2024 in privacy, security, and AI
A growing privacy law patchwork, increasing cybersecurity confusion, and lots of AI: everything that happened this year.
Hi there,
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- Is Maryland set to become a privacy leader in the United States?
- A reminder that third-party access is a major risk for your data protection
- It’s spy vs. spy, with news that Russian hackers controlled the computer systems of Pakistani cyberspies for two years.
But first: what happened this year?
If you only read one thing:
2024: the year AI loomed over everything
It’s December, which for the monthly column writers amongst us brings the obligatory task of recapping the year to try to make sense of it all.
Which may be tricky, as it has been a long year full of change. Just to pick one measure, this year more than 64 countries went to the polls, a record year for democracy. We’ve also seen growth in regulation, with the European Union’s AI Act, seven new US state privacy laws, and an amendment to the Australian Privacy Act passed this year (just last month, in the latter case).
And of course, AI. As well as the attention-grabbing moments, such as Google Search’s AI Overview feature telling us how many rocks we should eat, or Microsoft’s stop-start launch of Recall, a feature that helps you organize yourself by taking screengrabs of your screen, AI has been a silent presence in every privacy law passed or cybersecurity breach recorded. As the technology continues to evolve, organizations big and small are working out whether and where it fits into their product roadmap or service offerings, and how to govern it safely.
In the first newsletter of the year, we made some predictions for how the year may play out, so let’s review them against the major themes of the year.
In cybersecurity, confusion reigns
One of our predictions for 2024 was “a major breach impacts millions,” which even at the time felt a touch conservative. We probably should have bumped that up to hundreds of millions, even billions. But perhaps a better point is that for many hacks, we have no idea how many were affected. The National Public Data hack in August was initially hyped as including 2.9 billion records. After investigations from people like Have I Been Pwned’s Troy Hunt, who put the number of victims at about 137 million, NPD eventually announced 1.3 million Americans had been impacted. But along the way, a second hacker posted a different copy of the database, and another NPD data broker published the passwords to its own database. Confusing stuff. It’s no wonder the Consumer Financial Protection Bureau (CFPB) is looking at new rules to regulate the data broker industry. Indeed, last week, a two-sentence notice on the NPD site announced the company had shut down, soon after filing for bankruptcy protection.
Even if we go back to this year’s first big hack, of Microsoft, we see confusion and sloppy procedures. In this case, a Russian state-sponsored actor (“Midnight Blizzard”, what a name) compromised a legacy, non-production test tenant account, using this to access corporate email accounts, including members of the executive team and cybersecurity, legal, and other functions. Legacy applications are a major risk, and it was chilling to see even a large technology company like Microsoft struggling with procedures.
The privacy patchwork grows
At the beginning of the year, we predicted more developments in US state-level privacy regulation, as well as Australia’s update of the Privacy Act, all of which came to pass. There are now 19 state privacy laws in the US, with more on the way for 2025. And at the end of November, the Australian government passed the first “tranche” of amendments to the Privacy Act, including a tort for serious invasions of privacy, a children’s online privacy code, and a requirement to be transparent about automated decision making. It’s unclear when the second tranche of changes may come through, though most likely after next year’s federal election.
We notably did not predict US federal privacy regulations, which briefly looked like a mistake with the introduction of a bipartisan privacy bill, the American Privacy Rights Act. In the end, the bill was stalled and now looks unlikely to pass in a newly Republican Senate.
As AI grows in sophistication, so do efforts to regulate it
Speaking of regulation, we expected some laws this year to begin to legislate AI, and we were not disappointed. The most high-profile of these, the EU’s AI Act, came into force in August, and aimed to set a global standard for regulating AI. The Act includes a risk-based classification of AI systems, mandatory transparency and accountability requirements, human oversight requirements, and robust governance and enforcement to back it up. The United States, Canada, the United Kingdom and Australia, among others, have their own laws to regulate the technology.
The importance of such regulations was underscored this year, with IBM’s annual Cost of a Data Breach Report revealing that the use of AI and automation in prevention workflows lowers breach costs by an average of US $2.2 million, and that only 24% of GenAI initiatives are being secured, which threatens to expose the data and models to breaches. According to Gartner, 55% of organizations have implemented or are implementing generative AI.
Organizations are clearly rushing to incorporate AI into their platforms, but they are not putting effort into AI governance, potentially undermining the effectiveness of the technology and increasing risk.
Time to reflect
That was 2024, a supremely busy year for privacy, cybersecurity, governance, and AI. A year so full of change that we had to add a weekly FILED edition just to keep up with it. You’re subscribed, right? (If not, click this link to sign up.)
Otherwise, we’ll see you next year, when we’ll use January to set up a fresh set of predictions for the new year.
🕵️ Privacy & governance
With an upcoming privacy law containing data minimization requirements, a strong prohibition on selling sensitive data, as well as an existing children’s privacy law containing strict rules on how businesses must manage their privacy settings, an argument that Maryland is set to become a privacy leader for the United States.
🔐 Security
A reminder that third-party access is a major risk for your data protection.
Russian hackers spent nearly two years secretly controlling the computer systems of Pakistani cyberspies, and gaining access to sensitive government networks across South Asia, according to research released by Lumen’s Black Lotus Labs.
SMS passwords are no longer secure enough to fight AI-driven fraud, Visa says.
The latest from RecordPoint
📖 Read:
Strong data governance is critical for growing organizations, especially in the face of evolving privacy law and increased cybersecurity threats. Learn how to set the foundations for effective data governance, so your organization can improve its compliance and security posture.
The City of Kitchener leveraged RecordPoint to manage physical records, following the announcement that their existing system would cease product support.
And a small plug – we were very proud to be one of the featured case studies in this Microsoft report highlighting Australia’s most promising opportunities in the new global AI economy. Take a look!
Any organization investing in GenAI needs to balance its productivity gains with the risk. To really reap the benefits of the technology, it must be trustworthy. Learn the elements of trustworthy AI and how to apply them in your organization.
Legacy application modernization is the process of reviewing and transforming outdated legacy systems within an organization to better meet business needs. Learn how to get started in this blog post.
🎧 Listen:
In the finale of FILED Season 2, Anthony and Kris take a walk down memory lane, reviewing their favorite clips and discussing themes and events from a busy year in privacy, cybersecurity, governance and records (and AI).