CISA Updates Guidance on Secure Cloud Migrations

The U.S. Cybersecurity and Infrastructure Agency published the second version of its Cloud Security Technical Reference Architecture, providing guidance for organizations on secure transitions to the cloud, security management and more. CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein said, “all organizations using or migrating to cloud environments should review this document and adopt the practices therein as applicable to most effectively manage organizational risk.”

California Age Authentication Bill Could End Anonymous Web Browsing

The California state legislature is considering a bill that would require websites to verify users’ ages. The bill, titled the California Age-Appropriate Design Code Act, would require companies to collect personal information that website visitors have historically been reluctant to provide, in order to authenticate each visitor’s age. Critics of the bill claimed it would end adults’ ability to browse the web anonymously. Supporters of the legislation claimed it would work similarly to the U.K. Age-Appropriate Design Code.

European, U.S. Groups Fire Salvo of Privacy Complaints Against Google

Consumer groups from five European countries are planning to file formal complaints against Google’s data collection practices. The groups allege users are not informed of how their data is used for targeted advertising and that opting out of data collection requires several steps, while opting in takes one click. Several U.S. technology and consumer groups are also planning to outline similar complaints in a letter to the U.S. Federal Trade Commission.

Biden to Warn FTC About Abortion-Related Data Sharing

U.S. President Joe Biden is drafting a letter calling on the U.S. Federal Trade Commission to tighten its monitoring and enforcement of unfair and deceptive practices related to women’s health data. Biden’s urging seeks to support protections for women’s health and reproductive privacy rights in the wake of the U.S. Supreme Court’s reversal of Roe v. Wade. The FTC set precedent for such enforcement when it reached a settlement with women’s health application Flo in January over its data practices.

US House Subcommittee Explores Privacy Impacts of Biometric Tech

United Press International reports the U.S. House Committee on Science, Space and Technology’s Subcommittee on Investigations and Oversight held a hearing on privacy rights and standards associated with biometric technologies. The subcommittee discussed the benefits and risks of biometrics with an eye toward addressing the growing prevalence of such technologies. In testimony, U.S. National Institute of Standards and Technology Information Technology Lab Director Charles Romine discussed NIST’s work around biometrics and privacy’s “critical role in safeguarding fundamental values.”

Biden Issues Executive Order to Protect Women’s Health, Reproductive Privacy

U.S. President Joe Biden signed an executive order to protect women’s reproductive health care services, including commitments related to privacy protections. According to a White House factsheet, the order calls for action to address “the transfer and sales of sensitive health-related data” and “combatting digital surveillance related to reproductive health care services.” Actions under the order will include recently reported urgings to the Federal Trade Commission and the Department of Health and Human Services for increased guidance and enforcement to ensure proper privacy protections and data handling in the reproductive health context.

CPPA Launches CPRA Rulemaking Process

The California Privacy Protection Agency officially launched the formal rulemaking process for the California Consumer Privacy Rights Act. The CPPA announced draft regulations in early June that maintain pre-existing California Consumer Privacy Act regulations, while modifying certain provisions and proposing new regulations. The public is invited to participate in the rulemaking process by submitting written comments by Aug. 23 or attending public hearings scheduled for Aug. 24 and 25, both in-person and online. 

ICO Rolls Out Strategic Plan ICO25

The U.K. Information Commissioner’s Office unveiled ICO25, its strategic plan that Information Commissioner John Edwards said prioritizes issues that are “disproportionately affecting already vulnerable or disadvantaged groups.” The plan focuses on children’s privacy, discriminatory impacts of artificial intelligence, algorithmic bias and malicious telemarketing. The ICO’s proposed strategy also includes increased guidance resources, featuring a database of the ICO’s organizational and sectoral advice, privacy-by-design templates, and a moderated compliance discussion platform. The plan aims to achieve its goals by 2025.

Chinese Authorities Seek Details on Data Breach Affecting 1 Billion Citizens

Chinese authorities have asked Alibaba Group executives to talk about the June breach of a Shanghai police database containing data on 1 billion citizens. The database was reportedly stored on Alibaba’s cloud platform and cybersecurity researchers said a management dashboard was left open without a password for at least a year. Alibaba is investigating the breach and access to the database has been temporarily disabled.

US Lawmakers Release Amended American Data Privacy and Protection Act

Authors of the proposed American Data Privacy and Protection Act released an amended version of the bill ahead of the U.S. House Committee on Energy and Commerce’s July 20 markup session. Notable updates include changing the private right of action’s effective date from four years to two years post-adoption, enforcement tweaks related to the authority of the U.S. Federal Trade Commission and the California Privacy Protection Agency, and technical changes to the definitions for “covered entity” and “service provider.” 

UK Unveils Data Protection Reform, AI Regulations

The U.K. government Monday introduced a pair of post-Brexit data reform initiatives aimed at guiding responsible use of data while promoting innovation in the economy. In the House of Commons, the government released the Data Protection and Digital Information Bill. In parallel with the new legislation, the government also unveiled a set of proposals to regulate the use of artificial intelligence. 

Google’s Location Data Could be Used by Prosecutors in Anti-Abortion States

Google’s practice of collecting cellular location data could offer investigative material to law enforcement in states that have criminalized abortions. Between 2018 and 2020, the company received more than 5,700 “geofence” warrants from 10 states that have outlawed abortions. The purpose of the warrants is to use GPS data to show specific cell phones located in an area of interest in a criminal investigation.

Children’s Privacy Bills on US Senate Committee Markup Agenda

The U.S. Senate Committee on Commerce, Science, and Transportation scheduled a July 27 markup to consider a pair of children’s privacy bills. The committee will discuss proposals for the Children and Teens’ Online Privacy Protection Act and the Kids Online Safety Act. The Children and Teens’ Online Privacy Protection Act, introduced in May 2021, is geared toward limiting practices around children’s data collection and use. The Kids Online Safety Act, first introduced in February, offers provisions focused on prohibiting algorithms and targeted advertising to children ages 16 and under.

NIST Updates Health Data Security Guidance

The U.S. National Institute of Standards and Technology published a draft of its revised cybersecurity guidance related to the Health Insurance Portability and Accountability Act Security Rule. The guidance will help “maintain the confidentiality, integrity and availability” of patient data according to HIPAA standards. NIST Cybersecurity Specialist Jeff Marron said the revisions are “more actionable” and aim to create “more of a resource guide” for health care entities. 

Children’s Privacy Bills Get Advocate Support Ahead of US Senate Markup

More than 100 advocacy groups joined a letter to the U.S. Senate Committee on Commerce, Science, and Transportation voicing support for bills related to children’s privacy and online safety. The coalition explained how the proposals for the Kids Online Safety Act and the Children and Teens’ Online Privacy Protection Act will “significantly improve young people’s well-being” and prevent platforms from exploiting “developmental vulnerabilities and targeting them in unfair and harmful ways.”

US Credit Unions to be Required to Report Cyberattacks

The National Credit Union Administration may soon require federally insured credit unions to report hacking incidents. The new regulation would make it compulsory for credit unions to report substantial cyberattacks to the government within 72 hours. The regulation would also apply to credit unions’ third-party services, such as cloud computing providers. The NCUA deemed it necessary to include third parties because five vendors supply 87% of credit unions’ total technology assets.

US Senate Committee Advances Two Children’s Privacy Bills for Floor Votes

The U.S. Senate Committee on Commerce, Science and Transportation passed two children’s privacy bills during a markup session July 27. The bills, the Children and Teens’ Online Privacy Protection Act and the Kids Online Safety Act, will be put to a floor vote before the Senate.
