Hello all, and happy Thursday!
The theme of the week, apparently, is vendor risk.
Multiple stories this week center on third parties being handed data they maybe ought not to have.
In the UK, children’s safety provisions of the Online Safety Act went into effect on July 25th. As a result, multiple websites that host potentially harmful content (e.g., Reddit, Discord) now need to verify users’ identities. Unfortunately, that means multiple third-party services will now have access to payment information, account information, selfies, ID cards, and the like to estimate users’ age.
With the lack of standardization and the number of different providers out there, it’s a matter of when, not if, there’s a serious breach.
Not to be outdone, the Trump administration has launched a new initiative to ensure Big Tech companies can get their hands on Americans’ health data, ostensibly to facilitate healthcare providers’ access to health records.
“Will these tech companies be subject to HIPAA?” you ask. Don’t worry about it! Why are you being such a wet blanket about this?
Eventually, data minimization practices will be seen as the norm and not the exception—but it does seem like it’s going to take a while.
Best,
Arlo
Blog: What Is the Processing of Personal Data?
Data privacy laws define “processing” so broadly that many people don’t realize their daily work involves processing personal data. We define the term in plain English and provide common examples of personal data processing in our blog.
Blog: Optimizing Privacy Operations: Making Compliance Less of a Fire Drill
Achieving compliance is one thing; doing so efficiently, repeatedly, and at scale is another. Focusing on privacy operations is your key to making compliance feel less like an emergency and more like a standardized practice.
Blog: Data Privacy Strategy: The Ultimate Guide
Not sure what a data privacy strategy is, or how to start building one at your organization? Start here with our blog.
A vishing scheme tricked an employee into giving hackers access to a third-party database, exposing user profile data from Cisco. Cisco maintains that no “organizational customers' confidential or proprietary information, or any passwords or other types of sensitive information” were compromised.
A new law requires sites offering adult/harmful content to verify age—mostly via third-party systems handling ID, selfies, or payment data. Critics say non-standard tools and inconsistent deletion policies may actually weaken privacy.
The European Commission’s AI Office has revealed which general-purpose AI models developers have committed to the EU’s AI code of practice. Notable U.S. Big Tech companies that signed are Amazon, Anthropic, Google, IBM, Microsoft, and OpenAI. Elon Musk’s xAI has signed onto one of the three chapters of the code. Meta was the most significant holdout. The company earlier announced it would not sign the code.
A new initiative led by CMS and tech providers aims to unify patient data access across platforms. Privacy experts warn this movement may expose sensitive health records outside the strict confines of HIPAA.
Major European healthcare provider AMEOS Group has confirmed suffering a cyberattack in which it lost sensitive patient, employee, and partner information. In a short announcement recently published on its website, the company said that despite “extensive” security measures, it was unable to prevent “brief” access to its IT systems.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
The book inspired by this newsletter: Osano CEO Arlo Gilbert covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!