CNIL publishes update to security guide

https://www.cnil.fr/fr/la-cnil-publie-une-nouvelle-version-de-son-guide-de-la-securite-des-donnees-personnelles

For this edition, the main changes concern the following sheets:

  • Sheet no. 2 “Authenticating users” takes into account the new recommendation relating to passwords and other shared secrets adopted in 2022 by the CNIL. In particular, it uses the notion of password entropy to offer greater freedom in the definition of password policies and abandons the obligation to renew passwords for “classic” user accounts.
  • Sheet no. 4 “Tracing operations and managing incidents” takes into account the recommendation relating to logging adopted in 2021. It explains how to ensure traceability of access and actions in multi-user systems while finding the balance between security, surveillance and associated risks.
  • Sheet no. 12 “Supervising IT developments” has also been enriched with elements from the CNIL's GDPR guide for the development team.
  • Finally, sheets no. 15 “Securing exchanges with other organisations” and no. 17 “Encrypting, hashing or signing” have been updated to take into account changes in currently recommended practices.

Other, more targeted updates and improvements have been made to keep up with evolving threats and knowledge.
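Sheet no. 2's move to entropy-based password policies is worth seeing in code. The example below is added here and is not from the CNIL guide: it scores a policy by the entropy of the weakest password it admits (minimum length times log2 of the smallest admissible alphabet), which is what lets several differently shaped policies satisfy the same bit threshold. The 80-bit threshold, the policy names and the sample passwords are illustrative assumptions, not figures taken from the recommendation; check the recommendation itself for the thresholds it sets.

```python
import math
import string

# Character classes a policy may require, with their sizes. Sizes are
# what matter for entropy; ASCII punctuation has 32 symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def policy_entropy_bits(min_length: int, alphabet_size: int) -> float:
    """Entropy floor of a policy, in bits, under the usual model: a password
    drawn uniformly at random from `alphabet_size` symbols, `min_length`
    characters long. The weakest compliant password sets the floor, so only
    the minimum length and the smallest admissible alphabet enter."""
    return min_length * math.log2(alphabet_size)


def password_entropy_bits(password: str) -> float:
    """Entropy credit for one concrete password: its length times log2 of the
    size of the union of classes it actually draws from (plus any characters
    outside the four classes, e.g. spaces). This is a static estimate that
    assumes random choice; it cannot detect dictionary words or reuse, which
    a breached-password check has to cover separately."""
    if not password:
        return 0.0
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    others = {c for c in password
              if not any(c in chars for chars in CLASSES.values())}
    alphabet += len(others)
    return len(password) * math.log2(alphabet)


def compliant_policies(policies: dict, required_bits: float) -> list:
    """Names of the policies whose entropy floor meets `required_bits`.
    `policies` maps a name to (min_length, alphabet_size)."""
    return [name for name, (length, alphabet) in policies.items()
            if policy_entropy_bits(length, alphabet) >= required_bits]


# Hypothetical policies a site might offer its users side by side.
EXAMPLE_POLICIES = {
    "12 chars, all four classes": (12, 94),
    "14 chars, letters and digits": (14, 62),
    "18-char lowercase passphrase": (18, 26),
}

# Illustrative threshold (assumption, not the recommendation's figure).
REQUIRED_BITS = 80.0


if __name__ == "__main__":
    for name, (length, alphabet) in EXAMPLE_POLICIES.items():
        print(f"{name:32s} {policy_entropy_bits(length, alphabet):6.1f} bits")
    print("compliant:", compliant_policies(EXAMPLE_POLICIES, REQUIRED_BITS))
    for pw in ("Tr0ub4dor&3", "correct horse battery"):
        print(f"{pw!r}: {password_entropy_bits(pw):.1f} bits")
```

Two practical points the numbers make: a 12-character, four-class rule and an 18-character lowercase passphrase land within a few bits of each other, so the threshold is what the policy should state, not the character-class recipe; and the per-password estimate is a credit, not a guarantee, so it belongs alongside rate limiting and a breached-password lookup rather than replacing them.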

Brazilian DPA Enacts Regulation on the Setting and Application of Administrative Penalties Under the Brazilian General Data Protection Law

The regulation sets out the methodology for calculating fines and for determining the other administrative penalties available under the LGPD, such as public disclosure of the infringement and suspension of data processing activities.

Fines can be up to 2% of the annual turnover of the data controller or processor, capped at BRL 50 million per infringement (approximately EUR 8.8 million).

https://www.huntonprivacyblog.com/2023/03/23/brazilian-dpa-enacts-regulation-on-the-setting-and-application-of-administrative-penalties-under-the-brazilian-general-data-protection-law/

Full report at:
https://www.bmalaw.com.br/en-US/conteudo/protecao-de-dados-tecnologia-e-negocios-digitais/special-report-regulation-on-the-setting-and-application-of-administrative-penalties-under-the-lgpd

Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations – Initial public draft of NIST AI 100-2 (2023 edition)

The initial public draft of NIST AI 100-2 (2023 edition), Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations, is now available for public comment.
https://csrc.nist.gov/publications/detail/white-paper/2023/03/08/adversarial-machine-learning-taxonomy-and-terminology/draft

NIST is specifically interested in comments on and recommendations for the following topics:

  • What are the latest attacks that threaten the existing landscape of AI models?
  • What are the latest mitigations that are likely to withstand the test of time?
  • What are the latest trends in AI technologies that promise to transform the industry/society? What potential vulnerabilities do they come with? What promising mitigations may be developed for them?
  • Is there new terminology that needs standardization?

FTC/GoodRx – Latest FTC Health Privacy Case Sheds Light on Agency Health Privacy Approaches

https://www.bakerdatacounsel.com/ftc/latest-ftc-health-privacy-case-sheds-light-agency-health-privacy-approaches/

HBNR (FTC Health Breach Notification Rule)

“The complaint also alleges that until early 2020, GoodRx did not have ‘sufficient or formal compliance programs for reviewing and approving all data sharing requests or third-party tracking tool integrations. It also had no policies or procedures for notifying users of breaches of their personal and health information.’”