The biggest privacy and security news from 2023
Reflect on 2023’s key privacy and security moments.
Hi there,
Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.
This month:
- Continued rise of generative AI raises increased data privacy concerns.
- Increased concerns as US spy tech firm Palantir wins the contract to create a new data platform for the National Health Service.
But first, it’s time to reflect on this year’s key privacy and security moments.
If you only read one thing:
The year in privacy and security
Well, we did it: we made it through another year. Thank you for joining us for the first full calendar year of FILED. We’ve had a lot of fun sharing our perspective on the world of data privacy and data security.
This month, we had the very original idea to look back at the year in privacy and security.
As well as the editorials themselves, we included 144 links to privacy and security news (seriously, we counted!). That’s a lot of hyperlinks. But what did they add up to? Let’s examine the major themes of the year.
😥 Supply chain security remains a significant issue
We first wrote about supply chain security in July, after the MOVEit and Barracuda Networks attacks. These attacks, targeting a managed file transfer service and email security gateway devices, respectively, impacted thousands of organizations across many industries – the latest estimate for MOVEit alone was 2,620 organizations and more than 77 million individuals. These victims included government agencies like the United States Department of Energy and various healthcare organizations.
Since these attacks, Australia has seen another supply chain attack on Australian law firm HWL Ebsworth, impacting more than 65 government agencies and departments, including Home Affairs and Defence, major banks, insurers, and numerous Australian Securities Exchange-listed companies.
These attacks underscored that an organization’s security depends not only on its own internal tools, team, and operational processes, but also on those used by its entire supply chain.
After all this upheaval, you would hope businesses take supply chain security seriously. However, a report by the Australian Securities and Investments Commission (ASIC) suggests firms are still struggling with this challenge, at least in Australia. According to the regulator, 69% of those surveyed had no or minimal ability to manage third-party or supply-chain risk.
This result is the symptom of a reactive approach to cybersecurity, one visible when you consider other themes in the year.
🔍 Governments and organizations are searching for a response to ransomware
Ransomware continues to be a popular hacking approach, leaving targeted organizations with the choice of paying up or seeing the sensitive information of their staff and customers made public. Organizations are unsure whether they should pay an attacker, with one survey saying that half of boards were uncertain of their policy. Some must develop it when (and it is when) an attack occurs. As we argued earlier in the year, robust data management practices – where you understand your data’s location and sensitivity and remove it when legally permitted – mean you can make informed decisions, not panicked ones.
Meanwhile, governments seem convinced that a payment ban will solve the issue. United States officials are working hard to secure agreement from almost 50 countries not to pay ransom demands to criminals. However, banning payments from government organizations may just shift the focus to other victims who are more likely to pay up.
Indeed, ransomware gangs are finding creative ways to apply pressure to their victims. Last month ALPHV/BlackCat announced it had hacked financial software company MeridianLink and had already reported the company to the SEC for not informing the regulator of the incident within the required four days. While the rules they cited weren’t in effect at the time of the incident, they are now. Will the next victim be able to resist the pressure to pay?
🤖 The continued rise of generative AI raises data privacy concerns
We’re a little over a year from the release of ChatGPT, the large language model (LLM) that, together with OpenAI’s image generation app DALL-E, ushered in an era of increasingly sophisticated AI models. While their abilities are impressive, these models also raise various risks.
These models were trained on massive data sets (the “large” part of LLM) that include intellectual property and sensitive data. Users have also happily provided their personally identifiable information (PII) for free, entering sensitive or confidential data and never realizing that it is used to train the model. Researchers have demonstrated how trivially easy it is to extract that data.
The risk is such that US President Joseph Biden’s executive order on AI included a call for Congress to pass comprehensive privacy legislation and actions like providing support for the development of privacy-preserving techniques in AI systems and strengthening privacy guidance for federal agencies. Meanwhile, the European Union’s effort to regulate AI continues, though progress appears to be slow.
🛡️ Data privacy regulation continues its march
We covered this issue in depth last month. I won’t belabor the point again here, except to say that the growth in data privacy regulation is real, and if your organization has not assessed its response, you need to put this high on your priority list for 2024. In the last year, we’ve seen a boom in state-level data privacy regulation in the United States, with seven states enacting new laws, the California Consumer Privacy Act (CCPA) adding additional privacy protections, and a new law focused on data brokers.
In Australia, the federal government indicated its intention to overhaul the nation’s privacy laws in 2024, and several states began work on their privacy regulations. Similar progress continues around the globe.
Wherever your company is based, you must consider your response to General Data Protection Regulation (GDPR)-style privacy regulations. This response must include strong data management for your customers’ sensitive information.
Phew! That was the year in FILED for 2023.
We hope that you will have time over the break to reflect on these themes and what they may mean for your organization’s priorities in 2024. Aside from mulling over privacy and security, we hope you have a pleasant and restful holiday. We’ll see you again in the new year, with a look forward to what 2024 may bring in terms of privacy and security.
🕵️ Privacy and governance
There are growing fears from UK tech, medical and civil liberties groups as US spy tech firm Palantir wins the contract to create a new data platform for the National Health Service.
Meta’s choice to introduce an ad-free tier for its platforms created a “pay or consent” model, where users of the free, ad-supported tier are asked to consent to the processing of their data for personalized advertising. This is an interesting, complex move in the context of the GDPR, this piece argues.
🔐 Security
According to the Australian government’s Annual Cyber Threat Report 2022–23, published mid-November, one in five critical vulnerabilities was exploited within 48 hours.
The Australian Federal Government’s Cyber Security and Home Affairs Minister Clare O'Neil unveiled the country’s 2023–2030 Australian Cyber Security Strategy late last month. The strategy’s goal is to make Australia a world leader in cybersecurity. Ambitious!
- The sensitive personal and health information of 2.2 million patients of McLaren Health Care was compromised during a cyberattack earlier this year.
- HR data was stolen from the British Library, one of the world's largest public libraries, in a recent ransomware attack.
- China is a major backer of Australian cyber attacks, according to spy agencies.
📣 The latest from RecordPoint
Read:
A legacy EDRMS is no longer a fit-for-purpose solution for organizations that wish to limit risk and improve productivity. Learn why and how to move to a modern records solution.
Listen:
Freight Exchange founder and CEO Cate Hull takes us behind the scenes of ugly freight, explaining how her company leverages machine learning and other tools to overcome the challenges of working at the intersection of the digital and physical worlds in a field exposed to human error, fraud, and theft.
👉 Subscribe to the podcast so you get new episodes as soon as they land.