Data Privacy Detective - How Data Is Regulated, Managed, Protected, Collected, Mined, Stolen, Defended And Transcended.

Many of us wonder how the internet knows so much about us. We are barraged with tailored ads as we use the internet. How does this happen? How does this affect the compliance risks of businesses and the data privacy of us all? Dan Frechtling, CEO of Boltive, explores the digital advertising ecosystem in Episode 115. Explore the sub-terrain of the internet, how it creates advertising revenue that is the business model of many tech firms, how unwanted ads and mal-advertising encroach, how it affects our personal privacy, and how regulation increasingly requires businesses to offer consumers the choice of refusing the sale or sharing of their information. Learn how businesses can minimize risk and avoid compliance violations and how consumers can make privacy choices within their control. For information about inadvertent data leakage, Visit Boltive at https://www.boltive.com/ to learn more about inadvertent data leakage. Visit https://www.linkedin.com/in/frechtling/ to connect with Dan. Time Stamps: 01:40

The Data Privacy Detective welcomes Frost Brown Todd attorneys Mike Nitardy and Yugo Nagashima to cover three important developments in the world of data privacy: -Updates to the California Privacy Rights Act (“CPRA”) – highlights of final regulations just issued -FTC settlement with GoodRX - the first enforcement of the Health Breach Notification Rule – its meaning for the healthcare industry and us -European Commission’s proposed “Data Act,” which could radically change the rules of data sharing and stimulate competition in tech sector Time stamps: 01:15 - California Privacy Rights Act amendments 07:58 - FTC settlement with GoodRX 11:55 - EU Data Act proposal

Business Email Compromise – it’s a major way that global thieves steal trillions of dollars. Bill Repasky, an attorney at Frost Brown Todd LLP, with years of experience in electronic payments and cyber-fraud defense, explains how attacks of this type occur, why they are growing, what can be done to prevent them, and what a business can do if attacked this way. Common types of Business Email Compromise attacks are what appear to be incoming customer payments, outgoing payments to suppliers of goods and services, and internal attacks (where a mal-actor takes over an employee’s email account at the business). While anti-phishing training is important, it is not enough. Businesses can minimize risk of loss by upgrading institutional defenses this podcast discusses. Tune in for a tune up on how businesses can deal with the rising global crime wave of Business Email Compromise. Time stamps: 00:46 - What is Business Email Compromise? 03:28 - What businesses are being targeted? 05:35 - What are the common threa

In this bonus episode, we bring you the Data Privacy Detective's guest appearance on the Privacy Week podcast's "The Privacy Panel Discussion" special.

Canada and the United States are each other’s major commercial partner. Many U.S. companies have Canadian customers and collect and process personal information about Canadians. They must therefore understand Canada’s and its provinces’ regulation of personal data privacy. The Canadian regulation of data privacy is very complex, with a maze of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws and regulations. In this conversation with Lyndsay Wasser, a Toronto-based attorney at the Canadian law firm McMillan LLP, the Data Privacy Detective asks what cross-border businesses should know about privacy and data security in Canada, as well as looming changes on the U.S.’s northern horizon. Time stamps: 01:05 - What is the general state of data privacy and security law and regulation within Canada? 02:33 - What does Quebec do differently? 03:18 - Do foreign companies need to consider individual provincial laws in addition to the federal laws? 05:27 - How is

“If it’s free, then you are the product.” We carry in our pockets devices that have powerful mechanisms for collecting our information–where we go, what we buy, and even how fast we move. Every time we scroll through social media on our phones, we are submitting extremely precise data about what we might be interested in… even down to how many seconds we slow down to look at an individual post. By using these products and services, we are in effect consenting to this data collection, which comes back to us in the form of targeted advertising. But is there an alternative? What can we do if we want to use these services but don’t want to give over so much of our personal information? Ryan Patersen’s company Unplugged is betting that there are many people willing to pay more for more privacy. The products and services Unplugged offers present a fascinating test case in how much people value their privacy, and Ryan joins the Data Privacy Detective podcast to tell us all about it. Learn more about Unplugged at

Tech giants like Google, Apple, and Facebook incur huge Euro fines from European Union data privacy authorities. This is a “stick” approach, perhaps more like a “club,” of forcing EU rules upon global companies, aiming to force tech giants to change data privacy policies and practices to GDPR’s strict demands. Enter the Netherlands - with a different way of achieving changes in privacy practices through a joint approach. A January 23, 2023 New York Times article by Natasha Singer highlighted the Dutch carrot and teamwork way of getting companies to embrace EU rules without first resort to financial penalties. This podcast considers how the Dutch treatment – an audit and negotiation approach – offers a successful means of boosting personal privacy through collaborative solutions. Tune in for a refreshing example of how data privacy authorities and technology giants can work together to achieve common personal data privacy goals. New York Times article - How the Netherlands Is Taming Big Tech (Jan 18, 2023) by

The Data Privacy Detective Joe Dehner will be appearing as part of the LinkedIn Live event, "Privacy Week Podcast Palooza." Tune in on Thursday, January 26 from 3:00 to 4:00 p.m. EST: https://www.linkedin.com/video/event/urn:li:ugcPost:7021476486180212738/

A Third Way Emerges - Light Touch India -soon to be the world’s most populous country, a fast growing economy with a highly sophisticated tech sector. It’s a country with a digital rupee in circulation and digital identity cards. Since independent India has forged an independent path between “east and west.” About a year ago, the Modi Government withdrew a bill based on Europe’s comprehensive privacy-centric approach to personal data privacy, GDPR. In November 2022, a very different bill was proposed by the Ministry of Electronics and Information Technology – the Digital Data Protection Act. What caused the change and where is India headed? In Episode 109, Stephen Mathias of the premier Indian law firm Kochhar & Co explains the new approach. Expected to be adopted by mid-2023 in a final form, it is very different from either the GDPR strict and privacy-centric approach or the U.S. model of sectoral and partial rules without an overarching federal code. India’s will use a “light touch” approach. It will leav

Identity management. Learn how an automated approach can defend against the rising tide of data hacks, thefts, ransomware attacks, and other assaults on private information. Kevin Dominik Korte, IT Innovation and Growth Strategist of Univention, explains how an automated approach to login and other steps we take to connect to the internet and intranets can reduce the ability of bad actors to succeed in their attacks on IT systems, large and small. Traditional identity management is more costly and risk prone than what can be designed into an automated IT system that includes privacy and security by design. Consider how digital identities can be managed to increase security and minimize data breach risk in Episode 108.

November 2022 saw the largest private data privacy settlement in U.S. history, a huge Irish fine of Meta, the UK’s forging an independent path from the EU, and South Dakota entering US/China foreign relations over TikTok. Tune in to Episode 107, as the Data Privacy Detective searches monthly for learning from privacy and security developments. As cybercrime grows and governments move from data breach punishment to requiring digital systems to embrace privacy-centric security, consider news from the U.S., EU, UK, Australia, India, and South Korea.

Decentralized identifiers or “DIDs”. Tune in for an exploration how blockchain and pseudonymization can systematically improve data security and increase users’ control over their digital identities. Our tour guide is Phillip Shoemaker, the Executive Director of identity.com, a non-profit that provides tools for developers to help organizations identify individuals without compromising their security or privacy. Through this approach, enterprises can de-couple personal identities from users, providing instead a separate digital identity for the user that is not linked to a phone number, address, Social Security number, or other means of identifying the user whose data is otherwise at risk. Learn what individuals can do to urge governments, regulators, and businesses to arm digital systems with defenses that prevent malicious actors to hack masses of personal data that are then used to steal and misuse identities and assets. As standards are being developed for software, IoT devices, and digital infrastructure

Breached!, published in 2022 by Oxford University Press, reveals how data security law fails because of undue focus on data breaches. It explores what can be done to improve data privacy and limit data theft. Author Daniel Solove, law professor at George Washington University Law School and head of a privacy and security training company serving hundreds of global organizations, explores how laws focus too much on data breach and punishment of companies that are themselves breach victims. This is counterproductive and aggravates rather than addresses the need for heightened data security. In this podcast, we turn our spyglass to data theft and insecurity and consider whether a holistic, systemic approach is better than a glaring focus on data breach. Emerging legal approaches to defective software and prevention of data theft can better stem the rising tide of cyber-crime and are essential to furthering privacy interests. Learn what you and public officials can do about this and how a different approach to pr

October 2022 highlights for data privacy: - Battle between the U.S. Federal Trade Commission and a data broker over whether the FTC has authority over its practices - U.S. Government orders federal agencies to push NIST Guideline compliance throughout the software supply chain - Survey reports 2d quarter jump in data breaches - France fines Clearview over facial recognition - A Dutch Court awards a fired employee damages from the employer’s webcam rules - EU acts to harmonize procedural laws to aid GDPR enforcement - Biden Administration issues Executive Order at third attempt at a safe harbor approach to allow data transfers between U.S. and EU - First conviction of a company security chief arising from data breach response - White House issues Blueprint for an AI Bill of Rights. Whew! A lot happening. Tune in for the meaning and implications of these events. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com

William McKnight, one of the most highly published analysts in information management, offers insights into the future of how big data and artificial intelligence are changing the world. The McKnight Consulting Group is a leading data strategy and implementation firm that helps businesses solve complex problems through the use of growing personal information databases. Learn from this podcast who is watching us and how our personal data is collected, shared, and used. Discover new analytic uses by enterprises in master data management, how artificial intelligence mines our data to create a burgeoning array of products and services. Hear how AI and other critical technologies will change the world in the next ten years. And consider how this will affect our privacy and what we can do about it.

Data brokers acquire and sell data that includes personal location information. This exposes to others visits of women seeking pregnancy healthcare options, the church, synagogue, or mosque we attend, and other sensitive information we would prefer to be kept private. In August 2022, the U.S. Federal Trade Commission sued Kochava, an Idaho based data broker, claiming that it engages in an unfair business practice by sharing location data it gathers from data sources. Mike Swift, Chief Global Digital Risk Correspondent for MLex Market Insight, a Lexis-Nexis global news organization, discusses the lawsuit and the vital privacy interests at stake. On October 25, 2022, Kochava filed a motion to dismiss and earlier preemptively sued the FTC. Kochava aggressively argues that the FTC lacks authority to make its claims and that data brokers serve an important, positive function. The Kochava suit will test whether there is federal authority to regulate the sharing of sensitive private information through data broke

Data breaches are now daily news, like weather reports. Podcast 101 digs beneath the headlines into what happens with data incidents that result in breaches – where our personal information goes, whether it’s ever truly recoverable, what businesses can to do to prevent and address breaches, what consumers can do about it, and how one company officer became the first U.S. person to be criminally convicted for mishandling a company’s data breach. Andy Lunsford, founder/CEO of BreachRx, offers insights and advice for what companies and individuals can do about data breaches. Companies that have a data response plan in place and test it in advance are best positioned to deal with them. The October 5, 2022 conviction of Uber’s former Chief Information Security Officer highlighted the rising risks involved for business officers charged with data breach management. Consumers can act immediately when informed that their data was breached. Despite the need for a global standard about data breach response time and oth

Spell-jacking: a new word emerging from the tech world. Learn its meaning and what can be done to protect personal data privacy. We use convenient third-party features on websites that can expose highly sensitive information about us without our even suspecting this is happening. When we use spellcheck on a website, this can send the entire form we are working on to “the cloud.” The information is in flight and can be shared (or hacked) in unexpected ways. A September 2022 study by otto-js, a JavaScript security firm, found that the vast majority of enterprise websites send data with Personal Identifying Information (PII) back to Google or Microsoft when users access Chrome Enhanced Spellcheck or Microsoft Edge Editor. This can release passwords, Social Security numbers, and other personal information users would not approve. Through enabled features that are convenient for users (such as spellcheck or “show my password”), personal data is being shared in ways individuals did not expressly approve and would

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). For more information about ways to keep you and your family safe. 1. Instagram fined 405M Euros for GDPR violations. 2. Google and Meta were fined a total of $72 million by South Korea’s Privacy and Protection Commission for tracking behavior on other sites without consumer approval, then using that data for advertising. 3. The Internal Revenue Service acknowledged Friday that it had inadvertently exposed a batch of taxpayer information linked to some non-profits and other tax-exempt organizations, following a Wall Street Journal report that said as many as 120,000 individuals may have been affected by the error. 4. While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering. At its peak the database held over 800 million records, representing one of t

How a California statute works in practice In August 2022, California’s Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), California requires companies subject to its laws that they must provide their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora’s website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires. Sephora promptly changed its website. But how? This podcast discusses how in this CCPA example, the consumer’s ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word “sell” itself has no settled definition. Sephora argued that it was merely “sharing” rather than “selling” its customers’ personal information to other businesses, but the attorney general disagreed. The California Privacy Rights Act (CPRA) effective in