Is data privacy ascendent or struggling?

Hi there,  

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

• The EU has passed its landmark AI regulation.
• A sophisticated, state-sponsored hacking campaign breached 70 organizations across 45 countries.
• More than 11,000 cybercrime incidents have been linked to last year's Medibank data breach.

But first: a check in on the state of data privacy, as a practice and a movement.

If you only read one thing:  

Is data privacy winning?

Since the passage of the General Data Protection Regulation (GDPR) in 2016, we have had many reasons to cheer the progress of data privacy. We see examples of lawmakers taking the issue more seriously, passing laws compelling companies to do the same. Meanwhile, consumers are growing more aware of their data’s importance, so they are more demanding of companies to treat their data with respect, and will vote with their wallets. Underscoring all this proactive change is the threat of data breaches, which provides more impetus for everyone to improve their security and risk posture.

But is data privacy as a concept, as a practice really on the upswing? A couple of stories from this month offered a conflicting narrative.

On the positive side of the argument, it was interesting to read detailing how the advertising industry is responding to increasing data privacy measures.

Thanks to privacy-by-design methods and privacy legislation, advertisers are struggling with “signal loss” (i.e. user data), resulting in more generic and less effective advertising. This is reshaping the industry, with new training, new departments, and a shift to first-party data.

Adding to the narrative, recent moves made by the United States federal government and the Federal Trade Commission (FTC) have targeted mass data collectors and made clear that to the executive, at least, "browsing and location data are sensitive, full stop”.

Think of the children

But on the other side of the ledger, let’s reflect on how normalized the process of collecting customer data has become.

Amid all the drama surrounding the US House of Representatives passing a bill to force ByteDance to divest TikTok or face a ban, there was a detail that stuck out.

Remember, lawmakers had several distinct arguments for the effort, including its potential effect on children, but the relevant one for us is that TikTok could make sensitive data available to the Chinese government.

Leaving aside the fact that there are a lot of other ways that China already collects this data, let’s assume this is a real threat.

TikTok collects an enormous amount of data on users, both to tune its advanced machine learning models and to bolster its advertising business. But no more so than other social media platforms, according to researchers. The question is whether the platform is governing this data appropriately. Again, you could ask the same question of Meta, Twitter/X, and any other social media platform.

In discussing the ban, White House National Security Advisor Jake Sullivan had this to say: "Do we want the data from TikTok — children’s data, adults’ data — to be going — to be staying here in America or going to China?"

It was interesting to hear this issue framed in this way, like the data collection must happen, the only questions are who does it and where the data goes. Yes, this was a throwaway line from someone who should know better, but I think it represents a common belief, and not one unique to the United States.  

While this mass data collection has been a part of our internet experience for decades, does it need to be?

Perhaps a better question than “who collects our children’s data?” would be, “Do we want companies to collect all this data in the first place, with such limited oversight?” And perhaps a better mechanism to address the issue in the US would be a federal privacy law.

For those hoping for such a law, the proposal last week of a new bipartisan bill—the American Privacy Rights Act—will be welcome news, though early responses to the bill from lawmakers and privacy experts have been mixed. Will this be the one that sticks?

Because it's clear that while progress has been made in data privacy, our embedded attitudes toward data collection are holding us back.

.

🕵️ Privacy & governance

The European Union passed its landmark AI legislation, expected to go into effect in May.

Cyber-attacks on US healthcare providers and their suppliers are leading some lawmakers to consider cybersecurity regulations for the sector, an idea industry groups stridently oppose.

Google will destroy billions of records to settle a lawsuit claiming it secretly tracked users of incognito and private browser modes.

The US Department of Transportation will review the security and privacy practices of US airlines.

The results of a global survey of general counsels indicate data privacy laws have impacted Australian companies across the board, and most general counsels in the country have established processes to deal with compliance and vendor risk management for privacy laws.

🔐 Security

A Chinese Advanced Persistent Threat (APT) group known as 'Earth Krahang' has been running a sophisticated hacking campaign since 2022, breaching 70 organizations and targeting at least 116 across 45 countries.

A review into a 2023 Microsoft Exchange Online security breach concluded that the breach was preventable, and the result of “a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management.”

As a good example of the long-term consequences of a data breach, Australian police have linked over 11,000 cybercrime incidents to the Medibank breach.

Streaming platform Roku was hacked, with 15,000 customer accounts being sold for as little as 50c each. In some cases, victims’ credit card details were used to purchase other streaming subscriptions.

This examination of the almost-successful XZ Utils backdoor, which was uncovered late in March, is fascinating/terrifying. If the backdoor had been successful, it would have dwarfed the SolarWinds event in 2020.

Forget about ransomware, Australian Home Affairs minister Claire O’Neil is warning of a growing cyber sabotage threat to the country’s power, telecommunications, health and water infrastructure.

📣 The latest from RecordPoint  

📖 Read:  

With more unstructured data comes more risk. But companies struggle to manage this data appropriately. Learn how the right tools can help improve unstructured data governance and reduce risk.

🎧 Listen:

Two new episodes to talk about this month, focused on each of our two passions in this newsletter:

RecordPoint’s very own Miles Ashcroft, Head of Risk, joins Anthony and Kris in the latest episode of FILED to discuss how he approaches risk and why compliance should be seen as an asset, not a burden.

And then Votiro VP of Product Management Eric Avigdor, whose company builds a platform for proactive cybersecurity management, discusses the dangers of reactive cybersecurity—i.e. the standard way to approach cybersecurity. He also discusses how the concepts of shift-left and zero-trust offer solutions to all organizations.

‍