AI Bellwethers in the US and EU
Hello all, and thanks for reading today.
Published: February 23, 2021
Today, The Washington Post reported that the SolarWinds attack impacted at least nine federal agencies, including the National Security Agency and the Federal Aviation Administration, as well as 100 private companies. The Biden administration announced it would sanction Russia within weeks, believing it's the culprit.
I'm a privacy reporter by trade. When I saw that the U.S. Senate Select Intelligence Committee would hold a hearing on this SolarWinds hack, I thought I'd put my reporting skills to use in hopes it's news you can use.
Here's a brief overview of what happened at the hearing today.
FireEye CEO Kevin Mandia told lawmakers the attack wasn't a "phishing expedition" to grab whatever the hackers could grab; they targeted specific individuals. FireEye was the first company to recognize and report the attack. Mandia said the hackers got so much data out of the grab that they probably could take a few days off afterward.
SolarWinds CEO Sudhakar Ramakrishna reported that some supply-chain attacks resulting from his company's breach have yet to be detected.
Lawmakers discussed how the government and the private sector might collaborate to help future breach detection and response, especially when state actors are involved.
"The number one thing the federal government can do that private companies can't is bring repercussions" for bad actors, testified FireEye's Mandia.
He added that the public sector must also be involved in detecting who's behind the threat. "The government is the best place to get attribution the most right," he said. "There are no repercussions if you don't know who did it."
Ramakrishna suggested a central government agency that could act as a repository for threat information and disseminate it accordingly. "Today, we feel like we have to communicate with multiple agencies in order to get it right," said Ramakrishna.
Maine Sen. Susan Collins indicated support for imposing mandatory breach reporting at the federal level.
Could Microsoft's Brad Smith get behind that kind of an idea?
"Yes," he told lawmakers. "Tailor it, make it confidential. But we will not secure this country without sharing that kind of information."
Enjoy reading, and we'll see you next week!
1. EU says data flows to UK may continue post-Brexit
The European Commission released its draft adequacy decision on data flows from the EU to the U.K., The National Law Review reports. After Brexit, the U.K. became a "third country" under EU law. For data to cross EU borders, the country in which it lands must have "adequate" privacy laws. If approved by the European Data Protection Board and EU members of parliament, the Commission's draft decision will allow those data flows to continue.
2. Biden administration to sanction Russia over SolarWinds hack
The Biden administration has announced it will bring sanctions against Russia for the SolarWinds hack within weeks, The Washington Post reports. The administration said it would respond using "a mix of tools seen and unseen." In the meantime, the U.S. Senate Select Intelligence Committee held a hearing with technology company CEOs, including SolarWinds and Microsoft. The hearing aimed to determine how the government might work with private companies on threat detection and mitigation.
3. Virginia passes its privacy law
Last week, Virginia's legislature passed its privacy law. The Consumer Data Protection Act moved swiftly through the legislative process, going from introduced to done deal in two months. The state's governor must now sign or veto the bill, but there is little doubt he will sign it. Oklahoma, New York and Washington state are currently considering bills of their own. This piece explores whether pressure from the states will push the U.S. government to pass a federal privacy law.
4. Brazilian lawmaker's bill would push data protection law's enforcement to 2022
A Brazilian lawmaker has introduced a bill that would push fines over noncompliance with its privacy law, the LGPD, to January 2022. Currently, the National Data Protection Authority will have enforcement abilities beginning in August 2021. The Congressman who introduced the bill said, "We cannot expect that all the companies working with data processing will have managed to adapt to the norms foreseen in the LGPD by August 2021, since they do not even have the economic conditions to stay afloat amid this chaotic scenario of world crisis."
5. Florida to consider state privacy bill
Gov. Ron DeSantis has introduced a privacy bill that looks similar to California's Consumer Privacy Act, StateScoop reports. House Bill 969 would allow Floridians to opt out of businesses' data collection on them and the sale of that data. It contains a right for individuals to sue companies that violate the rules. But the bill would apply to a wide range of companies, which could make it hard to pass in a state that's typically business-friendly, the report states.
6. Former Facebook chief security officer: Clubhouse is not private
Audio-chatroom Clubhouse has said it's working to protect user data from hackers. Still, cybersecurity experts report a user was "remotely sharing login information, pulling audio and metadata from Clubhouse to an external site." Facebook's former chief security officer, Alex Stamos, said Clubhouse users should assume they're being recorded. "Clubhouse cannot provide any privacy promises for conversations held anywhere around the world," Stamos said.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.