The data privacy regulation floodgates have opened. Time to catch up.

It’s time to focus on data governance, not just the firewall.

Anthony Woodward


Share on Social Media
November 14, 2023

Subscribe to FILED Newsletter

Get your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

  • Biden calls for data privacy regulation while he takes action on AI.
  • Young people care about protecting their privacy.
  • More fallout out from the HWL Ebsworth and MOVEit attacks.

But first, it’s time to move beyond the firewall.

If you only read one thing:  

The privacy regulation floodgates have opened, how well are you prepared?

While we are a little early for the end-of-year round-ups and the 2024 prognostications – rest assured, they will come in next month’s newsletter – it is undeniable that this year has seen an explosion in data privacy regulations.

As IAPP’s excellent round-up of 2023 in US state-level privacy developments makes clear. This was the year when the floodgates opened when it came to consumer privacy laws, with seven new laws enacted in states like Delaware, Indiana, and Iowa.

Meanwhile, thanks to a new law with a very catchy name, “the Delete Act”, Californians can now request all data brokers in the state scrub their information, with data brokers required to register with the California privacy protection agency (CPPA). And in Washington State, personal health data that falls outside the Health Insurance Portability and Accountability Act (HIPAA) is newly protected under the state’s My Health, My Data law. This law passed in April, and will gradually come into effect between July 2023 and June 2024.

In Australia, the federal government announced its intention to overhaul the nation’s privacy laws, which will include introducing a “right to be forgotten”, bans on targeted advertising for children, and a right to sue for privacy invasions. Legislation will be introduced next year.

Change is coming at the state level as well, with the Western Australia government announcing it is drafting privacy legislation which will include a privacy commissioner and a mandatory breach reporting scheme.

Change is here, are you ready?

We say this often, but you need to be prepared for these laws. In this case, preparation looks like data mapping; understanding your data estate and considering how you will apply these privacy laws to your collection of platforms and storage systems.

However, the results of our Pulse of the Industry Report 2023, released last month, suggest many organizations in Australia are still at the fundamental early stages of data governance; they are focused on the firewall, not the governance. Organizations are focused on keeping bad actors out, rather than pruning and caring for their data.

It should be obvious now that this approach is insufficient. Hackers will always find a way in, no matter your organization’s size or sophistication. You must prepare for this eventuality so you can minimize the impact. Ensure you have visibility over all your data, so you can remove what is no longer needed.

2024 must be the year we start thinking about the data and not just the firewall. If the law does not compel you, the hackers will.

Privacy & governance

Younger people (especially in their 20s and 30s) are more active in protecting their privacy, compared with older generations, including understanding privacy regulations. The kids are alright!

US president Joseph Biden’s executive order on AI includes plenty actions focused on strengthening privacy, including calling on Congress to pass comprehensive privacy legislation. While we wait, the order also includes actions like providing support for the development of privacy preserving techniques in AI systems and strengthening privacy guidance for federal agencies.

New York City attorney general Letitia James fined a Long Island-based home health care company, Personal Touch, for failing to protect patient and employee data and leaving it vulnerable to a ransomware attack.

How to decide whether your company should join the EU-US Data Privacy Framework.

Australia’s National Disability Insurance Agency (NDIA) says 645 participants’ and prospective participants’ information were caught up in the HWL Ebsworth data breach.

Meet your new cyber auditor – your insurer.


The Securities and Exchange Commission charged SolarWinds and its chief information-security officer with fraud and the failure to fully disclose cybersecurity weaknesses, in connection with the 2020 cyber attacks.

Russian hackers breached 632,000 Department of Justice and Pentagon email addresses as part of the major MOVEit hack earlier this year.

Cloud apps are increasingly being used to spread malware, according to a new report from Netskope.

An alliance of 40 countries, including the United States and Australia, will sign a pledge not to pay ransoms to cybercriminals.

Job hunters should beware fake job ads on LinkedIn, with fake ads for roles at memory and gaming accessories company Corsair, with the apparent goal of seizing access to the Facebook accounts of businesses.  

Hackers are using AI for phishing attacks.

The latest from RecordPoint  


The Pulse of the Industry Report 2023. The second in an annual series, and built in partnership with RIMPA, this report acts as a measure of progress for the industry, providing an industry-wide health check. This year, as well as reviewing a standard range of measures, we wanted to understand how members’ organizations have managed change in a time of ongoing data breaches and privacy challenges. Read the report.

What is information management? A one-stop resource for the next time someone asks you why records and information management professionals are needed.


Director of Third-Party Risk Management at UpGuard Aaron Spiteri discusses the challenges organizations face managing their third-party risk and offers suggestions for organizations to ensure vendors are maintaining a high level of security.

Co-founder and managing director of ISD Cyber Yvonne Sears offers her perspective on how public and corporate attitudes towards privacy have evolved, what may be next for privacy regulation, and what organizations need to do better to ensure they meet their obligations.    


Get hooked on FILED

This can be a fast-paced, complex industry and it can get overwhelming. FILED is here to help you navigate it.