Quora Data Breach: 100 Million Users Affected*:
- About 100 million users of Quora were affected by unauthorized access to one of its systems by a "malicious third party".
- Account information, including name, email address, encrypted password and data imported from linked networks when authorized by users may have been compromised.
- The company said it is logging out all Quora users who may have been affected to prevent further damage.
- The breach, discovered on Friday, did not affect questions and answers that are written anonymously, the company said, adding that it has also notified law enforcement officials.
*Source: Economic Times, December 04, 2018
First GDPR Enforcement Action Didn’t Involve A Data Breach*:
- Compliance officers recently got their first look at an enforcement action under the EU General Data Protection Regulation — and in a somewhat surprising turn of events, the offense in question didn’t involve a data breach.
- Portugal’s national privacy regulator, the Comissão Nacional de Protecção de Dados (CNPD), fined a major hospital just outside Lisbon €400,000 for violating the GDPR.
- Apparently, this is the first monetary penalty imposed by a European privacy regulator since the GDPR went into effect last May.
- The offense? The hospital allowed too many staffers to have too much access to patient data.
- It was a failure of access control, which really is a failure of policy and procedure.
- For example, the CNPD found that 985 employees of the hospital had the access rights of a medical doctor — when the hospital had only 296 doctors on staff.
- A €400,000 fine is unwelcome, but usually not disastrous for a global corporation.
- Still, this case illustrates how a company can run afoul of the GDPR long before a breach happens: by ignoring how business processes and employees actually work within the organization.
*Source: JDSupra, December 05, 2018
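The CNPD finding above is, in practice, a failed access review: the number of accounts holding a privileged clinical role exceeded the number of staff entitled to it. The following script is an added example of how such a review is done, not code from the hospital, the CNPD or the source article. It reconciles a role export from an application against the HR roster and a role-to-job-title policy; the roster, the export and the policy are constructed sample data, and the role and title names are assumptions.

```python
"""Access review: reconcile an application's role export against the HR roster.

Added example with constructed data. It reports, per role, how many accounts
hold the role versus how many employees are entitled to it (the 985-vs-296
style comparison), and lists the specific accounts that are over-provisioned
or have no matching HR record.
"""
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical policy: which HR job titles may hold which application role.
ROLE_POLICY = {
    "physician": {"Doctor"},
    "nurse": {"Nurse", "Doctor"},
    "clerk": {"Admin Clerk", "Nurse", "Doctor"},
}

# Constructed HR roster: user id -> job title (active employees only).
HR_ROSTER = {
    "u001": "Doctor",
    "u002": "Doctor",
    "u003": "Nurse",
    "u004": "Admin Clerk",
    "u005": "IT Support",
}

# Constructed role export: (user id, role) rows dumped from the patient system.
ROLE_EXPORT = [
    ("u001", "physician"),
    ("u002", "physician"),
    ("u003", "physician"),   # nurse holding a physician role
    ("u004", "physician"),   # clerk holding a physician role
    ("u005", "physician"),   # IT staff holding a physician role
    ("u003", "nurse"),
    ("u004", "clerk"),
    ("u999", "physician"),   # account with no HR record (leaver or ghost account)
]


@dataclass
class ReviewReport:
    holders: Counter = field(default_factory=Counter)   # role -> accounts holding it
    entitled: Counter = field(default_factory=Counter)  # role -> employees allowed to hold it
    excess: list = field(default_factory=list)          # (uid, title, role) not allowed by policy
    orphaned: list = field(default_factory=list)        # (uid, role) with no HR record


def review_access(roster, export, policy):
    """Compare actual role holders against policy-entitled staff."""
    report = ReviewReport()
    # How many employees could legitimately hold each role.
    for title in roster.values():
        for role, allowed_titles in policy.items():
            if title in allowed_titles:
                report.entitled[role] += 1
    # Check every assignment in the export against the roster and the policy.
    for uid, role in export:
        report.holders[role] += 1
        title = roster.get(uid)
        if title is None:
            report.orphaned.append((uid, role))
        elif title not in policy.get(role, set()):
            report.excess.append((uid, title, role))
    return report


def summarize(report):
    """Human-readable lines, one per role, plus the flagged accounts."""
    lines = []
    for role in sorted(report.holders):
        lines.append(f"{role}: {report.holders[role]} accounts hold it, "
                     f"{report.entitled[role]} employees entitled")
    for uid, title, role in report.excess:
        lines.append(f"EXCESS  {uid} ({title}) holds {role}")
    for uid, role in report.orphaned:
        lines.append(f"ORPHAN  {uid} holds {role} but is not in HR roster")
    return lines


if __name__ == "__main__":
    for line in summarize(review_access(HR_ROSTER, ROLE_EXPORT, ROLE_POLICY)):
        print(line)
```

Run periodically against a fresh export, the "holders versus entitled" gap per role is the metric the regulator looked at; the excess and orphaned lists are the tickets that the access-review process should generate. Entitlement here is derived from the HR job title, so the review is only as good as the roster: accounts of leavers show up as orphans only if HR deactivates them promptly.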
Only 29% Of EU Organizations Are GDPR Compliant*:
- Six months after the deadline, only 29% of EU-based organizations have fully implemented the EU's General Data Protection Regulation (GDPR), leaving them susceptible to major penalties, according to a Thursday report from IT Governance.
- GDPR came into effect on May 25, 2018, and applies to all organizations that handle data from EU residents, regardless of the organization's location or where the data is processed.
- If an organization fails to comply with GDPR, the maximum penalty is a fine of 4% of its global annual turnover or €20 million, whichever is higher.
- Nearly 60% of the 210 firms surveyed across EU industries said they were aware of the changes to data subject access requests (DSARs), but only 29% said they had plans to adapt their processes to address those changes.
- If DSARs are managed incorrectly, data subjects can file complaints and fines can be issued, the report noted.
- As part of GDPR compliance, organizations need to map their data and information flows to assess their privacy risks.
- Some 75% of respondents said they had conducted a data flow audit in some capacity, the report found.
- In terms of security, 61% of organizations said they implemented basic controls to address data security and breach management, according to the report.
- And though just 29% of respondents said they considered themselves compliant with GDPR, more than 50% said they had procedures in place to notify their supervisory authority and individuals should a breach occur.
*Source: Tech Republic, November 29, 2018
AOL Violated Children’s Privacy To Serve Online Ads*:
- Verizon-owned Oath has agreed to pay a $5 million penalty for violating a federal privacy law that prohibits online advertisers from tracking children without parental consent.
- The ad business run by Oath's AOL property deliberately ignored the Children's Online Privacy Protection Act (COPPA), state prosecutors in New York said on Tuesday.
- "AOL flagrantly violated the law — and children's privacy — and will now pay the largest-ever penalty under COPPA," New York Attorney General Barbara Underwood said in a statement.
- According to prosecutors, AOL's ad exchange knew it shouldn't be serving targeted ads on children-directed websites covered by the privacy law, but it did so anyway.
- As a result, AOL paved the way for online advertisers to use internet cookies to track children over the web and serve them targeted ads.
- The ads were served to websites such as children's gaming platform Roblox.com and the teen girl-focused site Sweetyhigh.com, according to The New York Times, which was first to report the settlement.
- "AOL conducted billions of auctions for ad space on hundreds of websites the company knew were directed to children under the age of 13," according to Underwood's office, which examined the company's ad practices from Oct. 2015 to Feb. 2017.
- Documents obtained from AOL also show that at least one company account manager broke the privacy law to help increase advertising revenues.
- In response to the $5 million fine, an Oath spokesperson said: "We are pleased to see this matter resolved and remain wholly committed to protecting children's privacy online."
- According to New York prosecutors, Oath has agreed to establish a "COPPA compliance" program to keep the company in line with the privacy law when selling advertising space to clients.
- "AOL has also agreed to destroy all personal information collected from children that is in its possession," the New York attorney general's office said.
*Source: PC Mag, December 05, 2018
Microsoft And MasterCard Working On Universal Online Identification Standard*:
- Microsoft and MasterCard announced that they are teaming up to create a digital identity solution to help protect consumers across the shopping, investment and travel industries.
- Nearly everyone struggles with managing their digital identities: multiple passwords, two-factor authentication, and other hurdles in proving they are who they claim to be.
- Microsoft and MasterCard's solution is one of many efforts aimed at this problem.
- The two companies haven't shared much in the way of details as of yet, but Microsoft and MasterCard both highlighted the benefits a digital identity solution would bring, such as working instantaneously and securely.
- Their joint proposed solution allows individuals to more easily control their own identity data on whichever devices they use.
- Bringing access to a universally accepted digital identity, which is easier said than done, would unlock "new and enhanced experiences", Microsoft and Mastercard said in their joint statement.
- Banking processes would be sped up, shopping would become a more personalized experience, filing taxes digitally would be streamlined, and digital services would be easier to access.
- The pair of companies teased additional details will be forthcoming in the near future.
- Apple is also working on its own digital identity solution, hoping one day to replace IDs or passports with your iPhone, according to recent patent filings.
- It isn't clear at present how the two systems would work, or for that matter, how the state and federal identity systems would connect to either program.
*Source: Apple Insider, December 04, 2018
Facebook Fined €10 million By The ICA For Unfair Commercial Practices For Using Its Subscribers’ Data For Commercial Use*:
- On 29 November 2018 the Italian Competition Authority (ICA) closed the investigation opened last April for alleged violations of the Consumer Code by Facebook Ireland Ltd. and its parent company Facebook Inc., imposing two fines for a total of 10 million euros.
- The Authority established that Facebook, in violation of articles 21 and 22 of the Consumer Code, misleads consumers into registering on the Facebook platform, while not adequately and immediately informing them during the creation of the account that the data they provide will be used for commercial purposes.
- More generally, Facebook emphasizes the free nature of the service but not the commercial objectives that underlie the provision of the social network service, thus inducing users into making a transactional decision that they would not have taken otherwise (i.e., to register in the social network and to continue using it).
- The information provided is in fact general and incomplete and does not adequately make a distinction between the use of data to personalize the service (in order to connect "consumer" users with each other) and the use of data to carry out advertising campaigns aimed at specific targets.
- The ICA also found that Facebook, in violation of Articles 24 and 25 of the Consumer Code, carries out an aggressive practice, as it exerts undue influence on registered consumers, who suffer, without express and prior consent and therefore unconsciously and automatically, the transmission of their data from Facebook to third-party websites/apps for commercial purposes, and vice versa.
- The undue influence is caused by the pre-selection by Facebook of the broadest consent to data sharing.
- When users decide to limit their consent, they are faced with significant restrictions on the use of the social network and third-party websites / apps, which induce users to maintain the pre-selected choice.
- More specifically, through the pre-selection of the "Active Platform" function Facebook pre-sets the ability of its users to access websites and external apps using their FB accounts, thus allowing the transmission of their data to the single websites / apps, without any express consent.
- Facebook then reiterates the opt-out pre-selection mechanism, with respect to data sharing, whenever users access third-party websites / apps, including games, using their Facebook accounts.
- In this case also, users can in fact only deselect the pre-setting operated by Facebook, without being able to make a free, informed choice.
- In consideration of the relevant effects of the practice on consumers, the ICA also requested Facebook to publish - pursuant to art. 27, paragraph 8, of the Consumer Code - an amending declaration on its website and App.
*Source: AGCM Press Release, December 07, 2018