Hello Friends,

India’s nodal cybersecurity agency, Computer Emergency Response Team (CERT-In), has issued new directions that require all service providers, intermediaries, data center providers, corporates, and government organizations to report certain cyber incidents within 6 hours of their detection.

The directions cover aspects relating to synchronization of ICT system clocks; mandatory reporting of cyber incidents to CERT-In; maintenance of logs of ICT systems; subscriber/customer registrations details by Data centers, Virtual Private Server (VPS) providers, VPN Service providers, Cloud service providers; KYC norms and practices by virtual asset service providers, virtual asset exchange providers, and custodian wallet providers.

This news and more, in this fortnight's Data Privacy Insights: curated privacy news from across the globe.

Enjoy reading!

Top News

CERT-In Issues Directions Relating To Information Security Practices, Procedure, Prevention, Response, And Reporting Of Cyber Incidents For Safe & Trusted Internet

India’s nodal cybersecurity agency, Computer Emergency Response Team (CERT-In), has issued new directions that require all service providers, intermediaries, data center providers, corporates, and government organizations to report cyber incidents within 6 hours of their detection.

It also requires virtual asset, exchange, and wallet providers to maintain records on KYC and financial transactions for a period of five years. Companies providing cloud and virtual private network (VPN) services will also have to register validated names, email addresses, and IP addresses of subscribers.

These directions will become effective 60 days after their issuance.

The directions issued by CERT-In are available at https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

Read PIB Press Release

Audit Finds India’s UIDAI “Deficient” In Data Management Practices

A recent government audit of India’s Unique Identification Authority of India (UIDAI) concluded that the agency’s data management practices have been “deficient” for a long period of time.

Responsible for distributing and maintaining the country’s Aadhaar national ID cards, which are required for accessing a variety of government services, UIDAI is now being taken to task for failing to have a data archiving system and for an alarming rate of Aadhaar cards returned in the mail as undeliverable (among other systemic failings).

The audit report is available at https://cag.gov.in/uploads/PressRelease/PR-UIDAI-report-no-24-of-2021-in-English-0624d89a0e200e2-55589718.pdf

Read More

Data Breach

USA Public School Security Breach Exposes Data Of 820,000 NYC Students

A widely used online grading and attendance system has been hacked, causing what could be the largest ever exposure of students’ personal data in American history.

Cyber-criminals broke into the IT systems of Illuminate Education in January 2022, gaining access to a database containing the personal data of around 820,000 current and former New York City public school students.

Illuminate Education is a taxpayer-funded software company based in California. The company created the IO Classroom, Skedula, and PupilPath platforms, used by New York City’s Department of Education to track grades and attendance.

Read More

Panasonic Admits Suffering A Second Cyber Attack In 6 Months

Japanese tech company Panasonic disclosed that it was the victim of a “targeted cyber-attack” on its Canadian operations. According to malware analysis group VX Underground, the Conti ransomware group claimed responsibility for the attack. The group claims to have stolen 2.8 gigabytes of data from Panasonic Canada.

The February attack was the second to devastate the company within six months. In November 2021, Panasonic Japan disclosed that a third party had breached its network and accessed files on its servers. The company disclosed in January 2022 that the attack leaked the personal information of job candidates and interns.

Read More

ENFORCEMENT

US HHS OCR Announces Four HIPAA Enforcement Actions Against Dental Practices

On March 28, 2022, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced the resolution of four enforcement actions, three resolved in 2021 and one resolved in 2022. There are some interesting aspects of this group of covered entities.

Three of the actions pertained to dental practices. One of those dental practices took the rare approach of never responding to OCR’s data request, never acknowledging or responding to OCR’s administrative subpoena, and then did not contest OCR’s findings in the Notice of Proposed Determination. Another dental practice used its patient list to fundraise for an unsuccessful state senate campaign.

Read More

Privacy Regulations

Arizona Expands Regulator Data Breach Notification Obligations

Arizona recently amended its breach notice law to change the regulator notification requirements. Starting this summer, depending on the scope of the incident, the Arizona Department of Homeland Security will need to be notified. Specifically, as amended, if more than 1,000 Arizona individuals are notified of a breach, then notification must be made to the three largest consumer reporting agencies, the Arizona attorney general, and the Arizona Department of Homeland Security. Previously, only the consumer reporting agencies and Arizona AG needed to be notified if that threshold was met. This notification should be made within 45 days after the determination that there has been a breach.

Read More

Privacy In Spotlight

Google Search Removal Requests Expanded To Include Personal Contact Information

Google has now expanded Google Search removal requests to include additional personally identifiable contact information, such as a person's phone number, email address, or physical address.

Up until now, people have been able to request the removal of certain other sensitive information from Search, such as doxxing content (where a person's contact information is shared in a malicious way) or information like bank account or credit card numbers that could be used for financial fraud.

Under the expanded policy, users can also request the removal of additional information that may pose a risk of identity theft, such as confidential log-in credentials, when it appears in search results.

Link to the News

Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document

Facebook is facing what it describes internally as a “tsunami” of privacy regulations all over the world, which will force the company to dramatically change how it deals with users’ personal data. And the “fundamental” problem, the company admits, is that Facebook has no idea where all of its user data goes, or what it’s doing with it, according to a leaked internal document obtained by Motherboard.

Read More

Link to the Document