Weekly News #2

Facebook privacy issues

New information on Facebook’s user data misuse causes a $30 billion market-value loss. US senators propose the Data Care Act to regulate privacy across the 50 states. Reporting data breaches is now mandatory in Canada. The Department of Health and Human Services wants to modify HIPAA.

Facebook lost $30 billion in market value after the New York Times published on December 18 documents detailing different agreements that Facebook had with companies like Microsoft, Netflix, Spotify, Amazon, and Yahoo to access Facebook users’ data. For example, Netflix and Spotify could read users’ private messages. However, that was not everything. On December 14, Facebook notified its users of a bug in the Photo API that gave developers access to non-shared photos of 5.6 million users.

Pushed by the recent data breaches, 15 US senators proposed the Data Care Act on Wednesday to regulate privacy across the 50 states. The Data Care Act's main guidelines are:

  • Duty of Care – Must reasonably secure individual-identifying data and promptly inform users of data breaches that involve sensitive information;
  • Duty of Loyalty – May not use individual-identifying data in ways that harm users;
  • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual-identifying data;
  • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene;
  • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

On November 1st, reporting data breaches became mandatory in Canada. This is an important step for Canadian privacy regulation and will require a shift in how Canadian businesses operate, because according to Statistics Canada only 10% of the businesses affected by a cyber attack report it.

The Department of Health and Human Services (HHS) issued a Request For Information (RFI) for input on how to modify HIPAA on the following issues:

  • Encouraging information-sharing for treatment and care coordination;
  • Facilitating parental involvement in care;
  • Addressing the opioid crisis and serious mental illness;
  • Accounting for disclosures of protected health information for treatment, payment, and health care operations;
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices.

After a 2018 plagued with data breaches and marked by important privacy regulation (GDPR), we can expect 2019 to be a year in which protecting privacy becomes a must for public and private organizations. SC Magazine has eight privacy predictions for 2019, most of which revolve around regulations and their impact on the behavior of organizations and consumers.

Weekly News #1

Marriott and Quora data breaches

US legislators are proposing fines and jail for CEOs of breached companies after the Marriott and Quora data breaches. The US Census Bureau is using differential privacy to protect data privacy while still allowing data analysis. FTI Consulting is offering Data-Protection-Officer-as-a-service.

In just one week, we learned about two major data breaches, at Marriott and Quora, compromising the data of 600 million people. In 2018, there have been 15 data breaches, 8 more than in 2017.

Marriott has lost $4.08 billion in market value since November 29th, when the breach was reported; however, this loss could worsen because of fines and lawsuits. Under GDPR, Marriott could be fined $912 million, and a $12.5 billion damages lawsuit is in progress.

Quora reported on Monday that hackers had gained access to the data of 100 million users. The information comprised names, email addresses, passwords, and data from social networks.

All these breaches have pushed legislators in the US to propose bills that would fine not only the affected companies but also the CEOs. Senator Ron Wyden’s proposal includes up to 20 years of jail for chief execs and $5 million fines for CEOs.

However, there are processes and technologies that can help organizations protect their customers’ data privacy.

One solution is to designate a Data Protection Officer (DPO), a role that was introduced by the GDPR. While not every company is required to have a DPO, having someone in charge of data privacy and protection is a must. FTI Consulting is now offering DPO-as-a-service to help companies satisfy regulatory requirements.

Another solution is to use technologies such as differential privacy to keep the data private. Differential privacy is already used by companies like Apple and Google, but one of the earliest adopters is the Census Bureau. By mandate, the Bureau has to keep each person's information private while still providing useful data, and differential privacy allows it to do both.
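To make concrete what "keep each person's information private and still provide useful data" means, here is an added illustration of the Laplace mechanism, the basic building block of differential privacy. It is not code from the newsletter, the Census Bureau, Apple or Google; the microdata records are constructed, and the names `laplace_mechanism`, `privacy_loss` and `release_count` are this example's own. A counting query has sensitivity 1 (adding or removing one person changes the count by at most 1), so adding Laplace noise with scale 1/epsilon guarantees that the released number looks almost the same whether or not any single person is in the data, while the error stays small relative to population-level counts.

```python
import math
import random

# Constructed toy microdata (not real Census data): one record per person.
RECORDS = [
    {"id": 1, "age": 34, "has_condition": True},
    {"id": 2, "age": 51, "has_condition": False},
    {"id": 3, "age": 27, "has_condition": True},
    {"id": 4, "age": 45, "has_condition": False},
    {"id": 5, "age": 62, "has_condition": True},
    {"id": 6, "age": 39, "has_condition": False},
    {"id": 7, "age": 29, "has_condition": False},
    {"id": 8, "age": 58, "has_condition": True},
]

HAS_CONDITION = lambda r: r["has_condition"]


def true_count(records, predicate):
    """Exact answer to a counting query: how many records satisfy predicate."""
    return sum(1 for r in records if predicate(r))


def count_sensitivity():
    """Adding or removing one person changes any count by at most 1."""
    return 1


def laplace_sample(scale, rng):
    """Draw Laplace(0, scale) noise from a seeded random.Random via the inverse CDF."""
    u = rng.random() - 0.5           # uniform in [-0.5, 0.5)
    u = max(u, -0.5 + 1e-12)         # guard against log(0) at the boundary
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_mechanism(value, sensitivity, epsilon, rng):
    """Release value + Laplace(sensitivity / epsilon) noise: epsilon-differentially private."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return value + laplace_sample(sensitivity / epsilon, rng)


def release_count(records, predicate, epsilon, seed=0):
    """One private release of a count (the seed only makes the example reproducible)."""
    rng = random.Random(seed)
    return laplace_mechanism(true_count(records, predicate), count_sensitivity(), epsilon, rng)


def privacy_loss(output, count_a, count_b, sensitivity, epsilon):
    """|ln p_a(output) / p_b(output)| for the two Laplace output densities centred on
    count_a and count_b. For neighbouring datasets (|count_a - count_b| <= sensitivity)
    this never exceeds epsilon, which is exactly the differential-privacy guarantee."""
    scale = sensitivity / epsilon
    return abs((abs(output - count_b) - abs(output - count_a)) / scale)


def mean_abs_error(count, sensitivity, epsilon, trials, seed=0):
    """Simulation (not a release): average |noisy - true| to gauge utility at this epsilon."""
    rng = random.Random(seed)
    return sum(abs(laplace_mechanism(count, sensitivity, epsilon, rng) - count)
               for _ in range(trials)) / trials


if __name__ == "__main__":
    eps = 0.5
    exact = true_count(RECORDS, HAS_CONDITION)
    neighbour = true_count(RECORDS[1:], HAS_CONDITION)  # same data minus one person
    released = release_count(RECORDS, HAS_CONDITION, eps, seed=42)
    print(f"exact={exact} neighbour={neighbour} released={released:.2f}")
    loss = privacy_loss(released, exact, neighbour, count_sensitivity(), eps)
    print(f"privacy loss at the released value: {loss:.3f} (bound {eps})")
    for e in (0.1, 0.5, 1.0, 5.0):
        print(f"epsilon={e}: mean abs error ~ {mean_abs_error(exact, 1, e, 5000):.2f}")
```

The trade-off the paragraph alludes to is visible in the last loop: a smaller epsilon (stronger guarantee) means more noise, so an analyst sees larger error on small counts but barely notices it on counts in the thousands. Each release also spends part of a privacy budget; answering the same query repeatedly with fresh noise adds the epsilons together, which is why a real deployment tracks the budget rather than just calling the mechanism.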

No single solution is a silver bullet, but a combination of privacy-preserving technologies and processes will help organizations protect their customers’ data privacy.