Preparing for a US federal privacy bill and more

What is the ADPPA? Privacy lawsuit settlements abound. Unsettling security breaches & more news and content!

Anthony Woodward


September 9, 2022


Welcome to FILED Newsletter, our monthly round-up of relevant news, opinion, guidance, and other useful links in the world of data, records and information management. This month:

  • What is the ADPPA?
  • There were settlements galore in various privacy lawsuits.
  • Some decidedly unsettling security breaches and ransomware attacks.
  • Learn how RecordPoint helped the Australian Human Rights Commission fill a gap in staffing.

If you only read one thing

Learn more about the ADPPA, the United States' upcoming(?) federal privacy bill

With bipartisan support, the American Data Privacy and Protection Act (ADPPA) was voted out of the U.S. House of Representatives Committee on Energy and Commerce by a vote of 53-2 on July 20, 2022. The bill still needs to pass the full House and the Senate in the coming months.

Let's quickly review what's in the bill, and what it may mean for organizations.

What’s in the ADPPA?

The American Data Privacy and Protection Act is a long-awaited, comprehensive federal privacy law that aims to restrict the collection, processing, and transfer of the personal data of Americans and to give U.S. citizens greater rights over their personal data.

The bill excludes three big data categories: deidentified data, employee data, and publicly available information.

How ADPPA protects data

The act would require data collection to be as minimal as possible. The bill allows covered entities to collect, use, or share an individual’s data only when reasonably necessary and proportionate to a product or service the person requests, or to respond to a communication the person initiates. It also permits collection for authentication, responding to security incidents, preventing illegal activities or serious harm to persons, and complying with legal obligations.

People would gain rights to access and exercise some control over their data. The ADPPA gives users the right to correct inaccuracies in, and potentially delete, their data held by covered entities.

The bill permits data collection as part of research for public good. It allows data collection for peer-reviewed research or research done in the public interest – for example, testing whether a website is unlawfully discriminating. This is important for researchers who might otherwise run afoul of site terms or hacking laws.

How should organizations prepare?

It’s important to consider what controls you’ll need to meet these potential data protection obligations.

The key consideration? Organizations need to know how much data is proportionate to collect, and ensure they have a process to minimize collection so they can limit it to what is reasonably necessary.

Organizations also need to be prepared to deactivate (dispose of) data in their systems when requested, and to offer even greater protection to ensure data collected from children or minors stays protected within the organization.

🤫 Privacy & governance

Facebook “dramatically” agreed to settle a lawsuit seeking damages for the Cambridge Analytica scandal, for an undisclosed sum. The settlement unfortunately means we’ll miss out on six hours of testifying from Mark Zuckerberg and Sheryl Sandberg.

Rival social media company Snap settled its own lawsuit, brought under the Illinois Biometric Information Privacy Act. The suit alleged Snap collected consumers’ biometric data without proper notice or consent, and without a publicly available retention schedule, guidelines for permanently destroying users’ biometric identifiers, or a stated initial purpose for collecting such identifiers.

Speaking of settlements, cosmetics retailer Sephora will pay $1.2 million for selling customers’ data without telling them, in the first significant settlement under the California Consumer Privacy Act.

In Victoria, Australia, the police force had nobody to run privacy training for a year. The initiative apparently wasn’t a priority due to low complaint numbers. File under: ¯\_(ツ)_/¯

We need a new “geolocation data privacy paradigm”, argues this post from the International Association of Privacy Professionals.

🔐 Security

Russia-linked hacking group BlackCat has claimed responsibility for a ransomware attack on Italy’s GSE energy agency. You might remember this group did the same to Luxembourg energy provider Encevo Group last month.

Samsung suffered a data breach over the weekend. Affected customers are being contacted, but the company isn’t saying exactly which system was compromised. According to Forbes, the data potentially accessed includes US customers’ names, contact details, dates of birth, demographic details, and product registration data.

Aaaand another breach, this time at password manager LastPass. No user data should be impacted, but the attacker did get portions of source code and proprietary technical information. If a new password manager competitor called Second-to-LastPass springs up in the next few months, we’ll all know where they got their ideas.

Maintaining records of privacy incidents is important for all organizations. Learn about the operational advantages of a good privacy breach record-keeping program.

📣 The latest from RecordPoint

The Australian Human Rights Commission ran into staffing issues, meaning they needed a solution to meet the high standards required of their organization. Learn how our Records Management as a Service (RMaaS) solution allows the Commission to fill the gap.

Learn more about RMaaS and other new RecordPoint offerings in our Quarterly Product Webinar.

Organizations using Microsoft 365 for their records management needs may need to implement a more powerful records management system alongside it. Learn more in our ebook.

Managing physical records is (still) an important part of records management, but the advent of hybrid and remote working has brought new challenges to an already complex task. Learn how a records management solution like RecordPoint can help.

Lastly, learn about the challenges agencies face in responding to public information requests such as FOIA, and how RecordPoint can help speed up responses and help agencies ensure they do so in a safe, compliant way.

That is everything we have for you this month. Welcome to everyone who may be receiving this for the first time; I hope this (very new!) newsletter was worthwhile. We'll have more for you next month.
