Data governance still matters
Whether you are improving your privacy posture or preparing your data for AI, investing in data governance is crucial.
Subscribe to FILED Newsletter
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- We’re a month out from amendments to the Australian Privacy Act, and the media industry is feeling uncertain and in the dark.
- OpenAI’s messaging system was hacked last year, raising fears foreign actors could do the same.
- New cause of inflation: ransomware.
But first: with the setbacks to United States privacy law and enforcement, a reminder that data governance—particularly data minimization—is still important, especially if you want to leverage AI.
If you only read one thing:
Data governance is only getting more relevant
The future of United States federal privacy law is once again uncertain, thanks to the last-minute removal of the American Privacy Rights Act (APRA) bill from a scheduled markup in late June, which came amidst concerns the civil rights portions of the bill had been weakened. While this isn’t the first time a federal privacy bill has hit issues (remember the ADPPA?), APRA had some early momentum, with a seemingly widespread desire among lawmakers to enact national legislation to replace the patchwork of state laws. Hopes were high that this would be the one that stuck.
In the wake of the removal, privacy professionals are no doubt wondering whether we will ever see a comprehensive federal privacy law, and their colleagues (and superiors) may be wondering whether investing in privacy measures like data governance is still a high priority.
More questions will be asked with the news of a Supreme Court decision to overturn the Chevron doctrine. This removal of the doctrine, which holds that courts should defer to federal agencies when interpreting parts of federal law not specified by Congress — has some worried it will make strengthening cybersecurity regulations more difficult.
But it would be a mistake to take these setbacks as a prompt to cut investment in data governance. In the United States as in elsewhere, privacy regulation is still on the march. This month, four US states – Florida, Oregon, Montana, Texas, and Rhode Island – have privacy laws going into effect, which makes a total of 19 US states with modern privacy laws enacted.
Meanwhile, we are roughly a month out from draft legislation to amend to the Australian Privacy Act being tabled. To respond to these regulations, an investment in data governance is critical, so you can understand what you have, where it is, manage access, and practice strong data minimization and remove the data you are required to (not to mention the ROT).
But if the law isn't sufficiently motivating, how about AI?
Hi, Robot
Yes, strong data governance is also essential if you are among the organizations either actively leveraging or considering using AI, particularly those leveraging Microsoft Copilot. According to Gartner, 55% of organizations have implemented or are implementing generative AI, with Copilot the obvious starting point given its simplified implementation. But it does come with risk.
While Microsoft Copilot offers “commercial data protection”, the US Congress has banned its use due to the risk of data leaking to non-approved services, and Gartner also urges caution. The risk with Copilot is that the service will supercharge any existing poor data security and data governance practices.
- Poor access configuration? An over-permissioned user can ask for the CEO’s salary, and an attacker can ask for much more.
- Poor data minimization practices? The customer data you should have removed is easily query-able by a sufficiently motivated threat actor. Meanwhile, your redundant, obsolete and trivial data will skew the training data, and give Copilot a skewed understanding of your company, product, or industry, lowering the quality of the output.
To implement good AI practices in your organization, you need to have good data. To achieve this, you need to invest in data governance to remove data you are not entitled to, and understand the rest, so you can manage permissions and ensure your data is locked down to just the people who need access.
Whether your use-case is Copilot or responding to a new privacy regulation, data governance is still worth investing in.
🕵️ Privacy & governance
As discussed above, we're a month out from the amendments to the Australian Privacy Act, and media organizations feel uncertain about what's to come for their industry.
A look at Big Tech’s efforts to influence data privacy.
🔐 Security
The Australian Signals Directorate published a lengthy advisory yesterday on APT40, a China-linked hacking group that repeatedly targets Australian networks, including government, and makes use of vulnerabilities in “widely used software”, including Log4j, Atlassian Confluence and Microsoft Exchange - “within hours or days of public release”, as well as using small-office/home-office devices as launchpads for further cyberattacks.
A hacker gained access to OpenAI's internal messaging systems last year, raising fears from some that foreign states could do the same. The company did not share news of the breach at the time because no customer or partner data had been accessed.
If your data is accessed by the Volcano Demon ransomware gang, don't call them — they'll call you.
Among the unexpected tidbits in this article about the unseen costs of ransomware: ransomware is driving inflation, as hacked companies tend to increase prices following a data breach.
A ransomware attack has crippled the operations of California-based Patelco Credit Union.
Roleplaying platform Roll20 experienced a serious security breach, though the seriousness is a bit undercut by all the puns in that report.
The latest from RecordPoint
📖 Read:
When managing large volumes of data, data minimization is crucial. But what about the data that needs to be retained? This article explores why data might need to be kept, the risks of over-retention, and steps for ensuring the data you do keep is secure.
🎧 Listen:
Debra Farber has made the cause of shifting privacy left her life’s mission. In addition to her work as a privacy consultant, she has spent three seasons and 60 episodes of her podcast, the aptly named Shifting Privacy Left, talking to everyone from privacy advocates to engineers about embedding privacy throughout organizations.
She joined Anthony and Kris to dive deep into the subject, its importance, its applicability to organizations large and small, and to share the most surprising things she's learned in her journey.
Raashee Gupta Erry, founder and CEO of Uplevel, uses her knowledge and experience to help marketing and advertising teams with balancing growth with respecting privacy and compliance. In this episode of FILED, with Anthony and Kris, she discusses how privacy is an area that requires company-wide awareness, along with nuanced approaches when it comes to various departments and functions.
📺 Watch (July 16, 12:30pm AEST)
While the fact of the OAIC’s proposed $21.5 trillion fine for Medibank’s 2022 data breach is well known, less discussed is the role that lax access controls, data hoarding, and a lack of MFA played in the breach.
During our webinar, Learning from the Medibank breach: why data minimization matters, we will dig into the case, the specific steps the insurer could have taken to prevent or mitigate the effects of the breach, and why the OAIC may have chosen to make an example of the company specifically. We will also cover other major healthcare data breaches, and discuss why health insurers have become popular targets of cybercriminals.
You'll leave with a clear understanding of the case and what your business needs to do to avoid a similar situation.
Register for the webinar via the link above and join us for the discussion!
