ICO News

NIST on differential privacy. Panasonic's data breach. Standing in privacy lawsuits. Clearview AI's provisional ICO fine. DNA Diagnostics Center discloses data breach. – The CyberWire

At a glance.

  • NIST on differential privacy.
  • Panasonic’s data breach.
  • Standing in privacy lawsuits.
  • Clearview AI’s provisional ICO fine.
  • DNA Diagnostics Center discloses data breach.

Weighing data results versus privacy risks.

NIST discusses the complexities of finding a utility metric to determine the validity of publicly, differentially private data or statistics. Because no two data sets are the same, and it’s futile to try to determine all the possible ways that data might be analyzed, metrics must be tailor-made for the data in question. Privacy researchers can begin by examining the summary stats of the anonymized data, then inquire what analyses the data users typically implement. Other approaches include measuring the distributional distance between the original and altered data, or relying on global utility metrics or discriminant-based algorithms.

Panasonic suffers a data breach.

Leading Japanese electronics company Panasonic has confirmed it’s investigating a recent data breach, but with few details available so far, it’s unclear exactly what data were exposed. TechCrunch explains that although an early press release stated the breach occurred in November, Panasonic spokesperson Dannea DeLisser has clarified that the breach was detected in November, but actually began in June. On multiple occasions during this time period, an intruder gained unauthorized access to a server containing data on technology, business partners, and employees, and Panasonic is currently investigating to determine whether any of the data were stolen. Security Week notes that approximately a year ago Panasonic India was hit by a ransomware attack that resulted in the hackers leaking 4GB of stolen data. 

Privacy lawsuits: what constitutes sufficient standing?

HealthITSecurity offers updates on several recent privacy lawsuits. A May ransomware attack on US medical institution UF Health Central Florida compromised the data of more than 700,000 individuals. The healthcare provider has requested the dismissal of a lawsuit in which a patient alleges that the attack was the result of UF Health’s negligence, asserting that the plaintiff has not demonstrated cognizable injury. In August, Indiana hospital Eskenazi Health suffered one of the largest healthcare ransomware attacks in history, compromising the data of over 1.5 million individuals, one of whom is filing a lawsuit alleging that the attack resulted in fraudulent charges on her credit card. Meanwhile, a patient was denied class-action status in a lawsuit against West Virginia University Health Systems for a 2016 breach in which a former employee admitted to accessing and stealing patient data. Class-action status was lifted because the court found the patient lacked sufficient standing.

As compromised individuals continue to file lawsuits against the organizations they feel are at fault for exposing their data, BLM asks if there is a limit to compensation in such data breach claims. In one recent case in which a school accidentally sent an email containing private student data to the wrong family, the plaintiff was denied compensation because the court determined the victim did not suffer sufficient distress. However, BLM asserts, similar cases have resulted in the court choosing not to strike out the claim, and it seems there’s no clear way of predicting which way the hammer will fall. That said, defendants are challenging such claims more and more, which could serve to deter plaintiffs from pursuing such claims in the future. 

Clearview AI hit with a provisional fine from UK ICO.

The UK Information Commissioner’s Office (ICO) has declared it is imposing a provisional fine of £17 million (almost $23 million) on tech company Clearview AI for its controversial facial recognition services. Earlier this year, Clearview was found to be scraping public images of UK citizens without the subjects’ consent, which led to a joint investigation by the ICO and the Office of the Australian Information Commissioner (OAIC). Though use of Clearview’s tech is no longer allowed in the UK, it was previously trialed by a number of UK law enforcement agencies. As TechCrunch explains, the ICO has also issued a provisional notice demanding Clearview cease processing UK citizens’ data and erase any data it already possesses. (Earlier this month, the OAIC already ordered Clearview to delete data after determining the company had broken Australian data laws.) A Clearview spokesperson responded, “The UK ICO Commissioner’s assertions are factually and legally incorrect. The company is considering an appeal and further action. Clearview AI provides publicly available information from the internet to law enforcement agencies. To be clear, Clearview AI does not do business in the UK, and does not have any UK customers at this time.” Clearview CEO Hoan Ton-That also expressed his disappointment that the ICO “has misinterpreted my technology and intentions,” stating that the company’s tech has helped UK authorities in fighting crime. 

Ilia Kolochenko, founder of ImmuniWeb, wrote to express his surprise that the fine was as low as it was:

“The 17 million fine is surprisingly small and lenient. Other companies, recently fined for data breaches, for example, were punished with much larger fines whereas much less personal data was stolen. Clearview AI has allegedly collected and processed over 10 billion individual photos without notice, let alone valid consent. The personal life and privacy of many UK and EU residents are jeopardized for commercial gain stemming from the unlawful processing of personal data.

“Furthermore, under GDPR, the highest penalty threshold for a data breach is 2% of infringer’s annual turnover, and 4% for violations like unlawful processing of personal data, making this specific decision of ICO incomprehensible for me. In some notorious cases, like BA, the fine was eventually reduced from hundreds of millions to a signifiable smaller amount, however, for different reasons unrelated to the gravity of the violation.

“Different reports show that there is no consistency between GDPR fines and enforcement priorities among European DPAs, while this decision also demonstrates that even one DPA, like ICO, may have broadly varying decisions that make GDPR enforcement unpredictable. The European Data Protection Board should probably bring more clarity and uniformity to the context by issuing additional guidelines on fines.”

DNA testing firm sustains a data breach.

The Ohio-based testing firm DNA Diagnostics Center, Inc. (“DDC”) has disclosed that it’s sustained a data breach. The data involved are relatively old, collected between 2004 and 2012, but they may include such personal information as Social Security numbers and paycard information. The data are also a corporate legacy: they were collected by a DNA testing firm DDC acquired in 2012.

Trevor Morgan, product manager at comforte AG, commented on what the incident says about the kind of information consumers readily share:

“The DDC data breach demonstrates the breadth of information we as consumers possess and willingly give up to vendors and service providers. While this incident—which reportedly affects over 2 million data subjects—compromised only financial, transactional, and account data, the organization maintains records containing PHI and other sensitive health information too (DNA testing, ancestry information), information that fortunately wasn’t compromised in the incident.

“As consumers, we must have assurances that the organizations which are collecting and processing our most sensitive personal information are handling and storing that data with the utmost care, using the most sophisticated data protection tools. That means more than just applying traditional perimeter-based controls. If your organization possesses such a wide array of sensitive information about your customers, you will want to investigate stronger protection and mitigation methods, such as data-centric security. By tokenizing sensitive data as soon as it enters your data ecosystem, you can keep it in a protected state while still working with the data in your business applications due to data format preservation. Even if threat actors get their hands on the data, it is meaningless and worthless to them, and no sensitive information will be compromised.

 “We need to make sure that businesses that control our sensitive personal information embed the inclination toward data privacy into their organizational DNA. “


Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.