I wonder what security checklist they used that did not include such basics?
Alibaba Executives Called In by China Authorities as It Investigates Historic Data Heist
Cybersecurity companies say Alibaba’s cloud platform that hosted Shanghai’s police database used outdated systems that didn’t offer ability to set a password
… Cybersecurity researchers said a dashboard for managing the database had been left open on the public internet without a password for more than a year, making it easy to pilfer and erase its contents.
Inevitable perhaps, fast unlikely.
Different Approaches to Data Privacy: Why EU-US Privacy Alignment in the Months To Come Is Inevitable
Even though it is hardly disputable that origins of modern data privacy, as well as computer technology, are to be found in the US, it is currently the EU with its GDPR that sets the global tone in terms of what is the generally accepted privacy standard, especially for multinational companies operating worldwide.
The reasons for this are many, but in brief the US still does not have a comprehensive, federal privacy law for the private sector. It is discussed for many years now, but there are no signs for anything definite just yet, even though substantial progress is being made in the recent months. Having said that, FTC enforcement against companies failing to protect personally identifiable information, as well as a plethora of state laws, most notably California Consumer Privacy Act, result in de facto privacy standard which in some ways meets or exceeds EU practices. One interesting example would be with the NIST standards and frameworks which, even though primarily intended for federal agencies, are widely adopted on a voluntary basis by private organizations and enable a very refined and mature ways to govern privacy and cybersecurity. Of course, there are still many areas where US privacy falls behind its UE counterpart.
… So why is the EU-US privacy alignment in the immediate future not only possible but de facto inevitable?
Change one little law, impact many others?
https://www.pogowasright.org/anonymization-v-de-identification-post-dobbs-rumblings-from-the-ftc/
Anonymization v. De-Identification, Post-Dobbs; Rumblings from the FTC
Christopher Escobedo Hart of Foley Hoag writes:
When is personal data “anonymized”? The answer to this question has largely been based on jurisdiction. If your business is in the U.S., so long as HIPAA or the CCPA does not govern, then generally aggregated or de-identified data could often be considered “anonymized” for legal compliance purposes. (Both HIPAA and the CCPA have specific requirements for what counts as “de-identified” data.) Under the GDPR, the story has been much more complicated: merely “de-identified” data is not the same as “anonymous” data, and is still governed by the GDPR as “pseudonymous” data in many instances. The point, under the GDPR, is that if it’s still possible to combine or analyze that aggregated or de-identified data in such a way that allows for identification of an individual, then it cannot be truly anonymous.
But businesses should be aware that, post-Dobbs v. Jackson Women’s Health Org. (overturning Roe v. Wade), the U.S. might look more like Europe where the differences between anonymization and de-identification are concerned.
Read more at Security, Privacy and the Law
No comments:
Post a Comment