In the April 2023 edition of our business privacy newsletter, you’ll find our take on:
Iowa and Indiana have become the sixth and seventh states to pass comprehensive consumer online privacy laws; others are expected to follow later this year. Both new laws largely track the approach of the “WPA Model” shared by CO, CT, and VA and are considered generally weaker than California’s CCPA framework. A comparison of existing state privacy law details is available here.
The Washington state legislature recently passed the My Health, My Data Act, which includes a private right of action similar to the IL Biometric Information Privacy Act (BIPA) and broadly defines both ‘health data’ and covered entities. This will be one to pay attention to.
Additionally, Arkansas has joined Utah in passing age-verification restrictions on social media use, and the Montana legislature advanced a complete ban on TikTok, which now awaits the Governor’s approval. Social media age-verification proposals are also quickly advancing in other states, including Ohio, Connecticut, and Minnesota.
While more states are passing relatively weak, cookie-cutter privacy legislation, we still see it as a welcome trend. It provides a foot in the door for future improvement and will pressure Congress to meet a higher standard with any eventual Federal privacy laws.
By contrast, we think the current ‘age-verification’ regulations are negative developments for online privacy and are likely to eventually face constitutional challenges.
Including the private right of action in Washington’s Health Data bill is notable and may prompt similar me-too legislation elsewhere.
The House Oversight and Investigations Subcommittee will hold a hearing on “The Role of Data Brokers in the Digital Economy,” scheduled for April 19th [view recording]. As described by committee members:
“This hearing will give our members a chance to shine a light on the role of data brokers and educate Americans on unchecked collection of their sensitive personal information. It will also highlight the further need for a strong national data privacy standard.”
Also this month: CISA, the US Cyber Defense Agency, published a “Secure by Design, Secure by Default” set of recommendations for software developers to improve base-level privacy and security standards as part of Biden’s recently proposed National Cybersecurity Strategy.
While the standards have no regulatory force, they represent, according to the Washington Post, “a potentially contentious multiyear effort that aims to shift the way software makers secure their products.”
The recent congressional data breach might motivate a few members to take consumer data privacy regulation more seriously. Still, we have low expectations for new developments in Federal data broker oversight or hardening enforcement around cybersecurity standards.
Kaspersky Labs reports that hackers increasingly provide ‘how-to guides’ and software toolkits to automate the data collection and targeting processes of social engineering attacks, and they’re doing so via automated bots on platforms like Telegram. A report from Cofense noted in January that the use of Telegram bots for credential phishing grew 800% in 2022 over 2021.
While phishing toolkits are nothing new, the use of relatively low-tech, mainstream platforms like Telegram indicates the growing maturity of the industry and the relative ease with which aspiring hackers can begin launching attacks at scale.
The International Association of Privacy Professionals just held its Global Privacy Summit in Washington, DC, and in case you didn’t attend, here is a good summary of takeaways from the event.
Also, their Privacy and Consumer Trust Infographic provides some insights from their recent global consumer survey, which highlights, among other interesting facts, that cybersecurity incidents do impact which companies consumers are willing to buy goods/services from.
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.