Hello all, and happy Thursday!
With nearly 3 billion records exposed, the National Public Data breach is up there with the largest data breaches of all time. Technically, that dubious honor belongs to Yahoo, whose 2013 breach affected 3 billion accounts. National Public Data’s breach only exposed 2.9 billion records (which doesn’t necessarily mean 2.9 billion individuals).
Fortunately, a significant portion of the exposed data appears to be inaccurate. This, too, is unsurprising considering that National Public Data is alleged to have collected it via scraping.
But this suggests another question: Why would National Public Data undertake this incredibly risky, ethically dubious mass collection of personal information for data that isn’t even accurate? Why put your organization at risk in this way when the payoff is so unreliable? One can only assume that these questions were simply never considered.
Best,
Arlo
P.S. If you don’t know where your data lives, you don’t know if it’s generating excess risk for your organization. Register for our upcoming webinar, A Sneak Peek into Data Mapping, to find out how data mapping can give you insight into and control over the data you handle.
Class action complaints across the state of Arizona allege that certain common uses of pixel-tracking technology in marketing emails violate Arizona’s Telephone, Utility, and Communication Service Records Act. The complaints contend that the information procured by these pixels (e.g. information indicating when an email is opened and read) constitutes a “communication service record” as defined by the act. The act forbids organizations from obtaining communication service records without consent by fraudulent, deceptive, or false means.
Recent activity out of Texas suggests the Lone Star State is trying to stake its claim as a leading authority on alleged consumer protection and privacy violations. The Texas attorney general's office recently netted a USD 1.4 billion settlement with Meta over alleged nonconsensual biometric data use. The office followed that up with a lawsuit against automaker GM claiming it sold driving data to insurance companies without knowledge or consent. Additionally, the attorney general's office has sent more than 100 compliance letters to companies citing a lack of data broker registrations in violation of the Data Broker Law. More enforcement actions may be on the horizon, particularly regarding the Texas Data Privacy and Security Act.
A US court issued an opinion partially upholding—and partially vacating—the District Court for the Northern District of California’s preliminary injunction preventing the California Age-Appropriate Design Code Act (CAADCA) from going into effect. Specifically, the opinion upheld the district court’s injunction related to privacy impact assessment (PIA) provisions. Although the court's decision has not yet gone into effect, businesses subject to the CCPA may soon find themselves on the hook for complying with many provisions in the CAADCA.
The Swiss Federal Council has added the US to the list of countries with an adequate level of data protection. Effective September 15, 2024, US organizations that certify to the Swiss–U.S. Data Privacy Framework (DPF) can commence receiving transfers of personal data from Switzerland without implementing additional safeguards.
New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. Recently, it was discovered that another NPD data broker (which shares access to the same consumer records) inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.