How to make a difference on Data Privacy Day

In the spirit of New Year’s resolutions, one commitment is gaining attention: data privacy. 

Every January 28, we observe Data Privacy Day. Established in 2007, it highlights the need to protect personal information.

As we step into 2024, the relevance of Data Privacy Day has never been more prominent: the trends show that the number of cyber threats will increase this year, so data privacy is a hot topic.

Is Data Privacy Day significant?

Data Privacy Day may not be as famous as Thanksgiving, yet it’s crucial. It focuses on the escalating and valid concerns over personal data security.

Data breaches are on the rise. Statistics for 2022 and 2023 reveal that 98% of organizations are linked to a vendor that suffered a data breach in the past two years. Also, in the first three quarters of 2023, one in four Americans had their health data exposed. So, discussing cyber safety is quite important, as education often plays a crucial role in preventing data breaches.

Data privacy day statistics

This day reminds us all, whether individuals or businesses, that we have to protect data. It’s about more than awareness; it’s about fostering better practices, vital in an age where anyone can fall victim to social engineering.

The origins of Data Privacy Day

On April 26, 2006, the Council of Europe established Data Protection Day to be celebrated annually on January 28. This date marks the opening for signature of the Council of Europe’s data protection convention, known as “Convention 108.” The day was set to encourage best practices in privacy and data protection.

Data Privacy Day’s impact is global, extending well beyond Europe. It unites governments, industry leaders, and privacy advocates.

Fundamental principles of privacy and data protection

The General Data Protection Regulation (GDPR), a significant regulatory framework established by the European Union, outlines several of these principles.

As GDPR is the strictest privacy framework in the world, let’s look at its principles to understand what we should aim for:

  1. Lawfulness, fairness, and transparency. Personal data must be processed lawfully, fairly, and in a transparent manner.

  2. Purpose limitation. Data should be collected for explicit purposes and not further processed in a manner incompatible with those purposes.

  3. Data minimization. Only data that is necessary for the purpose should be collected.

  4. Accuracy. Personal data should be accurate and kept up to date.

  5. Storage limitation. Personal data should be kept in a form that allows the identification of data subjects for no longer than necessary.

  6. Integrity and confidentiality. Data should be processed in a way that ensures security.

  7. Accountability. The data controller is responsible for and must be able to demonstrate compliance.

Even though GDPR is European, it’s relevant for US companies, too. If they offer goods or services to people in the EU or track their internet activities, they need to follow these rules. The fines for not doing so can be steep. We’ve got a handy GDPR compliance checklist for businesses curious about this.

10 best practices for ensuring data privacy

As Apple stated in one of their latest reports, “Organizations are only as secure as their ‘least secure link.’” Ensure your business’s safety and also request that your vendors follow some simple tips.

  1. One fundamental practice is understanding and classifying the data one handles. This involves identifying which data is sensitive and requires more protection.

  2. Regularly updating privacy policies and ensuring they are transparent and easy to understand is also crucial. This helps individuals know how their data is used and protected.

  3. Strong, unique passwords are essential for securing accounts.

  4. Two-factor authentication adds an extra layer of security, which is essential for sensitive accounts.

  5. Regular software updates are also crucial. They often include security patches that protect against new vulnerabilities.

  6. Organizations should conduct regular data audits. These audits help identify and address potential security gaps.

  7. Employee training in data privacy is equally important. It ensures that everyone understands how to handle sensitive information correctly.

  8. Encouraging a culture of privacy within an organization is also beneficial. This creates an environment where data protection is a shared responsibility.

  9. Finally, it’s essential to have a response plan for data breaches. This plan should include steps to mitigate damage and notify affected parties.

  10. Regular backups of essential data can prevent data loss in a security breach.

How to participate in Data Privacy Day effectively

While a social media post with #DataPrivacyDay is a good start, 2024’s rising cyber threats call for more practical actions.

Here’s a simplified take on White & Case’s tips:

  1. Data mapping. Sort out the data you have (like customer details) to ensure it’s handled correctly under the privacy laws of your region.

  2. Privacy policy review. Regularly update your website’s privacy policy. It should clearly state how you use customer information, keeping up with current laws.

  3. Adapt to new opt-out laws. In states like Utah, Florida, Oregon, Texas, and Montana, new laws in 2024 may require websites to honor user preferences about data usage. Make sure your site can do this if it’s relevant to you.

  4. Data protection assessment. It’s like a health check for your data practices. Ensure your methods of handling sensitive information, like customer financial data, meet the latest legal standards.

  5. AI tools review. If you use AI, treat it like a responsible employee. Check that it follows privacy rules and is transparent about data use. Include checks for fairness and safety in how the AI operates.

If you have not yet introduced NordLayer solutions to protect your business, now is the right time. Contact our sales and choose the best option for your business.

Genetic data leak: 23andMe points to credential stuffing

Hackers are selling genetic data stolen from users of the company 23andMe. The company itself says it wasn’t breached, although its users’ data was accessed by what seems to be a single threat actor stealing personal details and genetic data. This data was then published or advertised online. 23andMe suggested that the threat actor(s) gained unauthorized access with “recycled login credentials”, a technique known as credential stuffing.

The logic is simple: Keep trying stolen username/password combinations, and eventually, they’ll work on another site. An easy solution to credential stuffing attacks? You guessed it: Multi-factor authentication (MFA). While 23andMe has offered an MFA feature since 2019, it was not made mandatory for users. With genetic and personal data at stake and up to 7 million users affected by these recent breaches, it might be time for a change in policy.
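The pattern described above, as an added detection example that is not part of the original post: it parses constructed login log lines (a made-up format with documentation-range IPs), flags sources that cycle through many distinct accounts with a high failure rate, and lists the successful logins from those sources that an enforced MFA policy would have stopped.

```python
"""Added example (not from the original post): spotting credential-stuffing
patterns in login logs. Stuffing replays stolen username/password pairs from
a few sources, so one source trying many distinct accounts with mostly
failures is the telltale signal; the last check shows what mandatory MFA
would have blocked."""
from collections import defaultdict

# Constructed sample log lines: "timestamp src_ip user result mfa_used"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL no
2023-10-01T10:00:02 203.0.113.7 bob FAIL no
2023-10-01T10:00:02 203.0.113.7 carol FAIL no
2023-10-01T10:00:03 203.0.113.7 dave OK no
2023-10-01T10:00:04 203.0.113.7 erin FAIL no
2023-10-01T10:00:05 203.0.113.7 frank FAIL no
2023-10-01T10:00:09 198.51.100.4 alice OK yes
2023-10-01T10:01:10 198.51.100.4 alice FAIL no
"""

def parse(log_text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result, mfa = line.split()
        events.append({"ts": ts, "ip": ip, "user": user,
                       "ok": result == "OK", "mfa": mfa == "yes"})
    return events

def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Return source IPs that tried >= min_users distinct accounts with a
    failure ratio >= min_fail_ratio; a real user rarely behaves this way."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        ratio = sum(1 for e in evs if not e["ok"]) / len(evs)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(users),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(e["user"] for e in evs if e["ok"])}
    return flagged

def logins_without_mfa(events, suspect_ips):
    """Successful logins from flagged sources where no second factor was
    used: exactly the logins a mandatory-MFA policy would have stopped."""
    return sorted(e["user"] for e in events
                  if e["ip"] in suspect_ips and e["ok"] and not e["mfa"])
```

On real data the thresholds need tuning per service (shared NAT gateways raise the distinct-user count for legitimate traffic), and the same logic applies just as well per user-agent or per ASN as per IP.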

The Bleach Breach: Clorox revenue and supply chain hit

Clorox, the household cleaning giant, predicts a more than 20% drop in quarterly sales due to a cyberattack (thought to be ransomware) that caused product shortages and operational disruptions. Manufacturing, often kept running by legacy systems and sprawling workforces, suffers more cyberattacks than any other industry.

The Clorox incident is being linked to the same group responsible for the MGM and Caesars Palace hacks, discussed in our previous episode, which occurred around the same time in August 2023. “Scattered Spider” is notorious for using social engineering methods to gain access to internal systems. The Clorox Company’s share price has dropped by over 7 percent in the last month.

Wearable AI: Trendy or just trending?

Tech companies are rushing to secure the lead in wearable AI products. Meta has collaborated with Ray-Ban on a pair of high-tech glasses, enabling wearers to live stream directly from the glasses to Facebook or Instagram and voice activate Meta AI, “an advanced conversational assistant”. Jony Ive, Apple’s legendary former design lead, and OpenAI are reportedly teaming up to design the “iPhone of AI”.

Rewind.ai unveiled a neck-worn pendant that records conversations to your smartphone and creates a searchable database of life moments. Humane, imagining “a world where you can take AI everywhere”, has developed a smart device that resembles a badge or lapel pin.

The common goal here seems to be for technology to rely less on screens, to fade from view, and become all but invisible.

Stay tuned for the next episode of Cyberview.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.
