Weekly News #2
New information on Facebook’s user data misuse causes a $30 billion market-value loss. US senators propose the Data Care Act to regulate privacy across the 50 states. Reporting data breaches is now mandatory in Canada. The Department of Health and Human Services wants to modify HIPAA.
Facebook lost $30 billion in market value after the New York Times published on December 18 documents detailing different agreements that Facebook had with companies like Microsoft, Netflix, Spotify, Amazon, and Yahoo to access Facebook users’ data. For example, Netflix and Spotify could read users’ private messages. However, that was not everything. On December 14, Facebook notified its users of a bug in the Photo API that gave developers access to non-shared photos of 5.6 million users.
Pushed by the recent data breaches, 15 senators in the US proposed the Data Care Act on Wednesday to regulate privacy across the 50 states. The Data Care Act main guidelines are:
- Duty of Care – Must reasonably secure individual-identifying data and promptly inform users of data breaches that involve sensitive information;
- Duty of Loyalty – May not use individual-identifying data in ways that harm users;
- Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual-identifying data;
- Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene;
- Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.
On November 1st, it became mandatory to notify data breaches in Canada. This is an important step for Canadian privacy regulation and is something that will require a shift in the operation of Canadian businesses because according to Statistics Canada only 10% of the businesses affected by a cyber attack reports it.
The Department of Health and Human Services (HHS) issued a Request For Information (RFI) for input on how to modify HIPAA on the following issues:
- Encouraging information-sharing for treatment and care coordination;
- Facilitating parental involvement in care;
- Addressing the opioid crisis and serious mental illness;
- Accounting for disclosures of protected health information for treatment, payment, and health care operations;
- Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices;
After having a 2018 plagued with data breaches and important privacy regulation (GDPR), we can expect that 2019 will be a year in which protecting privacy becomes a must for public and private organizations. SC magazine has eight privacy predictions for 2019, most of them revolve around regulations and their impact on the behavior of organizations and consumers.