Archive for Privacy

VirusTotal Leaks Data…. A Lot Of It

Posted in Commentary with tags on July 23, 2023 by itnerd

I use Google-owned VirusTotal to examine suspicious files as part of investigations that I do for my corporate and sometimes home clients. It’s a very useful tool for me and others. But I suspect that some are rethinking that after it was found to have leaked the data of 5600 customers:

VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month.

The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses.

Emiliano Martines, the online malware scanning service’s head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.

Furthermore, the leaked file was only accessible to VirusTotal partners and cybersecurity analysts with a Premium account with the platform.

Those using anonymous or free accounts cannot access the Premium platform and, consequently, cannot reach the leaked file.

“On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform. This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators,” Martines said on Friday.

“We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.”

Well, that’s one hell of a screw up. Especially because of this:

German news outlets Der Spiegel and Der Standard were the first to report the incident on Monday. As they reported, the 313KB leaked file contained details concerning accounts associated with official U.S. entities, including the Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). Additionally, the file included accounts linked to government agencies in Germany, the Netherlands, Taiwan, and the United Kingdom.

“It is a list of 5600 names, including employees of the US intelligence service NSA and German intelligence services,” Der Spiegel said.

That’s pretty bad. And this makes it worse:

Information on dozens of employees at Bundesbank, Deutsche Bahn, Allianz, BMW, Mercedes-Benz, and Deutsche Telekom was also found in the leaked file.

I suspect that there’s going to be a lot of explaining that VirusTotal will have to do over the next few days to reassure those customers.
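The incident above came from a customer list being pushed to a scanning service by hand. As an added example (not VirusTotal’s code, and not anything from the reports quoted above), here is a pre-submission guard a SOC could put in front of its upload tooling: it refuses to upload content that looks like a tabular contact list and falls back to a hash-only lookup, which sends no file content. The heuristics, thresholds, function names and the sample data are all constructed for illustration.

```python
"""Pre-submission guard for a third-party malware-scanning workflow (constructed example)."""
import csv
import hashlib
import io
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class UploadDecision:
    allow: bool            # True: upload the file; False: query by hash only
    reason: str
    email_count: int
    distinct_domains: int
    sha256: str            # a hash lookup never transmits the file's content


def _looks_textual(data: bytes) -> bool:
    """Executables and archives contain NUL bytes or invalid UTF-8; a CSV export does not."""
    if b"\x00" in data[:4096]:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def _is_tabular(text: str, min_rows: int = 3) -> bool:
    """True when at least 80% of non-empty rows share the same column count (> 1)."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if len(rows) < min_rows:
        return False
    widths = [len(r) for r in rows]
    common = max(set(widths), key=widths.count)
    return common > 1 and widths.count(common) >= 0.8 * len(widths)


def check_upload(data: bytes, max_emails: int = 5, max_domains: int = 3) -> UploadDecision:
    """Block structured data that lists many e-mail addresses across several organisations."""
    digest = hashlib.sha256(data).hexdigest()
    if not _looks_textual(data):
        return UploadDecision(True, "binary content; contact-list heuristic not applicable", 0, 0, digest)
    text = data.decode("utf-8")
    emails = EMAIL_RE.findall(text)
    domains = {e.rsplit("@", 1)[1].lower() for e in emails}
    if _is_tabular(text) and len(emails) >= max_emails and len(domains) >= max_domains:
        return UploadDecision(False, "tabular data listing e-mail addresses across organisations",
                              len(emails), len(domains), digest)
    return UploadDecision(True, "no contact-list indicators", len(emails), len(domains), digest)


# Constructed sample in the shape of a customer export (company, group name, admin e-mail).
SAMPLE_CUSTOMER_CSV = b"""company,group_name,admin_email
Example Bank AG,examplebank,soc@examplebank.example
Contoso Ltd,contoso-threat-intel,admin@contoso.example
Fabrikam Inc,fabrikam-ir,ir-lead@fabrikam.example
Northwind Traders,northwind,secops@northwind.example
Tailspin Toys,tailspin-sec,analyst@tailspin.example
Wide World Importers,wwi,ciso@wwi.example
"""

# Constructed sample: a PE-like header, i.e. the kind of artefact that should be submitted.
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 64

# Constructed sample: free text with a single address is not a contact list.
SAMPLE_NOTE = b"Ticket 4711: please triage the attachment, reply to helpdesk@example.org\n"

if __name__ == "__main__":
    for name, blob in [("customer list", SAMPLE_CUSTOMER_CSV), ("binary", SAMPLE_BINARY), ("note", SAMPLE_NOTE)]:
        d = check_upload(blob)
        action = "upload" if d.allow else f"hash lookup only ({d.sha256[:12]}...)"
        print(f"{name:14s} -> {action}: {d.reason}")
```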

EU-US Data Privacy Framework Announced

Posted in Commentary with tags on July 11, 2023 by itnerd

The USA has reached a deal with the European Union on how to better protect the privacy of data belonging to EU residents when their information flows to the U.S. This is important because Meta, Google and other tech companies have been in a legal limbo for several years:

The decision adopted by the European Commission is the final step in a yearslong process and resolves — at least for now — a dispute about American intelligence agencies’ ability to gain access to data about European Union residents. The debate pitted U.S. national security concerns against European privacy rights.

The accord, known as the E.U.-U.S. Data Privacy Framework, gives Europeans the ability to object when they believe their personal information has been collected improperly by American intelligence agencies. An independent review body made up of American judges, called the Data Protection Review Court, will be created to hear such appeals.

Didier Reynders, the European commissioner who helped negotiate the agreement with the U.S. attorney general, Merrick B. Garland, and Commerce Secretary Gina Raimondo, called it a “robust solution.” The deal sets out more clearly when intelligence agencies are able to retrieve personal information about people in the European Union and outlines how Europeans can appeal such collection, he said.

“It’s a real change,” Mr. Reynders said in an interview. “Protection is traveling with the data.”

Ani Chaudhuri, CEO, Dasera had this to say:

This EU-US Data Privacy Framework, the product of years of negotiation, attempts to balance national security and personal privacy. This feat is as complex as it is critical.

On the surface, it’s a commendable step. It provides a mechanism for EU residents to challenge perceived infringements on their data by US intelligence agencies and aims to ensure that protections are ‘traveling with the data.’ Yet, Max Schrems, a leading privacy activist, is already planning to sue, questioning the legality and practicality of the Framework. The situation underscores a fundamental question – is it possible to simultaneously maintain privacy and security in a data-driven world?

Firstly, let’s agree on this: data is the backbone of the modern economy. The absence of this agreement would have created a tumultuous environment for multinational businesses that rely heavily on data flows. However, this pact is a band-aid on a festering wound. It replaces the invalidated Privacy Shield but maintains many of its predecessor’s shortcomings.

Why? Because, at its core, the Framework assumes trust between EU citizens and American intelligence agencies. It assumes a complaint-based system backed by an independent review body would provide adequate redress. But let’s be real: how many Europeans would feel comfortable voicing their concerns, let alone feel confident that their complaint would be handled fairly and impartially? The primary question, as Schrems rightfully posits, is whether changes in US surveillance law can genuinely ensure Europeans’ privacy rights. I would argue that the answer is, as it stands, “no.”

The issues run deeper than policy alone. The EU-US Data Privacy Framework marks a step forward but doesn’t necessarily solve the problem. The elephant in the room remains the balance between privacy rights and national security concerns.

The current paradigm involves mass data collection, necessitating uncomfortable compromises on personal privacy for security. But should we not aspire for a system that allows us to achieve both? Technology, after all, is a great enabler.

I’m pretty sure that this isn’t going to make everybody happy. And by everybody I mean Meta. But this is a start to ensuring the privacy of users while using online services and products from tech companies.

GDPR Turns Five Tomorrow

Posted in Commentary with tags on May 24, 2023 by itnerd

Tomorrow marks the fifth anniversary of the European Union’s General Data Protection Regulation (GDPR). The European Union adopted this legislation in 2016. It was officially enforced on 25th May 2018 to govern the utilization of data companies in European and non-European regions that gather, store, and process data of European citizens.

There are many views on how effective GDPR has been. I personally think it’s been a good thing as it holds companies accountable for how they handle data. But I got a second view on this from Ani Chaudhuri, CEO, Dasera:

There is often an overlooked aspect of GDPR – the potential exploitation of its provisions for malicious ends. When we discuss GDPR, we typically focus on the empowerment it gives individuals over their personal data, yet GDPR’s ‘Right of Access’ can indeed have negative consequences for data privacy if misused.

However, I firmly believe that GDPR continues to be of net benefit to data subjects and data protection. Despite these potential pitfalls, the importance of a legal framework that protects individuals’ data rights and fosters transparency and accountability in data processing cannot be overstated.

As for measures taken by the EU since GDPR, the EU is generally known for its proactive stance on data privacy issues, and I anticipate they would take such issues seriously, working on improvements to address these gaps.

The crux of the problem is verifying the identity of individuals making data access requests. In this regard, automated data security and governance controls can offer a strong solution. By using sophisticated verification and monitoring systems that can detect abnormal patterns or suspicious requests, we can bolster the security of data access processes.

Lastly, let’s not forget that we’re still relatively early in the implementation of comprehensive data privacy laws. The GDPR is groundbreaking legislation, but it is also an evolving one. As we learn more about its strengths and weaknesses, we must continue to refine and improve it. It is vital to shed light on vulnerabilities that need to be addressed, ensuring that the GDPR remains a robust and effective tool for protecting personal data.

Where once enterprises could buy, sell, share, and store customer data with relative freedom, for the last 5 years every organization that operates under the GDPR has been subject to scrupulous regulatory compliance requirements. And we have seen companies like Amazon, Meta and Google fined for breaches and other issues. This is a very good thing as like I said earlier, these companies are being held accountable. That forces them to change the behaviours of said companies for the better.

UPDATE: Ted Miracco, CEO, Approov Mobile Security added this comment:

“While no law is perfect, the GDPR regulation was one of the most ground-breaking, necessary, and extremely well crafted pieces of cross-border legislation in recent history. Protection of Personal Data is critical to a well-functioning and open society, and while GDPR didn’t stop the abuse of big technology companies, it made the consequences of their actions substantive and many, including Google and most recently Meta, have been fined billions of dollars for their abusive handling of Personal Data. Even the definition of “Personal Data” per GDPR was forward looking in that it cast a wide net, anticipating that tech companies would try to bypass the definition to continue to harvest, export and profit by exploiting the data made available to them. The law was both clear and manageable and therefore it has become a framework for many data privacy laws around the world. If you ask if the law has been effective, I will give a resounding “yes”, and back it up by the data in a recent Cyber Threats Report [1] on the security of mobile applications, where European based fintech companies outperformed their US counterparts by a significant margin.”

Footnote:

1.  The Approov Mobile Threat Lab issued findings in March 2023 that analyzed the 200 most popular financial services apps in use in the USA, France, Germany and the UK. Using an automated approach, researchers were able to immediately extract and classify thousands of secrets from these apps, including API Keys for critical financial services. In addition, from these automated scans, it was possible to determine how well protected apps were against run-time threats such as 

– Extraction of API Keys and other Secrets
– Man-in-the-Middle (MitM) attacks
– Device manipulation or “Man-in-the-Device” attacks

Results: 28% of US apps exposed high value secrets; 28.5% of French apps exposed high value secrets; 24.5% of U.K. apps exposed high value secrets; and 19.5% of German apps exposed high value secrets. The full report is available upon request.

When We Think Of The Risks Of AI, Are We Thinking About The Right Risks?

Posted in Commentary with tags on May 19, 2023 by itnerd

AI is popping up everywhere. And people have to not only adjust to the work related and cultural implications of AI, but security ones as well. Take the impact on financial advisors. There’s a suggestion that AI can really help usher in a revolution in this industry:

According to a recent poll by Morgan Stanley Wealth Management, 72% of investors think artificial intelligence will change the way they and traders operate, and 74% of respondents think it would improve the quality of client service provided by financial advisers. 82% of respondents stated AI would never replace human counsel, and 88% agreed that the human-to-human contact with a financial adviser is crucial. However, 63% of respondents would be interested in working with an advising business that uses AI.

The poll discovered that younger investors are more excited about AI’s possibilities. Eighty-seven percent of respondents in the 35 to 44 age range said AI was a game-changer, 89% believed it will help advisors provide better client service, and 85% indicated they would be interested in working with an advisor who uses it.

Younger investors, however, share the general sample’s conviction that the advisor-client relationship will not be replaced by AI. A sample of 924 American investors participated in the online poll, which Dynata solicited and ran in April.

But others urge caution:

“While AI is clearly groundbreaking, and we are just scratching the surface of its potential impact within financial services, this data aligns with an insight we’ve known for some time: The clients who are most engaged with their financial advisors are also the most satisfied,” Jeff McMillan, MSWM’s head of analytics, data and innovation, said in a statement.

“Within this context, AI should be viewed not as a replacement of human guidance, but as a powerful tool to help turbocharge a financial advisor’s practice management and client interaction capabilities.”

There’s another thing to consider. What risks come with actively using AI in this industry? Ani Chaudhuri, CEO, Dasera speaks to two big risks: privacy and data security:

As we delve into the age of AI-driven financial advising with tools like AI, it’s crucial to understand its immense potential and inherent risks. The idea of AI-assisted financial advice is groundbreaking, and it could significantly streamline processes, democratize financial planning, and deliver personalized strategies at scale. However, its implementation is not without its challenges.

From a high-level perspective, AI tools like Bard leverage sophisticated algorithms and machine learning techniques to analyze vast amounts of data. They generate insights, make predictions, and offer advice based on the patterns and trends they discern.

However, such powerful tools are not without their shortcomings. One of the most pressing concerns lies in data security and privacy. Given the sensitive nature of financial data, any compromise could lead to severe consequences. AI systems are as secure as the measures put in place to protect them, and they are not immune to breaches or misuse.

The use of AI in financial advising also raises privacy concerns. As these AI tools process vast amounts of personal data to provide personalized advice, robust measures must be in place to ensure the privacy of this data. Transparency about how the data is used, stored, and protected should be a priority.

Moreover, as AI becomes more integrated with financial advising, firms must ensure robust data governance measures are in place. This includes maintaining detailed logs of AI actions and decisions for auditing purposes, having clear visibility over who has access to the AI and the data it processes, and having measures to swiftly detect and respond to any anomalies or potential security incidents.

The rise of AI in financial advising underscores the increasing importance of cybersecurity in the financial sector. While AI can revolutionize financial advising, firms must navigate this path carefully, ensuring they balance innovation and security.

Privacy risks related to AI appear in another place. Hollywood. At the moment there is a writers strike. And one of the issues on the table is AI:

The Writers Guild of America (WGA), a labour union representing writers who primarily work in film and television, began the work strike this month after reaching an impasse in negotiations with the Alliance of Motion Picture and Television Producers that represents the US entertainment industry. Part of the disagreement revolves around a WGA proposal to ban the industry from using AIs such as ChatGPT to generate story ideas or scripts for films and shows – the union wants to ensure that such technologies do not undermine writers’ compensation and writing credits.

“The fear is that AI could be used to produce first drafts of shows, and then a small number of writers would work off of those scripts,” says Virginia Doellgast at Cornell University in New York.

Now that sounds like something out of a Hollywood script. But Ani Chaudhuri, CEO, Dasera doesn’t think so. Instead he has other concerns:

The emergence of AI in Hollywood signals a paradigm shift in content creation. This technology holds the potential to unlock new creative avenues, but we should recognize the distinct challenges it introduces.

AI may streamline the production process but cannot replace the human touch in storytelling. Content ‘perfection’ cannot be defined by algorithms alone. Artistry, after all, thrives on spontaneity, innovation, and human emotion – elements AI cannot replicate in its entirety. While AI can augment the creative process, the fear of artists being entirely replaced is unwarranted. The challenge lies in striking the right balance where AI complements human creativity rather than supplants it. This is how our marketing team is working with various AI tools today.

The incorporation of AI also introduces fresh data security and privacy risks. As AI models consume vast amounts of data for training and development, this data could be misused or mishandled, potentially leading to breaches. There’s also the risk of ‘deepfakes,’ manipulated videos created using AI, which could tarnish reputations or spread disinformation.

Studios and streaming platforms must take these risks seriously. This necessitates robust data security and governance frameworks to protect sensitive information and uphold the privacy of creators and audiences. Data access should be strictly regulated on a need-to-know basis, with clear visibility over who is accessing what data and why. Regular audits should be conducted to detect any anomalies or potential data misuse.

Moreover, cybersecurity measures must extend to AI tools to ensure they’re not manipulated for malicious intent. Clear guidelines should be established for the ethical use of AI, and these should be transparent to all stakeholders involved, including creators and audiences.

The marriage of Hollywood and AI is exciting, but it must be navigated thoughtfully to protect the creative process, uphold security, and maintain trust.

The concerns that Mr. Chaudhuri has sound like the ones that he has with the financial industry. That suggests to me that maybe people aren’t focused enough on privacy and security when it comes to AI. So instead of thinking about jobs being lost, or Skynet from the Terminator movies destroying all humanity, maybe the conversation needs to shift to more practical matters, seeing as privacy and security are problems today?

Anker FINALLY Admits That It Lied About End To End Encryption With Their Eufy Security Cameras

Posted in Commentary with tags on February 1, 2023 by itnerd

You might recall that last year it was discovered that Eufy security cameras, which were made by Anker, were not “end to end encrypted” despite what their advertising said. This link will give you my thoughts on this, along with this follow up where they tried to make this issue go away via a software update that wasn’t really a software update, which didn’t go over well.

The Verge has been doing its best to get answers from Anker on this. And last night they finally did:

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player

But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request. 

That’s not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it’s bringing in outside security and penetration testing companies to audit Eufy’s practices, is in talks with a “leading and well-known security expert” to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail. 

Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It’s a little hard to take the company at its word!

I for one cannot take Anker at its word. Even with all of this, I don’t believe that this company can be trusted again regardless of the promises that it makes. And given that their cameras and other security products live inside your homes, you should not trust them either. This company needs to disappear from the face of the Earth, as either screwing up to this degree or outright lying is completely unacceptable. And there must be some sort of punishment for that which deters others from pulling this sort of stunt. So if governments won’t act to ban Anker, consumers should be voting with their wallets to make sure that companies think twice about doing something like this.

Today Is Data Privacy Day

Posted in Commentary with tags on January 28, 2023 by itnerd

Data Privacy Day, also known in Europe as Data Protection Day, is globally recognized each year on January 28th. Some have now even extended this to a weeklong celebration. The event’s purpose is to raise awareness and promote privacy and data protection best practices. 

Executives from Datadobi, DH2i, Folio Photonics, Nexsan, Nyriad, Hammerspace, Fortra and Retrospect had this to say about this very timely and important topic: 

Carl D’Halluin, CTO, Datadobi: 

“A staggering amount of unstructured data has been and continues to be created. In response, a variety of innovative new tools and techniques have been developed so that IT professionals can better get their arms around it. Savvy IT professionals know that effective and efficient management of unstructured data is critical in order to maximize revenue potential, control costs, and minimize risk across today’s heterogeneous, hybrid-cloud environments. However, savvy IT professionals also know this can be easier said than done, without the right unstructured data management solution(s) in place. And, on Data Privacy Day we are reminded that data privacy is among the many business-critical objectives being faced by those trying to rein-in their unstructured data. 

The ideal unstructured data management platform is one that enables companies to assess, organize, and act on their data, regardless of the platform or cloud environment in which it is being stored. From the second it is installed, users should be able to garner insights into their unstructured data. From there, users should be able to quickly and easily organize the data in a way that makes sense and to enable them to achieve their highest priorities, whether it is controlling costs, CO2, or risk – or ensuring end-to-end data privacy.”

Don Boxley, CEO and Co-Founder, DH2i:

“The perpetual concern around data privacy and protection has led to an abundance of new and increasingly stringent regulations around the world. According to the United Nations Conference on Trade and Development (UNCTAD), 71% of countries now have data protection and privacy legislation, with another 9% having draft legislation. 

This increased scrutiny makes perfect sense. Data is being created and flowing not just from our business endeavors, but countless personal interactions we make every day – whether we are hosting an online conference, making an online purchase, or using a third party for ride-hailing, food delivery, or package transport. 

Today, as organizations endeavor to protect data – their own as well as their customers’ – many still face the hurdle of trying to do so with outdated technology that was simply not designed for the way we work and live today. Most notably, many organizations are relying on virtual private networks (VPNs) for network access and security. Unfortunately, both external and internal bad actors are now exploiting VPN’s inherent vulnerabilities. However, there is light at the end of the tunnel. Forward looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT: without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access; while ensuring they adhere to internal governance and external regulations compliance mandates.”

Steve Santamaria, CEO, Folio Photonics: 

“It is no secret that data is at the center of everything you do. Whether you are a business, a nonprofit, an educational institution, a government agency, or the military, it is vital to your everyday operations. It is therefore critical that the appropriate person(s) in your organization have access to the data they need anytime, anywhere, and under any conditions. However, it is of equal importance that you keep it from falling into the wrong hands.

Therefore, when managing current and archival data, a top concern must be data security and durability, not just today but for decades upon decades into the future. The ideal data storage solution must offer encryption and WORM (write-once, read-many) capabilities. It must require little power and minimal climate control. It should be impervious to EMPs, salt water, high temps, and altitudes. And, all archive solutions must have 100+ years of media life and be infinitely backward compatible, while still delivering a competitive TCO. But most importantly, the data storage must have the ability to be air-gapped as this is truly the only way to prevent unauthorized digital access.”

Surya Varanasi, CTO, Nexsan: 

“Digital technology has revolutionized virtually every aspect of our lives. Work, education, shopping, entertainment, and travel are just a handful of the areas that have been transformed. Consequently, today, our data is like gravity – it’s everywhere. 

On Data Privacy Day, we are reminded of this fact, and the need to ensure our data’s safety and security. Fortunately, there are laws and regulations that help to take some of the burden off of our shoulders; such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA).

However, some of the responsibility remains on our shoulders as well as those of the data management professionals we rely upon. Today, it would be extremely challenging to find an organization (or an individual for that matter) that isn’t backing up their data. Unfortunately however, today that just isn’t enough. Cyber criminals have become increasingly aggressive and sophisticated, along with their ransomware and other malware. And now, the threat isn’t just that they will hold your data until payment, cyber criminals are now threatening to make personal and confidential data public, if not paid. It is therefore critical that cyber hygiene must include protecting backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted. 

This can be accomplished with an advanced Unbreakable Backup solution, which creates an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about the protection and privacy of their data, and instead focus their expertise on activities that more directly impact the organization’s bottom-line objectives.”

Andrew Russell, Chief Revenue Officer, Nyriad: 

“Data Privacy Day serves as a great reminder of the value and power of data. In addition to your people, data is without question the most strategic asset of virtually any organization. Data and the ability to fully leverage, manage, store, share, and protect it, enables organizations to be successful across virtually every facet – from competitive advantage, to innovation, the employee experience, and customer satisfaction, to legal and regulations compliance competency. 

Consequently, savvy data management professionals recognize that while a storage solution that is able to deliver unprecedented performance, resiliency, and efficiency with a low total cost of ownership is priority number one to fully optimize data and intelligence for business success; they likewise need to ensure they have the ability to protect against, detect, and restore data and operations in the event of a successful cyber-attack in order to protect their data, for business survival.” 

Brian Dunagan, Vice President of Engineering, Retrospect: 

“Every organization, regardless of size, faces the real possibility that they could be the next victim of a cyberattack. That is because today’s ransomware, which is easier than ever for even the novice cybercriminal to obtain via ransomware as a service (RaaS), strikes repeatedly and randomly without even knowing whose system it is attacking. Ransomware now simply searches for that one crack, that one vulnerability, that will allow it entry to your network. Once inside it can lock-down, delete, and/or abscond with your data and demand payment should you wish to keep your data private and/or have it returned. 

As an IT professional, it is therefore critical that beyond protection, steps be taken to detect ransomware as early as possible to stop the threat and ensure their ability to remediate and recover. A backup solution that includes anomaly detection to identify changes in an environment that warrant the attention of IT is a must. In order to ensure its benefit, users must be able to tailor the backup solution’s anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.”

Molly Presley, SVP of Marketing at Hammerspace:  

“With global rules governing how data should be stored, used, and shared, combined with escalating data losses, explosive personal data growth, and customer expectations, addressing data privacy is now an obligatory business requirement. However, as organizations expand and navigate compliance and legal requirements in the rapidly evolving age of big data, AI/ML, and government regulations, the existing processes surrounding data privacy need to evolve to 1) automate processes and 2) scale to meet increasingly complex new challenges.   

Privacy and security concerns increasingly impact multiple vertical markets, including finance, government, healthcare and life sciences, telecommunications, IT, online retail, and others, as they quickly outgrow legacy data storage architectures. As a result, there is increasing pressure to develop and implement a data strategy and architecture for decentralized data that is more cohesive, making access to critical information simplified and secure.

To protect the organizations’ and individual users’ sensitive data, organizations must take the steps necessary to control how data is shared and eliminate the proliferation of data copies outside the controls of IT security systems. Accelerating IT modernization efforts while managing the ever-increasing volumes of data requires a data solution that simplifies, automates, and secures access to global data. Most importantly, to ensure data privacy and secure data collaboration, a data solution must be able to put data to use across multiple locations and to multiple users while simplifying IT Operations by automating data protection and data management to meet policies set by administrators.”

Jason Lohrey, CEO of Arcitecta:   

“In this information age, data is the critical element of transformation, serving as a foundation for strategic decision-making. Data Privacy Day reminds us that data influences everything we do, from building services, products, customer experiences, and employee relationships. With the acceleration of technology, we are more connected than ever before and using data to facilitate high-value achievements for businesses and consumers.  

But with new threats, it is now more imperative than ever to protect data from those who seek to gain an advantage by exploiting others. It is becoming increasingly easier to infiltrate systems around the world. Organizations need to increase the resilience of their data so that it remains continuously available, and IT leaders must shift their focus from successful backups to successful recoveries to ensure that valuable data doesn’t become compromised by landing in the wrong hands.”  

Nick Hogg, Director of Technical Training at Fortra:

“With the rise of remote working, sharing sensitive files is now taken for granted. Therefore, awareness days and weeks, like Data Privacy Week, are a great way to remind organizations and their stakeholders of the importance of storing and handling data properly.

It’s essential for organizations to re-evaluate their security awareness and compliance training programs to move away from the traditional once-a-year, ‘box-ticking’ exercises that have proven to be less effective. The goal is to deliver ongoing training that keeps data security and compliance concerns front and center in employees’ minds, allowing them to better identify phishing and ransomware risks, as well as reducing user error when handling sensitive data.

They will also need to use digital transformation and ongoing cloud migration initiatives to re-evaluate their existing data loss prevention and compliance policies. The goal is to ensure stronger protection of their sensitive data and meet compliance requirements, while replacing complex infrastructure and policies to reduce the management overhead and interruptions to legitimate business processes.”

Wade Barisoff, Director of Product, Data Protection at Fortra (on the recent introduction of new privacy laws in the states of California and Virginia):

“As new states contemplate their own flavors of data privacy legislation, the only consistency will be the fact that each new law is different. We are already seeing this now; for example, in California, residents can sue companies for data violations, whereas in others it’s their attorney general’s offices that can impose the fines. In Utah, standards apply to fewer businesses compared to other states. As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of (for example), ‘What’s good for California isn’t good enough for Kansas’ creep in, and this developing complexity will have a significant impact on organizations operating across the country.

Before GDPR there were (and still are) many different country laws for data privacy. GDPR was significant, not because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled, but it was the first legislation with real teeth. Fines for non-compliance were enough to force companies into action.

So far, five states have (or will have) individual laws, but there are 45 more yet to come. The amount of money and time companies will spend enacting the proper controls for these individual privacy laws fuels the argument for a more unified national approach to data privacy standards, as the penalties for non-compliance are significant. Also, as states begin to increase the demands on business, usually without fully understanding the technology landscape and how businesses work with shared and cloud-based technologies, there’s a potential that companies will be forced to make the decision not to conduct business in certain areas. A national approach would allow businesses to tackle data privacy once, but as it stands, with the federated states model, doing business within the U.S. is likely to get more complicated and expensive.”

Home Depot Gave Customer Data To Meta Says Canadian Privacy Commissioner Without Customer Consent

Posted in Commentary with tags on January 26, 2023 by itnerd

Home Depot is my go-to for anything I need to fix stuff around my condo. But perhaps I should rethink that, as the Canadian Privacy Commissioner has determined that Home Depot handed over customer data to Meta (aka Facebook) without consent from customers:

It is an issue highlighted in a recent investigation by the Office of the Privacy Commissioner of Canada (OPC) into Home Depot of Canada Inc. (Home Depot). By participating in Meta Platforms Inc.’s Offline Conversions program, Home Depot was found to be sharing details from e-receipts – including encoded email addresses and in-store purchase information – with Meta, which operates the Facebook social media platform, without the knowledge or consent of customers.

And:

The investigation found that Home Depot had been collecting customer email addresses at store checkouts for the stated purpose of providing customers with an electronic copy of their receipt since at least 2018. However, the investigation revealed that during this period, the encoded email addresses, along with high-level details about each customer’s in-store purchases, were also sent to Meta.

Information sent to Meta was used to verify if a customer had a Facebook account. If they did, Meta compared the person’s in-store purchases to Home Depot’s advertisements sent over the platform to measure and report on the effectiveness of those ads. Meta’s Offline Conversions contractual terms also allowed it to use the customer information for its own business purposes, including user profiling and targeted advertising, unrelated to Home Depot.

Each email address Home Depot shared with Meta was encoded so that it could not be read by individuals at Facebook. Meta employed an automated process that allowed it to match email addresses attached to Facebook accounts. Email addresses not already associated with a Facebook account could not be linked to individuals.

While the details of a person’s in-store purchases may not have been sensitive in the context of Home Depot, they could be highly sensitive in other retail contexts, where they reveal, for example, information about an individual’s health or sexuality.

During the investigation, Home Depot said that it relied on implied consent and that its privacy statement, accessible through its website and in print upon request at retail locations, adequately explained that the company uses “de-identified information for internal business purposes, such as marketing, customer service, and business analytics” and that it “may share information for business purposes,” including “with third parties.” Home Depot also relied on Facebook’s privacy statement, which explained the Offline Conversions program.

The OPC, however, rejected Home Depot’s argument as the privacy statements Home Depot relied on for consent were not readily available to customers at the check-out counter, and consumers would have no reason to seek them out. Moreover, the OPC found that Home Depot’s privacy statement did not clearly explain the practice in question.
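The matching process the OPC describes above, as an added illustration that is not from the OPC report or from either company: the retailer sends a hashed address plus purchase detail, and the platform rebuilds the same hashes from its own directory and joins them. The hash function is an assumption (the report only says “encoded”; SHA-256 of a normalised address is the usual choice), and all addresses and accounts are constructed sample data.

```python
import hashlib
import unicodedata

# Constructed sample data (not from the OPC report): what the retailer holds
# after a checkout where the customer asked for an e-receipt.
RECEIPTS = [
    {"email": "Alice.Smith@Example.com", "purchase": "power tools"},
    {"email": "bob@example.org ", "purchase": "paint"},
    {"email": "nobody@example.net", "purchase": "lumber"},
]

# Constructed sample data: the platform's own user directory.
PLATFORM_ACCOUNTS = {
    "user-1001": "alice.smith@example.com",
    "user-1002": "bob@example.org",
    "user-1003": "carol@example.com",
}


def normalize_email(addr: str) -> str:
    """Canonicalise so case and whitespace differences still match."""
    return unicodedata.normalize("NFKC", addr).strip().lower()


def encode_email(addr: str) -> str:
    """Assumed encoding: SHA-256 of the normalised address (the page says
    only 'encoded'; this is the common ad-platform upload format)."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def retailer_export(receipts):
    """What leaves the retailer: hashed address plus high-level purchase."""
    return [{"email_hash": encode_email(r["email"]), "purchase": r["purchase"]}
            for r in receipts]


def platform_match(export, accounts):
    """Platform side: hash its own directory the same way and join.
    No person reads an address, yet every hit ties a purchase to an account;
    addresses with no account cannot be linked, as the OPC notes."""
    index = {encode_email(e): uid for uid, e in accounts.items()}
    matched = {}
    unmatched = 0
    for row in export:
        uid = index.get(row["email_hash"])
        if uid is None:
            unmatched += 1
        else:
            matched[uid] = row["purchase"]
    return matched, unmatched


if __name__ == "__main__":
    hits, misses = platform_match(retailer_export(RECEIPTS), PLATFORM_ACCOUNTS)
    print(hits, misses)  # {'user-1001': 'power tools', 'user-1002': 'paint'} 1
```

The point for a privacy review: a deterministic hash is pseudonymisation, not anonymisation, because any party holding the same identifiers can recompute it and re-identify the record.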

Now I have always been suspicious of getting e-receipts from companies, which is why I always prefer printed copies. This revelation makes me want to double down on never getting an e-receipt. Now I tried to find a comment from Home Depot or Meta but I couldn’t find one. Which in itself says something. But in the meantime, here’s what the Privacy Commissioner says that Home Depot has to do:

As a result of the investigation, the OPC recommended that Home Depot:

  • cease disclosing the personal information of customers requesting an e-receipt to Meta until it is able to implement measures to ensure valid consent;
  • implement measures to obtain express, opt-in consent from customers prior to sharing the information with Meta, should it resume the practice; and
  • ensure meaningful consent by providing customers requesting an e-receipt with key information regarding its sharing of information with Meta at the point of sale, and by strengthening its privacy statement to include a detailed explanation of its practices and how customers can withdraw consent.

It will be interesting to see if Home Depot complies with this. Because now that this is out there, Home Depot is going to have to deal with customers who do not trust them. And that’s not a good place to be in.

An Experian Glitch Exposed ALL Consumer Credit Files For SEVEN WEEKS Was Only Brought To The Attention Of Consumers This Week… WTF?

Posted in Commentary with tags on January 26, 2023 by itnerd

Brian Krebs has a mind-blowing story on his website that you simply must read. It revolves around consumer credit reporting bureau Experian and an issue that Krebs found and reported to the company. Here’s the TL;DR of what happened from the story:

On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

The implication of this is staggering, as this information could be used to launch all sorts of identity theft campaigns. Which is not only bad, but the worst-case scenario possible. And the fact that Experian only told consumers this week is an absolute #fail.

Jack Nichelson, CISO of Inversion6 added this commentary:

The fact that Experian waited over seven weeks before notifying customers of the security risk is a serious concern. This delay in notification put customers at risk of identity theft and financial loss. By waiting so long to notify customers, Experian gave identity thieves ample time to access and potentially misuse customer information.

Furthermore, the fact that the security vulnerability persisted for nearly a month is also a cause for concern. This indicates that Experian’s security systems were not effectively detecting or addressing the issue in a timely manner.

This incident highlights the importance of prompt and transparent notification in the event of a security breach. Customers have a right to know if their personal and financial information has been compromised so they can take steps to protect themselves. Additionally, this incident raises questions about the effectiveness of Experian’s security systems and the company’s overall commitment to data privacy and security.

What needs to happen here is there needs to be an investigation from the appropriate government agencies as to the behaviour of Experian in this case. Because quite frankly this is unacceptable and needs to be addressed in the strictest possible way.

Nissan Took Six Months To Notify People Of A Data Breach

Posted in Commentary with tags on January 18, 2023 by itnerd

If you go to The Office Of The Maine Attorney General, and look at this data breach notification, you’ll quickly see the following:

Nissan North America had a data breach last June. Almost 18000 people were affected by this breach, which was caused by “Inadvertent disclosure, Insider wrongdoing”, which means either someone on the inside screwed up or someone on the inside did something nefarious. The breach wasn’t discovered until the end of September, but Nissan North America didn’t let the public know until December.

That sounds pretty bad. But I will get back to that in a second.

Here’s what Nissan said:

The impacted third-party service provider provides software development services to Nissan. Nissan provided certain information to this service provider for processing during the testing of the software.

On June 21, 2022, Nissan received notice that certain data it provided for software testing had inadvertently been exposed by the third-party service provider. During our investigation, on September 26, 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository.

And here’s the information that is now out there:

The information that was potentially accessed or acquired during the time that it was temporarily available on a public repository included your name, date of birth, and NMAC account number. This information did not include your Social Security number or credit card information.

Again, that sounds pretty bad. And I have to admit that my initial reaction was to say “WTF? Six months to notify people?” But here’s an alternate view of this from Ani Chaudhuri, CEO, Dasera:

Though Nissan allegedly took six months to disclose the data breach to the affected parties, it is clear that they took the incident very seriously and moved quickly to contain the damage and protect the affected individuals. We should work to appreciate the transparency and honesty with which they communicated the incident to the public, as any form of a data breach is extremely hard on a company due to potential damage to reputation, revenue, culture, etc. 

One of the key takeaways from this incident is that data breaches can happen to any company, regardless of size or industry. It is important for companies not to be afraid to disclose data breaches publicly, as it raises awareness and helps other organizations learn from the incident. By being open and transparent, Nissan has set an example for other companies to follow.

Moving forward, companies like Nissan can prevent data breaches with a robust data governance and security strategy by providing a framework for managing and protecting sensitive information. Some ways data governance can help prevent data breaches include:

  • Establishing clear policies and procedures for data management: Data governance policies and procedures can set standards for how data is collected, stored, and shared within the organization. By having clear guidelines in place, the organization can reduce the risk of accidental data breaches caused by employees not following proper protocols.
  • Identifying sensitive data: Data governance can help identify sensitive data by classifying data based on its level of sensitivity, and then implementing appropriate controls to protect that data. By identifying sensitive data, Nissan can take the necessary steps to protect it from breaches.
  • Implementing access controls: Data governance can help implement access controls to ensure that only authorized personnel have access to sensitive data. By implementing access controls, Nissan can ensure that vendor employees only have access to the data they need to perform their duties, reducing the risk of breaches caused by unauthorized access.
  • Regularly monitoring and auditing data: Data governance can help implement regular monitoring and auditing of data to detect any anomalies or suspicious activities that could indicate a data breach. By regularly monitoring and auditing data, Nissan can detect a data breach early on and take action to contain the damage and protect the affected individuals.
  • Conducting vendor risk assessment: Data governance can help implement a vendor risk assessment program that allows the organization to assess the security risk of their vendors and make sure that their vendors are meeting the company’s security standards. This can help Nissan to identify potential vulnerabilities and take steps to mitigate them before a data breach occurs.

Overall, a mature data governance and security strategy can help companies like Nissan prevent data breaches by providing a framework for managing and protecting sensitive information, and by identifying and mitigating risk.

While all of that is true, I do wish that the public had known of this sooner. Because the faster the public knows that something like this has happened, the better able the public is to take precautions against threat actors who would use this information for nefarious reasons.

States Introduce New Privacy Laws… With Different Ways That They Are Applied

Posted in Commentary with tags on January 12, 2023 by itnerd

From the start of the new year, we’ve seen the introduction of new privacy laws in California and Virginia. The new legislation in California brings changes to the existing 2018 California Consumer Privacy Act, and Virginia is currently the only other state to also bring in new privacy laws. But they won’t be the last. Connecticut’s and Utah’s privacy laws both come into effect later this year, with Colorado following in 2024. Thus it seems that the ball is starting to roll when it comes to ensuring that privacy is the default in the US. Though there appears to be a lot of variance as to how these laws are applied.

Wade Barisoff, Director of Product, Data Protection, at cybersecurity software and services provider Fortra had this comment:

“As new states contemplate their own flavors of data privacy legislation, the only consistency will be the fact that each new law is different. We are already seeing this now; for example, in California, residents can sue companies for data violations, whereas in others it’s their attorney general’s offices that can impose the fines. In Utah, standards apply to fewer businesses compared to other states. As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of (for example), ‘What’s good for California isn’t good enough for Kansas’ creep in, and this developing complexity will have a significant impact on organizations operating across the country. 

Before GDPR there were (and still are) many different country laws for data privacy. GDPR was significant, not because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled, but it was the first legislation with real teeth. Fines for non-compliance were enough to force companies into action. 

So far, five states have (or will have) individual laws, but there are 45 more yet to come. The amount of money and time companies will spend enacting the proper controls for these individual privacy laws fuels the argument for a more unified national approach to data privacy standards, as the penalties for non-compliance are significant.  Also, as states begin to increase the demands on business, usually without fully understanding the technology landscape and how businesses work with shared and cloud-based technologies, there’s a potential that companies will be forced to make the decision not to conduct business in certain areas. A national approach would allow businesses to tackle data privacy once, but as it stands, with the federated states model, doing business within the U.S. is likely to get more complicated and expensive.”

Hopefully, there will be a move to have a consistent standard for privacy laws across the US, as that benefits consumers and companies. Though I fear that such a move is years away, which is bad for both parties.