When Is It Okay to Violate Someone’s Privacy?
Hello all, and happy Thursday!
August 15, 2024
Regular readers of this newsletter see plenty of headlines about 1) data breaches and 2) fines levied against violators of data privacy regulations. But I wanted to highlight a story this week that features both—because often, where you find the one, you find the other.
Advanced, a provider of IT and software services, was hacked back in August 2022. Notably, the UK’s National Health Service (NHS) was one of its clients, meaning that a lot of sensitive information wound up in the hackers’ hands. The Information Commissioner’s Office (ICO) stated that this data “included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.” Scary stuff!
At the time of the breach, medical professionals around the UK were forced to take patient care notes using pen and paper, transmit patient records manually to general practitioners, and essentially perform all of their duties without the benefit of a healthcare IT system.
Now, Advanced potentially faces a £6 million fine for failing to protect personal information. Specifically, the ICO found that the hackers gained access through a customer account that did not have multi-factor authentication implemented.
(It should be noted that this fine is provisional and that the ICO still has more investigating to do—but it seems unlikely that Advanced will be able to dodge this penalty.)
Too often, this is how organizations get penalized for noncompliance. Malicious actors take advantage of some chink in the armor, and the costs just don’t stop. You might pay for the hackers’ ransom, remediation efforts, PR campaigns, lost business, and more. Just when things seem like they’re finally winding down, a data protection authority comes along to rub salt in the wound and add a fine on top.
It’s a good reminder to invest in both robust cybersecurity and data privacy practices. Through security, you reduce the likelihood of a breach, and through privacy, you reduce its impact—after all, if you never need to handle sensitive personal information in the first place, you won’t have to worry about an attacker breaching your systems and getting their hands on it.
Best,
Arlo
Recently, nearly half a million Ohioans’ personal data was posted to the dark web for sale. Columbus Mayor Andrew Ginther held a press conference Tuesday morning claiming that the data was unusable, encrypted, or corrupted—however, cybersecurity experts have found that this is not the case. One local cybersecurity expert said he found names, addresses, birth dates, driver’s license numbers, and Social Security numbers. Initially, the city said that the data of Columbus employees, including police and firefighters, had been exposed in the data breach.
In one of the largest data breaches in history, the personal information of nearly 3 billion individuals has been stolen from National Public Data, a background check and fraud prevention service provider. The breach, which came to light through a class action lawsuit filed in Florida, has sent shockwaves through the cybersecurity community and raised serious concerns about data privacy and protection.
Following a ransomware attack in August 2022, Advanced Computer Software Group was investigated by the UK Information Commissioner’s Office (ICO). The ICO found that hackers had gained access to Advanced’s systems via a customer account that did not have multi-factor authentication implemented. Now, the ICO has announced its provisional decision to fine Advanced £6.09 million over its failure to implement sufficient measures to protect personal information.
Although New York does not have a comprehensive data privacy law, businesses’ privacy-related practices and statements may be subject to New York’s consumer protection laws, which generally prohibit businesses from engaging in deceptive acts and practices. Accordingly, the New York Attorney General recently published guidance for website privacy controls, noting that “statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”
X (formerly Twitter) has suspended its much-criticized harvesting of European users' personal data to train its artificial intelligence program, said Ireland's Data Protection Commission (DPC). The DPC, which acts on behalf of the European Union, said in a statement that it "welcomes X's agreement to suspend its processing of the personal data contained in the public posts of X's EU/EEA users which it processed between 7 May 2024 and 1 August 2024, for the purpose of training its AI 'Grok'."
Certain SaaS providers (*cough cough* Osano) provide scores on third-party vendors to help businesses understand their privacy risk at a glance. But there’s more to it than just seeing Vendor X has a lower score than Vendor Y. We partnered with Venminder, the experts in third-party risk management, to explain how third-party privacy scores can unlock actionable insights into your vendors and the risk they introduce.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!
Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.