Episode 99 - National Cybersecurity Awareness Month

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). For more information about ways to keep you and your family safe.

1. Instagram fined 405M Euros for GDPR violations.
2. Google and Meta were fined a total of $72 million by South Korea's Privacy and Protection Commission for tracking behavior on other sites without consumer approval, then using that data for advertising.
3. The Internal Revenue Service acknowledged Friday that it had inadvertently exposed a batch of taxpayer information linked to some non-profits and other tax-exempt organizations, following a Wall Street Journal report that said as many as 120,000 individuals may have been affected by the error.
4. While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering. At its peak the database held over 800 million records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently and as a result of human error.
5. China hopes to tighten its cybersecurity laws with higher fines for some violations. If the amendments are approved, fines for critical information infrastructure operators who use products or services that have not undergone security reviews could be 5% of revenue or 10 times their cost.
6. According to Acronis, ransomware losses worldwide are expected to surpass $30 billion by the end of 2023.
7. Lloyd's of London Ltd. has told insurers that nation-state attacks and related losses will be excluded from insurance coverage after 1Q 2023. A 2022 court ruling dashed insurers' hopes that "cyber war" exclusions would let them avoid payment for such losses.
8. Québec's personal information privacy act takes effect September 22, a provincial statute that supplements Canada's federal legislation, including the term "confidentiality incidents" and addressing biometric information.
9. Euractiv reports that the EC will introduce its proposal for a Cyber Resilience Act this week. The Act will address cybersecurity issues with consumer-connected devices.
10. UK - The Telecommunications (Security) Act 2021 (Commencement) Regulations 2022 have been made. They bring the Telecommunications Security Act 2021 (TSA) into force from 1 October 2022. The Electronic Communications (Security Measures) Regulations 2022 under the TSA will come into force on the same date.
11. After TikTok allegedly violated U.K. privacy regulations, the Information Commissioner's Office sent a notice of intent including a possible fine of £27 million.
12. California Governor Gavin Newsom has signed The California Age-Appropriate Design Code Act into law. The new legislation, signed by Newsom on September 15, 2022 and passed by the state congress in late August, will implement some of the strictest privacy requirements for children in the US, especially in relation to social media.
13. U-Haul International disclosed that it has experienced a data breach of names, drivers' licenses/state IDs but indicated no credit card or financial information was compromised.
14. A teenage cyberattacker gained full access to Uber's systems after impersonating an IT professional from the popular rideshare company to gain VPN access.
15. Congress is investigating Meta after The Markup discovered the tech giant's Pixel tool gathered information on users' private health records.

If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

00;00;06;16 - 00;00;37;00
Speaker 1
This is the Data Privacy Detective. It's October 2022. So welcome to National Cybersecurity Awareness Month, and that's brought to you by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency of the United States. So let's be aware, and this is our monthly roundup of what happened last month in September of 2022. So we have 14 things to report in 15 minutes.

00;00;37;00 - 00;01;12;04
Speaker 1
So let's get on with it. First, a record fine in the European Union by the Irish Privacy Commissioner, at least for Ireland, second biggest in EU history, for a violation of GDPR, the European Union's rules about data privacy. What happened? Well, first, it's against Meta. We used to call it Facebook, you know, and the Irish commissioner said that Meta was letting minors, people under 18, have their information revealed automatically without really knowing it.

00;01;12;16 - 00;01;41;00
Speaker 1
And an enormous fine, €405 million. Now, the euro used to be worth something more; today it's about where a U.S. dollar is. But a 400 million USD fine is nothing to sneeze at. And what was happening here is that under Meta's former protocols, anybody under 18 automatically had their account set to private when they joined Instagram.

00;01;41;05 - 00;02;06;05
Speaker 1
So only people they know can see what they post, and adults can message teens who don't follow them. Except that's what happened once Meta fixed it, a year before the fine. So Meta is saying, well, we're in compliance; it's reviewing the decision. We'll see if it ends up paying €405 million to Ireland, not to mention other European countries. Google and Meta, another fine.

00;02;06;05 - 00;02;40;29
Speaker 1
Both were fined a total of $72 million by, no, it wasn't the European Union. It was the Republic of Korea, South Korea's Privacy and Protection Commission. What happened there? Both companies were found to have tracked behavior on other sites and then used that data without the consumers knowing, without consumer approval. And then Google and Meta used that data for advertising, which of course is an important part of their whole business plan

00;02;41;00 - 00;03;20;19
Speaker 1
and their business model. Both companies voiced disagreement with the commissioner's findings, and these were the largest ever fines levied by South Korea for privacy law violations. Internal Revenue Service. Are they going to be fined? What happened? The IRS inadvertently exposed a batch of taxpayer information linked to nonprofits. Now, nonprofits under 501(c)(3), the charitable nonprofits, have to post Form 990s, which are public information about charities.

00;03;20;19 - 00;03;57;26
Speaker 1
When you file with the IRS, you include certain information about individuals, people, and the IRS apparently leaked, inadvertently exposed, a whole bunch of personal information in releasing a broader form than the Form 990 that should have been released, apparently. The error was due to some non-501(c)(3) nonprofits, nonprofits that aren't deemed charitable nonprofits, also being made available through bulk download through the IRS's own search portal for tax-exempt entities.

00;03;57;26 - 00;04;26;01
Speaker 1
Well, I wonder if the U.S. government will fine its own tax-collecting agency. Don't hold your breath on that. That may have been for 120,000 individuals. A lot of people. Well, nothing compared to the 800 million records that were breached in the People's Republic of China. Second largest data leak. There was one 4 billion records from the Shanghai police database in June 2022.

00;04;26;20 - 00;04;58;13
Speaker 1
In both cases, the data were likely exposed inadvertently as a result of human error. This 800 million release came from a tech company called Sina Electronics, Beijing, based in Hangzhou on the east coast of China. And while to Westerners this might seem unremarkable, after all, in China as a country the government uses facial recognition broadly and routinely, and state surveillance is ubiquitous under Chinese law.

00;04;58;14 - 00;05;46;11
Speaker 1
But the sheer size of these databases, of the breach, is staggering. And China wants to upgrade and tighten its cybersecurity laws. It announced in September that there are going to be amendments to its cybersecurity laws and significant fines for anything that relates to critical information infrastructure operators who use products or services that haven't undergone security reviews. Now, a security review in China involves not just a review, but in fact an approval by Chinese regulators on how a company has complied with Chinese law, and the new fines could be 5% of revenue or ten times their cost.

00;05;47;16 - 00;06;17;25
Speaker 1
So when China wants to get serious about a matter, it does. Now, this is an announcement by the Cyberspace Administration of China, and it has to do again with critical information infrastructure, but that's defined more broadly than it might appear to U.S. or European listeners. Acronis announced that ransomware losses globally are expected to be over $30 billion by the end of 2023.

00;06;17;28 - 00;06;52;08
Speaker 1
In the first half of 2022, most of the ransomware incidents involved compromised credentials through cloud software exploitation, and the use of nontraditional entry vectors was found to be very much on the rise. Interesting survey by Acronis. And that's not all in this space. Lloyd's of London, the place you go, if you've ever been to Lloyd's. It's a wonderful building where people used to gather for coffee, and their brokers go around and get insurance through syndicates within the Lloyd's system.

00;06;52;25 - 00;07;31;15
Speaker 1
But there was a court ruling in 2022 that means a lot for those who buy ransomware insurance. The insurers there were hoping that cyber war exclusions would be used to help the insurers get off, not having to pay money themselves for ransomware losses when there was a nation-state actor involved. And there certainly have been a number of recent reports, most recently in September, reports of Iran cyber-attacking Albania, which complained bitterly: cyber war on the rise by nation states.

00;07;32;08 - 00;07;58;19
Speaker 1
But the result of this, the court ruling in the United Kingdom, is that in 2023 Lloyd's of London Ltd is not going to continue insurance coverage for nation-state attacks. So you're going to see changes in wording in ransomware insurance. Quebec. Quebec made the news in September of 2022. It adopted a provincial statute, and just pause for a minute.

00;07;58;19 - 00;08;33;03
Speaker 1
Canada is a lot like the United States. Yes, it's a country, but it has these provinces, just like the United States has states, and different laws come out to do different things than what national law may provide, certainly in the data privacy area. And Quebec's new Personal Information Privacy Act took effect on September 22nd, and it supplements federal legislation in Canada, which isn't contradicted, but introduces the term, quote, confidentiality incident, close quote, differently than may be understood generally in the world.

00;08;33;24 - 00;09;05;20
Speaker 1
It also addresses biometric information. Now, on that, just like in the United States, Illinois got in on the act early about biometric information. Other states are looking at this area of the law, but it's been treated very separately from a lot of national laws about data privacy. And certainly you see that now in Canada. Euractiv, a prominent European commentator, reports that the European Commission's about to introduce its proposal for a Cyber Resilience Act.

00;09;05;28 - 00;09;35;15
Speaker 1
Now, this gets into the details of cybersecurity on the technical side, but this one's aimed at consumer-connected devices. So it will cover, quote, products with digital elements, close quote. And that's defined as, quote, any software or hardware product, notice hardware product, and its remote data processing solutions, including software or hardware components to be placed on the market separately.

00;09;36;15 - 00;10;04;12
Speaker 1
So here you have this Internet of Things overlapping and merging with data infrastructure, and the European Commission is out to deal with the very connections that take place between software and hardware. And it is important, and I'm sure you've heard the joke: how many software engineers does it take to change a light bulb? How many software engineers? Oh, the answer's none.

00;10;04;15 - 00;10;30;27
Speaker 1
It's a hardware problem. So this is the importance to law: if you're going to solve a problem, solve it. Don't just confine it to software; hardware too, to deal with the connections. And that's what the European Commission's proposal would be. Very interesting to look at. The United Kingdom, no longer part of the European Union but inheriting the GDPR approach to data privacy, has brought into force.

00;10;30;27 - 00;11;08;21
Speaker 1
October 1, 2022: the Telecommunications Security Act regulations are now in force. Now, these are measures under the Act that will strengthen the security framework for 5G technology as well as for fiber networks, and they set out very specific security requirements for providers. And a code of practice is provided that gives further technical detail. Well, so much for the hopes that the United Kingdom would revert to common law and not make its own regulations.

00;11;08;21 - 00;11;37;00
Speaker 1
They may not be European, Brexit has happened, but regulation there will be big. TikTok in the news, also in the UK: it allegedly violated UK privacy regulations. The Information Commissioner's Office of the UK sent TikTok a notice of intent with a possible fine of £27 million. And again, the pound used to be worth a lot more than the US dollar.

00;11;37;00 - 00;12;02;04
Speaker 1
Now it's just about where a dollar is as we consider this. But still, that's a lot of money. For TikTok, maybe not so much, but it's a serious fine. And what's the problem here? Well, TikTok has 30 days to respond. We'll see what happens in October. They're accused of gathering private data from users under age 13 without their parents' consent.

00;12;02;08 - 00;12;41;16
Speaker 1
We'll see what happens there. California just adopted, speaking of minors, the California Age-Appropriate Design Code. It was signed on September 15th, 2022, and was passed in late August. And it's going to implement some of the strictest privacy requirements for children in the United States, particularly with regard to social media. The law restricts the ability of apps to collect data on anybody 18 or younger, not 13, 18 or younger, and requires them to implement their, quote, highest privacy standards, close quote, for children and teenagers.

00;12;41;21 - 00;13;12;08
Speaker 1
That's smelling like privacy by design, which you see in the European Union. Governor Newsom said, quote, We're taking aggressive action in California to protect the health and well-being of our kids, close quote. Well, it wasn't very popular among some tech firms, which criticize it for limiting democratic freedoms, even for children, and claim that although the motives are well intended, it is unconstitutional and it risks unintended consequences.

00;13;13;13 - 00;13;47;13
Speaker 1
That's the comment of counsel for NetChoice, a trade association of technology and Internet-based businesses. We'll see how the courts sort that one out. U-Haul made the news, as it experienced a data breach of names, driver's licenses, state IDs; no credit card or financial information was compromised, they say. It had to do with about five months of rental contracts, and the great reward to those whose data was breached is a full year of free identity protection services.

00;13;47;18 - 00;14;25;12
Speaker 1
The remedy we see so often in United States data breach cases. And speaking of data breaches, there was a teenage cyberattacker who gained full access to Uber's systems after impersonating an IT professional from Uber to gain VPN access. A demonstration of what I always remind all of us when I close the podcast. Now, apparently the hack did not expose confidential passenger data, rumor has it, but it showed internal company information, administrative account credentials stored in the clear, and other lapses in cybersecurity practices.

00;14;25;26 - 00;14;59;06
Speaker 1
And finally, for September, Georgia's U.S. senator, Jon Ossoff, announced that the government is investigating Meta after The Markup discovered the tech giant's Pixel tool gathered information on users' private health records. And so there'll be an investigation into whether Facebook's parent company is collecting or storing patient personal data accessed through hospital websites. Medical data is thought to be, in the broker market, more valuable than financial.

00;14;59;16 - 00;15;28;18
Speaker 1
Well, 14 things that have happened in September. And before we close, what's striking to me is this: those 14 incidents have virtually nothing to do with how besieged people are, all of us. There's an onslaught of targeted ads, phishing phone calls, a fixation on having your phone available at all times, on having anyone call you any minute of the day.

00;15;28;18 - 00;15;56;23
Speaker 1
Letting social media take up your life, and then getting pounded by unwanted approaches by all sorts of people that you've never heard of, some pursuing their own decent business purposes, trying to get you interested in something, others from villainous characters. One must ask: whatever happened to the Do Not Call list? You remember that FCC rule about Don't Call Me on the phone.

00;15;57;11 - 00;16;26;17
Speaker 1
What happened to that? And where is the focus today on privacy? Most of us want the great benefits of geolocation and other services that Internet data sharing has brought us, being able to post things about our families and share them with people we want to share them with. But where? Where can the lines be drawn to create a balance between a society we really want to be part of, generally,

00;16;27;05 - 00;16;50;25
Speaker 1
and one that goes too far? We'll come back to that again and again. We will finish this report on what happened in September by reminding us all: protecting your personal privacy begins with you.

This podcast was created for general informational purposes only as of the time of its creation and does not constitute legal advice, the formation of an attorney client relationship, or a solicitation to provide legal services. The laws governing legal advertising in some states require the following statement in any publication of this kind: “THIS IS AN ADVERTISEMENT.” All rights reserved