Recapping 2018 in Data Security and Privacy

Significant breaches resulted in more legislation globally

Esther Shein

In the context of cyber security, 2018 will be remembered for several “scary and troublesome” high-profile data breaches – and more of the same can be expected this year, according to Dr. Rebecca Wynn, head of information security and data protection for the Matrix Medical Network.

Wynn made her third guest appearance on Monday night’s episode 67 of Task Force 7 Radio with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies.

The discussion kicked off with Wynn noting that January is National and International Data Privacy Month. “January 28th, 2019, I want to remind everybody, is Data Privacy Day, and I also want to remind everybody that privacy and security by design should always be by default,’’ she said.

Wynn began a recap of the most notable data breaches of the year with one she said did not get a lot of attention in the U.S.: the Indian government's ID database, Aadhaar, which exposed the records of 1.1 billion citizens including identities and biometric information last March. The database was run by a company called Indane, which Wynn said hadn't secured its APIs.

The year also saw the breach of Marriott hotels’ reservation database of 500 million customer records between 2018 and September 2018, she said.

Google announced a data breach of its Google Plus, which exposed 500,000 user profiles, Wynn said, and the company announced it is getting rid of Google Plus in April.

Several airlines also disclosed breaches, including China's Cathay Pacific Airlines, which exposed 9.4 million data records, and British Airways, which had about 380,000 card payment records hacked. The travel site Orbitz had about 880,000 customers’ credit card information stolen, as well, she said.

“One that was really interesting was the deliberate targeted and well-planned attack of the Singapore government's health database,’’ Wynn said. The private information of the prime minister of Singapore was specifically targeted between May 2015 through July 4th, 2018, she said.

Other companies that experienced data breaches included T-Mobile, Quora and MyHeritage, Wynn added. “It was a big year for data breaches and a bigger year to talk about privacy,” and she hopes this could be the year that security budgets and personnel increase “so we can really do our jobs even better going forward in 2019.”

Rettas asked Wynn to hone in on the problems that plagued Facebook last year.

Wynn prefaced her response by saying she has “never been a big fan of Facebook.” She said she doesn’t think “people should expect to have a big paradigm shift in Facebook until they have leadership permanently change.”

She cited Facebook’s three major hacks in 2018: the exposure of four million records in the My Personality app. “What the app did is, it mishandled the Facebook user data by sharing information with researchers as well as companies with only limited protections in place,’’ Wynn said.

Facebook's code was hacked, exposing about 29 million data records, and then “the big one” was Cambridge Analytica, which breached 87 million data records.

Although there were “many congressional hearings,” about Facebook, Wynn called them “pretty humorous,” noting that a lot of people on Capitol Hill hadn’t heard of Facebook.

Rettas then shifted gears to Apple, saying the company had plastered an ad on the side of a building at the recent CES show stating, "What happens on your iPhone stays on your iPhone."

“It caught my eye right away when I saw it, and I think they're obviously trying to promote themselves as the protectors and pioneers of privacy,” he said, adding that “some say [Apple is] really taking a shot at Google and Facebook and Amazon.”

Wynn pointed out that Apple devices are made in China, where source code can be easily accessed and someone “can inject stuff in firmware … I don't trust it. What happens in China doesn't stay in China,’’ she said. “What happens on your iPhone in my personal opinion, doesn't stay on your iPhone as well as any other phones or anything else out there.”

The best thing, Wynn said, “is almost not to think of a thought anymore, and that way someone can't breach it.”

Data Breach Legislation

The two then began a discussion about significant data breach legislation that passed in 2018.

Wynn said 2018 “was a remarkable year” that hopefully sets the stage for a better 2019 in terms of data breach notification. South Dakota and Alabama enacted new data breach notification laws in 2018, becoming the last of the 50 states to do so, she said.

While most states require entities to provide breach notifications in the most expedient time possible and without unreasonable delay following discovery of a breach, in 2018 “several states joined a growing trend by revising their data privacy notification law to include explicit deadlines for notifying affected individuals,’’ Wynn said.

Notable among them was Colorado, which enacted a 30-day deadline from the discovery of the breach to notifying the affected individuals. That matched Florida's 30-day deadline for the shortest notification deadline in the United States, she said.

“We saw Alabama, Arizona, and Oregon all pass legislation requiring notification of affected individuals within 45 days, and then Louisiana and South Dakota also passed legislation of affected individuals within 60 days of discovery.”

Wynn said there should only be one comprehensive federal breach notification law covering every state instead of having “all these individual disparate laws all over the place that really just drive up the cost of compliance.”

Rettas asked about state-specific data breach notification laws pertaining to financial services?

Wynn said several states have begun implementing sector-specific data breach notification requirements, such as South Carolina, Vermont and Virginia, she said.

Privacy Legislation in 2018

In the show’s second segment, Rettas asked Wynn whether there was passage of any Safe Harbor laws in 2018?

Part of the California Consumer Privacy Act, known as CCPA, was passed in California in 2018, which creates a privacy right of action for certain data breach-related harms, caused by an entity's failure to implement and maintain reasonable security measures, she said. “However, the individual must provide the entity with written notice of the alleged violations and there's no private right of action if the entity cures the alleged violations within 30 days after receiving notice.”

The CCPA provides consumers with an express written statement that the violations have been cured, which goes in effect January 2020, she added.

Also in 2018, the Ohio legislature passed a bill that provides entities with a Safe Harbor from certain types of torque-based liability, which is related to data breaches, if the entity implements a cyber security program, Wynn said.

At the municipal level, San Francisco passed the Privacy First policy on Nov. 7, 2018, which gives consumers the right to know what information is being collected about them, whether it's being sold, and to whom.

Earlier in the year, Chicago passed the Personal Data Collection and Protection Ordinance, requiring businesses to obtain consent to use or sell a citizen's personal data, notify affected citizens after a data breach, gather consent to use global location data from mobile apps, offer notifications to mobile device users for location services and requires data brokers to register with the city, she said.

Rettas asked Wynn to explain what the CLOUD Act is.

On March 23rd, 2018, Congress passed, and President Trump signed into law the Clarifying Lawful Overseas Use of Data Act, which created a new framework for government access to data held by technology companies worldwide, she said.

The first part of the CLOUD Act provides that orders issued pursuant to Electronic Communication Privacy Act, can reach data regardless of where the data is stored. The second part creates a framework for new bilateral agreements with foreign governments for cross-border data requests, Wynn said.

The GDPR Impact and Other Global Privacy Issues

The big story of 2018 was the passage of the General Data Protection Regulation known as GDPR, on May 25th, 2018, Wynn observed. The law radically overhauled the European Union’s, data protection framework and may have inspired similar law legislation proposals in countries such as Brazil and India, she noted.

“The European regulators have been intensifying their enforcement of the GDPR with several investigations launched and fines levied in the past few months and even in the past few weeks,’’ and some are getting ready to go to court, she said.

In addition, in December 2018, the European Commission published the second annual review of the EU United States Privacy Shield, Wynn added. “The report concluded that the Privacy Shield continues to ensure what is said [to be] adequate levels of protection from personal data transfer from the EU to the United States.”

Also in December, the EU high level expert group on AI published the new draft guidance on AI ethics, she said.

In response to a question from Rettas about some of the highlights of the year from the APAC (Asian Pacific) region, Wynn said the region has seen its share of hacking and data loss incidents and she anticipates they will increase.  

Although Hong Kong was one of the first countries in Asia to enact a data privacy law and was considered ahead of its time because that was around 1995, Wynn said “the world has very quickly caught up, and now Hong Kong is in danger of falling behind.”

Other APAC countries updated their privacy laws to keep abreast of change in technology, she said, including Japan, China and now, Vietnam.

The Threat of Incarceration for CISOs

The show’s third segment began with a discussion of the status of the Asian Pacific Economic Cooperation (APEC), a voluntary privacy code of conduct for data controllers in the participating APAC member countries of Australia, Canada, Japan, Mexico, the United States, South Korea, the Philippines, Singapore and Taiwan.

“The CBPR certification is a badge of compliance against the privacy principles of the APEC, but it doesn't represent compliance with applicable local privacy laws,” she noted.

Then Rettas asked whether there might be overregulation in the industry, observing that some of these proposed regulations call for incarcerating CISOs for privacy failures.

“It's always the chief information security officer or the chief information officer who gets hit,” Wynn says, adding that while she isn’t advocating that all should go to jail, it sets a tone from the C-suite that CISOs need to take security seriously.

“For too long … privacy and security has taken a backseat to operations,’’ Wynn said. “If data doesn't flow and people can't sell their goods, none of us get a paycheck.” But at the same time, there is also pushback from people who complain about the sharing of their data.

Rettas said this can work both ways; if a CISO is held accountable to the point where they face incarceration if there's a data security breach, they will say they want increased personnel, tools and budgets. He asked what happen if they don’t get it?

“That's why you're seeing people leave their jobs in 18 months to two years,” Wynn responded, because the honeymoon period is over and CISOs don't want to be on the hook for a major breach.

However, she noted that more CIOs understand they need to listen more to the CISO, “whether it means that we need to get them directly speaking to me or we need to get them a step up closer to the board because it is important."

Advice for Privacy Professionals

Privacy professionals need to have more of a global perspective this year, Wynn said. That means not just concerning themselves with one or two regulations.

“I think that's really naïve. You really need to have a world perspective and you need to really be looking at data flow,” she said.

She said she thinks more executives will reevaluate their data privacy officers, chief compliance officers and chief privacy officers, if they have been in those positions for several years. They need to ask if they are the right people for the company now, or “do you need someone who's new who's more of a strategic thinker who's going to keep up on” regulations.

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes, click here.