In the August 2022 edition of our business privacy newsletter, you’ll find our take on:
Regulatory Roundup: Interest Groups Take Competing Sides on ADPPA; FTC Begins Process for Privacy Rule-Making
Over the past month privacy advocates, think tanks, editorial boards, and state privacy agencies have each voiced support for or opposition to the American Data Privacy and Protection Act (ADPPA), which was reported out of the House Energy and Commerce Committee in July but has not yet been scheduled for a floor vote.
In other regulatory news, the FTC issued an advance notice of proposed rulemaking (ANPR) on commercial surveillance and data security and will hold a public forum on September 8. Over the past year, the FTC has been pressured repeatedly by Congress and the President to increase its oversight of commercial data collection and use.
We disagree with the position currently taken by the EFF and California's own privacy agency, that state preemption should be a key deal-breaker for the ADPPA. The ADPPA provides many consumer rights (such as a limited private right of action) and civil rights protections that California does not, and its data minimization requirements go further than any state law to date. We do think, however, that the likelihood of passage still remains slim.
Whether it passes or not, the FTC will remain the most important data privacy regulator in the US, and we will be watching closely how it independently expands its mandate over the coming months. Earlier this year, Consumer Reports provided its own recommendations on how FTC rulemaking could be used to impose new data-minimization requirements.
Twilio and Cloudflare Hit by Social Engineering Attacks Using Employee and Family Member Home Phone Numbers
On August 4, Twilio, an API communications provider, became aware that it had been hit by a targeted SMS phishing ("smishing") campaign; Cloudflare, a content delivery and security service, reported a closely timed attack that followed the same playbook. Employees, and in some cases their family members, received text messages on work and personal phones pointing to lookalike login pages that captured credentials and one-time passcodes. At Twilio the attack compromised some employees' credentials and gave the attacker access to customer data, which ultimately exposed the phone numbers of roughly 1,900 Signal users. Cloudflare counted at least 76 employees who received the texts within about a minute; three entered their credentials, but the company's FIDO2 hardware security keys prevented those credentials from being used to take over accounts. The phishing domains were registered less than an hour before the messages went out, so monitoring designed to flag newly registered lookalike domains had not yet caught them.
While the breach wasn't particularly large or technically unique, it provides a concrete example of what we have argued for years: that publicly available employee PII is a real attack vector, and that open-source intelligence (OSINT) scraping of PII for use in social engineering is becoming increasingly sophisticated. While indiscriminate, broad-net "spam"-style phishing is still common, it is easier than ever to create highly convincing, targeted phishing attacks using improved OSINT tools.
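The timing trick described above (a lookalike domain registered minutes before the texts go out, so a blocklist built from a periodically synced new-domain feed does not yet know about it) is easy to show in code. The following is an added example written for this newsletter, not code from DeleteMe, Twilio or Cloudflare; the organisation name `examplecorp`, the domains, timestamps and SMS log lines are all constructed. It contrasts a feed-based blocklist with a content check (brand terms plus edit distance to the real domains) that needs no registration data and can run at delivery time.

```python
"""Triage of URLs seen in SMS logs: feed-based blocklist vs. content checks.

Added example for this newsletter; not DeleteMe's, Twilio's or Cloudflare's code.
All domains, timestamps and log lines below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumed: domains the organisation legitimately uses for sign-in.
LEGIT_DOMAINS = {"examplecorp.com", "okta.com"}
# Assumed: brand and SSO terms whose presence in an unrelated domain is suspicious.
BRAND_KEYWORDS = ("examplecorp", "okta", "sso", "login", "mfa")
# A domain younger than this counts as "newly registered" for the feed blocklist.
NEW_DOMAIN_AGE = timedelta(days=30)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com/.org samples here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as 'examp1ecorp'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain: str) -> list[str]:
    """Content-only checks: no registration data needed, so they work at delivery time."""
    if domain in LEGIT_DOMAINS:
        return []
    label = domain.split(".")[0]
    reasons = [f"brand term '{k}' in domain" for k in BRAND_KEYWORDS if k in label]
    for legit in LEGIT_DOMAINS:
        legit_label = legit.split(".")[0]
        if label != legit_label and levenshtein(label, legit_label) <= 2:
            reasons.append(f"within 2 edits of {legit}")
    return reasons


def feed_blocklist(registrations: dict[str, datetime], synced_at: datetime) -> set[str]:
    """Blocklist as a batch job would build it: only registrations visible at sync time."""
    return {
        d for d, reg in registrations.items()
        if reg <= synced_at and synced_at - reg < NEW_DOMAIN_AGE and lookalike_reasons(d)
    }


def triage(sms_log: list[str], registrations: dict[str, datetime],
           synced_at: datetime) -> list[dict]:
    """Return, per message, whether the feed blocklist and the content check flag its URL."""
    blocklist = feed_blocklist(registrations, synced_at)
    results = []
    for line in sms_log:
        url = next(tok.strip('"') for tok in line.split() if tok.startswith("http"))
        domain = registrable_domain(urlparse(url).hostname or "")
        reasons = lookalike_reasons(domain)
        results.append({
            "domain": domain,
            "in_feed_blocklist": domain in blocklist,
            "flagged_by_content": bool(reasons),
            "reasons": reasons,
        })
    return results


# Constructed sample data: a legitimate link, a typo-squat registered ten days ago,
# a lookalike registered 40 minutes ago (after the hourly blocklist sync), and an
# unrelated site.
NOW = datetime(2022, 8, 4, 2, 30, tzinfo=timezone.utc)
SYNCED_AT = NOW - timedelta(hours=1)  # last time the new-domain feed was pulled
REGISTRATIONS = {
    "examplecorp.com": NOW - timedelta(days=3650),
    "okta.com": NOW - timedelta(days=3650),
    "examp1ecorp.com": NOW - timedelta(days=10),
    "examplecorp-sso.com": NOW - timedelta(minutes=40),
    "example.org": NOW - timedelta(days=3650),
}
SMS_LOG = [
    'to=+15550100 body="Reminder: https://examplecorp.com/benefits"',
    'to=+15550101 body="Password expiring, renew at https://examp1ecorp.com/sso"',
    'to=+15550102 body="Your schedule changed, review: https://examplecorp-sso.com/login"',
    'to=+15550103 body="Lunch menu https://news.example.org/today"',
]


def run_sample() -> list[dict]:
    return triage(SMS_LOG, REGISTRATIONS, SYNCED_AT)


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

In the sample run the ten-day-old typo-squat is caught by both mechanisms, but `examplecorp-sso.com` is absent from the feed blocklist because it was registered after the last sync; only the content check flags it. The practical lesson is the one Cloudflare drew: treat domain-age feeds as one signal, and pair them with delivery-time lookalike checks and phishing-resistant MFA so that a captured password and one-time code are not enough on their own.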
Illuminate Education Breach Leads to Scrutiny of Student Surveillance Practices
A cyberattack earlier this year on Illuminate Education, which provides K-12 schools with instruction, assessment, and data-analytics tools, compromised personal information of students across the nation's largest public school systems. The list of schools exposed in the breach has grown steadily and now encompasses millions of students across dozens of districts.
The event has drawn more attention to the surveillance practices of schools, many of which expanded during the pandemic. A recent New York Times feature story reviewed the range of sensitive data now being tracked and highlighted the lack of oversight over EdTech providers.
Educational institutions, both K-12 and universities, have been among the top sectors targeted by cyberattacks in recent years. The mix of lax IT security, expanding data collection, limited liability, and growing reliance on third-party cloud service providers makes them both uniquely vulnerable and poorly resourced to address the problem.
Check out our log of where DeleteMe has been featured in the news this month, including interviews and quotes where we discuss privacy, cybersecurity, our solution, and everything in between.
If you have any suggestions for next month's edition, please let us know.