October 18, 2024
Issue 35 — Latest in privacy & security
In today's email…
- California protects brainwave privacy
- Five new state consumer privacy laws go live in 2025
- Privacy lessons from a $250,000 HIPAA ransomware fine
- Facial recognition provider, Clearview AI, fined
- Upcoming privacy events
Let's dive in!
Latest in Privacy and Security
Brain waves are now protected under the California Consumer Protection Act (CCPA). Data collected from the nervous system will now have the same protections as other personal information, such as financial records, geolocation, and biometric data. California is the second state to explicitly protect neural data, after Colorado.
Comprehensive consumer privacy laws go into effect in Delaware, Iowa, Nebraska, and New Hampshire on January 1, 2025, with New Jersey following suit on January 15. While the laws provide similar consumer protections and enforcement mechanisms, the rules for which businesses are covered vary from state to state. Find out if your organization is covered, and how to prepare for the law.
Regulations / Fines
- The Department of Health and Human Services announced a $250,000 HIPAA settlement for a Washington healthcare provider that fell victim to a major ransomware attack. HHS made its recommendations for HIPAA compliance, but they are great advice for anyone dealing with sensitive information:
  - Make ransomware and hacking a priority: Major breaches using ransomware have grown by 264% in just six years.
  - Vet your vendors: Make sure vendor contracts spell out breach and security incident obligations.
  - Conduct risk analysis and risk management: Review the risks whenever you add new tech, features, or business processes.
  - Watch, audit, and learn: Record system activity and conduct regular reviews to spot risky or suspicious activity, and learn from incidents.
  - Keep your team prepared: Use good security practices like multi-factor authentication and encryption, backed up with regular training to make sure your workers stay on top of their privacy and security obligations.
- The Dutch DPA fined US-based facial recognition company Clearview AI more than $33 million for storing facial recognition data on Dutch citizens. The DPA also banned use of the software in the Netherlands. Clearview violated the GDPR by scraping Internet photos and creating biometric profiles without informing the subjects or receiving consent.
Upcoming Events
- IAPP Europe Data Protection Congress | Nov 18, 2024 | Brussels, Belgium
- FutureCon Phoenix | October 30, 2024 | Phoenix, AZ and Online
- FutureCon Nashville | November 14, 2024 | Nashville, TN and Online
- IAPP ANZ Summit 2024 | November 26-29 | Melbourne, Australia
- IAB State Privacy Law Summit | Nov 19, 2024 | New York City, NY
Planning for Q1 2025?
Let us help you design your privacy and security program.