Data privacy is the footprint of our existence. It is our persona beyond ourselves, with traces of us scattered from birth certificates, Social Security numbers, shopping patterns, credit card histories, photographs, mugshots and health records. In a digital world, where memory is converted to 0’s and 1’s, then instantly transformed into a reproduction even in 3D, personal data is an urgent personal and collective subject. Those who wish to live anonymous lives must take extraordinary measures to succeed in that improbable quest, while those who hope for friendship or fame through the spread of their personal data must learn how to prevent theft of their identity and bank account. If you have ideas for interviews or stories, please email [email protected]. The internet in its blooming evolution makes personal data big business – for government, the private sector and denizens of the dark alike. The Data Privacy Detective explores how governments balance the interests of personal privacy with competing needs for public security, public health and other communal goods. It scans the globe for champions, villains, protectors and invaders of personal privacy and for the tools and technology used by individuals, business and government in the great competition between personal privacy and societal good order. We’ll discuss how to guard our privacy by safeguarding the personal data we want to protect. We’ll aim to limit the access others can gain to your sensitive personal data while enjoying the convenience and power of smartphones, Facebook, Google, EBay, PayPal and thousands of devices and sites. We’ll explore how sinister forces seek to penetrate defenses to access data you don’t want them to have. We’ll discover how companies providing us services and devices collect, use and try to exploit or safeguard our personal data. 
And we’ll keep up to date on how governments regulate personal data, including how they themselves create, use and disclose it in an effort to advance public goals in ways that vary dramatically from country to country. For the public good and personal privacy can be at odds. On one hand, governments try to deter terrorist incidents, theft, fraud and other criminal activity by accessing personal data, by collecting and analyzing health data to prevent and control disease and in other ways most people readily accept. On the other hand, many governments view personal privacy as a fundamental human right, with government as guardian of each citizen’s right to privacy. How authorities regulate data privacy is an ongoing balance of public and individual interests. We’ll report statutes, regulations, international agreements and court decisions that determine the balance in favor of one or more of the competing interests. And we’ll explore innovative efforts to transcend government control through blockchain and other technology. In audio posts of 5 to 10 minutes each, you’ll get tips on how to protect your privacy, updates on government efforts to protect or invade personal data, and news of technological developments that shape the speed-of-bit world in which our personal data resides. The laws governing legal advertising in some states require the following statements in any publication of this kind: "THIS IS AN ADVERTISEMENT."
Episode 150 — Nine Million Medical Records Leaked - How can victims find out what happened?
Perry Johnson & Associates (PJ&A) provides medical transcription services to healthcare organizations. Its website states that it offers “secure HIT solutions,” using “multiple U.S. based, secure data centers for documentation storage and disaster recovery.” But in November 2023, PJ&A began informing about nine million people by individually sent letters that “between March 27, 2023 and May 2, 2023, PJ&A learned that an unauthorized party gained access” to its network and “acquired copies of certain files from PJ&A systems.”
A November 2023 TechRadar report summarizes the background:
“A total of 8.95 million individuals are affected, with the stolen data including full names, birth dates, postal addresses, medical records, and hospital account numbers. Furthermore, the hackers took admission diagnoses, as well as dates and times of service. In some cases, the hackers also stole Social Security Numbers (SSN), insurance and clinical information from medical transcription files, and names
30/11/2023 • 12 minutes 57 seconds
Episode 149 - Privacy & blockchain: an open source approach to privacy by design
Blockchain technology. Can it be a solution to privacy risks inherent in traditional IT? How is it different from cryptocurrency? What can it do to allow both individuals and organizations to limit and protect personal information exchanged in daily life?
Explore these questions in Episode 149, with Zenobia Godschalk, head of communications for Swirlds Labs (https://swirldslabs.com). Take a brisk tour of an open-source approach that applies blockchain technology to our evolving web. Learn about Hedera – an open source, leaderless proof-of-stake network. Consider how an individual need not share a lot of personal information when a transaction requires only proof of one thing – such as whether the individual is an adult or whether a person actually is a bank account holder.
Listen for top tips to organizations and individuals about how open-source blockchain technology can minimize risks to personal information and identity theft. Hear how public ledgers for decentralized economies ar
22/11/2023 • 22 minutes 41 seconds
Episode 148 — Post-Quantum Data Privacy: Learnings from a Pioneer
Post-Quantum Data Privacy – what is it? What does it mean for organizations and individuals? That is this episode’s focus. Tune in to learn how one company offers privacy-protective messaging and cryptocurrency services in the age of Web 3.0 and quantum computing. JB Benjamin, the founder of UK-based Kryotech Ltd. (Kryotech Group), provides a tour of Vox Messenger and Vox Wallet. These services employ privacy-centric technology. Explore how our personal information is collected, used, and shared often without our knowledge or approval. Consider how technology beyond passwords is essential to deter unwanted use of our personal information and to minimize rising theft of our financial resources and even our identities.
Quantum computing means an exponentially increased power that can be used to break through lengthy passwords and otherwise hack and misuse data, both personal and organizational. Defenses are also evolving. Post-quantum privacy entails use of double-ratchet encryption, m
16/11/2023 • 23 minutes 47 seconds
Episode 147 — How small and mid-sized organizations can afford privacy by design
How small and mid-sized organizations can afford privacy by design: Making data privacy and security affordable and scalable
Tech giants have vast budgets for cybersecurity and data privacy. But most organizations are small or mid-sized enterprises (SMEs) and can’t afford expensive in-house talent, hardware, and software to combat data piracy or prevent data breaches. How do startups, SMEs, and MSPs create a privacy responsible foundation as they start and grow? How can they make privacy part of their offering to customers? How can they maintain first-class cybersecurity and data privacy as they scale and grow on an affordable budget?
Darren Gallop, co-founder and CEO of Carbide (carbidesecure.com), provides advice on these and other topics in this Episode. With an overview of how secure personal information is today, Darren explains the benefits of starting with a secure privacy-centric foundation on an outsourced basis, then adding essential tools as an organizatio
09/11/2023 • 20 minutes 46 seconds
Episode 146 — October Data Privacy Highlights
October 2023 was a busy month for data privacy. Join our monthly podcast of three major developments in the world of personal information and technology. Our picks are these:
1. On October 30, President Biden issued an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (AI). Noteworthy to Data Privacy was his call for Congress to pass bipartisan data privacy legislation, especially for children, which would be a significant step towards a federal data privacy law. In addition to national security and other features, the EO prioritizes federal support for accelerating privacy-preserving techniques, strengthening privacy-preserving research and technologies, evaluating how agencies collect and use commercially available information, and developing guidelines for federal agencies to evaluate the effectiveness of privacy-preserving techniques. Explore what the Executive can do in the absence of Congressional action on data privacy. FACT SHEET: President Biden Issue
02/11/2023 • 22 minutes 23 seconds
Episode 145 — Malevolent Data Attacks – How To Be Safer Together
Malevolent attacks on data are rising. Misuse of data is an increasingly sophisticated criminal industry. How to defend? Philippe Humeau, a founder and the CEO of CrowdSec (the open-source & collaborative security suite), is our guest. He explains how an open-source approach to editing a collaborative security stack for identifying and sharing malicious IP addresses across a community of users can be a powerful force for good in protecting data against mal-actors.
This episode explores how malevolent data attacks occur and are expanding, how malicious IP addresses can be identified and shared, and how building a community defense can make the internet a safer place for everyone. Learn how open source can improve defenses, how multilayer firewalls function, and how VPNs are addressed in the defense of data. Receive top tips for organizations and individuals on how to protect personal and organizational data.
Time stamps:
03:08 - Malevolent Data Actors
08:03 - Can an open source
26/10/2023 • 15 minutes 28 seconds
Episode 144 — External Data Privacy
External data privacy – what is it? How do current threats to personal data privacy require defenses beyond stronger hardware and software?
Harry Maugans, CEO of Privacy Bee - https://privacybee.com - explains how external data privacy requires us all to think beyond protections provided by organizations to which we belong. Data brokers, AI database collectors, and cybercriminals all seek access to PII (personally identifiable information), which can be used for good and bad purposes and can result in physical and financial risks to individuals. Steps can be taken to safeguard personal information, even of famous individuals who don’t want certain types of information made public or misused about them.
Tune in to Episode 144 to enrich your understanding of privacy-centric thinking and take practical steps in protecting personal data privacy.
Time Stamps:
00:55 — What does 'external data privacy' mean?
08:55 — How do cybercriminals exploit systemic weakness?
11:25 — How does a well-kno
19/10/2023 • 15 minutes 44 seconds
Episode 143 – Mobility and Privacy: How Our Privacy is at Stake While in a Car
Today’s vehicles have cameras looking inside and outside and communicate information about us to third parties as we drive. This supports continuous product improvement by automakers. But it also raises important privacy concerns.
Yevgeny Khessin, Founder and CTO, and Andy Chatham, Co-Founder, of DIMO (https://dimo.zone) take us on a tour of how our privacy is at risk while we are mobile. Episode 143 considers these questions:
How do individuals and vehicles get connected while mobile?
What privacy concerns does the modern vehicle raise?
Who owns our data while mobile?
How can privacy concerns be addressed by privacy-centric automakers?
What can automakers and each of us do to safeguard privacy while mobile?
Time Stamps:
01:28 — In what ways do people share data with their vehicles?
04:00 — What are the privacy concerns?
06:27 — What does DIMO do?
11:12 — Top tips for producers of mobile/vehicle products
15:05 — Top tips for individuals who want to safeguard their privacy
12/10/2023 • 18 minutes 18 seconds
Episode 142 — September 2023 Data Privacy News
Amazon Store challenges the European Union over whether it is a VLOP. What’s that, you ask? Find out and discover how an EU Court issued an early split decision under the EU’s Digital Services Act. America’s first state, Delaware, becomes the 12th state to adopt a comprehensive data privacy code. Google agrees to pay $93 million, strengthen its privacy policies, and be more transparent about location tracking, to settle California claims.
Explore the deeper meaning of these September 2023 data privacy developments. Yugo Nagashima, Brion St. Amour, and Joe Dehner, members of Frost Brown Todd LLP’s Data Privacy and Cyber Security Team, discuss what these events mean for organizations and individuals. Join the dialogue!
Time stamps:
00:33 — Delaware adopts data privacy code
05:20 — Google agrees to pay $93 million
10:48 — EU Court issues split decision under EU’s Digital Services Act
05/10/2023 • 23 minutes 58 seconds
Episode 141 — A.I. and Personal Data Privacy
Artificial intelligence – AI. Headline news, Senators gathering with gurus to figure out what to do, lawsuits, chatbots that offer to be our virtual concierge but then make up stuff in their responses. What’s at stake for our privacy? And what does it mean for us as individuals? Not for us as unwitting data providers or as recipients of communications from machines that can spew misinformation, but as human beings?
Tune in to Episode 141 for a brisk walk down the yellow brick road of AI. Check out what’s behind the wizard’s curtain as AI aims to improve our lives and even to organize them. Consider the front end – is our personal information ours, or is it free for the taking? And the back end – how can a Chatbot affect us when we seek its benefits and cause suffering when it misadventures?
Time stamps:
00:29 — How is data being used to train AI?
09:20 — What can AI providers do to safeguard consumer privacy?
11:56 — What can we do to safeguard our privacy when working with AI?
28/09/2023 • 14 minutes 38 seconds
Episode 140 — DeFi And Privacy
Decentralized Finance – DeFi – is with us and spreading. Tune in to Episode 140 to understand DeFi - how blockchain technology works and what privacy concerns are at stake. Consider a technology that increases the protection of organizational and individual private information when financial transactions are conducted through DeFi instead of traditional buyer-seller information technology.
Anish Mohammed, Co-Founder, CTO, and Chief Scientist of Panther Protocol, explains how DeFi works and the privacy considerations about its use. He discusses with the Detective the ways in which DeFi can be conducted in a way to protect financial data and trading strategies of DeFi participants, as well as how we as individuals can better guard our own identities and wealth.
01:07 — What is DeFi?
06:13 — Panther Protocol
09:49 — Advice for businesses
10:52 — Advice for individuals
21/09/2023 • 13 minutes 13 seconds
Episode 139 — Biometrics & Privacy
Tech giants have invented eyeglasses that can tell us the name of a person we encounter. An image of the person is sent to an AI database. Within seconds, the glasses name the individual we are seeing. Retinal scans, fingerprints, photos posted on Facebook, Fitbit data about heart rate – all represent biometric information about us that is digitized and sent into the data stream.
Imagine how useful such eyeglasses will be to visually impaired persons. The convenience and security of biometric data in making purchases or getting through airline security – undeniable. But also imagine how an authoritarian government or mal-actor can use biometric information teamed with AI to follow and target us. Is privacy dead? Has biometric AI gone too far?
Tune in to Episode 139 for a tour of these profound issues. What are biometrics and how do biometric data get turned into products and services for good and ill? What laws and regulations protect and restrict biometric use? Who owns an individua
14/09/2023 • 15 minutes 51 seconds
Episode 138 — Data Privacy News From August 2023: India’s new Act, Biometrics, and the CFPB
August 2023 was a news-filled month for data privacy. Tune in for a review of top developments:
Biometrics – how Illinois deals with ClearviewAI’s use of facial recognition data and how a new lawsuit challenges Amazon’s and Starbucks’ use of biometric payment systems in New York City
CFPB – how the U.S. Consumer Financial Protection Bureau has declared its intent to regulate data brokers
India – how its newly adopted Digital Personal Data Protection Act charts an independent course to protecting personal digital data privacy of Indian residents.
Brion St. Amour and Yugo Nagashima of Frost Brown Todd LLP’s Data Security and Privacy Team join the Detective on a tour about the meaning of these developments.
Time stamps:
00:10 — Biometrics
06:33 — CFPB
11:48 — India
07/09/2023 • 19 minutes 32 seconds
Episode 137 — Foreign Intelligence & Data Privacy - FBI Access to FISA Databases
The U.S. Government collects data globally about persons and organizations. In doing so, it collects vast amounts of data about U.S. persons “incidental” to collecting foreign intel for national security purposes. Since the Carter Administration when the Foreign Intelligence Surveillance Act (FISA) became law, this has raised conflicts between the personal privacy of U.S. and foreign persons and the Government’s interest in national security and crime prevention. The FBI has accessed FISA databases millions of times through U.S. person queries without a warrant – creating front-page news and raising major concerns from the left and right of politics.
Tune in to understand what is at stake, as Congress considers by December 31, 2023 whether and how to extend FISA. Learn about FISA, the reach of Section 702, how it operates in practice, and how the privacy issues involved affect data flows and commerce between the United States and Europe and the privacy of persons domestic and foreign.
24/08/2023 • 22 minutes 58 seconds
Episode 136 — India's Newly Adopted Digital Personal Data Protection
The world’s most populous country adopted a comprehensive data privacy code in August 2023 – the Digital Personal Data Protection Act. Join this episode for a tour of the law’s main features. A departure from the EU’s GDPR approach and from prior draft bills of the Government, India took a unique approach to protecting digital personal information of its residents. Instead of data localization, it chose to encourage global data flows under relatively flexible standards while requiring reasonable safeguards to prevent data breach.
The law will come into force on a rolling basis in coming months. Stephen Mathias, Bangalore office partner-in-charge and Co-Chair of the Technology Law practice of Kochhar & Co., one of India’s premier large law firms, explains the Act’s main features. Learn the basic approach taken, not only to comply if your organization may be subject to its reach but also to consider how a vast country with highly skilled tech professionals chose to regulate personal data
17/08/2023 • 18 minutes 27 seconds
Episode 135 — Generative AI And Data Privacy - Risks And Regulation
Generative AI – ChatGPT for example. Have you considered how generative AI collects our personal information to provide its benefits in ways that can do us wrong? What can we do about the risks? How should legislators and regulators balance AI’s benefits with our rights to personal privacy?
Rita Garry, a Chicago attorney with the firm of Howard & Howard Attorneys, PLLC, provides data privacy and cybersecurity services with a view to the specifics of each client. Tune in to learn what Generative AI is, how it affects individual privacy, what the recently announced White House five principles for AI regulation are, and what organizations and individuals can do about generative AI.
Time stamps:
05:35 — White House’s AI Bill of Rights
14:00 — Advice on how we can decide how AI uses our data
10/08/2023 • 16 minutes 23 seconds
Episode 134 — Data Privacy News From July 2023: Three major developments
July 2023 was hot – record setting global temperatures. Likewise in the data privacy world. Tune in for an exploration of three top topics in data privacy by Frost Brown Todd’s Yugo Nagashima and Brion St. Amour with the Data Privacy Detective.
Illinois – major Supreme Court decision from the first state to adopt a biometric data privacy law – raising the stakes for businesses in using biometrics in the workplace.
U.S./EU – a third attempt to facilitate personal data flows between the European Union and the United States is deemed “adequate” by the EU – will it work despite two prior failures? What’s the new option for U.S. businesses?
The United Kingdom’s draft Online Safety Bill and Apple’s threat to leave the UK – what’s behind this battle between freedom and law & order in social media? Why is Apple threatening to leave the UK market rather than submit to new proposed rules that would require it to give the UK government a backdoor entry to end-to-end pro-privacy encryption?
Time
03/08/2023 • 26 minutes 39 seconds
Episode 133 — Removing Sensitive Personal Information from the Web
Our personal data is collected, sold, shared, used, and misused in ways most of us cannot imagine. Data brokers that buy and sell our personal information (“PI”) do it behind the scenes and almost always without our knowledge or consent. Data brokers are largely unregulated. What can be done about perils that have led to murder, theft, and other mayhem through easy access to PI?
Tom Daly, CEO of MePrism, takes us on a tour of the consumer privacy landscape. A consumer data privacy company, MePrism programmatically removes people’s sensitive information from the internet. Explore what can be done to protect individuals from swatting, doxxing, and other misuse of their personal information, early state and federal steps towards regulating data sales and sharing, and measures that organizations and individuals can take to prevent mal-actors from gaining ready access to our PI.
27/07/2023 • 24 minutes 51 seconds
Episode 132 — Protecting Our Digital Information: A Blockchain Approach
Who owns our personal data? As technology advances in Web 3.0, traditional software and claims of third parties over what they can do with our personal data are under challenge. Join Chris Were, co-founder and chief architect of the Australian company Verida, to consider how blockchain thinking can allow us to achieve self-sovereign identity. Explore in Episode 132 what this means and how we can take better control of our digital presence.
Understand the meaning of self-sovereign identity, how it aims to secure sensitive information about ourselves and to put us in control of how our digital footprints are used and shared with others. Learn the role of zero-knowledge credentials and how a crypto wallet holding our personal information functions. Explore how digital assistants we engage could help us control our personal information as AI scrapes, stores, employs, and adapts our data in ways we may not approve.
13/07/2023 • 15 minutes 21 seconds
Episode 131 — Top Data Privacy Developments in June 2023: Oregon, California, and TikTok
Oregon, California, and TikTok top the list of data privacy developments of June 2023. Tune in for how Oregon’s new data privacy statute blends the best of California and other state statutes for a comprehensive code and adds a unique twist about who can enforce it. Learn how a California court extended the effective date of a California agency’s regulations drafted to implement the Golden State’s pioneering California Consumer Privacy Act. Consider a whistleblower’s sworn testimony that contradicts TikTok’s long-held position that it does not and will not share personal data of TikTok users with the Chinese Government, despite Chinese law intended to require such reporting on demand.
In concise analysis that digs beneath the headlines, Yugo Nagashima and Brion St. Amour, attorneys on the Data Security and Privacy Team of Frost Brown Todd LLP, share their insights with that of the Data Privacy Detective. Join our podcasts on the first Thursday of each month to probe three top developm
06/07/2023 • 17 minutes 22 seconds
Episode 130 — Privacy In The US Workplace
Employers and employees – how much privacy is there in the workplace? Episode 130 explores this question in the United States. What’s an employee’s reasonable expectation of privacy while working? How do federal and state laws limit employer surveillance of employee activity? What limits are there to an employer’s monitoring of employee use of company time and property?
Employees use company-provided computers, phones, and other property for a variety of personal purposes, often injecting personal information through a company’s IT system. What should employers and employees do about this? And what about departing and former employees – to what extent can or should an employer monitor a departing employee’s data streams or keep a former employee’s personal information?
Annee Duprey, a partner in the Labor & Employment Group of Frost Brown Todd LLP in its Columbus office, and Seth Granda, a senior associate in the firm’s Nashville, Tennessee office, tour this complicated and challengin
29/06/2023 • 23 minutes 36 seconds
Episode 129 - Privacy After Death... Is There Any?
What happens to our personal information after death? What can we or society do about whether any privacy exists for dead people?
Episode 129 considers post-death privacy. Data privacy laws are largely for and about the living and give scant attention to the dead. But a few extend to protect data privacy after death, regarding medical information and dignitary interests of decedents and families. It’s not quite a free-for-all.
Consider how estate plans generally ignore a person’s digital data but could be written to address this important interest. Learn how laws could be crafted to protect the reputational and other interests of deceased persons. Hear how technology can be used to create a digital avatar and project a person’s immortal presence for interactive conversations with great grandchildren and beyond. Think how you might wish to preserve your private information beyond your lifetime.
22/06/2023 • 17 minutes 28 seconds
Episode 128 - Medical Information And Privacy
Our personal medical information is sensitive. It becomes digital data shared beyond the medical professional who requests and needs it to provide care. Learn how our medical information is shared and used in ways that create privacy risks many of us do not wish to assume, how tech companies profit from its use, how federal and state law provide rules about medical privacy, and what companies and individuals can do about the subject.
Our guest Jay Barnes is an attorney with the firm of Simmons Hanly Conroy, which represents consumers and local governments in mass tort and class actions. Jay shares insight into how tech companies collect and use personal medical information to generate profits through customized advertising we may or may not wish to receive. He explores how the underlying principle should be that of giving each person the freedom to choose whether individual medical data can be shared with and used by third parties. Tune in for a segment about what businesses should do
16/06/2023 • 19 minutes 58 seconds
Episode 127 — May 2023 Data Privacy News: Biggest fine in GDPR history and 2 U.S. States adopt codes
Get the latest on data privacy news from May 2023.
Meta is fined about $1.3 billion for transferring European personal data to the States. But what’s underneath this record fine? What does it mean for how personal data rules are enforced in the EU? Are EU standard contractual clauses no longer a safe harbor for trans-Atlantic business?
Washington adopts a data privacy law for health data. Will this be copied by other states as part of the ebb and flow since Roe v. Wade’s overturning?
Texas adopts a comprehensive data privacy code. How does it differ from other states with personal data privacy statutes? What does it portend as this mega-state becomes the tenth state to adopt an overall approach to personal data privacy?
Tune in to Episode 127 to join the conversation.
Time stamps:
00:14 — Meta fined by Ireland
09:10 — Washington State’s new data privacy law
15:00 — Texas’s new data privacy code
01/06/2023 • 21 minutes 21 seconds
Episode 126 - Bail And Data Privacy
Bail decisions are critical in the lives of arrested persons. They come without judgment of guilt or innocence but can mean the deprivation of freedom for individuals as they await trial. But they can also have crushing unintended consequences for persons who become the victims of persons released without bail or on insufficient bail.
Episode 126 takes no position on the headline debates about bail reform. Instead, Ken W. Good takes us on a tour of the privacy issues involved with bail. A thirty-plus-year attorney, Ken is on the board of directors of the Professional Bondsmen of Texas, the voice of the bail industry in that state. What information does a magistrate or judge obtain when deciding on bail? What personal information about the accused individual is available, and does this data become available to the public? Is setting bail an open court matter? Is AI entering the courtroom through algorithms that make risk assessments about accused persons? Tune in to consider this critic
25/05/2023 • 17 minutes 38 seconds
Episode 125 — Identity Orchestration: Are Passwords Obsolete?
Identity orchestration. Explore its meaning. Discover in Episode 125 how identity orchestration can protect data privacy and data security. Founder and CEO of Strata Identity [https://www.strata.io/], Eric Olden explores with us the change under way from passwords and multi-factor authentication to a radically different approach to safeguarding and verifying identities in a world of distributed data. Learn what a blue checkmark will mean within LinkedIn as one example.
Consider how a system of passwords and identity exposure sprinkled among hundreds of applications and sources exposes individuals and organizations to hacking and theft risk at the weakest link. Can technology protect us from ourselves? Learn what OIDC (OpenID Connect) means and how it relates to the ongoing struggle between mal-actors and the rest of us.
Time stamps:
01:12 — What is Identity Orchestration?
04:12 — What is Project Indigo?
07:01 — OIDC - OpenID Connect Protocol
15:25 — Challenges for privacy as technolog
18/05/2023 • 18 minutes 33 seconds
Episode 124 — Data Privacy & the Automobile: Your car is watching, recording, and sharing your data
The modern automobile – a marvel of technology and transportation. It collects enormous amounts of data about us. This information is used for continuous improvement in design and safety and for our convenience. But it also creates risks to personal privacy. Episode 124 provides a tour of what automakers, suppliers, and users can do to create fair controls over how the automobile monitors, records, and shares personal information.
Standard setting includes the Alliance for Automotive Innovation, in its Consumer Privacy Protection Principles. NIST (the National Institute for Standards and Technology) issued 2023 revisions to its Cyber-Security Framework. In the absence of national law or regulation about automotive privacy, these standards are a baseline for acceptable use of automotive generated personal data. Tune in to consider what automotive businesses and private individuals can do to safeguard personal privacy while allowing continuing technological and safety progress. Matt Scha
11/05/2023 • 18 minutes 33 seconds
Episode 123 — April & Data Privacy - 3 States, AI, and Utah’s parental consent for social media law
What do Indiana, Tennessee, and Montana have in common? They adopted comprehensive data privacy laws in April 2023. Explore the similarities and differences and a unique Tennessee provision about national standards. Is a pattern emerging for how the U.S. regulates personal data?
Consider the privacy implications of Artificial Intelligence. Global leaders are racing to understand and decide how to regulate AI. G7 leadership met in Japan on April 29 to consider a joint approach to the dark side of AI. And hear how a request to Google’s Bard resulted in both a text and a refusal to generate a deep fake.
Utah enacts the first state law giving parents control over minors’ use of social media. Whose privacy is paramount before a person reaches age 18? How does Utah’s law address the rights of parents and children in a world of social media with its far-reaching impact on us all?
Time stamps:
00:40 — What do Indiana, Tennessee, and Montana have in common?
02:50 — Tennessee adopts NIST priv
04/05/2023 • 16 minutes
Episode 122 - Shaping A Compliant And Privacy-Centric Data Privacy Policy
How can an organization comply with a wide diversity of privacy laws being adopted and changed across the globe? How does an organization create a compliant and privacy-responsible policy to assure its customers that their privacy will be protected?
Join Rachael Ormiston, Head of Privacy at Osano, as we explore these questions. Osano (https://www.osano.com/) offers a “No Fines, No Penalties Pledge” to its customers. Consider how and why it does this and seeks to offer real-time compliance in an evolving world of data privacy regulation. Hear the trends of data regulation and learn whether there is hope for harmonization across borders for how our personal information is regulated and protected.
Time stamps:
01:28 — What does Osano do?
03:06 — What are the essential elements of a successful privacy policy for a mid-sized organization?
05:55 — How do you aim to create a privacy policy that is compliant with current and futu
27/04/2023 • 15 minutes 18 seconds
Episode 121 - The Battle For Data Privacy: What Does A Mid-Sized Organization Do?
Join Duane Laflotte and Patrick Hynds of Pulsar Security as the Data Privacy Detective asks these essential questions about cyber-crime and data privacy:
How hard is it to break into a website or organization’s IT system?
What are top tips for mid-sized organizations to defeat data attacks?
What’s the future for people seeking a cybersecurity career?
Pulsar Security offers institutions cyber-protection through software and services to prevent data leaks and losses at reasonable cost. Tune in for insights into countering the growing tide of data and identity theft
Time stamps:
02:15 — How hard is it for a bad actor to infiltrate a company's website or IT system?
03:37 — How much safer is HTTPS?
05:50 — What are the top ways a mid-sized business can protect itself from cybercriminals?
07:10 — Why is it important to know which data is flowing through your organization?
09:55 — How often should you
20/04/2023 • 18 minutes 35 seconds
Episode 120 - AI And Data Privacy - Opening The Black Box
Artificial Intelligence and data privacy. Explore their relationship in this episode. It’s a subject little addressed by law or regulators and largely invisible to the public. AI depends on amassing a huge amount of personal information, collected and processed largely without consent or awareness of individuals whose personal information is being used. Once collected by AI businesses, personal data can leak to bad actors. And the services that are AI-driven can result in misapplications and mistaken projections, causing untoward harm to individuals.
Vinay Kumar, CEO and Founder of Arya.ai, opens for us the black box of AI. We consider how ML Observability tools such as AryaXAI can make AI understandable to all stakeholders, including those whose personal data is used to train AI models and create AI-powered services in finance and other fields.
Time stamps:
01:08 — What do AI and data privacy have to do with each other?
04:28 — What is an ML Observability tool?
13/04/2023 • 14 minutes 52 seconds
Episode 119 – News Digest: Data Privacy Developments — ChatGPT, Iowa, Spyware, and TikTok
What do ChatGPT, Iowa, TikTok, and Spyware have in common? They all made data privacy news in March 2023.
Italy’s Data Protection Authority blocked ChatGPT internet use on privacy grounds, the first western government to do so. Iowa became the sixth U.S. state to adopt a comprehensive personal data protection code. President Biden issued an Executive Order against federal use of social media containing spyware, without expressly naming TikTok or China as the targets.
Join the Data Privacy Detective’s conversation with Mike Nitardy and Yugo Nagashima, attorneys with the Data Privacy Team of Frost Brown Todd LLP. Explore the meaning of these developments for data privacy and its place in the world of technology and of us all.
Time stamps:
00:43 — ChatGPT in Italy
06:54 — Iowa develops a comprehensive personal data protection code
12:00 — Executive order against federal use of social media containing spyware
06/04/2023 • 17 minutes 24 seconds
Episode 118 - Africa – Cybercrime and Data Privacy: A Report from South Africa
Prominent South African data privacy attorney Ahmore Burger-Smidt described 2022 as a year of “bloodbath” for personal data privacy in a recent report from her firm Werksmans. The firm manages the Lex Africa Legal Alliance, with members in over twenty-five African countries.
Cybercrime is extensive and growing in Africa, similar to trends evident in the rest of the world.
Cybercriminals employ increasingly sophisticated phishing attacks and business email compromise schemes and have expanded with cryptocurrency attacks and direct entry into data storage and other technology to steal personal data and identities.
African countries have responded through governmental and private sector efforts. South Africa’s Protection of Personal Information Act (POPIA) is about two years in force, with its implementation encouragingly steadfast. Click on Episode 118 for an African view of how the battle between cybercrime and civil society is unfolding.
Time stamps:
01:33 — What cyber crime / da
30/03/2023 • 18 minutes 43 seconds
Episode 117 - GDPR: The First Five Years — Its Influence and Operations
The European Union’s GDPR (General Data Protection Regulation) became effective in May 2018. It declared a thorough and far-reaching set of rules for data privacy and became the global leader in how personal data privacy can be regulated and enhanced. What have almost five years shown? Is it successful? Entrenched? A model others follow? And how does it work in practice in 2023?
Episode 117 considers how GDPR has become an embedded fabric for how personal information flows – or fails to flow – across borders. While an adopted framework within the EU and affecting global business without regard to borders, GDPR has not been copied everywhere. It varies both from the data localization approach of some countries and from the freer market approach of the United States and other countries.
Tune in for what’s happening in early 2023 with GDPR and how it has worked in practice.
Time Stamps:
01:28 — GDPR Fines
03:36 — United Kingdom privacy regime
04:43 — 2023 examples of laws influenced by GD
23/03/2023 • 12 minutes 43 seconds
Episode 116 - Do Not Sell or Share My Personal Information: How easy is it to exercise this right?
Government regulation is moving towards giving consumers the right to stop companies from selling or sharing their personal information. How easy do companies make it for consumers to make this request—and then have it mean something? This episode contrasts two companies that take very different approaches to the question.
One company makes its money through advertising, and to do that it needs to collect and share personal information of those who use its browser and other offerings. Another was fined by the California Attorney General for failing to give its visitors a choice. It now posts a clear and simple way for consumers to stop it from selling or sharing their personal information to others.
Consider in Episode 116 how websites can provide consumers the right to protect their privacy and what consumers can do about it when companies make it difficult or impossible to stop them from selling or sharing their personal data.
Time stamps:
00:30 — Sephora’s privacy policy
07:57 — G
16/03/2023 • 18 minutes 40 seconds
Episode 115 - The Digital Advertising Ecosystem: Privacy and Compliance Challenges
Many of us wonder how the internet knows so much about us. We are barraged with tailored ads as we use the internet. How does this happen? How does this affect the compliance risks of businesses and the data privacy of us all?
Dan Frechtling, CEO of Boltive, explores the digital advertising ecosystem in Episode 115. Explore the sub-terrain of the internet, how it creates advertising revenue that is the business model of many tech firms, how unwanted ads and mal-advertising encroach, how it affects our personal privacy, and how regulation increasingly requires businesses to offer consumers the choice of refusing the sale or sharing of their information. Learn how businesses can minimize risk and avoid compliance violations and how consumers can make privacy choices within their control.
Visit Boltive at https://www.boltive.com/ to learn more about inadvertent data leakage. Visit https://www.linkedin.com/in/frechtling/ to connect with Dan
09/03/2023 • 15 minutes 47 seconds
Episode 114 - News Digest: CA Privacy Rights Act, FTC settlement w/ GoodRX, and proposed EU Data Act
The Data Privacy Detective welcomes Frost Brown Todd attorneys Mike Nitardy and Yugo Nagashima to cover three important developments in the world of data privacy:
- Updates to the California Privacy Rights Act (“CPRA”) – highlights of final regulations just issued
- FTC settlement with GoodRX - the first enforcement of the Health Breach Notification Rule – its meaning for the healthcare industry and us
- European Commission’s proposed “Data Act,” which could radically change the rules of data sharing and stimulate competition in the tech sector
Time stamps:
01:15 - California Privacy Rights Act amendments
07:58 - FTC settlement with GoodRX
11:55 - EU Data Act proposal
02/03/2023 • 17 minutes 58 seconds
Episode 113 - Business Email Compromise Attacks: What Can Be Done?
Business Email Compromise – it’s a major way that global thieves steal trillions of dollars. Bill Repasky, an attorney at Frost Brown Todd LLP, with years of experience in electronic payments and cyber-fraud defense, explains how attacks of this type occur, why they are growing, what can be done to prevent them, and what a business can do if attacked this way.
Common types of Business Email Compromise attacks are what appear to be incoming customer payments, outgoing payments to suppliers of goods and services, and internal attacks (where a mal-actor takes over an employee’s email account at the business). While anti-phishing training is important, it is not enough. Businesses can minimize risk of loss by upgrading institutional defenses this podcast discusses. Tune in for a tune up on how businesses can deal with the rising global crime wave of Business Email Compromise.
Time stamps:
00:46 - What is Business Email Compromise?
03:28 - What businesses are being targeted?
05:35 - W
16/02/2023 • 20 minutes 27 seconds
Bonus Episode - Data Privacy Detective on Privacy Please Podcast Panel Discussion
In this bonus episode, we bring you the Data Privacy Detective's guest appearance on the Privacy Week podcast's "The Privacy Panel Discussion" special.
14/02/2023 • 48 minutes 1 second
Episode 112 - Data Privacy and Canada
Canada and the United States are each other’s major commercial partner. Many U.S. companies have Canadian customers and collect and process personal information about Canadians. They must therefore understand Canada’s and its provinces’ regulation of personal data privacy. The Canadian regulation of data privacy is very complex, with a maze of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws and regulations.
In this conversation with Lyndsay Wasser, a Toronto-based attorney at the Canadian law firm McMillan LLP, the Data Privacy Detective asks what cross-border businesses should know about privacy and data security in Canada, as well as looming changes on the U.S.’s northern horizon.
Time stamps:
01:05 - What is the general state of data privacy and security law and regulation within Canada?
02:33 - What does Quebec do differently?
03:18 - Do foreign companies need to consider individual provincial laws in addition to the feder
09/02/2023 • 15 minutes 24 seconds
Episode 111 - What Is Your Privacy Worth?
“If it’s free, then you are the product.” We carry in our pockets devices that have powerful mechanisms for collecting our information–where we go, what we buy, and even how fast we move. Every time we scroll through social media on our phones, we are submitting extremely precise data about what we might be interested in… even down to how many seconds we slow down to look at an individual post. By using these products and services, we are in effect consenting to this data collection, which comes back to us in the form of targeted advertising.
But is there an alternative? What can we do if we want to use these services but don’t want to give over so much of our personal information? Ryan Patersen’s company Unplugged is betting that there are many people willing to pay more for more privacy. The products and services Unplugged offers present a fascinating test case in how much people value their privacy, and Ryan joins the Data Privacy Detective podcast to tell us all about it.
Learn
02/02/2023 • 17 minutes 4 seconds
Episode 110 - Dutch Treatment: The Netherlands & Tech Giants
Tech giants like Google, Apple, and Facebook incur huge Euro fines from European Union data privacy authorities. This is a “stick” approach, perhaps more like a “club,” of forcing EU rules upon global companies, aiming to force tech giants to change data privacy policies and practices to GDPR’s strict demands.
Enter the Netherlands - with a different way of achieving changes in privacy practices through a joint approach. A January 23, 2023 New York Times article by Natasha Singer highlighted the Dutch carrot and teamwork way of getting companies to embrace EU rules without first resort to financial penalties. This podcast considers how the Dutch treatment – an audit and negotiation approach – offers a successful means of boosting personal privacy through collaborative solutions. Tune in for a refreshing example of how data privacy authorities and technology giants can work together to achieve common personal data privacy goals.
New York Times article - How the Netherlands Is Taming Big
26/01/2023 • 10 minutes 58 seconds
Quick Announcement: Data Privacy Detective on Privacy Week Podcast Palooza (Thursday, Jan 26)
The Data Privacy Detective Joe Dehner will be appearing as part of the LinkedIn Live event, "Privacy Week Podcast Palooza."
Tune in on Thursday, January 26 from 3:00 to 4:00 p.m. EST: https://www.linkedin.com/video/event/urn:li:ugcPost:7021476486180212738/
24/01/2023 • 1 minute 22 seconds
Episode 109 - India and Digital Data Protection
A Third Way Emerges - Light Touch
India – soon to be the world’s most populous country, a fast-growing economy with a highly sophisticated tech sector. It’s a country with a digital rupee in circulation and digital identity cards. Since independence, India has forged an independent path between “east and west.”
About a year ago, the Modi Government withdrew a bill based on Europe’s comprehensive privacy-centric approach to personal data privacy, GDPR. In November 2022, a very different bill was proposed by the Ministry of Electronics and Information Technology – the Digital Data Protection Act. What caused the change and where is India headed?
In Episode 109, Stephen Mathias of the premier Indian law firm Kochhar & Co explains the new approach. Expected to be adopted by mid-2023 in a final form, it is very different from either the GDPR strict and privacy-centric approach or the U.S. model of sectoral and partial rules without an overarching federal code. India’s will use a “light touch
13/01/2023 • 19 minutes 46 seconds
Episode 108 - Identity Management
Identity management. Learn how an automated approach can defend against the rising tide of data hacks, thefts, ransomware attacks, and other assaults on private information. Kevin Dominik Korte, IT Innovation and Growth Strategist of Univention, explains how an automated approach to login and other steps we take to connect to the internet and intranets can reduce the ability of bad actors to succeed in their attacks on IT systems, large and small.
Traditional identity management is more costly and risk prone than what can be designed into an automated IT system that includes privacy and security by design. Consider how digital identities can be managed to increase security and minimize data breach risk in Episode 108.
10/01/2023 • 23 minutes 29 seconds
Episode 107 - The Meaning of the Headlines
November 2022 saw the largest private data privacy settlement in U.S. history, a huge Irish fine of Meta, the UK’s forging an independent path from the EU, and South Dakota entering US/China foreign relations over TikTok.
Tune in to Episode 107, as the Data Privacy Detective searches monthly for learning from privacy and security developments. As cybercrime grows and governments move from data breach punishment to requiring digital systems to embrace privacy-centric security, consider news from the U.S., EU, UK, Australia, India, and South Korea.
03/01/2023 • 15 minutes 32 seconds
Episode 106 - Decentralized Identifiers (DIDs) and Data Privacy
Decentralized identifiers or “DIDs”. Tune in for an exploration of how blockchain and pseudonymization can systematically improve data security and increase users’ control over their digital identities.
Our tour guide is Phillip Shoemaker, the Executive Director of identity.com, a non-profit that provides tools for developers to help organizations identify individuals without compromising their security or privacy. Through this approach, enterprises can de-couple personal identities from users, providing instead a separate digital identity for the user that is not linked to a phone number, address, Social Security number, or other means of identifying the user whose data is otherwise at risk.
Learn what individuals can do to urge governments, regulators, and businesses to arm digital systems with defenses that prevent malicious actors from hacking masses of personal data that are then used to steal and misuse identities and assets. As standards are being developed for software, IoT devices, an
06/12/2022 • 19 minutes 5 seconds
Episode 105 - Breached!
Breached!, published in 2022 by Oxford University Press, reveals how data security law fails because of undue focus on data breaches. It explores what can be done to improve data privacy and limit data theft. Author Daniel Solove, law professor at George Washington University Law School and head of a privacy and security training company serving hundreds of global organizations, explores how laws focus too much on data breach and punishment of companies that are themselves breach victims. This is counterproductive and aggravates rather than addresses the need for heightened data security.
In this podcast, we turn our spyglass to data theft and insecurity and consider whether a holistic, systemic approach is better than a glaring focus on data breach. Emerging legal approaches to defective software and prevention of data theft can better stem the rising tide of cyber-crime and are essential to furthering privacy interests. Learn what you and public officials can do about this and how a
29/11/2022 • 23 minutes 30 seconds
Episode 104 - October 2022 Data Privacy News
October 2022 highlights for data privacy:
- Battle between the U.S. Federal Trade Commission and a data broker over whether the FTC has authority over its practices
- U.S. Government orders federal agencies to push NIST Guideline compliance throughout the software supply chain
- Survey reports 2d quarter jump in data breaches
- France fines Clearview over facial recognition
- A Dutch Court awards a fired employee damages from the employer’s webcam rules
- EU acts to harmonize procedural laws to aid GDPR enforcement
- Biden Administration issues Executive Order at third attempt at a safe harbor approach to allow data transfers between U.S. and EU
- First conviction of a company security chief arising from data breach response
- White House issues Blueprint for an AI Bill of Rights.
Whew! A lot happening. Tune in for the meaning and implications of these events.
23/11/2022 • 14 minutes 11 seconds
Episode 103 - The Future of Data Management
William McKnight, one of the most highly published analysts in information management, offers insights into the future of how big data and artificial intelligence are changing the world. The McKnight Consulting Group is a leading data strategy and implementation firm that helps businesses solve complex problems through the use of growing personal information databases.
Learn from this podcast who is watching us and how our personal data is collected, shared, and used. Discover new analytic uses by enterprises in master data management and how artificial intelligence mines our data to create a burgeoning array of products and services. Hear how AI and other critical technologies will change the world in the next ten years. And consider how this will affect our privacy and what we can do about it.
10/11/2022 • 25 minutes 24 seconds
Episode 102 - Data Brokers and Our Private Location Information
Data brokers acquire and sell data that includes personal location information. This exposes to others visits of women seeking pregnancy healthcare options, the church, synagogue, or mosque we attend, and other sensitive information we would prefer to be kept private. In August 2022, the U.S. Federal Trade Commission sued Kochava, an Idaho-based data broker, claiming that it engages in an unfair business practice by sharing location data it gathers from data sources.
Mike Swift, Chief Global Digital Risk Correspondent for MLex Market Insight, a Lexis-Nexis global news organization, discusses the lawsuit and the vital privacy interests at stake. On October 25, 2022, Kochava filed a motion to dismiss and earlier preemptively sued the FTC. Kochava aggressively argues that the FTC lacks authority to make its claims and that data brokers serve an important, positive function.
The Kochava suit will test whether there is federal authority to regulate the sharing of sensitive private inform
08/11/2022 • 24 minutes 12 seconds
Episode 101 - Data Breaches - The impact on consumers and company personnel
Data breaches are now daily news, like weather reports. Podcast 101 digs beneath the headlines into what happens with data incidents that result in breaches – where our personal information goes, whether it’s ever truly recoverable, what businesses can do to prevent and address breaches, what consumers can do about it, and how one company officer became the first U.S. person to be criminally convicted for mishandling a company’s data breach.
Andy Lunsford, founder/CEO of BreachRx, offers insights and advice for what companies and individuals can do about data breaches. Companies that have a data response plan in place and test it in advance are best positioned to deal with them. The October 5, 2022 conviction of Uber’s former Chief Information Security Officer highlighted the rising risks involved for business officers charged with data breach management. Consumers can act immediately when informed that their data was breached. Despite the need for a global standard about data brea
28/10/2022 • 20 minutes 56 seconds
Episode 100 - Spell-Jacking: Addressing a threat to personal data privacy
Spell-jacking: a new word emerging from the tech world. Learn its meaning and what can be done to protect personal data privacy. We use convenient third-party features on websites that can expose highly sensitive information about us without our even suspecting this is happening.
When we use spellcheck on a website, this can send the entire form we are working on to “the cloud.” The information is in flight and can be shared (or hacked) in unexpected ways. A September 2022 study by otto-js, a JavaScript security firm, found that the vast majority of enterprise websites send data with Personal Identifying Information (PII) back to Google or Microsoft when users access Chrome Enhanced Spellcheck or Microsoft Edge Editor. This can release passwords, Social Security numbers, and other personal information users would not approve. Through enabled features that are convenient for users (such as spellcheck or “show my password”), personal data is being shared in ways individuals did not expr
17/10/2022 • 22 minutes 21 seconds
Episode 99 - National Cybersecurity Awareness Month
Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). For more information about ways to keep you and your family safe.
1. Instagram fined 405M Euros for GDPR violations.
2. Google and Meta were fined a total of $72 million by South Korea’s Privacy and Protection Commission for tracking behavior on other sites without consumer approval, then using that data for advertising.
3. The Internal Revenue Service acknowledged Friday that it had inadvertently exposed a batch of taxpayer information linked to some non-profits and other tax-exempt organizations, following a Wall Street Journal report that said as many as 120,000 individuals may have been affected by the error.
4. While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering. At its peak the database held over 800 million record
05/10/2022 • 16 minutes 55 seconds
Episode 98 - “Do not sell my personal information”
How a California statute works in practice
In August 2022, California’s Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), California requires companies subject to its laws to give their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora’s website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires.
Sephora promptly changed its website. But how? This podcast discusses how in this CCPA example, the consumer’s ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word “sell” itself has no settled definition. Sephora argued that it was merely “sharing” rather than “selling” its customers’ personal information to other businesses, but the attorney general disagreed. The California Privacy Rights
04/10/2022 • 14 minutes 52 seconds
Episode 97 - Data Privacy Happenings in August 2022
Get an update on lawsuits launched and settled in August 2022. Consider FBI warnings about DeFi platforms and CISA declarations about protecting critical infrastructure. Learn of a draft bill circulating in California about an age-appropriate code for websites. A data broker is sued by the Federal Trade Commission for selling geolocation data that can be used to track who’s visiting a women’s reproductive health center, an addiction treatment facility, and everywhere else a smartphone travels.
Tune in for this September 2022 update of what’s been happening in data privacy and cybersecurity.
08/09/2022 • 11 minutes 8 seconds
Episode 96 - We Are Being Watched, Recorded, and Targeted by “Things”
Data privacy and the laws that protect our personal information mostly deal with digital data and data equipment like computers and smartphones. But the Internet of Things – IoT – is meeting data infrastructure (listen to Episode 90 about the Edge for more on that). Things we don’t think of as data collectors collect our personal information and share it with others, often without our notice or consent, and sometimes in ways we do not want.
Is the law ready to deal with this? Daniel Murray, an intellectual property and technology transactions attorney at Frost Brown Todd LLC, joins the Detective in exploring the issues. With a mishmash of state and federal rules, the U.S. lacks a comprehensive data privacy code. International laws differ greatly, some granting control to individuals over their personal data and others giving central government authorities almost total control over personal data about residents.
As IoT devices, including automobiles and home furnishings, watch and rec
30/08/2022 • 18 minutes 33 seconds
Episode 95 - Russia Ratchets Control of the Russian Internet
Data localization – we’ve devoted several episodes to what countries are doing to control and restrict data flows involving their residents. What happens when there’s a war (or “military operation” if you prefer) going on? Do recent actions by the Russian government reflect a growing trend toward a splinternet, treating data as though it were national cattle being locked within a corral? Or is this more a reaction to sanctions imposed by other nations, having little to do with data?
This podcast considers how data localization is on the rise in democracies like Indonesia, but India’s government shelved a draft national data law that would have increased control and domestication of data after pressure and objection from its broader society. With Yugo Nagashima, a Frost Brown Todd attorney focused on international and domestic data privacy and technology, we discuss expanding fines and Russia’s seizure of Google’s Russian subsidiary’s bank account, aiming to force U.S. and other non-Russ
19/08/2022 • 17 minutes 50 seconds
Episode 94 - Cryptography and Data Privacy
Cryptography comes from the ancient Greek word “cryptos,” meaning “hidden” or “secret.” Encryption is a cybersecurity pillar, a key defense against invasion of our privacy. But it may be underappreciated in practice. Tune in to learn about the growing need for encryption technology to combat the rising tide of cyber-attacks. A recent report by the Port of Los Angeles to the FBI indicated that it suffers from over one million cyber-attacks per day.
Dan Draper, CEO and Founder of CipherStash, explains from his home in Sydney, Australia the role of cryptography in protecting sensitive personal and other information. Dan’s company provides a data storage platform for sensitive data that uses searchable encryption technology to protect against attacks. Dan discusses how encryption protects personal data and how traditional databases are vulnerable to hacking and other risks. Learn why cryptography is becoming increasingly crucial in guarding data privacy and why Dan is optimistic about th
01/08/2022 • 17 minutes 4 seconds
Episode 93 - 5G and Data Privacy
5G is the buzzword for the new generation of mobile networking. It brings blazing speed to digital communication. With that comes concern about the impact on our privacy.
5G speeds up data sharing – the good, the bad, the annoying, the criminal. With the emergence of the Edge linking devices and data infrastructure (DPD podcast 90), 5G shares information in virtual real-time about your health, your highway speed, your browsing and entertainment, your choices in a grocery store, and your location. In equally instant time, this data will be shared by a growing number of companies and people watching and listening to us (known and unknown), who will turn the information into benefits for themselves and risks for your privacy. National security is also at stake. Criminal elements will exploit the benefits, along with governments foreign and domestic.
Explore in this episode the intersection of 5G and personal information. What does 5G mean for data privacy and what can the U.S. Governmen
29/07/2022 • 24 minutes 13 seconds
Episode 92 - TikTok and Data Privacy
TikTok built a global platform sharing short videos of wild and wonderful doings of people, animals, and things. It is the first Chinese-owned company to create a global base of more than a billion users. What are the risks to personal data privacy from TikTok? How can regular users and influencers protect their personal privacy while using TikTok? How different are the TikTok risks from those of other social media companies that are not owned in part by the Chinese Government?
Our guest is Ben Kunde, a Certified Fraud Examiner who leads the international investigations practice at Interfor. Starting with a tragic story about a 13-year-old girl who amassed a million fans that included a demented stalker, Ben discusses prudent privacy measures individuals can take to enjoy a platform’s offerings without needlessly sharing personal data. We also consider controls a country can take when a foreign-owned media giant creates risks to minors and others and what reasonable measures can apply
17/07/2022 • 21 minutes 47 seconds
Episode 91 - Data Privacy and Abortion
With the reversal of Roe v. Wade by the U.S. Supreme Court, data privacy becomes a more important issue than ever. This podcast considers how highly personal, sensitive information about the period between conception and birth is shared and used, how prosecutors obtain and use digital evidence, and how private parties obtain information about women considering their options.
Learn how individuals can protect their digital healthcare data against unwanted future use by third parties. Consider how a person can safeguard thoughts, considerations, and decisions about intimate personal matters, including the consequences of pregnancy termination. In the uncertainty of what individual states will impose on women’s healthcare and decisions, understand what steps one can take to protect personal digital privacy.
06/07/2022 • 17 minutes 42 seconds
Episode 90 - The Edge and Personal Data Privacy
Protecting and using personal information has focused on computer and software technology. With the Internet of Things (IoT), the Edge has arrived – the place where devices and traditional data infrastructure connect. Niranjan Maka takes us on a tour of the Edge and explains what it means to enterprises and individuals and the risks the Edge creates for us all.
Niranjan heads SmartHub.ai, an Edge company spun out from VMware, focused on bringing AI/ML powered management and monitoring to IoT/Edge devices. Our physical presence is replete with millions of siloed devices and sensors that collect, process, and share our personal information and enterprise data. As a veteran holding leadership positions at companies like RSA Security, Niranjan explains how we must become aware of the devices and sensors that are constantly with us and how the Edge changes how enterprises and individuals manage data and affect how our personal information is gathered
14/06/2022 • 26 minutes 51 seconds
Episode 89 - Restaurants and Personal Data Privacy
What’s at stake as Congress considers a national data privacy law? The National Restaurant Association is the leading U.S. trade association for the restaurant and foodservice industry, representing thousands of members from the largest chain to solo providers. Brennan Duckett, its Director of Technology and Innovation Policy, discusses the key issues for the restaurant industry as Congress debates whether to adopt a national data privacy law. The “Three Corners Bill” recently introduced with bipartisan and bicameral support endorses substantial federal preemption of state law and a limited private right of action for substantial and individualized harm. How does a major industry see this proposal, and what are the changes needed before it is enacted?
Our personal data is shared when we order, pay for, and receive a meal. Restaurants and food service companies can be both data controllers and data processors. They interact with other companies that are data processors and controllers
10/06/2022 • 26 minutes 5 seconds
Episode 88 - India’s Six-Hour Deadline to Report Cyberattacks to Government
Under a new cybersecurity regulation that comes into force at the end of June 2022, businesses in India will have six hours to report cyberattacks to the government. On April 28, 2022, the Indian Computer Emergency Response Team – CERT – part of the Ministry of Electronics and Information Technology, announced regulations that include the world’s most time-sensitive deadline for reporting cyber incidents to the government.
Stephen Mathias, head of the Technology Law Practice at the premier Indian law firm Kochhar & Co., presents the substance, challenges, and ambiguities of this pioneering effort. The regulation covers cyberattacks regardless of whether personal data is involved. In comparison to other global reporting requirements (such as GDPR’s 72-hour deadline for reporting breaches of personal data), the 6-hour deadline is daunting and perhaps unworkable. Wording covers attacks even if not successful, in effect requiring Indian businesses to report in
22/05/2022 • 15 minutes 43 seconds
Episode 87 - Japan’s Data Privacy Approach
Japan is a major U.S. ally commercially and otherwise. What is the Japanese approach to personal data privacy, and how does it differ from the U.S.’s privacy culture?
Erik Jacobs addresses the differences in how privacy is conceived and addressed in Japan in contrast to the complex U.S. system that has no overarching federal law about how our personal information is collected, stored, sold, and otherwise handled. Erik advised the White House Office of Science and Technology and coordinated policy at the U.S. Energy Department during the prior administration. Fluent in Japanese and English, Erik is now Policy Manager for the U.S. and Asia at Access Partnership, a leading global public policy firm dedicated to opening markets for technology. He discusses the Japanese attitude toward privacy policy and Japan’s 2022 Act on Protection of Personal Information (APPI), a comprehensive personal data privacy code that augments sectoral and other laws governing the flow of personal data.
Tune i
16/05/2022 • 16 minutes 59 seconds
Episode 86 - Blockchain and Privacy - The First Imposition of U.S. Sanctions
Blockchain. Does it protect personal privacy? Is it a tool that can evade the law? How should we think about the relationship between blockchain technology and individual privacy?
In this first of a series of podcast episodes about blockchain and privacy, we turn our spotlight on the first use of U.S. Government sanctions against a cryptocurrency mining company. On April 20, 2022, the U.S. sanctioned the Russian-Swiss Bitriver conglomerate, as part of its response to Russia’s 2022 invasion of Ukraine.
Consider how blockchain and privacy interact and what it means for the future of this technology, the use of cryptocurrency, and the ongoing contest between government and personal privacy.
25/04/2022 • 11 minutes 49 seconds
Episode 85 - Japan’s New Data Privacy Act, 4 Key Developments
Japan’s Act on the Protection of Personal Information (APPI) becomes effective on April 1, 2022. The APPI strengthens the country’s comprehensive personal data privacy code and affects all businesses that collect or process personal information of Japanese residents.
Yugo Nagashima of Frost Brown Todd LLC explores four key developments that affect global business:
1. “Person Related Information” – a new category of data – with consent required to transfer such data to a person related information handler.
2. Extra-Territorial Reach – Instead of an adequacy approach (like the EU), Japan requires a business that will handle Japanese personal information outside Japan to have the consent of those persons after a clear description of the data privacy laws of the foreign jurisdiction.
3. Data Breach Notification – A two-step notification process is mandatory for data breaches, with a low threshold of 1,000 persons triggering a mandatory notification.
4. Pseudonymous Information – Speci
31/03/2022 • 17 minutes 3 seconds
Episode 84 - The Role of EU Data Protection Officers
The data protection laws of the European Union require many European and other companies holding or processing personal information of EU residents to appoint a Data Protection Officer – a DPO. This role creates a triangle of DPO duties – with responsibilities to the individuals whose personal information is at stake, to the company the DPO serves, and to the Data Protection Authorities who enforce GDPR.
Marie Penot provides outsourced DPO services to companies in German, French, and English from her own German consultancy. We explore with her the working life of an outsourced DPO. Learn how companies benefit from the independent role of a DPO regarding EU residents’ personal data. Explore advantages and disadvantages of an outsourced DPO instead of one appointed internally.
21/03/2022 • 19 minutes 17 seconds
Episode 83 - Ethical Hacking and Data System Assessments
Hacking – it gets a bad rap. For good reason. It’s associated with bad actors who infiltrate an IT system and steal organizational and personal information for criminal purposes. But hacking is simply an activity. Ethical hacking is a means for companies and people to test their data systems and prevent bad actors from getting into them. Ethical hacking is a tool to protect data by upgrading defenses.
André Sollner is Global CFO of wizlynx group, a global ethical hacking and penetration testing provider. André holds numerous certifications over a 20+-year career in cybersecurity, including that of Certified Data Privacy Solutions Engineer. He is our tour guide for how a system assessment is conducted in five phases, from understanding and mapping an IT system and all points of entry, to a final assessment and report after the system is ethically attacked.
This podcast episode will inform you about preventive system assessments that can fortify defenses against data theft, ransomware at
17/02/2022 • 21 minutes 39 seconds
Episode 82 - India’s Imminent Data Privacy Law
India is about to enact a far-reaching Data Privacy Law. Expected to be passed by April 2022 and in force as early as the first quarter of 2023, it represents a far-reaching comprehensive approach based on but extending beyond the model of the European Union’s GDPR. It would govern not only personal information but how non-personal data is collected and processed across borders.
The bill would force global companies that gather and use data of Indian residents – or that have personal data of non-Indian persons processed by India’s stellar offshoring/outsourcing industry – to reconsider existing privacy policies and procedures. By including non-personal data and introducing measures of data localization, India’s novel approach would represent perhaps the most onerous and strict national policy about data collection, storage, and use.
Join this excursion to India, guided by Stephen Mathias, head of the Technology Law Practice at Kochhar & Co. (https://kochhar.com), one of India’s premier multi-city
11/02/2022 • 19 minutes 9 seconds
Episode 81 - Quantum Computing and Data Privacy: Does a Privacy Apocalypse Draw Near?
Quantum computing – some view its emergence as heralding the end of data privacy. It threatens to penetrate encryption used in conventional computing to give hackers ready access to digital data. What will quantum computing mean for our privacy and the digital world? And what can we do to defend against its perils?
Our guest is Ken Morris, CEO of KnectIQ, a company that provides beyond military grade identity, authentication, access, and data protection solutions for highly sensitive environments. Explore the meaning of quantum computing - its promise, timing, and limitations, as well as the defenses against attackers who will harness it to steal and misuse our data. Learn the two schools of thought about defenses to data theft when quantum computing empowers bad actors as never before.
This podcast will force you to rethink cryptography as the sole defense against data loss. Learn how we can better protect data by dealing
28/01/2022 • 17 minutes 18 seconds
Episode 80 - Backup and Privacy
Backup – what does it have to do with protecting data privacy? And how does a backup service work? What should businesses and individuals know about backing up their digital data? On one hand, a backup of data provides a second target for data thieves. Not properly handled, backups can increase privacy risks. But without a backup of data, it can be lost and subject to exfiltration by thieves who steal or freeze the data held by businesses and government, the prime targets of ransomware criminals.
This podcast explores the world of backup with W. Curtis Preston, sometimes referred to as Mr. Backup. Host of the podcast series “Restore It All,” author of books, veteran of the data backup business, and Chief Technical Evangelist for Druva (www.druva.com), our guest will take you on a tour of a business and service little understood but vital for protecting and recovering data in case of loss.
Learn the meaning and importance in tech field lingo of “regular expressions” and “immutability.
24/01/2022 • 22 minutes 57 seconds
Episode 79 - Data Localization - The Case of Taiwan
Taiwan occupies a unique geopolitical position – with a substantial population and robust economy, it lacks formal diplomatic recognition by most countries and is considered by the People’s Republic to be rightfully part of it. Taiwan has its own system and laws. How does it approach personal data flows beyond its borders?
Taiwan has a comprehensive personal data privacy law with a GDPR-similar approach. It provides more flexibility than the EU in how Taiwanese personal information is collected and processed. There is no express extraterritorial reach to its law. But Taiwan businesses must comply with rules on handling data they collect and can be held criminally and civilly liable for exporting data that infringes Taiwan principles.
There are statutory exceptions to the relatively free ability for cross-border sharing and processing of personal data. Taiwan’s financial regulator requires financial institutions to obtain consent for the export of personal financial data. Taiwan prohi
14/01/2022 • 13 minutes 38 seconds
Episode 78 - Data Localization - The Case of Turkey
Turkey is the first 2022 stop on our global tour about data localization. What is Turkey’s approach to cross-border transfers of personal data about its citizens and residents?
Turkey’s Law on Protection of Personal Data is comprehensive and similar to the European Union’s former Data Protection Directive, though it differs in some respects. Data localization is not part of this existing Turkish law. Instead, Turkey takes a sectoral approach to cross-border collection and processing of personal data of its residents. Turkish banks must collect and store Turkish customer data within Turkey. Data localization requirements apply to payment and electronic money institutions, forcing companies like PayPal or Venmo to locate a payment system within Turkey and to comply with Turkish data privacy regulations. Social media providers must register with and report every six months to Turkish authorities about Turkish social media users.
In August 2021, the Turkish Data Protection Authority (KVKK) p
05/01/2022 • 16 minutes 43 seconds
Episode 77 - Data Localization - The Case of Singapore
The Data Privacy Detective turns his data localization spotlight on the island nation of Singapore. With a per capita income 64% higher than the United Kingdom’s and a free-market economy that depends on global trade and commerce, Singapore takes a very different approach from China, Russia, India, and other countries that strive to localize their residents’ personal information.
Singapore’s Personal Data Protection Act (2012) provides a comprehensive set of rules protecting the personal information of its residents. Like GDPR in scope, it differs in its flexible approach to balancing privacy and national security protections. In 2020 Singapore’s Monetary Authority and the U.S. Treasury issued a joint statement opposing data localization requirements, calling them a risk to cybersecurity and economic growth. They called instead for data mobility in financial services as a spur to innovative services and economic growth and as a more effective approach to risk management and cross
27/12/2021 • 15 minutes 39 seconds
Episode 76 - Data Localization - The Case of Australia
Our prior podcast episodes detailed how China, Russia, and to a lesser extent India have created barriers to the free flow of personal information across borders. Data localization, sometimes called data nationalization, is the practice of governments to restrict or regulate closely how personal information of their citizens can be collected or shared outside a country.
This podcast episode looks at how Australia, a free-market country, is handling personal data transfers. Australia has no broad data localization requirements. But it restricts the export of medical information about its residents. Electronic health records with personally identifiable information cannot be transferred or processed outside Australia.
Australia’s Privacy Act, an early national data privacy law (1988), is comprehensive and different from GDPR. Collecting personal information is possible only if “reasonably necessary,” so does not require express consent. But Australia is protective of its citizens’ pr
06/12/2021 • 12 minutes 57 seconds
Episode 75 - Data Localization - The Case of Russia
We turn to Russia in our data localization series. Russia’s 2015 personal data protection law requires “data operators” to collect and keep information about Russian residents within Russia. It forces them to keep personal data about its citizens on a Russian-located server, which must at all times keep at least as much data as is kept on a company’s servers outside Russia. This law resulted in LinkedIn’s being blocked from the Russian internet in 2016 for failing to do this.
In 2019 Russia expanded the authority of its regulator, Roskomnadzor, to levy fines instead of being limited to blocking for violations. While the fines are modest in amount, this lets regulators allow popular sites into Russia while insisting on data localization Russian style. In July 2021, Russia began requiring giant social media companies to establish a Russian presence to connect with Russian citizens.
It’s believed that more than 600 foreign companies have registered with Russian authorities to participa
09/11/2021 • 11 minutes 42 seconds
Episode 74 - Data Localization - The Case of India
In this second podcast episode about data localization, we spotlight India. Since 1993 the world’s largest democracy has enacted data localization laws aiming to keep certain personal records within India or otherwise restrict data transfers of Indians’ personal data. When in 2017 the Indian Supreme Court found personal privacy to be a fundamental constitutional right, a Personal Data Protection Bill (PDPB) was promptly drafted. It has since been percolating towards adoption. The draft bill defines certain personal data as “critical” and so must be stored only within India. Other data is called “sensitive,” and may be processed outside of India with a copy kept within India. A third category of “regular” data could be transferred abroad, pursuant to data transfer rules.
Unlike China, reviewed in the last podcast episode (episode 73), India has a robust tech industry heavily involved in processing foreign data. India processes more personal data than any other country, so that parochia
02/11/2021 • 12 minutes 1 second
Episode 73 - Data Localization - The Case of China
The internet and the worldwide web – the words envision a global communications system that transcends national borders. But the reality differs. Is it increasingly the splinternet? Is www really a series of webs that don’t connect globally? And how is our privacy affected by data fences and controls erected by nations?
In this first of a series, we explore how China deals with personal information of its residents. China collects a vast array of personal information about its people – financial, judicial, commercial, societal, and governmental. These are the five pillars of China’s Social Credit System, which aims to reward loyal and trustworthy citizens and penalize others, based on information collected about Chinese residents. Individuals are white-listed or black-listed to be rewarded or penalized, based on personal data collected, analyzed, and applied by the Government to encourage a socially proper citizenry.
China has an extensive and evolving set of laws, including recent c
18/10/2021 • 19 minutes 46 seconds
Episode 72 - Personal Privacy Within Your Home
Home is our private place. But in the digital age, how private are our homes? And what can we do to protect our privacy from home invaders? 66% of us rate our highest privacy concern as being viewed through cameras in our own homes, according to a safehome.org June 2021 survey. Explore in this podcast how home devices are watching, listening, collecting, and sharing our personal data and steps we can take to limit unwanted intrusions.
Terry Rankhorn, a 22-year FBI veteran and founder of Rankhorn & Associates, conducts home and business sweeps to protect clients’ personal data and safety. Computers, televisions, smart thermostats, Alexa and Siri, even dog bowls collect and broadcast our personal data in unimagined ways, jeopardizing our privacy and security. Mr. Rankhorn explains the first step to increase home privacy is to know what devices we have and which ones collect and broadcast our data. We can delete devices we don’t need or want and use privacy setting choices and common-sen
30/09/2021 • 19 minutes 11 seconds
Episode 71 - Doxing and Kentucky’s Pioneering Anti-Doxing Statute
Kentucky is perhaps the first state to adopt a comprehensive anti-doxing statute that creates a civil tort of doxing, as well as providing explicit criminal penalties for defined doxing conduct. It allows Kentucky residents to sue someone for intentionally disseminating their personal identifying information (PII) with an intent to intimidate, abuse, threaten, harass, or frighten a person or immediate family or household member.
In this podcast episode, Justin Fowles, an attorney in Frost Brown Todd LLC's Louisville, Kentucky office, shares key insights on what the new law contains and could mean for individuals' and businesses' online behavior.
What is doxxing – or is it doxing? This word entered the Merriam-Webster Dictionary in the 21st century. It defines “dox” as a verb – “to publicly identify or publish private information about (someone) especially as a form of punishment or revenge.”
Today it connotes cyberbullying or troll harassment by posting personal information about
30/08/2021 • 18 minutes 53 seconds
Episode 70 - Backup Copies: Preserving Your Privacy and Business Data
Mike Potter’s cat bounced on his keyboard years ago. His hard drive cratered, and he lost his data. But he turned this disaster from feline treachery into a career and a company. Backing up data is an essential part of data privacy and retention for businesses as well as for people. Why is this, how does it work, and what’s the impact on how we keep and protect our data?
Mike Potter is CEO of Rewind, an Ottawa, Canada based company that backs up, restores, and copies to its cloud critical information businesses store in their SaaS (Software as a Service) applications. Apps sit atop a user’s platform. Not unlike cats, they can cause problems. Ransomware attacks, employee mistakes, and many other forces can cause a business to lose essential data even when the platform itself is running well. Having a readily available backup copy can allow a business to continue its customer connections, its bookkeeping, and other essential functions without material disruption. That’s the business of
17/08/2021 • 17 minutes 49 seconds
Episode 69 - Ransomware, Negotiating With Digital Kidnappers
Ransomware. It’s in the headlines. It’s digital organized crime across borders.
When an organization’s IT system freezes with its data locked by a ransomware gang, what happens? Ransom is demanded, and ransom often gets paid. But how does this work?
In this podcast episode, Bill Repasky, attorney with Frost Brown Todd LLC, shares key insights on the process of negotiating with ransomware criminals. They want payment in cryptocurrency. Victims want their data and systems restored. This becomes a business transaction. But not a typical one.
Ransomware strikes in 2021 involve highly sophisticated criminal syndicates. To them it’s about the money. When they strike a target and freeze the organization’s ability to operate an IT system, they reveal their digital identity and dictate how to send a ransom payment. The target may be willing to pay – but should do so only after negotiations to ensure that the payment will accomplish two essential objectives – (1) providing a decryption key to
27/07/2021 • 16 minutes 18 seconds
Episode 68 - Catching Cyber-Criminals With Digital Forensics
Ransomware attacks, data breaches, digital theft – on the rise. Who are the cyber-criminals? Can they be traced? And what can a company do to minimize risk and respond to an incident?
Joining us for a tour of the dark side of the digital age is Bill Corbitt, Vice President of Digital Forensics and Incident Response at Intersec Worldwide (www.intersecworldwide.com), a US-based team of former federal cybersecurity experts who have worked on some of the world’s largest security breaches. The firm was named a 2021 top Digital Forensics & Incident Response firm by Enterprise Security Magazine. Bill’s team has addressed serious incidents for many Fortune 100 companies. In this podcast episode he shares insights into dealing with ransomware attacks, data theft, and the aftermath.
Ransomware attacks are conducted by sophisticated criminal enterprises, usually operating from data havens where government seldom prosecutes them for attacks abroad. They probe for vulnerabilities and find attack v
07/07/2021 • 19 minutes 27 seconds
Episode 67 - Data Flows After Brexit... For Now
Europe finds UK data privacy system adequate, for now. On June 28, 2021, the European Union granted two adequacy decisions to the United Kingdom for personal privacy purposes.
1. Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation
2. Decision on the adequate protection of personal data by the United Kingdom - Law Enforcement Directive
This assures, for now, that data flows between the EU and UK can continue without restrictions. But for the first time, the EU’s decisions were not permanent and will last only four years. What’s going on?
Because of Brexit, the UK and the EU reached a transition agreement at the end of 2020. This included six months for the UK and EU to reach an agreement about data privacy flows. The deadline approached, and the EU decision was made just in time (the UK had already issued its own adequacy decision regarding data going to the EU). Had it not been made, one estimate was that UK businesses wou
01/07/2021 • 10 minutes 25 seconds
Episode 66 - Phone Scams and You
This is a true story of a phone scam of May 2021. The Data Privacy Detective got a call on the home landline.
This scam will succeed in stealing money from countless Americans. It’s targeted particularly at older people who dearly love their television, especially during pandemic times.
You can see the tricks and traps in this scam. Of course, the best defense is not to answer such calls at all, but then how can one know that a local number is not an old friend or acquaintance calling for a good reason?
If you get a call like this, write down the details. Share them with the fraud hotline of the company being impersonated. Notify the FBI and the Federal Trade Commission if you have the time. This builds a file on these entities. Though it’s unlikely that law enforcement will be able to shut down the criminal syndicates and others active in this fund-raising activity, it will build the awareness that our privacy is attacked through such intrusions. Without greater regulation and defe
09/05/2021 • 13 minutes 35 seconds
Episode 65 - Ransomware Basics
This podcast episode explores ransomware from preventive, legal, and communications angles. While there’s no 100% effective vaccination against a ransomware attack, there are steps enterprises and each of us can take to beware, prepare, and take care.
Ransomware. It’s the modern equivalent of kidnapping – except people aren’t grabbed and held hostage. Instead, an enterprise has its computer and information system locked by a criminal. Data gets encrypted and unusable until and unless the organization pays a ransom to the thief, who is known only by a digital address and often demands untraceable payment in cryptocurrency.
Ransomware is a type of malware – software installed in a system by an outside party for bad purposes. Unlike malware focused on stealing data, ransomware aims to extract a ransom payment in exchange for decrypting and restoring the victim’s data.
From a criminal’s perspective, ransomware is a simpler, less expensive way to get money than malware that aims to expor
03/05/2021 • 19 minutes 8 seconds
Episode 64 - The Two Faces of Browsers and Our Privacy Options
Janus was the Roman god of doors, gates, and transitions. He needed two faces to look in both directions - life and death, past and future. Internet browsers allow us to access and gaze across the internet, but at the same time, they are watching us, recording what we do while browsing.
True, browsers do not charge us for their services – browsing is free. But as it is said, when a product is free, we become the product – or more specifically, our data becomes the product.
In this podcast episode Jeff Bermant, the founder and CEO of the browser Cocoon, joins us to explore how browsers and privacy intersect. Cocoon was founded for the purpose of providing a more privacy-secure experience than any other browser by creating a cocoon around the browsing individual.
We discuss how users have data privacy choices – which browsers to consider, how to adjust privacy settings, and what add-ons are available for browsing. When it comes to data privacy, protecting your personal data begins wi
02/04/2021 • 25 minutes 18 seconds
Episode 63 - Your Face, Time To Scrub?
Facial recognition. It’s a hot topic. Targeting, misidentification, and doxing - the dangers are real. So are the benefits – finding criminals and solving crimes, searching for relatives and old friends, researching history, conducting social research, sharing with friends over a lifetime.
Kashmir Hill’s penetrating cover article in the March 21, 2021 New York Times Magazine, “Your Face is Not Your Own,” details how our photos are scraped and used by companies far beyond what we imagine. Our images are available from public sources such as driver’s licenses. Many arise from our choice – through Facebook and Instagram postings, directories, newspaper and other media sources.
As the TV series Cheers’ theme song sang, “Sometimes you want to go where everybody knows your name.” But now it’s not just the neighborhood pub. It’s the internet, where everybody knows your name, and everybody can find your face.
What to do? That’s where scrubbing comes in.
Scrubbing is the effort to erase, s
23/03/2021 • 9 minutes 1 second
Episode 62 - TIKTOK and Privacy: Challenges from Europe and America
On February 16, 2021 TikTok was sued in Europe for abusing consumer rights. Millions of Europeans use TikTok to post, share and watch videos 3 to 60 seconds long, ranging from dogs in pink tutus to Shaq dancing.
The European Consumer Organization BEUC is an entity authorized in the EU to file complaints against businesses. Its press release, “BEUC files complaint against TikTok for multiple EU consumer law breaches” (www.beuc.eu), claims that TikTok engages in a “massive scale” of consumer abuse, including unfair and deceptive practices, terms of use that hurt consumers, failure to protect minors from harmful content and embedded advertising, and misleading use of personal data.
By contrast, the U.S. President on August 14, 2020 issued an executive order to kick TikTok out of operation in the States unless it sold its American operations to a U.S. buyer. The Executive Order was based on TikTok’s Chinese ownership, which the prior U.S. Administration claimed was a threat to U.S. nationa
17/02/2021 • 14 minutes 36 seconds
Episode 61 - How Not To Get Phished!
Data theft set new records in 2020. The major causes are not failures of equipment, software, or services. In an estimated 85% of cybercrime, the cause is us. We make careless mistakes as though we were inviting villains into our homes. We let thieves into our IT systems by accident. We get phished.
You get a message on your computer. It may seem to be from a friend, a trusted source, a reliable company, even your boss. It might seek an urgent response about something. How do you deal with the emailed message without letting a villain into your computer, and so into your personal or business’s IT systems? How do you avoid a mistake that gives a cybercriminal the chance to freeze and hold your personal or your company’s IT system for ransom or to hack personal and proprietary information?
Here are seven top tips to avoid being the reason you or your business is the victim of data theft. Check emailed messages for seven red flags before acting:
1. Bad spelling
2. Bad g
29/01/2021 • 8 minutes 5 seconds
Episode 60 - Cyber Insurance: What it Does and Doesn’t Cover
As businesses move into 2021, what insurance can they have to limit cyber risk? What does cyber insurance cover and not cover? How is it priced and secured?
Data Privacy Detective guest Sean McGee is a Vice President of USI Insurance Services, an independent company serving global clientele and accessing global insurance markets (www.usi.com / [email protected]). Also an Ohio and Kentucky attorney, at USI Sean advises customers on a broad array of business risks, including those arising from personal data collection and use.
Cyber insurance emerged in 1997. Insurance Journal reported 2019 premiums of over $2.2 billion, spread among a competitive range of providers, with growth anticipated in number of policies, variety of risks covered, and premiums. As one example, the average payment for ransomware attacks jumped to almost $85,000 by year-end 2019, almost double the prior year’s average, triggering an adjustment of price for covering this type of risk.
Cyber insurance pricing is
04/01/2021 • 19 minutes 5 seconds
Episode 59 - Taiwan: A Bridge For East-West Commerce?
Taiwan is one of the “Four Asian Tiger” economies. Its companies hold 66% of the world’s semiconductor market. It consistently tops the USPTO per-capita list of patent files, and its population of about 25 million enjoys what is considered the world’s fastest internet connection. It is becoming a major player in data. Considered part of China by the PRC which refers to it as the “Taiwan Authority,” Taiwan declares itself to be the Republic of China. Despite geopolitical issues, robust business flows between the two. Taiwan is a leading investor in the PRC. Commerce between the two seems unimpeded by political differences. With rising tensions between the U.S. and PRC, alongside changes in Hong Kong that threaten the “one country two systems” approach, how should global business consider Taiwan? Is it a bridge for east-west data-related commerce?
John Eastwood leads the Taiwan firm Eiger Law’s Greater China Practice. In this podcast John explains how Taiwan is
21/12/2020 • 14 minutes 50 seconds
Episode 58 - Personal Privacy and Community IT Systems
Data privacy is about balancing individual concerns and community needs. Without assurance that private information will be responsibly shared and used, people may not share accurate information or be willing to provide data at all. But to get student aid, applications must reveal sensitive family financial information. To gauge student success, performance details must be documented and shared with others. Sociological research requires that a database be accurate and credible.
How can a community design its IT system to reassure individuals about privacy but obtain and share data responsibly and create data platforms and visualizations to meet collective needs and aspirations?
This challenge is common to any community, whether it’s a city, a business, a university or other type of collective. In this podcast Lee Norris, Vice Provost for Enterprise Data Architecture of the University of North Carolina Greensboro, discusses how a community that gathers data of 25,000 people at its co
20/12/2020 • 17 minutes 8 seconds
Episode 57 - Protecting Data Privacy Within Databases
We all value privacy – at least to some extent. But some of us want to be famous, and all of us want to connect with friends and acquaintances. We like the convenience from technology that requires our personal information to operate. So we share our personal details in many ways, and our data flows like water down a stream into lakes and oceans, some of which we’d prefer to avoid. And our information becomes a piece of society’s knowledge base. Databases like the U.S. Census have essential purposes, but they’re only reliable and complete if we are comfortable sharing our data. How to respect individual privacy and achieve reliable databases? That’s a challenge!
In this podcast episode Alex Watson, co-founder and CEO of Gretel.ai, explains two essential phrases to understand how this can be done. Alex founded a security startup called Harvest.ai, which was acquired by Amazon Web Services in 2016, when he became AWS General Manager and it launched its first customer-facing security off
04/12/2020 • 17 minutes 17 seconds
Episode 56 - Ransomware and Privacy
Ransomware - a sinister type of cyberattack that installs malware onto a computer system. Once inside a network, the malware encrypts documents, freezing the IT systems of entities and individuals until they pay ransom to regain access to their data. Recent average cost paid to a ransomware syndicate? $333,000, according to Greg Edwards, founder and CEO of CryptoStopper, a leading anti-ransom software provider. www.getcryptostopper.com.
Ransomware surfaced in the late 1980’s, when AIDS Trojan was injected through floppy disks. Victims were asked to pay a “license fee” of $189 to a post office box to restore access to their data.
Ransomware became ever-more sophisticated. Thanks to Bitcoin and other cryptocurrencies that emerged around 2012, thieves could hide their identity, and attacks mushroomed. Most start through a careless employee who gets phished and permits the villain to enter the enterprise’s system. Malware is unleashed to encrypt data, including on back-up copies held wi
03/11/2020 • 16 minutes 24 seconds
Episode 55 - Differential Privacy and Academic Research
Science and knowledge advance through information gathered, organized, and analyzed. It is only through databases about people that social scientists, public health experts and academics can study matters important to us all. As never before, vast pools of personal data exist in data lakes controlled by Facebook, Google, Amazon, Acxiom, and other companies. Our personal data becomes information held by others. To what extent can we trust those who hold our personal information not to misuse it or share it in a way that we don’t want it shared? And what will lead us to trust our information to be shared for database purposes that could improve the lives of this and future generations, and not for undesirable and harmful purposes?
Dr. Cody Buntain, Assistant Professor at the New Jersey Institute of Technology’s College of Computing and an affiliate of New York University’s Center for Social Media and Politics, discusses in this podcast how privacy and academic research intersect.
Facebo
26/10/2020 • 23 minutes 58 seconds
Episode 54 - Contact Tracing Apps and Australia
COVID-19 has changed the world in dramatic ways. Contact tracing emerged as an approach to fight the pandemic’s spread and save lives. The idea is to notify people who have been in close contact with another person who tests positive for the virus. This should allow the contacted individuals to self-quarantine and take measures not to spread the virus before experiencing symptoms or otherwise learning that they are infected.
Australia, a country of about 25 million, has an App called CovidSafe, developed and owned by the federal government. By October 1, 2020, it has been downloaded by about 27% of Australians. The government target is 40%. Sign-up is voluntary. To register, a person provides name, mobile number, postcode and age range. The App must be open on a user’s smartphone with Bluetooth enabled. It does not use GPS location technology. Persons in close proximity for at least 15 minutes will be identified as App contacts and eligible for future notices in case one person learns
30/09/2020 • 24 minutes 42 seconds
Episode 53 - Brazil’s New Personal Data Privacy Law
Brazil’s General Personal Data Protection Law or “LGPD” entered into force on September 18, 2020. In this podcast, Thiago Luís Santos Sombra of the prominent Brazilian law firm Mattos Filho, www.mattosfilho.com.br, explains the basic approach to personal data privacy of South America’s largest country.
Highlights:
• Brazil chose the European Union’s basic approach (GDPR), but there are differences between GDPR and LGPD.
• Personal data is defined broadly to include identifiers such as email address, geo-location and similar information particular to a person.
• Data mapping and risk assessment are the immediate steps a business should take that collects or processes personal data of Brazilians.
• Companies must assess whether consent or legitimate interest is the basis of holding particular personal data and decide a compliant approach thereafter. Brazil’s Code is broader than GDPR in providing various bases to hold and process personal data. Businesses will look to express consent a
24/09/2020 • 23 minutes 53 seconds
Episode 52 - Data Brokers: How our Personal Information is Sold
Robo-calls, phishing, identity theft, ads we didn’t ask for – and worse. How does this happen? How does our personal data get collected, used and sold, without our knowing approval? Data brokers are a primary answer. They are businesses that collect, use, and sell blocks of personal information to a wide variety of buyers. This is not per se a shady business, though it may seem that way to those of us overwhelmed with constant interference by phone, email, pop-ups, and attacks aiming to disrupt our day or steal our assets or identity.
Rob Shavell, CEO and co-founder of Abine, a 10-year-old privacy company, gives us a tour of data brokerage. Our personal data is collected in many ways. Some is virtually public – postal address, registered voter information, other ways in which details about us become publicly available. A lot of information about ourselves we contribute to the world – through social media posts, publicity, items we publish. There’s a tension between our instinct for pr
01/09/2020 • 25 minutes 35 seconds
Episode 51 - Non - Personal Data - India Stakes A Claim On Owning and Regulating NPD
A July 2020 Indian Government Report calls for regulation of Non-Personal Data. Most data privacy laws aim to protect (or not) personal data of people. This Report raises the question whether the world is about to see an explosion of regulation of non-personal data, which could change the business of data and how information flows within and across national borders.
Stephen Mathias, head of the Bangalore/Bengaluru office of Kochhar & Co., one of India’s largest law firms, first updates us on two ongoing data privacy topics and then explains a novel approach to non-personal data being considered by the world’s largest democracy.
The Personal Data Protection Bill is advancing toward adoption by the Indian Parliament. Patterned on EU principles, the Bill if adopted in its current form would align India generally with GDPR concepts, though with a data localization approach different from EU rules for data sharing across borders.
In August 2020 the Modi Government decreed as an emergency
20/08/2020 • 27 minutes 16 seconds
Episode 50 - Intersection Of Cloud Computing And Data Privacy
Cloud computing offers a business the prospect of efficiency and savings by improving data storage capabilities and outsourcing computing resources that a business need not build for itself. But when data moves to the cloud, does this raise new troubles and make legal compliance more difficult? Or can it minimize risk and increase compliance with a dizzying array of global data privacy laws? How do cloud computing and data privacy compliance intersect?
Lowell Thompson of Genity, a US-based company, discusses in this podcast how a cloud computing service can address this challenge and opportunity. Using encryption technology, Genity offers what it describes as data security by default that aims to bypass data privacy laws of Europe, California, Canada, and other countries.
Major data breaches such as Equifax (2017) revealed weaknesses in internal business systems, in that case exposing sensitive personal information of 147 million people from several countries. As a business focused o
06/08/2020 • 13 minutes 39 seconds
Episode 49 - Hong Kong: What Impact Of The National Security Law
On June 30, 2020 China enacted a National Security Law applicable in Hong Kong. The UK and USA governments reacted negatively, stoking fears that this could mean the end of the one-country-two systems concept. Front-page news abounds about the meaning, the reach, and the political implications.
But what about business and normal life, about Hong Kong’s role as a global financial and technology center? How does one understand the impact on data privacy? Does this mean a replacement of Hong Kong law or will it be Hong Kong business as usual? In this podcast Pádraig Walsh of Tanner De Witt Solicitors, a leading Hong Kong law firm, guides us.
If you have ideas for more interviews or stories, please email [email protected].
31/07/2020 • 13 minutes 52 seconds
Episode 48 - Colombia and Data Privacy
Colombia made personal privacy a fundamental right in its 1991 Constitution. A 2008 law protected personal financial information, and in 2012 Colombia adopted Law 1581, a broad code across all sectors, modeled generally on the European/Iberian approach.
Angela María Noguera Moreno, of counsel with the Colombian law firm of Vanegas Morales Consultores and an IAPP-certified Information Privacy Professional/Europe, explains in this podcast the Colombian approach to protecting personal data. Colombia requires all businesses to protect personal data. Consent of the data subject, the individual, is the keystone requirement. All controllers and processors of personal data must comply with the requirements of Law 1581 and decrees that function as regulations implementing the code. Responsible parties are both controllers and processors of personal data. Personal data categories include not only sensitive (financial, medical, religious, political) and non-sensitive (business or email address)
05/07/2020 • 20 minutes 48 seconds
Episode 47 - Cookies and California, Businesses Beware
Cookies in the internet sense are packets of data that a person’s computer receives when visiting a website. Without a cookie sent by an online retailer, every time one moves to a different page on a site, the visitor would need once again to supply account data and other information – a terrible burden! But cookies also represent a potential threat, as disguised cookies can install viruses or malware on our computers, and supercookies and zombie cookies pose other threats to personal privacy.
Because a cookie can represent a third party that is accessing personal information of someone visiting a website, website owners and operators must consider whether the data streams arising from this use and the sharing with cookie senders amount to activity governed by the CCPA (or other states with similar or evolving data protection laws).
William Morriss, an attorney with Frost Brown Todd, LLC who advises numerous tech and other companies about software and internet matters and himself a
23/12/2019 • 8 minutes 9 seconds
Episode 46 - Finland Leads The Way In The Secondary Use Of Health And Social Care Data
Medical data are considered particularly sensitive personal information. Laws and regulations in most countries, including the USA and throughout Europe, generally aim to restrict sharing such information with the target of building privacy walls around each person’s data. But making such health data available more broadly is key to improved medical care, research and the advance of health science.
Finland is the first country known to have adopted an approach to allow third parties to access health data for the purposes of scientific research, drug and health technology development and knowledge-based management in social and health care. Researchers, service developers and other legitimate data users will be able to collect, combine and process data from Finnish registries smoothly and securely. While most data will be anonymized, for particular applications individual identities can be shared.
Those seeking access to such information will apply to a central authority that will scree
17/11/2019 • 5 minutes 20 seconds
Episode 45 - Will the "Right To Be Forgotten" Rewrite History?
California Consumer Privacy Act (CCPA) and the so-called European "right to be forgotten" are hot topics as summer turns to autumn.
With the CCPA coming into effect on January 1, 2020, amendments to modify it abound in the legislature. Stay tuned for a final Act! Even so, the driving force behind the Act’s passage, Alistair Mactaggart, is not trusting the legislature. Watch for voters to decide directly what California’s law will be in 2020 at the same time they vote on America’s president.
The EU’s "right to be forgotten". Media announced a victory for Google from the European Court of Justice (ECJ), claiming that the "right to be forgotten" under GDPR cannot be enforced outside the European Union and its 28 (soon to be 27?) countries. The ECJ’s September 24 ruling was on Google’s request for a preliminary ruling on appeal from the French Government’s 2014 order that Google delink globally its search engine from sites containing embarrassing or out of date information.
The "right to
14/10/2019 • 10 minutes 13 seconds
Episode 44 - First Week Of Fall 2019 Data Privacy News Rundown
What do Ecuador, San Diego, the FBI and Bayfront HMA Medical Center have in common? They’re all in data privacy news this first week of fall 2019. This podcast episode checks the data privacy temperature around the world this week.
22/09/2019 • 8 minutes 35 seconds
Episode 43 - What You Need To Know About Maine’s New Privacy Law
Sometimes it seems the United States is more a loose federation than a national government. States have a major role in law-making. Data privacy is no exception. A recent law adopted by the State of Maine differs greatly from the California act that will come into force on January 1, 2020. Maine’s law will be effective on July 1, 2020. This podcast hits the highlights of it.
Melissa Kern, Co-Chair of Frost Brown Todd LLC’s Privacy and Data Security Team, explains that the Maine law applies to broadband internet access services – the folks who bring us access to the internet – not website hosts, not everyone holding personal data – but providers like ATT and Spectrum as well as regional internet access providers. If a provider has even one customer in Maine that is billed for service there, the Maine law applies. There’s no safe harbor threshold.
28/08/2019 • 9 minutes 43 seconds
Episode 42 - Encryption: When Data Privacy Best Practices Are Not
Encryption is often thought of as the basic and best cybersecurity approach to protecting data in transit or in flight. As guest Ken Morris, CEO and founder of KnectIQ, argues, it’s not. Encrypting data is an essential practice, but it’s really not the problem or the solution.
Instead, any organization must consider its keys. Best practices in cybersecurity in 2019 require new technologies that address the role of and threats to keys. Once a hacker gets access to a key, the data are there to be taken, even without the data controller or processor knowing that the thief has entered the storeroom. As the day of quantum computing approaches, it will become ever more certain that encryption alone is inadequate to protect data in flight.
This is becoming known to the authorities. And that is not an idle thought. Article 32 of the EU’s General Data Protection Regulation, GDPR, forces possessors of personal data to consider the “state of the art” in deploying systems to protect personal da
15/08/2019 • 11 minutes 39 seconds
Episode 41 - Hong Kong and Data Privacy
One country, two systems – that’s the 50-year agreement that led to Hong Kong’s becoming part of China in 1997. This remains an evolution in progress. Hong Kong retains many of its systems independent of the PRC and yet is part of China. What does this mean for data privacy and the rules that apply to business in this powerhouse commercial center?
Padraig Walsh, a privacy leader at the prominent Hong Kong law firm of Tanner De Witt, provides insight into how multinational firms should view Hong Kong for digital services. Hong Kong’s 1996 data privacy law was a pioneer at the time in establishing a legal framework for protecting personal data and regulating companies that handle data flows as controllers or processors. If one asks is it like China’s or the EU’s or the USA’s approach to data privacy, the answer is that it is much more like the EU or USA approach than China’s. It was adopted in the final months of British sovereignty.
05/08/2019 • 12 minutes 23 seconds
Episode 40 - Avoiding Cyber-Disasters: The Human Element
No business or individual wants to be the victim of a disaster. Cyber-attacks can cause exactly that. Individuals are the first line of defense for personal privacy and cybersecurity. For businesses, it’s essential to train everyone associated with data systems to avoid letting hackers and other criminals into the network that holds data.
Dr. Gleb Tsipursky explains in this podcast how disaster avoidance requires an approach based on emotional intelligence and training based on human psychology. While firewalls, policies and procedures are essential for protecting a company’s data flows, so is effective training of personnel – of employees, contractors, others who hold the keys to accessing a company’s computer systems. Freezes of entire company systems caused by ransomware, thefts of financial and intellectual property by hackers, improper releases of personal data of customers – these and other crimes of the digital age are often caused by one individual’s careless acts in letting a
09/07/2019 • 12 minutes 7 seconds
Episode 39 - GDPR One-Year In: The UK Experience
The EU’s General Data Protection Regulation (GDPR) turned one year old on May 25, 2019. What’s been the experience? Kim Walker, Co-Chair of the Privacy Team of Shakespeare Martineau, a premier UK law firm, provides insight into how this comprehensive law of personal data privacy has unfolded in the United Kingdom.
28/06/2019 • 15 minutes 8 seconds
Episode 38 - India and Data Privacy, Get Ready!
India is about to enact a comprehensive data privacy law that will force global and Indian businesses to revise their approach. Stephen Mathias, Co-Chair of the Tech Team at Kochhar & Co., one of India’s premier law firms, explains how India will shift from relatively lax regulation of data privacy to one of the world’s most protective regimens once the new bill is enacted.
20/06/2019 • 13 minutes 50 seconds
Episode 37 - Catching Serial Killers, Employee Biometrics, Tracking and Personal Data Privacy
What do serial killers, employees who don’t want their fingerprints shared and a U.S. Senator have in common? Data privacy. In this podcast, Victoria Beckman, Co-Chair of Frost Brown Todd’s Privacy and Data Security Team, discusses this and other news.
08/06/2019 • 12 minutes 59 seconds
Episode 36 - Five Hot U.S. Data Privacy Developments
The Data Privacy Detective turns the spotlight on five American data privacy developments in a conversation with Melissa Kern, Co-Chair of Frost Brown Todd’s Privacy and Data Security Team.
1. California’s data privacy law, CCPA, comes into force in 2020. It’s occupied attention because of California’s size and its potential extraterritorial application. It provides limited rights for individuals to sue companies that violate CCPA, restricted to certain cases of data breach. Privacy advocates were disappointed when the California State Senate rejected a bill to empower individuals to sue companies that violate any part of CCPA, a big win for the tech sector in America’s largest state.
2. In the absence of an overarching U.S. law, the statutory action in data privacy has been on a state level, as in California. But the Network Advertising Initiative foresees the need for national standards and intends to fill that role as a Self-Regulatory Organization (SRO) rather than have a nationa
24/05/2019 • 10 minutes 42 seconds
Episode 35 - Hot Topics In Data Privacy - From The US Front
The May 2-3, 2019 International Association of Privacy Professionals Conference featured leading U.S. officials and participants in the data privacy field. Mike Nitardy, a certified Privacy Professional (U.S.) and data privacy attorney at Frost Brown Todd LLC, shares highlights from the conference.
13/05/2019 • 12 minutes 12 seconds
Episode 34 - When Employees Cooperate With Law Enforcement And Expose Personal Data
Picture frontline employees – like those at a motel’s front desk. In come ICE agents with gold badges asking to see guest logs, aiming to identify and track down undocumented aliens. What’s the desk attendant to do? Most likely, cooperate without thinking it through. This led to costly problems for Motel 6 – a $12 million settlement in the State of Washington alone. The lesson is this – don’t let frontline employees decide whether to turn over personal data of guests or customers. That’s a big decision that should be made at a higher level, in sync with the company’s privacy policy. This podcast explores what happened to Motel 6 and draws lessons for what a business should do to safeguard the privacy of customer data.
30/04/2019 • 10 minutes 24 seconds
Episode 33 - Streaming Data Flows: Key Findings From An Important 2019 Data Privacy Maturity Study
Businesses have far more personal data than they think they have, and information expands by the hour. This is a key finding from an April 2019 Data Privacy Maturity Study from Integris Software – www.integris.io. Data flows change daily, and yet many businesses rely on spreadsheets and annual surveys to learn what data they house, resulting in inaccurate information that risks reputation and non-compliance. Kristina Bergman, Integris’ founder and CEO, offers important insights in this podcast about how business can deal more effectively with avalanches of data and blizzards of national and state data privacy regulation through an automated approach to the inventory of data.
19/04/2019 • 19 minutes 50 seconds
Episode 32 - Discovering Personal Data: How The Unknown Becomes Known
Businesses hold vast amounts of digital and hard copy data. Much is personal data regulated by differing country and state laws and rules. The first step towards personal data privacy compliance is to know what personal data are held by a company. But traditional means of inventorying personal data undercount and are almost always behind the curve of time.
Network analytics is the answer to this challenge. In this episode, the Data Privacy Detective has a conversation with 1touch’s CCO Mark Wellins, and they explore how to discover, map and flow data in a more comprehensive and timely way than traditional methods allow.
14/03/2019 • 16 minutes 3 seconds
Episode 31 - Data Incidents And Breaches: What Mid-Sized Companies Do When One Hits
Data incidents arise regularly for businesses. The perpetrators range from sophisticated scoundrels seeking a quick ransom payment, to foreign governments conducting industrial espionage, to thieves seeking inside information, to distant hackers seeking personal data to sell on the dark web. When an incident arises, companies turn to legal counsel as part of the response team. In this podcast, Bob Dibert, a Frost Brown Todd attorney with 30 years’ experience and a veteran of data incidents, discusses how incidents arise and how they’re handled.
There’s a three-step approach when an incident arises:
1. Contain: Immediately aim to stop further leakage and prevent additional harm from arising.
2. Counsel and Plan: Promptly analyze the scope and nature of the incident, what needs to be done to address it both immediately and longer term.
3. Remediate: Solve the problems, remedy the damage, notify those affected if required.
03/03/2019 • 15 minutes 33 seconds
Episode 30 - Good news for 2019 from Europe for US firms handling European personal data
In late December 2018 the European Commission issued its second review of how the EU Privacy Shield is working. Over 4,000 U.S. firms have signed up so far for this method of dealing with the GDPR (General Data Protection Regulation) of the European Union that protects personal data of its residents. The Commission’s report approves U.S. efforts to support the bilateral agreement that supports the Privacy Shield, with one important matter to be addressed in February 2019.
03/01/2019 • 12 minutes 11 seconds
Episode 29 - China’s Social Behavior Measurement: The future or end of privacy?
China should never be viewed through a foreign lens. And yet, what other lens do we have from the USA or most of the world but to do just that? Bloomberg News reported two statistics on November 21, 2018 that will shock most non-Chinese citizens – “By the end of May, people with bad credit in China have been blocked from booking more than 11 million flights and 4 million high-speed train trips, according to the National Development and Reform Commission.”
28/11/2018 • 5 minutes 28 seconds
Episode 28 - Russian Data Privacy And Protection: Basics For Global Business
Russia governs personal data of its residents based on a generally applicable law. As a federal country, Russia has rules below the federal law, but they conform to standards set by statute throughout the nation. Though not as comprehensive as Europe’s broadly extensive General Data Protection Regulation (GDPR), Russia’s statute aims to protect the personal data of Russians similar to the GDPR’s approach. Concepts of consent of persons to use their data, privacy by design, data minimization, cybersecurity minimum standards and other principles are augmented by a data localization focus different from the GDPR.
19/11/2018 • 16 minutes 3 seconds
Episode 27 - Digital Authoritarianism An Increasingly Dark Side Of The Internet
The internet was once viewed as an instrument of freedom. It freed communications across borders, aided the ability of people to rally against repressive governments, and dramatically lowered entry barriers to sellers of goods and services across borders. But like many good things, the internet has been increasingly harnessed to repress – or more neutrally to assist those in control of government to keep their power and a watchful eye and long arm over those who threaten their view of public order. The Freedom House report is a disturbing compilation of the rise of digital authoritarianism. The study of 65 countries that hold 87% of the world’s internet users found a decline in freedom from June 2017-May 2018 in 26 nations compared to gains in 19.
04/11/2018 • 12 minutes 42 seconds
Episode 26 - How Safe Is The Personal Data You Provide To State Governments?
Because U.S. states employ over 16 million people and hold the data of almost all American residents, state governments are major targets for data villains seeking to obtain data about us. How safe is our personal information in the hands of state governments and what security challenges must states address to better protect personal data?
Podcast guest Trey Grayson is a veteran of these issues, having served as Kentucky’s Secretary of State for eight years and later as director of Harvard’s Kennedy School of Government’s Institute of Politics and member of the President’s Commission on Election Administration, which reviewed the 2012 election. Trey is now a principal of the public policy firm CivicPoint and an attorney with Frost Brown Todd LLC. As an attorney and public policy expert, Trey offers guidance on the state of cybersecurity and state-held data in episode 26 of the Data Privacy Detective podcast.
13/08/2018 • 10 minutes 18 seconds
Episode 25 - Europe’s GDPR - Representatives And Data Protection Officers
The EU’s GDPR requires businesses outside the EU to appoint a “representative” in a member state and a Data Protection Officer in the EU to consult on and monitor data privacy matters. In this episode, Alessandro Di Mattia joins us to explore the definitions and requirements surrounding these positions and the roles they play in protecting consumer personal data according to the GDPR.
29/07/2018 • 12 minutes 18 seconds
Episode 24 - Internet Review Sites And Free Expression
The California Supreme Court faced a challenge that may have been the first stone cast in a global debate about free expression on the internet. The case centered on a San Francisco law firm that got a one-star YELP review from an unhappy former client. When the firm’s YELP rating dipped from 5.0 to 4.5, the law firm successfully sued the reviewer for defamation. YELP was not originally a party to the case, but when the judgment ordered YELP to remove the information, YELP refused.
23/07/2018 • 13 minutes 33 seconds
Episode 23 - California’s New Data Privacy Law
“California enacts the strictest online privacy law in the country!” trumpeted CNN/Tech. A statute passed unanimously in the legislature and immediately signed by Governor Brown, AB 375, had the support of large tech firms and privacy advocates. It moves California in the direction of the European Union, granting rights to California consumers concerning personal information they share online. The Data Privacy Detective turns his magnifying glass on this statute. It will have an impact. If California were a country, it would boast the world’s fifth largest economy.
California has citizen initiative rights that let people propose laws enacted by a popular vote, bypassing the legislature. Enraged by the Cambridge Analytica scandal of data shared by Facebook that ended up sold without consumers’ direct knowledge for political campaign purposes, a wealthy Californian tired of waiting for the legislature to act. He promoted an initiative aimed at creating tough consumer data privacy protec
04/07/2018 • 19 minutes 52 seconds
Episode 22 - GDPR And Non-EU Businesses
Businesses not located in the European Union have tried to understand whether the General Data Protection Regulation (GDPR) applies to them. And if it does, or if it might, one of the puzzles has been whether a non-EU business needs to appoint a natural person or legal entity to be its “representative” or a natural person to be its “Data Protection Officer” for dealing with the EU and its Member States’ Data Protection Authorities (DPAs). This podcast focuses on that question.
16/06/2018 • 10 minutes 20 seconds
Episode 21 - GDPR Is Here
How did U.S. businesses deal with the launch of GDPR? And what’s its immediate impact on how U.S. businesses address personal information they have? The Data Privacy Detective turns the magnifying glass to this question, focusing on small and mid-sized (SME) U.S. businesses that hold personal data of Europeans.
Most coverage about GDPR is about titanic battles of tech giants whose business models are based on monetizing customer data. My spyglass turns to a different subject: How did SMEs in the United States deal with GDPR? The clear majority of them do not sell personal data of Europeans, but instead collect and use it for ordinary business purposes, such as marketing goods and services, employing personnel, collecting payment and other processing that has nothing to do with surreptitious use of such personal information beyond the obvious.
31/05/2018 • 18 minutes 52 seconds
Episode 20 - China's New Data Privacy Standards
GDPR, the European Union’s effort to protect personal data, has dominated the efforts of businesses to deal with personal data across borders. Less noticed is China’s evolving system of controlling, regulating and protecting the personal information of its people. On May 1, 2018, China issued standards for personal information protection.
14/05/2018 • 16 minutes 49 seconds
Episode 19 - The EU / U.S. and Swiss Privacy Shield
In this podcast episode, the Data Privacy Detective discusses the background to the EU / U.S. and Swiss Privacy Shield and how it relates to the new requirements of the EU General Data Protection Regulation (GDPR) that will take effect on May 25, 2018.
25/04/2018 • 20 minutes 3 seconds
Episode 18 - How Businesses Outside The EU Can Comply With The GDPR
In this podcast, the Data Privacy Detective turns a magnifying glass to how businesses located outside the EU can gather and use personal data that originates in the EU without violating the GDPR. Businesses inside the EU are actively working to bring their policies and procedures in line with the GDPR, with the benefit of many years of practice under the 1995 EU Directive that required EU countries to adopt laws based on a common background and similar principles to what becomes a directly binding regulation on May 25, 2018. For businesses beyond EU borders, how do they determine if GDPR’s extraterritorial reach affects them and what should they do about it?
19/04/2018 • 15 minutes 46 seconds
Episode 17 - Consent: The Meaning Of It Under GDPR
The Data Privacy Detective explored in prior podcasts the broad scope of personal data, the differences between controllers and processors and other matters, including how processing can be lawful. That includes several specific, limited instances when acquisition and use of personal data can be legitimate in the absence of express consent of the persons whose data are held.
18/04/2018 • 15 minutes 6 seconds
Episode 16 - Lawful Processing Of Personal Data Under The GDPR
The EU’s GDPR – the General Data Protection Regulation – becomes law on May 25, 2018. This podcast explores what processing of personal data as defined by the GDPR is considered lawful. “Processing” is defined very broadly by Article 4.2 to encompass a wide variety of ways in which personal data are held or used.
Article 6 describes what constitutes “Lawfulness of Processing.” It lists six alternatives for when processing is lawful. The first and most basic is if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Express consent is at the heart of the European approach to personal data protection. But consent is not the sole basis for lawful processing of personal data.
10/04/2018 • 11 minutes 52 seconds
Episode 15 - Personal Data And The GDPR: What’s Covered And What’s Not
The GDPR defines personal data very broadly. But it is not an all-encompassing effort to protect all personal data from every conceivable use or misuse.
“Personal data” is defined by Article 4.1 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This defines personal data to include relatively non-sensitive information such as a phone number or email address, as well as more sensitive information such as biometric, genetic and other information about a person.
The GDPR does not protect the data of legal entities. Only personal data of natural persons are addressed. Business, non-profit organiz
09/04/2018 • 12 minutes 3 seconds
Episode 14 - Controllers And Processors – The Differences And Why It Matters For GDPR
Businesses collect, use and store personal data. It’s unavoidable. An email address, phone number, birthdate, postal address – these are all personal data that allow someone to identify or contact an individual. Other information is far more sensitive, such as health information, religious preference, political beliefs, race or ethnic origin, sexual preference, and financial details.
The European Union’s General Data Protection Regulation (GDPR) classifies businesses that hold personal data as controllers or processors. The GDPR applies directly to both controllers and processors, but in different ways. This podcast explores the meaning of controller and processor and how cross-border businesses can meet the differing requirements imposed by the GDPR.
02/04/2018 • 10 minutes 30 seconds
Episode 13 - Does The GDPR Apply To A Business Outside The EU? How And When?
How does a non-EU business know if it must comply with the GDPR? And what specific things are required if the answer is yes? This podcast explores these questions, detailing the specific activities that require a non-EU business to comply with this EU regulation.
Merely having a website is not enough. But if a company aims to sell goods or services to Europeans or to monitor the behavior of EU citizens or residents, compliance is expected. Conducting a data inventory and creating a data map are first steps to determine how a cross-border business can deal with the GDPR and comply with its requirements.
29/03/2018 • 10 minutes 15 seconds
Episode 12 - The GDPR Is Coming
On May 25, 2018 the European Union’s General Data Protection Regulation becomes law – not just within the EU but everywhere in the world in some respects. It is deliberately extraterritorial. The EU is serious about compliance with the GDPR. Fines can be as high as 4% of a company’s gross revenues or 20 million Euros.
The Data Privacy Detective launches a thorough exploration of the GDPR with this podcast, starting with the history, the context and the GDPR’s basic aim of protecting the personal data of its citizens and residents.
26/03/2018 • 9 minutes 41 seconds
Episode 11 - Tech Support Scams: How to avoid them and what to do if you fall for one
In this podcast, the Data Privacy Detective talks about tech support scams with Michael Severini, Director of Information Security for one of America’s large law firms, Frost Brown Todd LLC.
A tech support scam can start with a phone call claiming to provide computer support and security. But increasingly this scam pops up when you click on a website and your screen freezes, with a warning page that your PC is infected and you need to call a toll-free number immediately for help.
24/08/2017 • 6 minutes 18 seconds
Episode 10 - Cybersecurity & IoT
The risk of the Internet of Things (IoT) is far more than a stolen credit card number or a banking loss. The risk could be mortal and pervasive if a critical device is hacked and a malicious command is issued through the IoT.
09/08/2017 • 6 minutes 49 seconds
Episode 9 - Phishing - How To Avoid Being Hooked
Phishing is an effort by cybercriminals to use bait in the guise of a familiar email address to hook you into revealing your sensitive information. This podcast tells a real story of two college professors who were initial victims of a clever evolution of a phishing scam.
03/08/2017 • 4 minutes 53 seconds
Episode 8 - FBI CyberAlert about massive attack – so what do we do?
On July 25, 2017, the FBI issued a TLP:AMBER alert on its Cyber Watch system about an elaborate cyber-criminal attack underway by sources believed to originate from Iran. The Alert lists about 200 domain names and IP addresses that individuals and businesses should avoid.
The Alert lists four actions that all persons and businesses should take to avoid being harmed, not only by this attack, but to address the burgeoning rise of malware and other attacks against our data privacy and use of the internet.
28/07/2017 • 3 minutes 16 seconds
Episode 7 - Big Data And Your Personal Privacy
Very private information about us can be extremely useful for medical research and other noble purposes – such as medical data that can be aggregated into a big database to help control and combat disease. But we’re reluctant to share our health and genetic details if we can be identified individually.
How can we contribute to the big data need of public health and still preserve our individual privacy? Pseudonymous and anonymous coding is the answer, many say. But wait, does that too have risks? Join a conversation with Ken Morris, a leading entrepreneur, technologist and attorney, to explore this essential question.
29/11/2016 • 5 minutes 15 seconds
Episode 6 - Facial Recognition Technology And Our Privacy
The Data Privacy Detective talks about facial recognition technology, how it affects our privacy and what rights we have to fair use by the government. This episode will acquaint you with FIPPs and a law meant to ensure fair use by government on passports, videotapes and other images of our persona.
15/11/2016 • 8 minutes 18 seconds
Episode 5 - Top Tips On Protecting Your Data
So what can you do yourself to protect your personal data and the confidential information of your company or employer? Julia Montgomery of Traveling Coaches shares top tips on how to protect confidential and personal data.
02/11/2016 • 5 minutes 52 seconds
Episode 4 - Your Personal Checklist For CyberSecurity
John Hibbs, Chief Information Security Officer for J.P. Morgan Chase, gave a riveting talk in Chicago in the fall of 2016 about the devices that tempt us to spend our waking hours giving them attention. He began with a challenge I readily accepted - that humans are not good at guarding their data privacy. Technology is too strong and changing too quickly to keep up with. Nonetheless, there are choices we can make with regard to the equipment and software we use and thereby better protect our data. You are your own first line of defense against the loss of your data, and this episode of the Data Privacy Detective goes through a checklist of items regarding software and equipment to assist you.
17/10/2016 • 6 minutes 6 seconds
Episode 3 - The Battleground Of Data And Disclosure
Personal data is vast and expanding exponentially. And the means of combing through vast quantities of digital data is becoming easier and quicker than ever, with human beings linked to each other on a global scale never before possible. At an October 1, 2016, conference in Luxembourg, French attorney Olivier Saumon cited industry projections that by 2020 the world will have 50 billion connected devices – an average of over five per person. Computers, smartphones, wristwatches, vehicle devices, robots and other devices will create data and connect to an expanding galaxy of devices that will track our health, finances, genetics, emotional make-up, perhaps even our dreams. This episode of the Data Privacy Detective highlights an example that shows how websites can search for and secure highly personal data of individuals and also how governments can intervene to delete the information and penalize third parties that lack express consent to handle the information.
10/10/2016 • 5 minutes 4 seconds
Episode 2 - Google And European Data Privacy: a global blow for data privacy
A 2014 European Court of Justice decision against Google made Google the decision maker about whether to delink its search engine from sites that infringed the rights of European citizens – and raises the issue of whether one government can set the rules of privacy worldwide. The intricacies of the case provide one glimpse into the evolving global battle over data privacy that faces technology providers. In the absence of a global agreement or a world court, the battles continue between disclosure and privacy. If you’re European, you have rights greater than those available to American citizens in having certain information about you deleted. This episode of the Data Privacy Detective dives into the Google case and its implications for technology companies and privacy rights of people around the world.
10/10/2016 • 7 minutes 19 seconds
Episode 1 - Data Privacy Starts With You
Privacy is dead, get over it. This is what a blockchain entrepreneur told a conference at the European Court of Justice on September 30, 2016. And yet, we know this is not true. If privacy were dead, we would know all the details of Donald Trump’s tax returns and we would have access to every email of Hillary Clinton from both public and private servers while she was Secretary of State. And we don’t.
Personal data privacy is alive and well, but it is under attack. And our own worst enemy is ourselves. Data privacy is not about protecting data – it’s about protecting you. Listen for tips on how to eliminate unnecessary risk by taking some simple steps to protect the data on your smartphone.