Data Privacy Detective - How Data Is Regulated, Managed, Protected, Collected, Mined, Stolen, Defended And Transcended.

The Data Privacy Detectives turns his data localization spotlight on the island nation of Singapore. With a per capita income of 64% higher than the United Kingdom’s and a free-market economy that depends on global trade and commerce, Singapore takes a very different approach from China, Russia, India, and other countries that strive to localize their residents’ personal information. Singapore’s Personal Data Protection Act (2012) provides a comprehensive set of rules protecting the personal information of its residents. Like GDPR in scope, it differs in its flexible approach to balancing privacy and national security protections. In 2020 Singapore’s Monetary Authority and the U.S. Treasury issued a joint statement opposing data localization requirements, calling them a risk to cybersecurity and economic growth. They called instead for data mobility in financial services as a spur to innovative services and economic growth and as a more effective approach to risk management and cross-border compliance. Sin

Our prior podcast episodes detailed how China, Russia, and to a lesser extent India have created barriers to the free flow of personal information across borders. Data localization, sometimes called data nationalization, is the practice of governments to restrict or regulate closely how personal information of their citizens can be collected or shared outside a country. This podcast episode looks at how Australia, a free-market country, is handling personal data transfers. Australia has no broad data localization requirements. But it restricts the export of medical information about its residents. Electronic health records with personally identifiable information cannot be transferred or processed outside Australia. Australia’s Privacy Act, an early national data privacy law (1988), is comprehensive and different from GDPR. Collecting personal information is possible only if “reasonably necessary,” so does not require express consent. But Australia is protective of its citizens’ privacy interests. A 2021

We turn to Russia in our data localization series. Russia’s 2015 personal data protection law requires “data operators” to collect and keep information about Russian residents within Russia. It forces them to keep personal data about its citizens on a Russian located server, which must at all times keep at least as much data as is kept on a company’s servers outside Russia. This law resulted in LinkedIn’s being blocked from the Russian internet in 2016 for failing to do this. In 2019 Russia expanded the authority of its regulator, Roskomnadzor, to levy fines instead of being limited to blocking for violations. While the fines are modest in amount, this lets regulators allow popular sites into Russia while insisting on data localization Russian style. In July 2021, Russia began requiring giant social media companies to establish a Russian presence to connect with Russian citizens. It’s believed that more than 600 foreign companies have registered with Russian authorities to participate in the Russian market

In this second podcast episode about data localization, we spotlight India. Since 1993 the world’s largest democracy has enacted data localization laws aiming to keep certain personal records within India or otherwise restrict data transfers of Indians’ personal data. When in 2017 the Indian Supreme Court found personal privacy to be a fundamental constitutional right, a Personal Data Protection Bill (PDPB) was promptly drafted. It has since been percolating towards adoption. The draft bill defines certain personal data as “critical” and so must be stored only within India. Other data is called “sensitive,” and may be processed outside of India with a copy kept within India. A third category of “regular” data could be transferred abroad, pursuant to data transfer rules. Unlike China, reviewed in the last podcast episode (episode 73,) India has a robust tech industry heavily involved in processing foreign data. India processes more personal data than any other country, so that parochial data laws would stand

The internet and the worldwide web – the words envision a global communications system that transcends national borders. But the reality differs. Is it increasingly the splinternet? Is www really a series of webs that don’t connect globally? And how is our privacy affected by data fences and controls erected by nations? In this first of a series, we explore how China deals with personal information of its residents. China collects a vast array of personal information about its people – financial, judicial, commercial, societal, and governmental. These are the five pillars of China’s Social Credit System, which aims to reward loyal and trustworthy citizens and penalize others, based on information collected about Chinese residents. Individuals are white-listed or black-listed to be rewarded or penalized, based on personal data collected, analyzed, and applied by the Government to encourage a socially proper citizenry. China has an extensive and evolving set of laws, including recent changes to its Data Secur

Home is our private place. But in the digital age, how private are our homes? And what can we do to protect our privacy from home invaders? 66% of us rate our highest privacy concern as being viewed through cameras in our own homes, according to a safehome.org June 2021 survey. Explore in this podcast how home devices are watching, listening, collecting, and sharing our personal data and steps we can take to limit unwanted intrusions. Terry Rankhorn, a 22-year FBI veteran and founder of Rankhorn & Associates, conducts home and business sweeps to protect clients’ personal data and safety. Computers, televisions, smart thermostats, Alexa and Siri, even dog bowls collect and broadcast our personal data in unimagined ways, jeopardizing our privacy and security. Mr. Rankhorn explains the first step to increase home privacy is to know what devices we have and which ones collect and broadcast our data. We can delete devices we don’t need or want and use privacy setting choices and common-sense steps to limit sharin

Kentucky is perhaps the first state to adopt a comprehensive anti-doxing statute that creates a civil tort of doxing, as well as providing explicit criminal penalties for defined doxing conduct. It allows Kentucky residents to sue someone for intentionally disseminating their personal identifying information (PII) with an intent to intimidate, abuse, threaten, harass, or frighten a person or immediate family or household member. In this podcast episode, Justin Fowles, an attorney in Frost Brown Todd LLC's Louisville, Kentucky office, shares key insights on what the new law contains and could mean for individuals' and businesses' online behavior. What is doxxing – or is it doxing? This word entered the Merriam-Webster Dictionary in the 21st century. It defines “dox” as a verb – “to publicly identify or publish private information about (someone) especially as a form of punishment or revenge.” Today it connotes cyberbullying or troll harassment by posting personal information about a targeted person or org

Mike Potter’s cat bounced on his keyboard years ago. His hard drive cratered, and he lost his data. But he turned this disaster from feline treachery into a career and a company. Backing up data is an essential part of data privacy and retention for businesses as well as for people. Why is this, how does it work, and what’s the impact on how we keep and protect our data? Mike Potter is CEO of Rewind, an Ottawa, Canada based company that backs up, restores, and copies to its cloud critical information businesses store in their SaaS (Software as a Service) applications. Apps sit atop a user’s platform. Not unlike cats, they can cause problems. Ransomware attacks, employee mistakes, and many other forces can cause a business to lose essential data even when the platform itself is running well. Having a readily available backup copy can allow a business to continue its customer connections, its bookkeeping, and other essential functions without material disruption. That’s the business of Rewind. Many Rewind cu

Ransomware. It’s in the headlines. It’s digital organized crime across borders. When an organization’s IT system freezes with its data locked by a ransomware gang, what happens? Ransom is demanded, and ransom often gets paid. But how does this work? In this podcast episode, Bill Repasky, attorney with Frost Brown Todd LLC, shares key insights on the process of negotiating with ransomware criminals. They want payment in cryptocurrency. Victims want their data and systems restored. This becomes a business transaction. But not a typical one. Ransomware strikes in 2021 involve highly sophisticated criminal syndicates. To them it’s about the money. When they strike a target and freeze the organization’s ability to operate an IT system, they reveal their digital identity and dictate how to send a ransom payment. The target may be willing to pay – but should do so only after negotiations to ensure that the payment will accomplish two essential objectives – (1) providing a decryption key to unlock the encrypted da

Ransomware attacks, data breaches, digital theft – on the rise. Who are the cyber-criminals? Can they be traced? And what can a company do to minimize risk and respond to an incident? Joining us for a tour of the dark side of the digital age is Bill Corbitt, Vice President of Digital Forensics and Incident Response at Intersec Worldwide. www.intersecworldwide.com, a US-based team of former federal cybersecurity experts who have worked on some of the world’s largest security breaches. The firm was named a 2021 top Digital Forensics & Incident Response firm by Enterprise Security Magazine. Bill’s team has addressed serious incidents for many Fortune 100 companies. In this podcast episode he shares insights into dealing with ransomware attacks, data theft, and the aftermath. Ransomware attacks are conducted by sophisticated criminal enterprises, usually operating from data havens where government seldom prosecutes them for attacks abroad. They probe for vulnerabilities and find attack vectors into a company’s

Europe finds UK data privacy system adequate, for now. On June 28, 2021, the Europe Union granted two adequacy decisions to the United Kingdom for personal privacy purposes. 1. Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation 2. Decision on the adequate protection of personal data by the United Kingdom - Law Enforcement Directive This assures, for now, that data flows between the EU and UK can continue without restrictions. But for the first time, the EU’s decisions were not permanent and will last only four years. What’s going on? Because of Brexit, the UK and the EU reached a transition agreement at the end of 2020. This included six months for the UK and EU to reach an agreement about data privacy flows. The deadline approached, and the EU decision was made just in time (the UK had already issued its own adequacy decision regarding data going to the EU). Had it not been made, one estimate was that UK businesses would face immediate compli

This is a true story of a phone scam of May 2021. The Data Privacy Detective got a call on the home landline. This scam will succeed in stealing money from countless Americans. It’s targeted particularly at older people who dearly love their television, especially during pandemic times. You can see the tricks and traps in this scam. Of course, the best defense is not to answer such calls at all, but then how can one know that a local number is not an old friend or acquaintance calling for a good reason. If you get a call like this, write down the details. Share them with the fraud hotline of the company being impersonated. Notify the FBI and the Federal Trade Commission if you have the time. This builds a file on these entities. Though it’s unlikely that law enforcement will be able to shut down the criminal syndicates and others active in this fund-raising activity, it will build the awareness that our privacy is attacked through such intrusions. Without greater regulation and defense against such increas

This podcast episode explores ransomware from preventive, legal, and communications angles. While there’s no 100% effective vaccination against a ransomware attack, there are steps enterprises and each of us can take to beware, prepare, and take care. Ransomware. It’s the modern equivalent of kidnapping – except people aren’t grabbed and held hostage. Instead, an enterprise has its computer and information system locked by a criminal. Data gets encrypted and unusable until and unless the organization pays a ransom to the thief, who is known only by a digital address and often demands untraceable payment in cryptocurrency. Ransomware is a type of malware – software installed in a system by an outside party for bad purposes. Unlike malware focused on stealing data, ransomware aims to extract a ransom payment in exchange for decrypting and restoring the victim’s data. From a criminal’s perspective, ransomware is a simpler, less expensive way to get money than malware that aims to export (or exfiltrate) and re

Janus was the Roman god of doors, gates, and transitions. He needed two faces to look in both directions - life and death, past and future. Internet browsers allow us to access and gaze across the internet, but at the same time, they are watching us, recording what we do while browsing. True, browsers do not charge us for their services – browsing is free. But as it is said, when a product is free, we become the product – or more specifically, our data becomes the product. In this podcast episode Jeff Bermant, the founder and CEO of the browser Cocoon, joins us to explore how browsers and privacy intersect. Cocoon was founded for the purpose of providing a more privacy-secure experience than any other browser by creating a cocoon around the browsing individual. We discuss how users have data privacy choices – which browsers to consider, how to adjust privacy settings, and what add-ons are available for browsing. When it comes to data privacy, protecting your personal data begins with you. If you have ide

Facial recognition. It’s a hot topic. Targeting, misidentification, and doxing - the dangers are real. So are the benefits – finding criminals and solving crimes, searching for relatives and old friends, researching history, conducting social research, sharing with friends over a lifetime. Kashmir Hill’s penetrating cover article in the March 21, 2021 New York Times Magazine, “Your Face is Not Your Own,” details how our photos are scraped and used by companies far beyond what we imagine. Our images are available from public sources such as driver’s licenses. Many arise from our choice– through Facebook and Instagram postings, directories, newspaper and other media sources. As the TV series Cheers’ theme song sang, “Sometimes you want to go where everybody knows your name.” But now it’s not just the neighborhood pub. It’s the internet, where everybody knows your name, and everybody can find your face. What to do? That’s where scrubbing comes in. Scrubbing is the effort to erase, stop, or minimize the spr

On February 16, 2021 TikTok was sued in Europe for abusing consumer rights. Millions of Europeans use TikTok to post, share and watch videos 3 to 60 seconds long, ranging from dogs in pink tutus to Shaq dancing. The European Consumer Organization BEUC is an authorized entity in the EU to file complaints against businesses. Its press release, BEUC files complaint against TikTok for multiple EU consumer law breaches | www.beuc.eu, claims that TikTok engages in a “massive scale” of consumer abuse, including unfair and deceptive practices, terms of use that hurt consumers, failure to protect minors from harmful content and embedded advertising, and misleading use of personal data. By contrast, the U.S. President on August 14, 2020 issued an executive order to kick TikTok out of operation in the States unless it sold its American operations to a U.S. buyer. The Executive Order was based on TikTok’s Chinese ownership, which the prior U.S. Administration claimed was a threat to U.S. national security because the o

Data theft set new records in 2020. The major causes are not failures of equipment, software, or services. In an estimated 85% of cybercrime, the cause is us. We make careless mistakes as though we were inviting villains into our homes. We let thieves into our IT systems by accident. We get phished. You get a message on your computer. It may seem to be from a friend, a trusted source, a reliable company, even your boss. It might seek an urgent response about something. How do you avoid dealing with the emailed message without letting a villain into your computer, and so into your personal or business’ IT systems? How do you prevent making a mistake that gives a cybercriminal the chance to freeze and hold your personal or your company’s IT system for ransom or to hack personal and proprietary information? Here are seven top tips to avoid being the reason you or your business is the victim of data theft. Check emailed messages for seven red flags before acting: 1. Bad spelling 2. Bad grammar 3. Nonsense in th

As businesses move into 2021, what insurance can they have to limit cyber risk? What does cyber insurance cover and not cover? How is it priced and secured? Data Privacy Detective guest Sean McGee is a Vice President of USI Insurance Services, an independent company serving global clientele and accessing global insurance markets. www.usi.com / Sean.McGee@usi.com . Also an Ohio and Kentucky attorney, at USI Sean advises customers on a broad array of business risks, including those arising from personal data collection and use. Cyber insurance emerged in 1997. Insurance Journal reported 2019 premiums of over $2.2 billion, spread among a competitive range of providers, with growth anticipated in number of policies, variety of risks covered, and premiums. As one example, the average payment for ransomware attacks jumped to almost $85,000 by year-end 2019, almost double the prior year’s average, triggering an adjustment of price for covering this type of risk. Cyber insurance pricing is competitive. It depends

Taiwan is one of the “Four Asian Tiger” economies. Its companies hold 66% of the world’s semiconductor market. It consistently tops the USPTO per-capita list of patent files, and its population of about 25 million enjoys what is considered the world’s fastest internet connection. It is becoming a major player in data. Considered part of China by the PRC which refers to it as the “Taiwan Authority,” Taiwan declares itself to be the Republic of China. Despite geopolitical issues, robust business flows between the two. Taiwan is a leading investor in the PRC. Commerce between the two seems unimpeded by political differences. With rising tensions between the U.S. and PRC, alongside changes in Hong Kong that threaten the “one country two systems” approach, how should global business consider Taiwan? Is it a bridge for east-west data-related commerce? John Eastwood leads of the Taiwan firm Eiger Law’s Greater China Practice. John EASTWOOD - Eiger. In this podcast John explains how Taiwan is becoming a major Asian

Data privacy is about balancing individual concerns and community needs. Without assurance that private information will be responsibly shared and used, people may not share accurate information or be willing to provide data at all. But to get student aid, applications must reveal sensitive family financial information. To gauge student success, performance details must be documented and shared with others. Sociological research requires that a database be accurate and credible. How can a community design its IT system to reassure individuals about privacy but obtain and share data responsibly and create data platforms and visualizations to meet collective needs and aspirations? This challenge is common to any community, whether it’s a city, a business, a university or other type of collective. In this podcast Lee Norris, Vice Provost for Enterprise Data Architecture of the University of North Carolina Greensboro, discusses how a community that gathers data of 25,000 people at its core and about 100,000 dat