Republicans & the FTC’s Data Privacy Rules, Social Engineering & Gov Workers: November 2022 Newsletter
DeleteMe
In the November 2022 edition of our business privacy newsletter, you’ll find our take on:
- Republican Senators Asking the FTC to Back off New Data Privacy and Surveillance Rules;
- The Increase of Social Engineering Attacks on Government Workers;
- The California Child Privacy Framework as a National Standard.
Republican Senators tell FTC to Back off New Data Privacy and Surveillance Rules
In early November, a trio of Republican Senators sent a letter to FTC Commissioner Lina Khan urging the agency to halt its new rule-making process on commercial surveillance and consumer data privacy. They argued that the FTC was usurping Congressional regulatory authority, adding to the needless complexity already created by a patchwork of new state data privacy laws, increasing compliance costs for businesses, reducing companies’ ability to innovate, and disproportionately hurting small businesses.
Our Take
In theory, the case that the FTC’s timing is inappropriate has some merit, given that Congress currently has a comprehensive data privacy bill (the American Data Privacy and Protection Act, “ADPPA”) before it. Additionally, control of the House has recently changed hands in Republicans’ favor, which may give the Republicans a greater opportunity to shape its future.
But neither party has shown any particular appetite for action on data privacy laws over the past decade, with each favoring either ‘no new regulation’ or a watered-down bill that renders new state laws toothless. The FTC rule-making process is also notoriously slow, and the current value it may serve is to help identify key areas for improvement that should be included in any eventual legislation.
Social Engineering Attacks Increasingly Targeting Government Workers
A recent report from security firm Lookout claims a 50%+ annual increase in phishing attacks targeting state, local, and federal employees over the past two years. Analysts suggest growth is being driven by both adversarial nation-state actors and financially motivated criminal gangs who have found targets like state benefits agencies easier pickings compared to the increasingly threat-aware private sector.
Our Take
The pandemic has created greater risk susceptibility across the entire economy over the last two years, with a growing number of employees working remotely and increasingly relying on personal devices for sensitive credential authentication. That government is poorly prepared and increasingly targeted is borne out in a wide range of research. While there has been growth in State and Federal cybersecurity spending over the past two years, much of it remains concentrated among a few agencies and is unlikely to change the status quo in the near term.
California’s Child Privacy Framework Could Become National Standard
In September of this year, California passed its “Age-Appropriate Design Code” into law (modeled after the United Kingdom’s ‘Children’s Code’), requiring online services accessed by children under 18 years old to comply with heightened privacy requirements. Other states (like NY, PA, and WA) quickly introduced copycat bills, and the Senate recently advanced the Kids Online Safety Act (KOSA) – a collection of updates to the Children’s Online Privacy Protection Act (COPPA) – out of committee. KOSA includes many provisions similar to CA’s framework, despite many serious concerns about the inherent vagueness of the requirements, and the perverse fact that this approach to ‘privacy’ mandates more intrusive data collection by service providers rather than less.
Our Take
It may come as a surprise that this is an area of privacy regulation that many privacy advocates oppose. As The Electronic Frontier Foundation (EFF) puts it:
“These bill(s), supposedly designed to protect our privacy, actually require tech companies to collect more data on internet users than they already do.”
Legislators may be eager to be seen as “doing something” about privacy because it is politically popular, while quietly shelving the harder, less headline-friendly consumer privacy rules like those proposed in the American Data Privacy and Protection Act.
DeleteMe In The News
Check out our log of where DeleteMe has been featured in the news in November.
Upcoming Events
CIO & CISO Perspectives
We are excited to meet the CIOs, CISOs, and other senior technology executives gathering to talk about the biggest IT and security issues they’ll face in 2023. Let us know if you are attending this event in San Francisco and would like to meet up by reaching out to our sales team or, even better, come by our table at the event to say hello!
- Employees, Executives, and Board Members complete a quick signup
- DeleteMe scans for exposed personal information
- Opt-out and removal requests begin
- Initial privacy report shared and ongoing reporting initiated
- DeleteMe provides continuous privacy protection and service all year
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.