suit. Following the Biden administration’s executive order on AI last year, expect a lot of talk about regulating the sector ahead of the 2024 federal election (more on that below), particularly in the context of election ads and deepfakes.

Australia is considered by some to be “at the back of the pack” when it comes to regulation. While the government consulted industry on AI regulation earlier this year (read our response), it has yet to announce a response or next steps in the process.

Cybersecurity gets increased attention from governments

Given the number and severity of data breaches in 2022 and 2023, and the relatively low preparedness of businesses and organizations, governments are going to step in more to enable, and sometimes force, businesses to act.

The Australian Federal Government’s Cyber Security and Home Affairs Minister Clare O'Neil unveiled the country’s 2023-2030 Australian Cyber Security Strategy (pdf) late last year. The strategy’s goal is to make Australia a world leader in cybersecurity, focusing on issues like ransomware via methods like a “playbook”, as well as standards for IoT and software development, and an effort to identify and secure the country’s most sensitive datasets. Overall, the strategy represents an ambitious goal, though notably the word “mandatory” is only used three times in the document and the strategy requires buy-in from businesses.

With 2024 being a United States federal election year, it will be interesting to see how cybersecurity is discussed, both as a policy issue and in the context of the actual election process. Already we have seen discussion of the risk of hacking and misinformation, expect these issues to grow more prominent throughout the year.

A major breach impacts millions

Put this one in the “probably” pile. It’s hard to believe that businesses have spent their break rapidly improving their data privacy or security posture, and equally hard to believe that cyber criminals have had a change of heart en masse, so expect another breach to impact millions and prompt another round of, “how the hackers got in,” discourse, but not much reflection on why the victims probably should not have possessed so much data.

Another “probably”, more than one major hack will involve AI-generated code. Fingers will be pointed, the issue of who is to blame will be unresolved, and the pressure for regulation will grow. Perhaps ChatGPT could write something that works for everyone.

🕵️ Privacy & governance  

Two unofficial versions of the EU’s proposed Artificial Intelligence Act were leaked, showing how progress with the law is going. Depending on your level of interest and attention span, you have the choice of an 892-page version, leaked by Euractiv Technology Editor Luca Bertuzzi, or a consolidated 258-page document, leaked by European Parliament Senior Advisor Laura Caroli.

A lack of budget and poor understanding are key obstacles for organizations navigating data privacy and compliance with data protection laws, according to a new survey from industry body ISACA.

Seven data privacy regulation trends for 2024, a handy resource to help simplify the patchwork of state-level privacy laws in the United States.

🔐 Security

26 billion records – 13 terabytes of data – were exposed online in the biggest data leak ever. While this is technically not a new breach, but a compilation of records exposed in previous data breaches, security researchers are still calling this the MOAB (Mother of All Breaches). Worried? Might be worth making a visit to HaveIBeenPwned to see which passwords you should change.

State-backed Russian hackers broke into Microsoft’s corporate email system and accessed the accounts of members of the company’s leadership team and its cybersecurity and legal teams. The hack occurred in November but was only discovered on Jan 12.

📣 The latest from RecordPoint  

Read:  

Learn about data destruction – what it is and why it is an essential part of every organization’s data security and privacy practices.  

Finding it difficult to convince your team of the importance of strong data management and security? Calculate the potential cost of a data breach with our Data Breach Calculator. The numbers may surprise them.

Listen:

As we approach season two of the FILED, listen back on our bumper season one finale, where Kris and I shared our favorite moments from the first season.