AI Bellwethers in the US and EU
Hello all, and thanks for reading today.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Published: February 2, 2021
This week, Washington state disclosed a breach at its auditors' office. In it, 1.4 million people claiming unemployment had their personal data exposed. That data included their banking information, Social Security numbers and driver's license numbers. As one source said in The Seattle Times' coverage of the breach: With this data, nefarious actors "have everything they need in order to take whatever money is in that account and electronically transfer it to an account that they control."
Sort of wild and weird aside, here: The auditor's office had collected the now-exposed data to figure out how the state recently lost $600 million to fraudulent unemployment claims.
But here's the essential part: The breach didn't occur at the hands of the auditor's office itself, but because of a third-party software service with whom the auditor contracts to transfer large data files, called Accellion. The state has been on an auto-renewal subscription notice with Accellion for 13 years.
As a result of the breach, the auditor's office now must work with the state's cybersecurity officials and federal law enforcement to figure out what happened.
State Auditor Pat McCarthy said, "We believed that we were getting a secure system and we expected that — and the citizens of Washington state should expect that as well." Meanwhile, Accellion said the data breach was a result of the company's "legacy product," which is 20 years old and which the company has been "encouraging customers to stop using."
But it doesn't matter that it was a third-party vendor that caused the breach, it puts the state auditor's office on the hook. They were responsible for the data and its well-being.
Increasingly, privacy bills are introduced that mirror the EU's General Data Protection Regulation and its provisions on third parties, as well as California privacy law's provisions on "service providers." It's not enough to hire a vendor, share personal data with it and dust your hands off. You are responsible for that data, so you must ensure it's being responsibly treated by your contractual partners. The story in Washington state is a good reminder to check in on the entities with whom you share data or deploy a trusted software service who can do that for you (wink). It's important your vendors' policies and procedures stand up to your customers' expectations and your obligations. Or you might end up in the news.
Enjoy reading, and we'll see you next week!
Here are the top stories you might have missed:
State auditor's software vendor breached, 1.47 million affected
Washington is alerting residents who filed unemployment claims their personal data has been exposed after a third-party vendor the state's auditor's office had contracted with was breached, reports The Seattle Times. State Auditor Pat McCarthy said software company Accellion, which the office uses to transfer large computer files, was breached in December, compromising 1.47 million residents' Social Security numbers, driver's license and bank information.
Read Story
2. Facebook to ask iOS users to opt-in to tracking
As the virtual showdown between Facebook and Apple on data privacy continues, Facebook has announced it will ask for users permission to track them for ad targeting purposes. The social media network says it will deploy a pop-up notification to iOS users telling them they'll "get ads that are more personalized" and clicking "yes" will "support business that rely on ads to reach customers." Now being tested, full deployment of the pop-ups is slated for spring.
Read Story
3. Human rights body releases guidelines on facial recognition tech
The Council of Europe, which functions to protect human rights, has published guidelines for governments and private companies on deploying facial recognition technology, ZDNet reports. It calls for a ban on facial recognition technology to determine a person's skin color, religion, ethnicity or age unless doing so is "necessary and proportionate." In addition, the guidance outlines rules for law enforcement to apply in cases that facial recognition deployment can in fact be justified.
Read Story
4. National SIM card registration raises privacy concerns
The Philippines' National Privacy Commission has said plans to register pre-paid SIM cards could increase the risk of a personal data breach, Inquirier.net reports. The push to register personal SIM cards aims to help with national security matters, but some lawmakers say such a "massive collection" of personal data is dangerous. Proponents of the SIM card plan say the country's data privacy commission and "very robust" Data Privacy Act will protect citizens' privacy adequately.
Read Story
5. What you need to know about drafting your privacy policy
Any company aiming to comply with privacy laws and regulations has to start in one place: the privacy policy. That's where a privacy regulator will look if there's a concern about your data practices or you experience a data breach. While privacy policies have a reputation as verbose multi-page documents crawling with legalese that the common user has neither the legal degree nor patience to digest, they're changing. Legislative changes, combined with heightened consumer awareness of data privacy risks based on news-making breaches, has put the heat on companies to exemplify strong data privacy programs. Here's some advice on what to do and how to avoid common pitfalls.
Read Story
6. Washington state rep introduces rival privacy bill
Another data privacy bill has been introduced in Washington state. On Jan. 28, Rep. Shelley Kloba (D - Kirkland) introduced the People's Privacy Act (HB1433), which would regulate corporations, government agencies and other corporations that fall under a certain threshold. The bill rivals that of Sen. Reuven Carlyle (D - LD 36), Senate Bill 5062.
Read Story
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.