France, 21 January 2019 – The CNIL data protection authority’s restricted committee imposed a financial penalty of 50 million euros (around 57 million US dollars) on the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding ads personalization.
Springfield, Illinois, 25 January 2019 – The Illinois Supreme Court, considering the case of Rosenbach v. Six Flags Entertainment Corporation, made a significant ruling on the state’s Biometric Information Privacy Act. The case centers on a 14-year-old amusement park visitor whose fingerprints were allegedly taken without parental consent. Six Flags argued that it could not be held liable unless the plaintiff demonstrated a tangible injury. However, the court ruled that “an individual need not allege some actual injury or adverse effect, beyond the violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
In both these events, we see a continuation of the trend for increased protection for the rights of individuals around the collection, processing, and use of their personal data.
From an individual’s perspective, this matters in the digital age because, as bad actors improve their ability to exploit vulnerabilities in certain biometric technologies such as fingerprint recognition (2017 IEEE research paper) and face recognition (2017 disclosure of a vulnerability that allowed Windows face recognition to be spoofed with a photo), preventing bad actors from amassing collections of biometric data becomes a lot more important. Unlike a password, a fingerprint or face cannot be changed once it has been compromised. After all, stealing biometrics is the password theft of tomorrow.
From a corporate perspective, this underscores the importance of having a robust, defensible data management policy in place together with the procedural and technical controls to enforce it. Lawmakers and courts worldwide are deciding that gentlemen’s agreements and self-policing are no longer enough, with more and more severe penalties (including jail time for executives) either in force (GDPR), coming soon (California Consumer Privacy Act) or in the legislative process (US Consumer Data Protection Act).
For those who might think the lawmakers are over-reacting, on 17 January Techworld published a list of some of the world’s most notorious data breaches from 2011 to the present. Some basic steps for any organisation that holds personal data:
- Know your data. Where does it come from? How is it collected/processed? Do you have consent for personal data?
- Make sure cyber risk is managed as part of your overall risk portfolio. With multimillion-dollar fines and prosecutions, cyber risk is not just a geek thing anymore.
- Put data protection policies in place, with effective and appropriate controls (technical and procedural!), then audit regularly to make sure the controls are still in place and working.
- Have an information retention plan, and make sure that only data necessary for the operation of the business or audit/reporting purposes is retained beyond its useful life. Do not forget to audit this as well.
Our third and final event was the 17 January publication by online security researcher Troy Hunt of a dataset comprising more than 772 million email addresses and 21 million passwords in a package of 12,000 files, the so-called “Collection #1”. It is only a matter of time before collections of biometric data start to surface as well.
Large data sets are now definitely out of the realm of the deep dark web, and available in the shallower pools where the script kiddies splash and play! This is the time, if ever there was one, to remind your families, friends, and colleagues to take simple steps to protect themselves.
- Use strong passwords.
- Do not reuse passwords across sites, and consider using a password manager from a reputable company.
- Use two-factor authentication wherever possible.
- Subscribe to a credit report alerting service (many banks and credit card companies now offer this service for free, as do third-party credit and risk information providers).
- Keep a watchful eye on your accounts (online services as well as financial accounts) for unusual activity. Even social media accounts can do you damage, with many employers now demanding access to accounts, although the morality and legality of intrusion at that level into an employee’s private life is a different question for a different day.