Frost Brown Todd Podcast
157 episodes — Page 2 of 4
Episode 107 - The Meaning of the Headlines
November 2022 saw the largest private data privacy settlement in U.S. history, a huge Irish fine of Meta, the UK’s forging an independent path from the EU, and South Dakota entering US/China foreign relations over TikTok. Tune in to Episode 107, as the Data Privacy Detective searches monthly for learning from privacy and security developments. As cybercrime grows and governments move from data breach punishment to requiring digital systems to embrace privacy-centric security, consider news from the U.S., EU, UK, Australia, India, and South Korea.
Episode 106 - Decentralized Identifiers (DIDs) and Data Privacy
Decentralized identifiers, or “DIDs”: tune in for an exploration of how blockchain and pseudonymization can systematically improve data security and increase users’ control over their digital identities. Our tour guide is Phillip Shoemaker, the Executive Director of identity.com, a non-profit that provides tools for developers to help organizations identify individuals without compromising their security or privacy. Through this approach, enterprises can de-couple personal identities from users, providing instead a separate digital identity for the user that is not linked to a phone number, address, Social Security number, or other means of identifying the user whose data is otherwise at risk. Learn what individuals can do to urge governments, regulators, and businesses to arm digital systems with defenses that prevent malicious actors from hacking masses of personal data that are then used to steal and misuse identities and assets. As standards are being developed for software, IoT devices, and digital infrastructure, consider the role of DIDs as a best practice to be adopted broadly. If you have ideas for more interviews or stories, please email [email protected].
Episode 105 - Breached!
Breached!, published in 2022 by Oxford University Press, reveals how data security law fails because of undue focus on data breaches. It explores what can be done to improve data privacy and limit data theft. Author Daniel Solove, law professor at George Washington University Law School and head of a privacy and security training company serving hundreds of global organizations, explores how laws focus too much on data breach and punishment of companies that are themselves breach victims. This is counterproductive and aggravates rather than addresses the need for heightened data security. In this podcast, we turn our spyglass to data theft and insecurity and consider whether a holistic, systemic approach is better than a glaring focus on data breach. Emerging legal approaches to defective software and prevention of data theft can better stem the rising tide of cyber-crime and are essential to furthering privacy interests. Learn what you and public officials can do about this and how a different approach to prevention can better protect the privacy of data. As Breached! concludes, “If data security law is going to stand any chance in a world of artificial intelligence, smart devices, and social media, it must move beyond the breach.” Get ready for a new approach to protecting our privacy and achieving stronger data security. If you have ideas for more interviews or stories, please email [email protected]
Episode 104 - October 2022 Data Privacy News
October 2022 highlights for data privacy:
- A battle between the U.S. Federal Trade Commission and a data broker over whether the FTC has authority over its practices
- The U.S. Government orders federal agencies to push NIST guideline compliance throughout the software supply chain
- A survey reports a second-quarter jump in data breaches
- France fines Clearview AI over facial recognition
- A Dutch court awards a fired employee damages over the employer’s webcam rules
- The EU acts to harmonize procedural laws to aid GDPR enforcement
- The Biden Administration issues an Executive Order in a third attempt at a safe-harbor approach to allow data transfers between the U.S. and the EU
- The first conviction of a company security chief arising from a data breach response
- The White House issues its Blueprint for an AI Bill of Rights
Whew! A lot happening. Tune in for the meaning and implications of these events. If you have ideas for more interviews or stories, please email [email protected]
Episode 103 - The Future of Data Management
William McKnight, one of the most highly published analysts in information management, offers insights into how big data and artificial intelligence are changing the world. The McKnight Consulting Group is a leading data strategy and implementation firm that helps businesses solve complex problems through the use of growing personal information databases. Learn from this podcast who is watching us and how our personal data is collected, shared, and used. Discover new analytic uses by enterprises in master data management and how artificial intelligence mines our data to create a burgeoning array of products and services. Hear how AI and other critical technologies will change the world in the next ten years. And consider how this will affect our privacy and what we can do about it.
Episode 102 - Data Brokers and Our Private Location Information
Data brokers acquire and sell data that includes personal location information. This exposes to others the visits of women seeking pregnancy healthcare options, the church, synagogue, or mosque we attend, and other sensitive information we would prefer to keep private. In August 2022, the U.S. Federal Trade Commission sued Kochava, an Idaho-based data broker, claiming that it engages in an unfair business practice by sharing location data it gathers from its data sources. Mike Swift, Chief Global Digital Risk Correspondent for MLex Market Insight, a LexisNexis global news organization, discusses the lawsuit and the vital privacy interests at stake. On October 25, 2022, Kochava filed a motion to dismiss, having earlier preemptively sued the FTC. Kochava aggressively argues that the FTC lacks authority to make its claims and that data brokers serve an important, positive function. The Kochava suit will test whether there is federal authority to regulate the sharing of sensitive private information through data brokers. If not, data brokers may be almost entirely unregulated, able to do virtually anything they wish with personal information we did not knowingly authorize them to obtain and sell. You’ll learn what businesses can do amid a chaotic and evolving global compliance landscape and what individuals can do to protect their sensitive personal location information. If you have ideas for more interviews or stories, please email [email protected].

Episode 101 - Data Breaches - The impact on consumers and company personnel
Data breaches are now daily news, like weather reports. Podcast 101 digs beneath the headlines into what happens with data incidents that result in breaches – where our personal information goes, whether it’s ever truly recoverable, what businesses can do to prevent and address breaches, what consumers can do about it, and how one company officer became the first U.S. person to be criminally convicted for mishandling a company’s data breach. Andy Lunsford, founder/CEO of BreachRx, offers insights and advice on what companies and individuals can do about data breaches. Companies that have a breach response plan in place and test it in advance are best positioned to deal with them. The October 5, 2022 conviction of Uber’s former Chief Information Security Officer highlighted the rising risks for business officers charged with data breach management. Consumers can act immediately when informed that their data was breached. Despite the need for a global standard on data breach response time and other non-political aspects of cross-border data, there is none, and not even a common U.S. approach. Tune in to understand what happens when a data breach occurs and what each of us can do to respond to it. If you have ideas for more interviews or stories, please email [email protected].

Episode 100 - Spell-Jacking: Addressing a threat to personal data privacy
Spell-jacking: a new word emerging from the tech world. Learn its meaning and what can be done to protect personal data privacy. We use convenient third-party features on websites that can expose highly sensitive information about us without our even suspecting this is happening. Using a browser’s enhanced spellcheck on a website can send the contents of the form we are working on to “the cloud.” The information is in flight and can be shared (or hacked) in unexpected ways. A September 2022 study by otto-js, a JavaScript security firm, found that the vast majority of enterprise websites send data containing Personally Identifiable Information (PII) back to Google or Microsoft when users have Chrome Enhanced Spellcheck or Microsoft Editor in Edge enabled. This can release passwords, Social Security numbers, and other personal information users would not approve. Through enabled features that are convenient for users (such as spellcheck or “show my password”), personal data is being shared in ways individuals did not expressly approve and would avoid if they could. Otto-js co-founders Maggie Louie and Josh Summitt tell how this problem was discovered and share how the risks can be mitigated. While legitimate enterprises have no interest in releasing PII to bad actors, spell-jacking as such is currently unregulated or under-regulated. Learn how industry and regulators are addressing this issue – and what consumers can do to protect their own personal privacy. Helpful guides for developers and consumers are available on the otto-js website. If you have ideas for more interviews or stories, please email [email protected].
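The developer-side mitigation the episode alludes to is to keep sensitive fields out of the browser’s spellcheck path. The following is an added example written for this page, not code from otto-js or from the podcast: it classifies form fields as sensitive (password inputs, password and payment autocomplete tokens, and a name pattern, all chosen here as assumptions), sets `spellcheck="false"` on them, and keeps spellcheck off when a “show password” toggle flips the input from `type="password"` to `type="text"`, the step that makes the value eligible for enhanced spellcheck. The `fakeElement`/`fakeForm` helpers are a minimal stand-in for DOM elements so the block runs outside a browser; in a page you would pass real elements from `document.querySelectorAll`.

```javascript
// Added example (not otto-js code): keep sensitive form fields away from cloud spellcheck.

// Field characteristics treated as sensitive. These sets are assumptions for the example;
// extend them to match the forms on your own site.
const SENSITIVE_TYPES = new Set(['password']);
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'one-time-code', 'cc-number', 'cc-csc',
]);
const SENSITIVE_NAME_PATTERN = /(ssn|social|passw|secret|token|card|cvv|cvc|tax.?id)/i;

function isSensitiveField(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  if (SENSITIVE_TYPES.has(type)) return true;
  const autocomplete = (el.getAttribute('autocomplete') || '').toLowerCase();
  if (SENSITIVE_AUTOCOMPLETE.has(autocomplete)) return true;
  const nameish = `${el.getAttribute('name') || ''} ${el.getAttribute('id') || ''}`;
  return SENSITIVE_NAME_PATTERN.test(nameish);
}

// Mark one field so the browser does not send its contents to an enhanced spellchecker.
// Returns true when the field was treated as sensitive.
function hardenField(el) {
  if (!isSensitiveField(el)) return false;
  el.setAttribute('spellcheck', 'false');
  el.setAttribute('autocorrect', 'off');     // Safari/iOS hint, harmless elsewhere
  el.setAttribute('data-sensitive', 'true'); // marker for other scripts on the page
  return true;
}

// Walk every input/textarea under root and harden the sensitive ones; returns the count.
function hardenForm(root) {
  let count = 0;
  for (const el of root.querySelectorAll('input, textarea')) {
    if (hardenField(el)) count += 1;
  }
  return count;
}

// "Show password" toggles flip type="password" to type="text". Re-assert spellcheck="false"
// on every flip so the now-visible value stays out of the spellcheck path. Returns true when
// the password is now shown.
function togglePasswordVisibility(el) {
  const showing = (el.getAttribute('type') || '').toLowerCase() === 'text';
  el.setAttribute('type', showing ? 'password' : 'text');
  el.setAttribute('spellcheck', 'false');
  return !showing;
}

// Minimal stand-ins for DOM elements (constructed for this example so it runs in Node).
function fakeElement(tag, attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    tagName: tag.toUpperCase(),
    getAttribute: (k) => (map.has(k) ? map.get(k) : null),
    setAttribute: (k, v) => { map.set(k, String(v)); },
  };
}
function fakeForm(elements) {
  return { querySelectorAll: () => elements };
}

// Constructed sample form: only the password and SSN fields should be hardened.
const demoForm = fakeForm([
  fakeElement('input', { type: 'text', name: 'username' }),
  fakeElement('input', { type: 'password', name: 'password' }),
  fakeElement('input', { type: 'text', name: 'ssn', autocomplete: 'off' }),
  fakeElement('textarea', { name: 'comments' }),
]);
const hardenedCount = hardenForm(demoForm); // 2
```

Note that `spellcheck="false"` only tells the browser not to run spellcheck on that field; it is the page author’s control, and a user-level defense is still to disable enhanced (cloud) spellcheck in the browser settings.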

Episode 99 - National Cybersecurity Awareness Month
Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency (CISA), which publish resources on ways to keep you and your family safe. Headlines covered in this episode:
1. Instagram fined €405 million for GDPR violations.
2. Google and Meta were fined a total of $72 million by South Korea’s Personal Information Protection Commission for tracking behavior on other sites without consumer approval, then using that data for advertising.
3. The Internal Revenue Service acknowledged that it had inadvertently exposed a batch of taxpayer information linked to some non-profits and other tax-exempt organizations, following a Wall Street Journal report that as many as 120,000 individuals may have been affected by the error.
4. An exposed Chinese facial-recognition database: while its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, its sheer size is staggering. At its peak the database held over 800 million records, one of the biggest known data security lapses of the year by scale, second only to the leak of 1 billion records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently as a result of human error.
5. China hopes to tighten its cybersecurity laws with higher fines for some violations. If the amendments are approved, fines for critical information infrastructure operators who use products or services that have not undergone security reviews could be 5% of revenue or 10 times the cost of the product or service.
6. According to Acronis, ransomware losses worldwide are expected to surpass $30 billion by the end of 2023.
7. Lloyd’s of London has told insurers that nation-state attacks and related losses will be excluded from cyber insurance coverage after the first quarter of 2023. A 2022 court ruling dashed insurers’ hopes that “cyber war” exclusions would let them avoid payment for such losses.
8. Québec’s personal information privacy act takes effect September 22, a provincial statute that supplements Canada’s federal legislation, introducing the term “confidentiality incidents” and addressing biometric information.
9. Euractiv reports that the European Commission will introduce its proposal for a Cyber Resilience Act this week. The Act will address the cybersecurity of connected consumer devices.
10. UK: The Telecommunications (Security) Act 2021 (Commencement) Regulations 2022 have been made, bringing the Telecommunications (Security) Act 2021 (TSA) into force from 1 October 2022. The Electronic Communications (Security Measures) Regulations 2022 under the TSA come into force on the same date.
11. After TikTok allegedly violated UK privacy regulations, the Information Commissioner’s Office sent a notice of intent including a possible fine of £27 million.
12. California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act into law on September 15, 2022. Passed by the state legislature in late August, it will implement some of the strictest privacy requirements for children in the US, especially in relation to social media.
13. U-Haul International disclosed a data breach of names and drivers’ licenses/state IDs but indicated that no credit card or financial information was compromised.
14. A teenage attacker gained full access to Uber’s systems after impersonating an IT professional from the rideshare company to obtain VPN access.
15. Congress is investigating Meta after The Markup discovered that the tech giant’s Pixel tool gathered information on users’ private health records.
If you have ideas for more interviews or stories, please email [email protected].

Episode 98 - “Do not sell my personal information”
How a California statute works in practice. In August 2022, California’s Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), California requires companies subject to its law to provide their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora’s website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires. Sephora promptly changed its website. But how? This podcast discusses how, in this CCPA example, the consumer’s ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word “sell” itself has no settled definition. Sephora argued that it was merely “sharing” rather than “selling” its customers’ personal information with other businesses, but the Attorney General disagreed. The California Privacy Rights Act (CPRA), effective in 2023, will address the “sharing” of personal information, a much broader reach than “selling.” Tune in to Episode 98 to learn how a privacy law moves from theory to practice, what it means for personal privacy rights, and how businesses that rely on data sharing and selling may not make it simple for their customers to exercise rights that a law creates. If you have ideas for more interviews or stories, please email [email protected].

Episode 97 - Data Privacy Happenings in August 2022
Get an update on lawsuits launched and settled in August 2022. Consider FBI warnings about DeFi platforms and CISA declarations about protecting critical infrastructure. Learn of a draft bill circulating in California about an age-appropriate design code for websites. A data broker is sued by the Federal Trade Commission for selling geolocation data that can be used to track who’s visiting a women’s reproductive health center, an addiction treatment facility, and everywhere else a smartphone travels. Tune in for this September 2022 update of what’s been happening in data privacy and cybersecurity. If you have ideas for more interviews or stories, please email [email protected].

Episode 96 - We Are Being Watched, Recorded, and Targeted by “Things”
Data privacy and the laws that protect our personal information mostly deal with digital data and data equipment like computers and smartphones. But the Internet of Things – IoT – is meeting data infrastructure (listen to Episode 90 about the Edge for more on that). Things we don’t think of as data collectors collect our personal information and share it with others, often without our notice or consent, and sometimes in ways we do not want. Is the law ready to deal with this? Daniel Murray, an intellectual property and technology transactions attorney at Frost Brown Todd LLC, joins the Detective in exploring the issues. With a mishmash of state and federal rules, the U.S. lacks a comprehensive data privacy code. International laws differ greatly, some granting control to individuals over their personal data and others giving central government authorities almost total control over personal data about residents. As IoT devices, including automobiles and home furnishings, watch and record us and our visitors, the challenges to protecting privacy proliferate, and existing rules may not apply. This podcast discusses the challenges to data privacy in the IoT world, including interoperability, inadvertent and unconsented collection, and other questions of modern life and the future of personal data privacy. If you have ideas for more interviews or stories, please email [email protected].

Episode 95 - Russia Ratchets Control of the Russian Internet
Data localization – we’ve devoted several episodes to what countries are doing to control and restrict data flows involving their residents. What happens when there’s a war (or “military operation,” if you prefer) going on? Do recent actions by the Russian government reflect a growing trend toward a splinternet, treating data as though it were national cattle to be locked within a corral? Or is this more a reaction to sanctions imposed by other nations, having little to do with data? This podcast considers how data localization is on the rise in democracies like Indonesia, while India’s government shelved a draft national data law that would have increased control and domestication of data after pressure and objection from its broader society. With Yugo Nagashima, a Frost Brown Todd attorney focused on international and domestic data privacy and technology, we discuss expanding fines and Russia’s seizure of Google’s Russian subsidiary’s bank account, aimed at forcing U.S. and other non-Russian companies to accept Russia’s controls over data as a condition of offering services to Russians. Will the internet achieve its dream of global information flows with reasonable privacy protections, or are we headed to a splinternet, where nations control and restrict what their residents can share and receive across borders? If you have ideas for more interviews or stories, please email [email protected].

Episode 94 - Cryptography and Data Privacy
Cryptography comes from the ancient Greek word “kryptos,” meaning “hidden” or “secret.” Encryption is a cybersecurity pillar, a key defense against invasion of our privacy. But it may be underappreciated in practice. Tune in to learn about the growing need for encryption technology to combat the rising tide of cyber-attacks. A recent report by the Port of Los Angeles to the FBI indicated that it suffers over one million cyber-attacks per day. Dan Draper, CEO and Founder of CipherStash, explains from his home in Sydney, Australia the role of cryptography in protecting sensitive personal and other information. Dan’s company provides a data storage platform for sensitive data that uses searchable encryption technology to protect against attacks. Dan discusses how encryption protects personal data and how traditional databases, which hold data in plaintext, are vulnerable to hacking and other risks. Learn why cryptography is becoming increasingly crucial in guarding data privacy and why Dan is optimistic about the use of encryption even as the age of quantum computing dawns. If you have ideas for more interviews or stories, please email [email protected].

Episode 93 - 5G and Data Privacy
5G is the buzzword for the new generation of mobile networking. It brings blazing speed to digital communication. With that comes concern about the impact on our privacy. 5G speeds up data sharing – the good, the bad, the annoying, the criminal. With the emergence of the Edge linking devices and data infrastructure (DPD podcast 90), 5G shares information in virtual real time about your health, your highway speed, your browsing and entertainment, your choices in a grocery store, and your location. Just as instantly, this data will be shared with a growing number of companies and people watching and listening to us (known and unknown), who will turn the information into benefits for themselves and risks for your privacy. National security is also at stake. Criminal elements will exploit the benefits, along with governments foreign and domestic. Explore in this episode the intersection of 5G and personal information. What does 5G mean for data privacy, and what can the U.S. Government do to address the national security risks? Our tour guide is Sohan Dasgupta, former Deputy General Counsel of the U.S. Department of Homeland Security and a leading data privacy expert, an attorney in Frost Brown Todd LLC’s Washington, D.C. office. If you have ideas for more interviews or stories, please email [email protected].

Episode 92 - TikTok and Data Privacy
TikTok built a global platform sharing short videos of wild and wonderful doings of people, animals, and things. It is the first Chinese-owned company to create a global base of more than a billion users. What are the risks to personal data privacy from TikTok? How can regular users and influencers protect their personal privacy while using TikTok? How different are the TikTok risks from those of other social media companies that are not owned in part by the Chinese Government? Our guest is Ben Kunde, a Certified Fraud Examiner who leads the international investigations practice at Interfor. Starting with a tragic story about a 13-year-old girl who amassed a million fans that included a demented stalker, Ben discusses prudent privacy measures individuals can take to enjoy a platform’s offerings without needlessly sharing personal data. We also consider controls a country can take when a foreign-owned media giant creates risks to minors and others and what reasonable measures can apply in a world of global data and commerce. If you have ideas for more interviews or stories, please email [email protected].

Episode 91 - Data Privacy and Abortion
With the reversal of Roe v. Wade by the U.S. Supreme Court, data privacy becomes a more important issue than ever. This podcast considers how highly personal, sensitive information about the period between conception and birth is shared and used, how prosecutors obtain and use digital evidence, how private parties obtain information about women considering their options. Learn how individuals can protect their digital healthcare data against unwanted future use by third parties. Consider how a person can safeguard thoughts, considerations, and decisions about intimate personal matters, including the consequences of pregnancy termination. In the uncertainty of what individual states will impose on women’s healthcare and decisions, understand what steps one can take to protect personal digital privacy. If you have ideas for more interviews or stories, please email [email protected].

Episode 90 - The Edge and Personal Data Privacy
Protecting and using personal information has focused on computer and software technology. With the Internet of Things (IoT), the Edge has arrived – the place where devices and traditional data infrastructure connect. Niranjan Maka takes us on a tour of the Edge and explains what it means to enterprises and individuals and the risks the Edge creates for us all. Niranjan heads SmartHub.ai, an Edge company spun out from VMware, focused on bringing AI/ML-powered management and monitoring to IoT/Edge devices. Our physical surroundings are replete with millions of siloed devices and sensors that collect, process, and share our personal information and enterprise data. As a veteran who has held leadership positions at companies like RSA Security, Niranjan explains why we must become aware of the devices and sensors that are constantly with us, how the Edge changes how enterprises and individuals manage data, and how it affects the way our personal information is gathered and used. Tune in for an introduction to the Edge. Learn what enterprises and individuals can do about it, both to manage well in the IoT age and to protect our personal information. If you have ideas for more interviews or stories, please email [email protected].

Episode 89 - Restaurants and Personal Data Privacy
What’s at stake as Congress considers a national data privacy law? The National Restaurant Association is the U.S.’ leading trade association for the restaurant and foodservice industry, representing thousands of members from the largest chain to solo providers. Brennan Duckett, its Director of Technology and Innovation Policy, discusses the key issues for the restaurant industry as Congress debates whether to adopt a national data privacy law. The “Three Corners Bill” recently introduced with bipartisan and bicameral support endorses substantial federal preemption of state law and a limited private right of action for substantial and individualized harm. How does a major industry see this proposal, and what are the changes needed before it is enacted? Our personal data is shared when we order, pay for, and receive a meal. Restaurants and food service companies can be both data controllers and data processors. They interact with other companies that are data processors and controllers. Tune in to this podcast to explore the issues the restaurant industry sees as important as Congress seeks a national approach to data privacy. These issues include private rights of action, loyalty programs, and harmonization of data privacy laws rather than the patchwork and confusing current state-by-state approach. If you have ideas for more interviews or stories, please email [email protected].

Episode 88 - India’s Six-Hour Deadline to Report Cyberattacks to Government
Through a new cybersecurity regulation, businesses in India will have six hours to report cyberattacks to the government, pursuant to a directive that comes into force at the end of June 2022. On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In), part of the Ministry of Electronics and Information Technology, announced regulations that include the world’s most time-sensitive deadline for reporting cyber incidents to the government. Stephen Mathias, head of the Technology Law Practice at the premier Indian law firm Kochhar & Co., presents the substance, challenges, and ambiguities of this pioneering effort. The regulation covers cyberattacks regardless of whether personal data is involved. In comparison to other global reporting requirements (such as GDPR’s 72-hour deadline for reporting breaches of personal data), the 6-hour deadline is daunting and perhaps unworkable. The wording covers attacks even if they are not successful, in effect requiring Indian businesses to report in real time the stream of cyber-attacks that occur daily. Global businesses rely on India’s strong tech industry for data processing. The regulation will challenge all Indian legal entities and any business with Indian connections to act quickly to assess its impact before July 2022. Both civil and criminal enforcement can result from failing to report a broad array of cyber incidents. This podcast will help you understand the impact of the new Indian regulation and what it means for global business and data protection. If you have ideas for more interviews or stories, please email [email protected].

Episode 87 - Japan’s Data Privacy Approach
Japan is a major U.S. ally, commercially and otherwise. What is the Japanese approach to personal data privacy, and how does it differ from the U.S.’s privacy culture? Erik Jacobs addresses the differences in how privacy is conceived and addressed in Japan, in contrast to the complex U.S. system that has no overarching federal law about how our personal information is collected, stored, sold, and otherwise handled. Erik advised the White House Office of Science and Technology and coordinated policy at the U.S. Energy Department during the prior administration. Fluent in Japanese and English, Erik is now Policy Manager for the U.S. and Asia at Access Partnership, a leading global public policy firm dedicated to opening markets for technology. He discusses the Japanese attitude toward privacy policy and the 2022 amendments to Japan’s Act on the Protection of Personal Information (APPI), a comprehensive personal data privacy code that augments sectoral and other laws governing the flow of personal data. Tune in to learn Japan’s approach and what the U.S. can learn from how a leading Asian ally developed a national approach to data privacy protection. If you have ideas for more interviews or stories, please email [email protected].

Episode 86 - Blockchain and Privacy - The First Imposition of U.S. Sanctions
Blockchain. Does it protect personal privacy? Is it a tool that can evade the law? How should we think about the relationship between blockchain technology and individual privacy? In this first of a series of podcast episodes about blockchain and privacy, we turn our spotlight on the first use of U.S. Government sanctions against a cryptocurrency mining company. On April 20, 2022, the U.S. sanctioned the Russian-Swiss Bitriver conglomerate, as part of its response to Russia’s 2022 invasion of Ukraine. Consider how blockchain and privacy interact and what it means for the future of this technology, the use of cryptocurrency, and the ongoing contest between government and personal privacy. If you have ideas for more interviews or stories, please email [email protected].

Episode 85 - Japan’s New Data Privacy Act, 4 Key Developments
Amendments to Japan’s Act on the Protection of Personal Information (APPI) take effect on April 1, 2022. They strengthen the country’s comprehensive personal data privacy code and affect all businesses that collect or process personal information of Japanese residents. Yugo Nagashima of Frost Brown Todd LLC explores four key developments that affect global business: 1. “Person-Related Information” – a new category of data – with consent required to transfer such data to a recipient that will treat it as personal information. 2. Extra-Territorial Reach – Instead of an adequacy approach (like the EU’s), Japan requires a business that will handle Japanese personal information outside Japan to obtain the consent of those persons after a clear description of the data privacy laws of the foreign jurisdiction. 3. Data Breach Notification – A two-step notification process is mandatory for data breaches, with a low threshold of 1,000 affected persons triggering mandatory notification. 4. Pseudonymous Information – A specific definition of pseudonymized data and an exemption from data breach notification when only pseudonymous data has been compromised. If you have ideas for more interviews or stories, please email [email protected].

Episode 84 - The Role of EU Data Protection Officers
The data protection laws of the European Union require many European and other companies holding or processing personal information of EU residents to appoint a Data Protection Officer – a DPO. This role creates a triangle of DPO duties – with responsibilities to the individuals whose personal information is at stake, to the company the DPO serves, and to the Data Protection Authorities who enforce GDPR. Marie Penot provides outsourced DPO services to companies in German, French, and English from her own German consultancy. We explore with her the working life of an outsourced DPO. Learn how companies benefit from the independent role of a DPO regarding EU residents’ personal data. Explore advantages and disadvantages of an outsourced DPO instead of one appointed internally. If you have ideas for more interviews or stories, please email [email protected].

Episode 83 - Ethical Hacking and Data System Assessments
Hacking – it gets a bad rap. For good reason. It’s associated with bad actors who infiltrate an IT system and steal organizational and personal information for criminal purposes. But hacking is simply an activity. Ethical hacking is a means for companies and people to test their data systems and keep bad actors out of them: it protects data by finding weaknesses before attackers do and upgrading defenses accordingly. André Sollner is Global CFO of wizlynx group, a global ethical hacking and penetration testing provider. André holds numerous certifications over a 20+-year career in cybersecurity, including Certified Data Privacy Solutions Engineer. He is our tour guide for how a system assessment is conducted in five phases, from understanding and mapping an IT system and all its points of entry, through the authorized attack itself, to a final assessment and report. This podcast episode will inform you about preventive system assessments that can fortify defenses against data theft, ransomware attacks, and other data disasters. We discuss the range of personal information commonly found in company databases and key weaknesses in IT systems. You will get top tips for both organizational and personal data privacy protection. If you have ideas for more interviews or stories, please email [email protected].

Episode 82 - India’s Imminent Data Privacy Law
India is about to enact a far-reaching data privacy law. Expected to be passed by April 2022 and in force as early as the first quarter of 2023, it represents a comprehensive approach based on, but extending beyond, the model of the European Union’s GDPR. It would govern not only personal information but how non-personal data is collected and processed across borders. The bill would force global companies that gather and use data of Indian residents, or that have personal data of non-Indian persons processed by India’s stellar offshoring/outsourcing industry, to reconsider existing privacy policies and procedures. By including non-personal data and introducing data localization measures, India’s novel approach would represent perhaps the most onerous and strict national policy on data collection, storage, and use. Join this excursion to India, guided by Stephen Mathias, head of the Technology Law Practice at Kochhar & Co. (https://kochhar.com), one of India’s premier multi-city law firms. If you have ideas for more interviews or stories, please email [email protected].

Episode 81 - Quantum Computing and Data Privacy: Does a Privacy Apocalypse Draw Near?
Quantum computing – some view its emergence as heralding the end of data privacy. A sufficiently large quantum computer threatens to break the public-key cryptography (RSA, Diffie-Hellman, elliptic curves) that conventional computing relies on, giving attackers ready access to data protected by it; symmetric ciphers are weakened far less and can be compensated with longer keys. Data recorded today can be stored and decrypted once such a machine exists. What will quantum computing mean for our privacy and the digital world? And what can we do to defend against its perils? Our guest is Ken Morris, CEO of KnectIQ, a company that provides beyond military grade identity, authentication, access, and data protection solutions for highly sensitive environments (its tagline: ZeroTrust based identity, access & data protection). Explore the meaning of quantum computing: its promise, timing, and limitations, as well as the defenses against attackers who will harness it to steal and misuse our data. Learn the two schools of thought about defenses to data theft when quantum computing empowers bad actors as never before. This podcast will force you to rethink cryptography as the sole defense against data loss. Learn how we can better protect data by dealing directly with the infrastructure of data storage and transfer and eliminating the fundamental problem. Tune in for an introduction to the coming age of quantum computing and how individuals, businesses and governments can protect personal and other data from misappropriation. If you have ideas for more interviews or stories, please email [email protected].

Episode 80 - Backup and Privacy
Backup – what does it have to do with protecting data privacy? And how does a backup service work? What should businesses and individuals know about backing up their digital data? On one hand, a backup of data provides a second target for data thieves; not properly handled, backups can increase privacy risks. On the other, without a backup, data that thieves steal or freeze can be lost for good, and businesses and governments are the prime targets of ransomware criminals. This podcast explores the world of backup with W. Curtis Preston, sometimes referred to as Mr. Backup. Host of the podcast series “Restore It All,” author of books, veteran of the data backup business, and Chief Technical Evangelist for Druva (www.druva.com), our guest will take you on a tour of a business and service little understood but vital for protecting and recovering data in case of loss. Learn what “regular expressions” and “immutability” mean in backup lingo and why they matter: an immutable backup cannot be altered or deleted during its retention period, even by an administrator whose credentials an attacker has taken. Consider how backup services can inform businesses about protecting sensitive data better, beyond their role in resiliency and in promptly restoring data that is lost or stolen. And get tips about how individuals can consider the role of backup for their own personal data. If you have ideas for more interviews or stories, please email [email protected].

Episode 79 - Data Localization - The Case of Taiwan
Taiwan occupies a unique geopolitical position: with a substantial population and a robust economy, it lacks formal diplomatic recognition by most countries and is considered by the People’s Republic of China to be rightfully part of it. Taiwan has its own system and laws. How does it approach personal data flows beyond its borders? Taiwan has a comprehensive personal data privacy law with a GDPR-like approach. It provides more flexibility than the EU in how Taiwanese personal information is collected and processed, and there is no express extraterritorial reach to its law. But Taiwan businesses must comply with rules on handling the data they collect and can be held criminally and civilly liable for data exports that violate Taiwanese privacy principles. There are statutory exceptions to the relatively free ability to share and process personal data across borders. Taiwan’s financial regulator requires financial institutions to obtain consent for the export of personal financial data. Taiwan prohibits its telecommunications and broadcast companies from storing subscriber data in the People’s Republic of China. Taiwan uses sectoral exceptions to address particularly sensitive security concerns. This podcast episode explores the unique position of Taiwan on our continuing global tour with Yugo Nagashima about how data localization is practiced. If you have ideas for more interviews or stories, please email [email protected].

Episode 78 - Data Localization - The Case of Turkey
Turkey is the first 2022 stop on our global tour about data localization. What is Turkey’s approach to cross-border transfers of personal data about its citizens and residents? Turkey’s Law on Protection of Personal Data is comprehensive and resembles the European Union’s former Data Protection Directive, though it differs in some respects. Data localization is not part of this existing Turkish law. Instead, Turkey takes a sectoral approach to cross-border collection and processing of personal data of its residents. Turkish banks must collect and store Turkish customer data within Turkey. Data localization requirements apply to payment and electronic money institutions, forcing companies like PayPal or Venmo to locate a payment system within Turkey and to comply with Turkish data privacy regulations. Social media providers must register with and report every six months to Turkish authorities about Turkish social media users. In August 2021, the Turkish Data Protection Authority (KVKK) proposed to amend Turkish law to permit cross-border data transfers to countries for which it issues an adequacy decision. But unlike GDPR, the amendment would require the foreign country’s data privacy laws to be reciprocal, a unique approach that extends beyond adequacy. If adopted, the KVKK approach would encourage multinational companies to use Turkish-based servers and a Turkish subsidiary to have broad access to the Turkish market, but would allow flexibility through binding corporate rules and by notifying the Turkish authorities of a standard undertaking. Tune in to Episode 78 to learn how and why Turkey may be aligning with evolving European standards instead of the more authoritarian and protectionist rules evident in China, Russia, and India. If you have ideas for more interviews or stories, please email [email protected].

Episode 77 - Data Localization - The Case of Singapore
The Data Privacy Detective turns his data localization spotlight on the island nation of Singapore. With a per capita income 64% higher than the United Kingdom’s and a free-market economy that depends on global trade and commerce, Singapore takes a very different approach from China, Russia, India, and other countries that strive to localize their residents’ personal information. Singapore’s Personal Data Protection Act (2012) provides a comprehensive set of rules protecting the personal information of its residents. Like GDPR in scope, it differs in its flexible approach to balancing privacy and national security protections. In 2020 Singapore’s Monetary Authority and the U.S. Treasury issued a joint statement opposing data localization requirements, calling them a risk to cybersecurity and economic growth. They called instead for data mobility in financial services as a spur to innovative services and economic growth and as a more effective approach to risk management and cross-border compliance. Singapore’s broad privacy protection rules allow flexibility for businesses to comply, a model that U.S. regulators may wish to study as an alternative to data fencing or rigid regulation. In February 2021 Singapore’s Personal Data Protection Commission published a guide of model clauses for processors to follow, regardless of where they are based and without requiring that a Singapore server be the data custodian. The island’s embrace of regional multinational compacts (the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules and the APEC Privacy Recognition for Processors) offers a regional model different from China’s data nationalism. If you have ideas for more interviews or stories, please email [email protected].

Episode 76 - Data Localization - The Case of Australia
Our prior podcast episodes detailed how China, Russia, and to a lesser extent India have created barriers to the free flow of personal information across borders. Data localization, sometimes called data nationalization, is the practice of governments restricting or closely regulating how personal information of their citizens can be collected or shared outside the country. This podcast episode looks at how Australia, a free-market country, is handling personal data transfers. Australia has no broad data localization requirements. But it restricts the export of medical information about its residents: electronic health records with personally identifiable information cannot be transferred or processed outside Australia. Australia’s Privacy Act, an early national data privacy law (1988), is comprehensive and different from GDPR. Collecting personal information is permitted only if “reasonably necessary,” so it does not in general require express consent. But Australia is protective of its citizens’ privacy interests. A 2021 order of Australia’s regulator against Clearview required it to cease collection of facial biometrics and destroy existing images of Australian citizens. Clearview argued, without success, that the images were publicly available (and so did not constitute protected personal data) and that Clearview is a U.S. company with no establishment in Australia. If a free-market oriented country like Australia engages in data localization and extends the extraterritorial reach of its laws, what does this mean for the internet, global data business, and the privacy of people? Tune into this discussion in our fourth episode about data localization. If you have ideas for more interviews or stories, please email [email protected].

Episode 75 - Data Localization - The Case of Russia
We turn to Russia in our data localization series. Russia’s 2015 personal data law requires “data operators” to collect and keep information about Russian residents within Russia. It forces them to keep personal data about Russian citizens on a server located in Russia, which must at all times hold at least as much data as is kept on a company’s servers outside Russia. This law resulted in LinkedIn’s being blocked from the Russian internet in 2016 for failing to comply. In 2019 Russia expanded the authority of its regulator, Roskomnadzor, to levy fines instead of being limited to blocking for violations. While the fines are modest in amount, this lets regulators admit popular sites to Russia while insisting on data localization Russian style. In July 2021, Russia began requiring giant social media companies to establish a Russian presence to connect with Russian citizens. It’s believed that more than 600 foreign companies have registered with Russian authorities to participate in the Russian market and comply with Russian data laws, including giants such as Microsoft, Apple, and Samsung. If they fail to comply with Russian law regarding the data of Russian citizens, they can face advertising bans or blocking of access. Russia’s approach lies between the stricter regime of China and the globally open approach of the United States. Russia’s Government would argue that its laws are there to protect Russian citizens from data abuse by foreign companies, but tech protectionism and Russian sovereignty over its citizens’ internet use are also at work. Podcast Episode 75 asks what Russia’s data localization means for the original internet dream of communications and commerce across borders. Tune in for the conversation. If you have ideas for more interviews or stories, please email [email protected].

Episode 74 - Data Localization - The Case of India
In this second podcast episode about data localization, we spotlight India. Since 1993 the world’s largest democracy has enacted data localization laws aiming to keep certain personal records within India or otherwise restrict transfers of Indians’ personal data. When in 2017 the Indian Supreme Court found personal privacy to be a fundamental constitutional right, a Personal Data Protection Bill (PDPB) was promptly drafted. It has since been percolating towards adoption. The draft bill defines certain personal data as “critical,” which must be stored only within India. Other data is called “sensitive” and may be processed outside India provided a copy is kept within India. A third category of “regular” data could be transferred abroad, pursuant to data transfer rules. Unlike China, reviewed in the last podcast episode (Episode 73), India has a robust tech industry heavily involved in processing foreign data. India processes more personal data than any other country, so parochial data laws would stand in stark contrast to this essential Indian industry. Yet Amazon, Facebook, Google and other global businesses dominate India’s home market, unlike their absence from China. Protectionist forces within India are calling for strict data controls, purportedly to protect the privacy of Indian residents while also favoring the interests of local tech and other firms. Indian businesses such as Reliance talk of “data colonization,” the idea that foreign companies control too much of the data of Indian residents and are plundering the wealth of India as measured by the data of its 1.3 billion people. Indian sources expect the PDPB to be enacted in the winter session of 2021-22. The enacted version will reveal whether India adopts a protectionist approach to data or embraces a more global approach to how personal data is collected and processed. This in turn will affect how other nations respond, and how data privacy is enhanced or diminished as the rules governing data evolve country by country. If you have ideas for more interviews or stories, please email [email protected].

Episode 73 - Data Localization - The Case of China
The internet and the worldwide web – the words envision a global communications system that transcends national borders. But the reality differs. Is it increasingly the splinternet? Is www really a series of webs that don’t connect globally? And how is our privacy affected by data fences and controls erected by nations? In this first of a series, we explore how China deals with personal information of its residents. China collects a vast array of personal information about its people – financial, judicial, commercial, societal, and governmental. These are the five pillars of China’s Social Credit System, which aims to reward loyal and trustworthy citizens and penalize others, based on information collected about Chinese residents. Individuals are white-listed or black-listed to be rewarded or penalized, based on personal data collected, analyzed, and applied by the Government to encourage a socially proper citizenry. China has an extensive and evolving set of laws, including recent changes to its Data Security Law, Cybersecurity Law, and the forthcoming Personal Information Protection Law, which aim to keep within China’s borders “personal information” and “important data.” This allows China to prevent transfers of these two types of data to other countries. But the definitions of “personal” and “important” data are left to a vast array of sectoral ministries and regulators and to other national, regional, and local organizations, which may issue categories or lists to define and apply these broad terms. By contrast, China is free to import personal information of non-Chinese residents. Take TikTok, for example. Over twenty million U.S. persons use TikTok, owned by a Chinese company. It is not clear whether the personal information TikTok collects is made available to the Chinese Government, pursuant to PRC laws and procedures. If Chinese companies and Government can collect personal information about U.S. citizens but U.S. companies and Government cannot collect and utilize personal information about Chinese citizens, this creates an imbalance of trade and business opportunities. Is this a path to a data trade war? And if our personal information can be shared beyond our country’s borders, will this change what data we post and share within our borders? This podcast explores how China affects personal privacy and the future of the internet. If you have ideas for more interviews or stories, please email [email protected].

Episode 72 - Personal Privacy Within Your Home
Home is our private place. But in the digital age, how private are our homes? And what can we do to protect our privacy from home invaders? 66% of us rate being viewed through cameras in our own homes as our highest privacy concern, according to a safehome.org June 2021 survey. Explore in this podcast how home devices are watching, listening, collecting, and sharing our personal data, and the steps we can take to limit unwanted intrusions. Terry Rankhorn, a 22-year FBI veteran and founder of Rankhorn & Associates, conducts home and business sweeps to protect clients’ personal data and safety. Computers, televisions, smart thermostats, Alexa and Siri, even dog bowls collect and broadcast our personal data in unimagined ways, jeopardizing our privacy and security. Mr. Rankhorn explains that the first step to increase home privacy is to know what devices we have and which ones collect and broadcast our data. We can remove devices we don’t need or want and use privacy settings and common-sense steps to limit sharing. We can adjust our smart thermostats when away for an extended time, so that thermostat data does not tell hackers when our homes are vacant and ripe for burglary. We can protect our personal data from the devices we literally live with. This podcast episode offers practical advice about how to do that. If you have ideas for more interviews or stories, please email [email protected].

Episode 71 - Doxing and Kentucky’s Pioneering Anti-Doxing Statute
Kentucky is perhaps the first state to adopt a comprehensive anti-doxing statute that creates a civil tort of doxing, as well as providing explicit criminal penalties for defined doxing conduct. In this podcast episode, Justin Fowles, an attorney in Frost Brown Todd LLC's Louisville, Kentucky office, shares key insights on what the new law contains and could mean for individuals' and businesses' online behavior. What is doxxing – or is it doxing? The word entered the Merriam-Webster Dictionary in the 21st century, which defines “dox” as a verb: “to publicly identify or publish private information about (someone) especially as a form of punishment or revenge.” Today it connotes cyberbullying or troll harassment by posting personal information about a targeted person or organization and urging others to take action intended to shame or expose the target. Doxxing has had tragic ends. Doxed individuals have had surprise visits by SWAT teams breaking down the doors of their homes based on the doxer’s false report that a kidnapping or domestic violence was occurring there. Death and, more commonly, emotional distress result from doxing attacks. A federal anti-stalking statute covers the use of an “interactive computer service or electronic communication service”: if a person uses such services with intent to kill, harass or otherwise target persons in specific ways that put them in reasonable fear, cause substantial emotional distress, or otherwise cause them specified harm, a doxer can be criminally prosecuted. But federal prosecutions are rare, and no U.S. statute was designed specifically to combat doxing. Enter the states. Effective June 29, 2021, the Kentucky statute was passed by a Republican legislature with Democratic support and signed by a Democratic governor. It allows Kentucky residents to sue someone for intentionally disseminating their personal identifying information (PII) with an intent to intimidate, abuse, threaten, harass, or frighten a person or an immediate family or household member. The spread of PII must be such that a reasonable person would fear physical injury to the targeted person or an immediate family or household member; intent is measured by that reasonable-person standard rather than by express proof of the doxer’s actual state of mind. Organizations should consider how best to avoid being either a doxing victim or a doxing perpetrator. They could face civil and criminal exposure under Kentucky’s statute for their use of personal information if it is communicated within the statute’s reach, so businesses and other organizations should review the personal information they hold and how it is shared or communicated. Organizations can likewise review defenses to being doxxed; the anti-doxing statute could suggest responses and provide recourse to unfair personal attacks on company personnel. If you have ideas for more interviews or stories, please email [email protected].

Episode 70 - Backup Copies: Preserving Your Privacy and Business Data
Mike Potter’s cat bounced on his keyboard years ago. His hard drive cratered, and he lost his data. But he turned this disaster from feline treachery into a career and a company. Backing up data is an essential part of data privacy and retention for businesses as well as for people. Why is this, how does it work, and what’s the impact on how we keep and protect our data? Mike Potter is CEO of Rewind, an Ottawa, Canada based company that backs up, restores, and copies to its cloud critical information businesses store in their SaaS (Software as a Service) applications. Apps sit atop a user’s platform. Not unlike cats, they can cause problems. Ransomware attacks, employee mistakes, and many other forces can cause a business to lose essential data even when the platform itself is running well. Having a readily available backup copy can allow a business to continue its customer connections, its bookkeeping, and other essential functions without material disruption. That’s the business of Rewind. Many Rewind customers are retail and other small to midsized businesses that use Shopify, QuickBooks, and other platforms for customer interface and keeping other essential data. While major platforms have good cybersecurity protection, none is immune from a hack attack. But beyond that, a business using a SaaS platform may not realize that responsibility for the data in its own account remains with the business: the platform protects its infrastructure, not a tenant’s records against an insider mistake, a compromised account, or a misbehaving integration. When a data loss occurs, the affected business must decide whether this constitutes a data breach, and if so, whether data breach regulations require immediate and usually expensive remedies. A backup copy can help determine the cause of a data loss, whether bad actors or accident. It’s a starting point to discern what went wrong and how a repeat can be avoided. It may lessen the impact of a ransomware attack if the data held hostage is available to the business anyway, without paying a ransom to recoup it.
When engaging a backup copy provider, a business should consider whether the provider has ample privacy protection for its business. A shaky backup vendor would represent a second vector for hack attacks. A business should vet companies that provide such services. Effective ones will offer services that include keeping data on servers within jurisdictions that have data localization requirements, having the funds to afford first-rate cybersecurity protections, offering a 24/7 hotline, and providing excellent customer support. Tips from Mike Potter to businesses on how to keep essential data private and secure when using SaaS platforms: 1. Make sure to use a password manager. 2. Use two-factor authentication. 3. Vet third-party apps for their security and capabilities before installing them. 4. When you add teammates, grant them the minimum level of permission needed. 5. Have a backup available. If you have ideas for more interviews or stories, please email [email protected].

Episode 69 - Ransomware, Negotiating With Digital Kidnappers
Ransomware. It’s in the headlines. It’s digital organized crime across borders. When an organization’s IT system freezes with its data locked by a ransomware gang, what happens? Ransom is demanded, and ransom often gets paid. But how does this work? In this podcast episode, Bill Repasky, attorney with Frost Brown Todd LLC, shares key insights on the process of negotiating with ransomware criminals. They want payment in cryptocurrency. Victims want their data and systems restored. This becomes a business transaction, but not a typical one. Ransomware strikes in 2021 involve highly sophisticated criminal syndicates. To them it’s about the money. When they strike a target and freeze the organization’s ability to operate its IT system, they identify themselves and dictate how to send a ransom payment. The target may be willing to pay, but should do so only after negotiations aimed at two essential objectives: (1) obtaining a working decryption key to unlock the encrypted data and restore the IT system’s operation; and (2) establishing whether the data has been taken (exfiltrated) by the criminals and, if it has, securing a promise that it will be deleted with no copies kept, a promise the victim has no way to verify. Before making any payment, the victim organization must check that it would not violate U.S. sanctions laws by paying a group or person on the Specially Designated Nationals and Blocked Persons (SDN) list published by OFAC at the U.S. Department of the Treasury; the payee’s cryptocurrency address should be screened as well as its name, since the SDN list carries digital currency addresses. Successful resolution of a ransomware attack requires expertise, patience, and insight. Learn how it’s done, pitfalls to avoid, and lessons from past victims. If you have ideas for more interviews or stories, please email [email protected].
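The sanctions check described above can be automated as a first pass before anyone approves a payment. The following Python is an added example written for this page; it is not code from the podcast, Frost Brown Todd, or the Treasury Department. The entity names, aliases, program tags and wallet addresses in it are constructed and fictitious, and the record layout only loosely mirrors the name, alias and digital-currency-address entries of the real SDN list, which must be downloaded fresh and used in full for any actual screening.

```python
"""Screen a proposed ransomware payment against a sanctions list.

Added example; this is not code from the podcast or from Frost Brown Todd.
The entries below are a constructed, fictitious stand-in for the Treasury
SDN list (names, aliases, program tags and digital-currency addresses).
Real screening must run against a freshly downloaded copy of the full list.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class SanctionedEntity:
    name: str
    program: str              # sanctions program tag, e.g. CYBER2
    aliases: tuple = ()       # "a.k.a." names carried on the list
    wallets: tuple = ()       # (currency, address) pairs


# Constructed sample list: fictitious names and addresses.
SAMPLE_LIST = (
    SanctionedEntity(
        name="ACME RANSOM SYNDICATE",
        program="CYBER2",
        aliases=("ACME LOCKER TEAM",),
        wallets=(("XBT", "bc1qconstructedsampleaddressnotreal0000000"),),
    ),
    SanctionedEntity(
        name="DOE, Jonathan",
        program="CYBER2",
        aliases=("Jon Doe",),
        wallets=(("ETH", "0x0000000000000000000000000000000000000bad"),),
    ),
)


@dataclass(frozen=True)
class Hit:
    entity: str
    program: str
    reason: str
    score: float


def normalize_name(name: str) -> str:
    """Uppercase, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^A-Z0-9 ]+", " ", text.upper())
    return " ".join(text.split())


def name_similarity(a: str, b: str) -> float:
    """Order-insensitive similarity so 'DOE, Jonathan' matches 'Jonathan Doe'."""
    ta = " ".join(sorted(normalize_name(a).split()))
    tb = " ".join(sorted(normalize_name(b).split()))
    return SequenceMatcher(None, ta, tb).ratio()


def screen_payment(payee_name, wallet_currency, wallet_address,
                   sanctions=SAMPLE_LIST, threshold=0.85):
    """Return every sanctions hit for a payee name and/or payment address.

    Addresses are compared case-insensitively: bech32 and Ethereum addresses
    are case-insensitive anyway, and a rare false positive on a legacy base58
    address only triggers a human review, never a payment.
    """
    hits = []
    addr = wallet_address.strip().lower()
    for entity in sanctions:
        for currency, listed in entity.wallets:
            if currency == wallet_currency.upper() and listed.lower() == addr:
                hits.append(Hit(entity.name, entity.program,
                                f"exact {currency} address match", 1.0))
        if payee_name:
            # Best score across the primary name and all aliases.
            score, candidate = max(
                (name_similarity(payee_name, cand), cand)
                for cand in (entity.name, *entity.aliases))
            if score >= threshold:
                hits.append(Hit(entity.name, entity.program,
                                f"name match on '{candidate}'", round(score, 2)))
    return hits


def payment_decision(hits):
    """Turn hits into the action the incident team takes before any payment."""
    if hits:
        return "BLOCK: escalate to counsel; possible sanctioned payee"
    return "NO MATCH: not a clearance; rescreen against the current full list"


if __name__ == "__main__":
    for hit in screen_payment("Jonathon Doe", "XBT", "bc1qunrelatedaddress"):
        print(hit)
```

The fuzzy threshold catches transliteration and spelling variants ("Jonathon" for "Jonathan") that an exact lookup would miss, at the cost of occasional false positives that a human reviews. A clean result is not a clearance: the sample list is tiny, the real list changes often, and counsel still decides whether a payment may proceed.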

Episode 68 - Catching Cyber-Criminals With Digital Forensics
Ransomware attacks, data breaches, digital theft: all on the rise. Who are the cyber-criminals? Can they be traced? And what can a company do to minimize risk and respond to an incident? Joining us for a tour of the dark side of the digital age is Bill Corbitt, Vice President of Digital Forensics and Incident Response at Intersec Worldwide (www.intersecworldwide.com), a US-based team of former federal cybersecurity experts who have worked on some of the world’s largest security breaches. The firm was named a 2021 top Digital Forensics & Incident Response firm by Enterprise Security Magazine. Bill’s team has addressed serious incidents for many Fortune 100 companies. In this podcast episode he shares insights into dealing with ransomware attacks, data theft, and the aftermath. Ransomware attacks are conducted by sophisticated criminal enterprises, usually operating from safe havens whose governments seldom prosecute them for attacks abroad. They probe for vulnerabilities, find attack vectors into a company’s IT system, freeze digital operations, then post a ransom demand before releasing a grip that can paralyze the victim’s business. Modern digital forensic techniques can generally attribute an attack to a known group, and the quicker an attacked business engages a forensic expert, the more likely it is that the perpetrator can be identified, because volatile evidence (memory, logs, attacker tooling) is lost as systems are rebuilt. Ransomware attackers increasingly make two waves of ransom demand: the first to unlock the system, the second to promise not to release exfiltrated data to the world. Every ransomware attack should be treated as a potential data breach until a forensics expert determines whether data was actually taken rather than only encrypted in place. Cybercrime, like all crime, will not disappear. If there is money to be made, criminals will seek it. Minimizing risk is essential. Businesses should continually upgrade their entire IT systems, eliminating weak points and discarding outdated elements. Those with access to company computers and systems need training and discipline to treat company property and data with care. If you have ideas for more interviews or stories, please email [email protected].
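To show what determining "whether data has been taken" looks like in practice, here is an added example, not the podcast's or Intersec Worldwide's code, that scans outbound proxy records for large transfers to destinations outside the organization's baseline, the volume-to-unknown-destination pattern that often marks exfiltration before encryption. The record format, hostnames, thresholds and baseline set are constructed assumptions for this page.

```python
"""Flag candidate data-exfiltration flows in outbound proxy records.

Added example; not code from the podcast or from Intersec Worldwide. The
record format, hostnames, thresholds and baseline set are constructed
assumptions; a real deployment parses whatever the proxy or firewall emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source host, destination, bytes out.
SAMPLE_LOG = """\
2021-06-01T02:14:07Z fs01 backup.corp.example 912000000
2021-06-01T02:31:55Z ws-17 mail.corp.example 1200
2021-06-01T03:02:11Z fs01 files.unknown-cloud.example 2147483648
2021-06-01T03:09:40Z fs01 files.unknown-cloud.example 1800000000
2021-06-01T09:15:02Z ws-17 crm.vendor.example 45000
2021-06-01T09:16:30Z ws-22 files.unknown-cloud.example 5000
"""

# Destinations that legitimately receive bulk uploads (constructed; in
# practice built from weeks of baseline traffic before the incident).
BASELINE_DESTINATIONS = {"backup.corp.example", "mail.corp.example",
                         "crm.vendor.example"}


def parse_log(text):
    """Parse the whitespace-separated records; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            records.append({
                "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                "src": src,
                "dst": dst.lower(),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return records


def find_exfil_candidates(records, baseline, byte_threshold=500_000_000,
                          window_minutes=60):
    """Return (src, dst) pairs whose outbound volume to a non-baseline
    destination reaches byte_threshold inside any window_minutes window.

    The sliding window matters: exfiltration is usually chunked, so no single
    record need be large, but the sum over a short period is.
    """
    flows_by_pair = defaultdict(list)
    for rec in records:
        if rec["dst"] not in baseline:
            flows_by_pair[(rec["src"], rec["dst"])].append((rec["ts"], rec["bytes"]))

    window = timedelta(minutes=window_minutes)
    findings = []
    for (src, dst), flows in flows_by_pair.items():
        flows.sort()
        start, total, best = 0, 0, None
        for ts, nbytes in flows:
            total += nbytes
            # Shrink the window from the left until it spans <= window_minutes.
            while ts - flows[start][0] > window:
                total -= flows[start][1]
                start += 1
            if total >= byte_threshold and (best is None or total > best["bytes"]):
                best = {"src": src, "dst": dst, "bytes": total,
                        "first_seen": flows[start][0], "last_seen": ts}
        if best is not None:
            findings.append(best)
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_log(SAMPLE_LOG), BASELINE_DESTINATIONS):
        print(f"{f['src']} -> {f['dst']}: {f['bytes']:,} bytes "
              f"between {f['first_seen']:%H:%M} and {f['last_seen']:%H:%M}")
```

On the sample records only the file server's 3.9 GB push to the unknown cloud host in the early hours is flagged; the larger-looking transfer to the backup server is expected and the workstation's 5 KB probe is below threshold. No findings is not evidence of no exfiltration: transfers over DNS, through an already-trusted baseline destination, or chunked across many hosts below threshold pass this filter, so the examiner corroborates with endpoint artifacts (archive tools, sync-client configurations, staging directories) from the attack window.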

Episode 67 - Data Flows After Brexit... For Now
Europe finds the UK data privacy system adequate, for now. On June 28, 2021, the European Union granted two adequacy decisions to the United Kingdom for personal data purposes: 1. Decision on the adequate protection of personal data by the United Kingdom under the General Data Protection Regulation; 2. Decision on the adequate protection of personal data by the United Kingdom under the Law Enforcement Directive. This assures, for now, that personal data can continue to flow between the EU and UK without additional safeguards. But for the first time, the EU’s decisions are not open-ended: they carry a sunset clause and expire after four years unless renewed. What’s going on? Because of Brexit, the UK and the EU reached a trade and cooperation agreement at the end of 2020. This included a bridging period of up to six months for the UK and EU to settle data privacy flows. The deadline approached, and the EU decision was made just in time (the UK had already issued its own adequacy decision regarding data going to the EU). Had it not been made, one estimate was that UK businesses would face immediate compliance costs of about 1.6 billion pounds, aside from other costs. So, UK businesses can rest easy, for a time. According to Kim Walker, a leading UK privacy attorney at the firm of Shakespeare Martineau (shma.co.uk), 11% of global data flows through the UK, and 70% of UK data flows through the EU. Why the last-minute timing and why the unusual temporary grant of an adequacy decision? The answer lies in the same surveillance issues that restrict data flows between the EU and the United States. Without a comprehensive and protective federal personal data privacy law, the United States is unlikely to receive a lasting adequacy decision from the EU. The EU is particularly skeptical of mass surveillance by U.S. authorities. The British mass surveillance system is not that different from the American approach to how and when public authorities can access private personal information. The EU is concerned that granting adequacy to the UK could create a back door through which UK onward transfers let EU personal data flow unrestricted to the United States, undermining the GDPR’s restrictions on data flows that would disrupt the protections of personal privacy at its heart. If you have ideas for more interviews or stories, please email [email protected].

Episode 66 - Phone Scams and You
This is a true story of a phone scam of May 2021. The Data Privacy Detective got a call on the home landline. This scam will succeed in stealing money from countless Americans. It’s targeted particularly at older people who dearly love their television, especially during pandemic times. You can see the tricks and traps in this scam. Of course, the best defense is not to answer such calls at all, but then how can one know that a local number is not an old friend or acquaintance calling for a good reason? If you get a call like this, write down the details. Share them with the fraud hotline of the company being impersonated. Notify the FBI and the Federal Trade Commission if you have the time. This builds a file on these entities. Though it’s unlikely that law enforcement will be able to shut down the criminal syndicates and others active in this fund-raising activity, it will build the awareness that our privacy is attacked through such intrusions. Without greater regulation and defense against such increasing scams, there’s a risk that our communications systems become so riddled with such problems that we’ll all retreat into a hole to avoid them. One definition of privacy is the right to be left alone. Anyone with a phone will find that hard to achieve. You can, however, work with your phone service provider to block calls in various ways. Check with your provider what restrictions you can put into place to limit calls from James Michael and Ralph Smith. Remember – protecting your personal privacy begins with you. If you have ideas for more interviews or stories, please email [email protected].

Episode 65 - Ransomware Basics
This podcast episode explores ransomware from preventive, legal, and communications angles. While there’s no 100% effective vaccination against a ransomware attack, there are steps enterprises and each of us can take to beware, prepare, and take care. Ransomware. It’s the modern equivalent of kidnapping – except people aren’t grabbed and held hostage. Instead, an enterprise has its computer and information system locked by a criminal. Data gets encrypted and unusable until and unless the organization pays a ransom to the thief, who is known only by a digital address and often demands untraceable payment in cryptocurrency. Ransomware is a type of malware – software installed in a system by an outside party for bad purposes. Unlike malware focused on stealing data, ransomware aims to extract a ransom payment in exchange for decrypting and restoring the victim’s data. From a criminal’s perspective, ransomware is a simpler, less expensive way to get money than malware that aims to export (or exfiltrate) and resell data. It can be an “in and out” operation, not requiring search, download, categorization, and reselling of purloined data. Despite this, because data has great value, Blackfog estimates that 70% of ransomware attacks include data exfiltration, so that the attacks not only temporarily freeze data usage but also result in a release of personal and business data to third parties as secondary damage. Ransomware theft is rising. Security sector experts report a 7-times increase in ransomware attacks between 2019 and 2020, with the average ransom demand increasing to more than 3 times the prior year’s figure. Blackfog predicts cybersecurity theft will approach $6 trillion for 2021. CrowdStrike’s comprehensive summary of 2020 and early 2021 reports a four-fold increase in interactive intrusions in the past two years, with 149 criminal syndicates tracked on its list of named adversaries. Ransomware is organized crime on a massive and global scale.
For units of government, businesses, and non-profits (like universities and hospitals), ransomware can strike like a rogue wave at sea. But it’s often an attack more like a time bomb, lying in wait until the criminal gang is ready to demand its ransom at a time of its choosing. And when this happens, it can immobilize the organization’s ability to operate. Immediate action is required. How do we get our data back? Do we pay the ransom? If we do, will we get the data back? Even then, how do we know it’s safe? How can we prevent this from happening again? If it does, how do we deal with the immediate issues, recoup the data, and ensure it’s clean and usable? If you have ideas for more interviews or stories, please email [email protected].

Episode 64 - The Two Faces of Browsers and Our Privacy Options
Janus was the Roman god of doors, gates, and transitions. He needed two faces to look in both directions - life and death, past and future. Internet browsers allow us to access and gaze across the internet, but at the same time, they are watching us, recording what we do while browsing. True, browsers do not charge us for their services – browsing is free. But as it is said, when a product is free, we become the product – or more specifically, our data becomes the product. In this podcast episode Jeff Bermant, the founder and CEO of the browser Cocoon, joins us to explore how browsers and privacy intersect. Cocoon was founded for the purpose of providing a more privacy-secure experience than any other browser by creating a cocoon around the browsing individual. We discuss how users have data privacy choices – which browsers to consider, how to adjust privacy settings, and what add-ons are available for browsing. When it comes to data privacy, protecting your personal data begins with you. If you have ideas for more interviews or stories, please email [email protected].

Episode 63 - Your Face, Time To Scrub?
Facial recognition. It’s a hot topic. Targeting, misidentification, and doxing - the dangers are real. So are the benefits – finding criminals and solving crimes, searching for relatives and old friends, researching history, conducting social research, sharing with friends over a lifetime. Kashmir Hill’s penetrating cover article in the March 21, 2021 New York Times Magazine, “Your Face is Not Your Own,” details how our photos are scraped and used by companies far beyond what we imagine. Our images are available from public sources such as driver’s licenses. Many arise from our choice – through Facebook and Instagram postings, directories, newspaper and other media sources. As the TV series Cheers’ theme song sang, “Sometimes you want to go where everybody knows your name.” But now it’s not just the neighborhood pub. It’s the internet, where everybody knows your name, and everybody can find your face. What to do? That’s where scrubbing comes in. Scrubbing is the effort to erase, stop, or minimize the spread of a digital posting. Scrubbing is a challenge. It can be expensive. Certain scrubbing services charge annual fees of $100 or more per person. In this episode we discuss what options are available to you, what governments are experimenting with to find a balanced solution, and whether there is any hope to truly erase your face from digital history. If you have ideas for more interviews or stories, please email [email protected].

Episode 62 - TIKTOK and Privacy: Challenges from Europe and America
On February 16, 2021 TikTok was sued in Europe for abusing consumer rights. Millions of Europeans use TikTok to post, share and watch videos 3 to 60 seconds long, ranging from dogs in pink tutus to Shaq dancing. The European Consumer Organization BEUC is an authorized entity in the EU to file complaints against businesses. Its press release, BEUC files complaint against TikTok for multiple EU consumer law breaches | www.beuc.eu, claims that TikTok engages in a “massive scale” of consumer abuse, including unfair and deceptive practices, terms of use that hurt consumers, failure to protect minors from harmful content and embedded advertising, and misleading use of personal data. By contrast, the U.S. President on August 14, 2020 issued an executive order to kick TikTok out of operation in the States unless it sold its American operations to a U.S. buyer. The Executive Order was based on TikTok’s Chinese ownership, which the prior U.S. Administration claimed was a threat to U.S. national security because the owner ByteDance was accessing personal data of U.S. persons that could be provided to PRC authorities. EO-on-TikTok-8-14-20.pdf (treasury.gov) TikTok successfully sued in several courts to block immediate enforcement of the Executive Order, a matter on appeal in the federal courts. On February 10, 2021, the Wall Street Journal reported that the Biden Administration decided that it would review the matter but was unlikely to pursue a forced sale to American companies. TikTok Sale to Oracle, Walmart Is Shelved as Biden Reviews Security - WSJ. What’s the future of TikTok as a Chinese-owned business that allows people to post, share and watch videos globally? And what does it mean for the world where business and human connections flow across borders? The Data Privacy Detective explores these puzzles in this podcast. If you have ideas for more interviews or stories, please email [email protected].

Episode 61 - How Not To Get Phished!
Data theft set new records in 2020. The major causes are not failures of equipment, software, or services. In an estimated 85% of cybercrime, the cause is us. We make careless mistakes as though we were inviting villains into our homes. We let thieves into our IT systems by accident. We get phished. You get a message on your computer. It may seem to be from a friend, a trusted source, a reliable company, even your boss. It might seek an urgent response about something. How do you avoid dealing with the emailed message without letting a villain into your computer, and so into your personal or business IT systems? How do you prevent making a mistake that gives a cybercriminal the chance to freeze and hold your personal or your company’s IT system for ransom or to hack personal and proprietary information? Here are seven top tips to avoid being the reason you or your business is the victim of data theft. Check emailed messages for seven red flags before acting:
1. Bad spelling
2. Bad grammar
3. Nonsense in the subject line
4. Incorrect domain name in images and links (hover over a link without clicking to reveal this)
5. Pressure tactics to scare you into acting fast
6. Unexpected message
7. Unexpected attachments or links in the message

Episode 60 - Cyber Insurance: What it Does and Doesn’t Cover
As businesses move into 2021, what insurance can they have to limit cyber risk? What does cyber insurance cover and not cover? How is it priced and secured? Data Privacy Detective guest Sean McGee is a Vice President of USI Insurance Services, an independent company serving global clientele and accessing global insurance markets (www.usi.com / [email protected]). Also an Ohio and Kentucky attorney, at USI Sean advises customers on a broad array of business risks, including those arising from personal data collection and use. Cyber insurance emerged in 1997. Insurance Journal reported 2019 premiums of over $2.2 billion, spread among a competitive range of providers, with growth anticipated in number of policies, variety of risks covered, and premiums. As one example, the average payment for ransomware attacks jumped to almost $85,000 by year-end 2019, almost double the prior year’s average, triggering an adjustment of price for covering this type of risk. Cyber insurance pricing is competitive. It depends on a company’s responses to questionnaires that can be 20 pages in length and interviews with CIOs and others. Underwriters assess the strength and scope of an applicant’s cyber protection program before quoting a premium. A solid cyber policy will generally cover direct costs resulting from a data breach or incident. These include attorney fees and other costs of defense, resolution of private and public claims, expenses to recover purloined data, business interruption (subject to defined caps and other details), and similar out-of-pocket losses suffered from a cyber-attack. Policies generally cover global losses, including direct losses suffered in the European Union under GDPR. Coverage typically does not extend to more indirect losses, such as damage to reputation, costs to improve a system after an attack, or potential future lost profits as distinguished from business interruption loss.
The more indirect or difficult to measure a loss is, the less likely it will be insured. Deductibles, caps and other limits, and unusual types of risks should be carefully reviewed before finalizing an insurance purchase. Top tips for businesses considering cyber insurance:
- Have a top-to-bottom training program to help every individual avoid phishing and other incidents that lead to data breaches, ransomware attacks and other losses.
- Have a data response plan in place before it’s needed, ready to activate immediately when required.
- Think holistically. Preventing data attacks is not just a hardware problem. Regularly review measures to upgrade data protection, protect personal and proprietary data, and limit losses from data risks.

Episode 59 - Taiwan: A Bridge For East-West Commerce?
Taiwan is one of the “Four Asian Tiger” economies. Its companies hold 66% of the world’s semiconductor market. It consistently tops the USPTO per-capita list of patent filings, and its population of about 25 million enjoys what is considered the world’s fastest internet connection. It is becoming a major player in data. Considered part of China by the PRC, which refers to it as the “Taiwan Authority,” Taiwan declares itself to be the Republic of China. Despite geopolitical issues, robust business flows between the two. Taiwan is a leading investor in the PRC. Commerce between the two seems unimpeded by political differences. With rising tensions between the U.S. and PRC, alongside changes in Hong Kong that threaten the “one country two systems” approach, how should global business consider Taiwan? Is it a bridge for east-west data-related commerce? John Eastwood leads the Taiwan firm Eiger Law’s Greater China Practice (John EASTWOOD - Eiger). In this podcast John explains how Taiwan is becoming a major Asian data, financial and regional headquarters center for North American and European businesses, growing to rival Singapore and Hong Kong. Personal privacy protection is highly valued and regulated by Taiwan law, which differs significantly from the PRC’s data localization regime. Taiwan generally blocks flows of personal information from Taiwan to the PRC, and so can be viewed as a safe haven for western businesses that collect and process personal and company data in Asia. Unlike the PRC, Taiwan does not require data to be shared at will with government authorities. Taiwan’s Personal Data Protection Act (PDPA) adopts entirely neither the U.S. nor the GDPR model, though it embraces most of the key principles of the GDPR (Taiwan’s Personal Data Protection Rules - Taiwan Business TOPICS (amcham.com.tw)). More flexible and consent-based than the EU’s regulation, but comprehensive unlike the U.S. sectoral approach, Taiwan in recent years has broadened the protection of personal data while aiming to be attractive to multinational businesses seeking an east Asian data hub. Taiwan is pursuing an “adequacy decision” with the EU while addressing numerous concepts differently from the GDPR’s provisions. If you have ideas for more interviews or stories, please email [email protected].

Episode 58 - Personal Privacy and Community IT Systems
Data privacy is about balancing individual concerns and community needs. Without assurance that private information will be responsibly shared and used, people may not share accurate information or be willing to provide data at all. But to get student aid, applications must reveal sensitive family financial information. To gauge student success, performance details must be documented and shared with others. Sociological research requires that a database be accurate and credible. How can a community design its IT system to reassure individuals about privacy, yet obtain and share data responsibly and create data platforms and visualizations to meet collective needs and aspirations? This challenge is common to any community, whether it’s a city, a business, a university or another type of collective. In this podcast Lee Norris, Vice Provost for Enterprise Data Architecture of the University of North Carolina Greensboro, discusses how a community that gathers data of 25,000 people at its core and about 100,000 data subjects overall designs and operates its data system. Through a combination of communication and technology, its data architecture stems from privacy by design. This approach advances essential ethical, research, institutional and other objectives, beyond compliance with federal and other laws that regulate particular types of data, such as student information (FERPA) and medical information (HIPAA). UNCG’s design starts with an understanding of individuals’ concerns and circumstances. By communicating clearly to data subjects (people) what data is needed, what data need not be shared, and what data will be handled and how it will be safeguarded within UNCG, the data system is created to encourage appropriate but limited data sharing. This is data minimization and privacy by design thinking. By building a culture of trust, UNCG has not found that its constituents are reluctant to share needed information.
This in turn increases the accuracy and reliability of databases that UNCG staff create from data pools for a variety of purposes, ranging from assessing individual and collective student success to compiling research databases. If you have ideas for more interviews or stories, please email [email protected].