Data privacy is the footprint of our existence. It is our persona beyond ourselves, with traces of us scattered from birth certificates, Social Security numbers, shopping patterns, credit card histories, photographs, mugshots and health records. In a digital world, where memory is converted to 0’s a…
Joe Dehner - Global Data Privacy Lawyer
You buy a new computer. You push the power button. Your screen blazes with tips and prompts, not from the device maker but from tech giants like Microsoft and Google. You rush to get started with offerings from these giants and other iconic providers. What about your personal information and how your privacy will be affected by your launch on the new device? Or perhaps you skipped the privacy choices long ago and now wonder what happened by default and your deferral of exercising privacy options? Come along as the Data Privacy Detective activates his new desktop and laptop. Learn how tech giants confront how personal information will be collected, shared, and used - or not, depending on your choices - or your failure to make them. Consider how your decisions when you launch a new computer (or make privacy choices now with an existing one) expand or limit risks to your identity and personal privacy in the digital world. Time stamps: 02:43 — Google privacy settings 07:30 — Lenovo privacy settings
Episode 155 considers three important developments as 2024 opens: -How the European Union's pending AI Act blazes a new trail -How umbrella insurance may or may not apply to claims involving biometrics -How Quebec's 2023 data privacy act will reshape privacy notices throughout North America. Yugo Nagashima and Brion St. Amour, attorneys with the coast-to-coast U.S. law firm Frost Brown Todd LLP, team with the Data Privacy Detective to cover these three essential matters. On December 9, the European Union published a preliminary agreement on the Artificial Intelligence Act, a pioneering law that provides a framework for sale and use of AI in the EU. We consider what the AI Act covers and the four-levels-of-risk approach the EU will take for regulating AI. We then jump into discussion of a class action lawsuit against Krispy Kreme Doughnut Corp. The suit claims a violation of the Illinois Biometric Information Privacy Act (BIPA). Does Krispy Kreme's insurance coverage apply? We consider the distinction between the lawsuit's claims and the company's umbrella policy. The insurer declared that Krispy Kreme is not entitled to an insurance paid defense, based on a policy exclusion. The Quebec Act for protection of personal information in the private sector became law in September 2023. December 18, 2023 Guidance from Quebec's Commission covers what must be in privacy notices, including that they be in clear, simple language (in French and English). https://www.cai.gouv.qc.ca/politiques-de-confidentialite/ What is “clear and simple”? The Guidance offers a checklist of what organizations should say in their website privacy postings, and is certain to force changes in websites of digital businesses that cover U.S. and Canadian markets. Time stamps: 01:16 — EU's pending AI Act 10:11 — Umbrella insurance and biometrics 17:08 — Quebec's 2023 data privacy act
Why do businesses create cookies for their websites – and what choices can visitors make when a popup asks us to choose? Can chatbots write privacy policies for businesses? How can we determine if a website shares personal information we provide to it – and if so, for what purposes? Donata Stroink-Skillrud, President and Legal Engineer of Termageddon (https://www.termageddon.com), addresses these questions. As data privacy laws and regulations spread, data privacy technology and policies must adapt. As website visitors, we should understand our choices when deciding what to click on cookie popups and should know whether a website business is gathering our personal information for limited and proper purposes. Learn a trick about how to know if a business shares personal information. Businesses wishing to be privacy compliant and earn a privacy-centric reputation should consider top tips. For individuals, hear advice for how we can protect our personal information in a world of growing threats to our privacy. Time stamps: 01:00 — Cookies, explained 06:21 — Chatbots, explained 10:56 — How can we find out if a business is sharing our personal information? 14:21 — Tips for businesses that want to focus on user privacy 15:24 — Tips for individuals who want to protect their privacy
When we visit websites, we increasingly see popups. Why is this? How does consent affect online advertising? And what's changing in 2024? Mate Prgin, founder/CEO of Enzuzo (https://www.enzuzo.com) explains how Google's 2024 standards force online retailers to obtain express consent from customers for collecting and sharing personal information. Bolstered by the recent Quebec Law 25 (first in North America to adopt GDPR-style consent standards) and spreading U.S. state laws led by California, North American online sellers are driven to change their website technology and practices to give consumers the choice of allowing or refusing their personal information to be shared and used for personalized advertising. The meaning of “consent” and how it is provided in practice become essential for internet commerce in 2024. Understand how internet retailers can comply with law and private sector standards, how individuals will be empowered to exercise choices when shopping online about how their personal information will be used and shared. Time stamps: 01:30 — What do you see in 2023 about data privacy compliance 04:23 — Google's 2024 standards, explained 10:48 — Top tips for businesses in setting up their websites with privacy for users in mind 11:58 — Top tips for individuals who want to protect their privacy
Data clutter – we keep our homes tidy, at least some of us do. But what about digital data? It accumulates and grows over time. Unlike hard copy files, which can be pitched or sent to long-term (expensive) storage, data is silent and unobservable (except perhaps to IT personnel). Explore how organizations amass vast amounts of data containing personal information, some highly sensitive. There it resides, posing serious risks to organizations and individuals. In Episode 152 Jason Cassidy, CEO of Shinydocs (https://shinydocs.com), takes us on a tour of data clutter. Learn the vast amounts of unintended data gathered and kept by businesses that don't need it, how this can be managed, how personal privacy can be more secure through state-of-the-art data management. Consider how data can be auto-classified on creation, how files can be better located with data breach risk minimized. Hear an industry expert's top tips about data management for organizations and individuals. Make it a new year's resolution to de-clutter, to data-minimize, to control fileshares, to design privacy-centric creation, retention, and storage of digital data. Time stamps: 01:10 — What info do organizations typically store in their databases? 07:20 — What risks to our personal privacy are posed by data clutter? 14:48 — Top tips to organizations for dealing with data clutter 16:53 — Top tips to individuals for dealing with data clutter
Major data privacy news from November - the meaning beneath the headlines: California issues proposed rules on ADTs – Automated Decision-making Technology. Applying California's principal data privacy statute, the California Privacy Protection Agency proposes opt-out requirements, pre-use notices, and other measures for AI and related organizations. A New Landmark for Consumer Control Over their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology (ca.gov). The TSA is using biometrics at U.S. airports with little notice or disclosure. Some U.S. Senators have called “time-out.” What's going on with biometrics at airports? BUR23A41 (senate.gov). The influential Data & Trust Alliance proposes eight cross-border Data Provenance Standards. Learn how international standards are being set by the private sector to increase transparency, reliability, and use of datasets essential for AI. Will data become labeled and tracked like food and art? How does private standard setting lay the groundwork for privacy conscious laws and regulations? Consider the immediate opportunity to provide your comments about AI and personal data privacy. The Data & Trust Alliance (dataandtrustalliance.org). Tune in to Episode 151 for analysis, as the world of data privacy spins toward 2024. Time stamps: 00:59 — ADTs 09:02 — The TSA is using biometrics 13:47 — Data & Trust Alliance proposed Data Provenance Standards
Perry Johnson & Associates (PJ&A) provides medical transcription services to healthcare organizations. Its website states that it offers “secure HIT solutions,” using “multiple U.S. based, secure data centers for documentation storage and disaster recovery.” But in November 2023, PJ&A began informing about nine million people by individually sent letters that “between March 27, 2023 and May 2, 2023, PJ&A learned that an unauthorized party gained access” to its network and “acquired copies of certain files from PJ&A systems.” A November 2023 TechRadar report summarizes the background: “A total of 8.95 million individuals are affected, with the stolen data including full names, birth dates, postal addresses, medical records, and hospital account numbers. Furthermore, the hackers took admission diagnoses, as well as dates and times of service. In some cases, the hackers also stole Social Security Numbers (SSN), insurance and clinical information from medical transcription files, and names of healthcare providers - all of which would be more than enough to stage highly convincing social engineering attacks (phishing, identity theft, etc.) and could result in many class-action lawsuits.” How did a leading MedTech company respond to this cybersecurity incident? Tune in to learn how one podcast listener was informed by letter about the wrongful release of the individual's medical information and sought details with no success. Consider how society must prepare better to address the aftermath of data breaches and what we can do collectively and individually to protect our most sensitive information.
Blockchain technology. Can it be a solution to privacy risks inherent in traditional IT? How is it different from cryptocurrency? What can it do to allow both individuals and organizations to limit and protect personal information exchanged in daily life? Explore these questions in Episode 149, with Zenobia Godschalk, head of communications for Swirlds Labs (https://swirldslabs.com). Take a brisk tour of an open-source approach that applies blockchain technology to our evolving web. Learn about Hedera – an open source, leaderless proof-of-stake network. Consider how an individual need not share a lot of personal information when a transaction requires only proof of one thing – such as whether the individual is an adult or whether a person actually is a bank account holder. Listen for top tips to organizations and individuals about how open-source blockchain technology can minimize risks to personal information and identity theft. Hear how public ledgers for decentralized economies are changing our digital existence and can be a means of protecting personal privacy without disrupting our digital world. Time stamps: 01:02 — What is blockchain technology, and how is it different from cryptocurrency? 07:30 — What is tokenization? 12:42 — Is blockchain 100% effective? 14:44 — Top tips for organizations in considering blockchain technology as a replacement for traditional IT 18:52 — Top tips for individuals in considering blockchain
Post-Quantum Data Privacy – what is it? What does it mean for organizations and individuals? That is this episode's focus. Tune in to learn how one company offers privacy-protective messaging and cryptocurrency services in the age of Web 3.0 and quantum computing. JB Benjamin, the founder of UK-based Kryotech Ltd. (Kryotech Group), provides a tour of Vox Messenger and Vox Wallet. These services employ privacy-centric technology. Explore how our personal information is collected, used, and shared often without our knowledge or approval. Consider how technology beyond passwords is essential to deter unwanted use of our personal information and to minimize rising theft of our financial resources and even our identities. Quantum computing means an exponentially increased power that can be used to break through lengthy passwords and otherwise hack and misuse data, both personal and organizational. Defenses are also evolving. Post-quantum privacy entails use of double-ratchet encryption, message immolation, sophisticated use of public and private keys, and other techniques. Individuals can be empowered to make choices about the value of their digital information and identities, which otherwise are swept up and used by businesses without payment. Understanding post-quantum data privacy is essential to empowering each individual to decide how to exercise choices about use of personal data. Time stamps: 01:08 — How is our personal info used by companies to make a profit? 04:51 — What does Kryotech do to enhance privacy? 12:54 — What is Vox Crypto and how does it enhance privacy? 18:03 — Top tips for businesses who want to focus more on privacy 20:10 — Top tips for individuals who want to protect their privacy
How small and mid-sized organizations can afford privacy by design: Making data privacy and security affordable and scalable. Tech giants have vast budgets for cybersecurity and data privacy. But most organizations are small or mid-sized enterprises (SMEs) and can't afford expensive in-house talent, hardware, and software to combat data piracy or prevent data breaches. How do startups, SMEs, and MSPs create a privacy responsible foundation as they start and grow? How can they make privacy part of their offering to customers? How can they maintain first-class cybersecurity and data privacy as they scale and grow on an affordable budget? Darren Gallop, co-founder and CEO of Carbide (carbidesecure.com), provides advice on these and other topics in this Episode. With an overview of how secure personal information is today, Darren explains the benefits of starting with a secure privacy-centric foundation on an outsourced basis, then adding essential tools as an organization grows. Listen for top tips on how organizations and individuals can protect sensitive personal information on an affordable basis. Time stamps: 01:59 — How secure is personal info these days? 06:10 — On a limited budget, how can small and mid-sized businesses invest in data protection? 12:02 — How does an SME maintain first-class data privacy practices? 17:19 — Top privacy tips for individuals
October 2023 was a busy month for data privacy. Join our monthly podcast of three major developments in the world of personal information and technology. Our picks are these: 1. On October 30, President Biden issued an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (AI). Noteworthy to Data Privacy was his call for Congress to pass bipartisan data privacy legislation, especially for children, which would be a significant step towards a federal data privacy law. In addition to national security and other features, the EO prioritizes federal support for accelerating privacy-preserving techniques, strengthening privacy-preserving research and technologies, evaluating how agencies collect and use commercially available information, and developing guidelines for federal agencies to evaluate the effectiveness of privacy-preserving techniques. Explore what the Executive can do in the absence of Congressional action on data privacy. FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence | The White House. 2. The Federal Trade Commission amended its Safeguards Rule to require non-banking financial institutions to report certain data breaches to the FTC. Learn which businesses are covered and what the rule requires of them. Explore how the new reporting requirements will force a wide range of businesses to report data breaches in detail to the FTC, and how this could affect data privacy. FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches | Federal Trade Commission. 3. A United Kingdom court rules on October 17 that Clearview AI was not liable to the UK's Information Commissioner for scraping the photos of UK residents from the internet and offering its services to foreign law enforcement agencies. ukftt_grc_2023_819.pdf (nationalarchives.gov.uk). 
Learn why the extraterritorial reach of GDPR principles does not extend as many thought it might, how UK residents who have not consented to Clearview's use of their images have no remedy, and what this means for any regulation of what people post on the internet. Time stamps: 00:25 — Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence 05:53 — FTC amends Safeguard Rules 11:16 — UK Court rules in favor of Clearview AI
Malevolent attacks on data are rising. Misuse of data is an increasingly sophisticated criminal industry. How to defend? Philippe Humeau, a founder and the CEO of CrowdSec (CrowdSec - The open-source & collaborative security suite) is our guest. He explains how an open-source approach to editing a collaborative security stack for identifying and sharing malicious IP addresses across a community of users can be a powerful force for good in protecting data against mal-actors. This episode explores how malevolent data attacks occur and are expanding, how malicious IP addresses can be identified and shared, and how building a community defense can make the internet a safer place for everyone. Learn how open source can improve defenses, how multilayer firewalls function, how VPNs are addressed in the defense of data. Receive top tips for organizations and individuals on how to protect personal and organizational data. Time stamps: 03:08 — Malevolent Data Actors 08:03 — Can an open source platform defend against malactors? 10:26 — Multi-player firewall 11:58 — Top tips for organizations/businesses 13:56 — Tips for individuals
External data privacy – what is it? How do current threats to personal data privacy require defenses beyond stronger hardware and software? Harry Maugans, CEO of Privacy Bee - https://privacybee.com - explains how external data privacy requires us all to think beyond protections provided by organizations to which we belong. Data brokers, AI database collectors, and cybercriminals all seek access to PII (personally identifiable information), which can be used for good and bad purposes and can result in physical and financial risks to individuals. Steps can be taken to safeguard personal information, even of famous individuals who don't want certain types of information made public or misused about them. Tune in to Episode 144 to enrich your understanding of privacy-centric thinking and take practical steps in protecting personal data privacy. Time Stamps: 00:55 — What does 'external data privacy' mean? 08:55 — How do cybercriminals exploit systemic weakness? 11:25 — How does a well-known person keep their privacy?
Today's vehicles have cameras looking inside and outside and communicate information about us to third parties as we drive. This supports continuous product improvement by automakers. But it also raises important privacy concerns. Yevgeny Khessin, Founder and CTO, and Andy Chatham, Co-Founder, of DIMO (https://dimo.zone) take us on a tour of how our privacy is at risk while we are mobile. Episode 143 considers these questions: How do individuals and vehicles get connected while mobile? What privacy concerns does the modern vehicle raise? Who owns our data while mobile? How can privacy concerns be addressed by privacy-centric automakers? What can automakers and each of us do to safeguard privacy while mobile? Time Stamps: 01:28 — In what ways do people share data with their vehicles? 04:00 — What are the privacy concerns? 06:27 — What does DIMO do? 11:12 — Top tips for producers of mobile/vehicle products 15:05 — Top tips for individuals who want to safeguard their privacy
Amazon Store challenges the European Union over whether it is a VLOP. What's that, you ask? Find out and discover how an EU Court issued an early split decision under the EU's Digital Services Act. America's first state, Delaware, becomes the 12th state to adopt a comprehensive data privacy code. Google agrees to pay $93 million, strengthen its privacy policies, and be more transparent about location tracking, to settle California claims. Explore the deeper meaning of these September 2023 data privacy developments. Yugo Nagashima, Brion St. Amour, and Joe Dehner, members of Frost Brown Todd LLP's Data Privacy and Cyber Security Team, discuss what these events mean for organizations and individuals. Join the dialogue! Time stamps: 00:33 — Delaware adopts data privacy code 05:20 — Google agrees to pay $93 million 10:48 — EU Court issues split decision under EU's Digital Services Act
Artificial intelligence – AI. Headline news, Senators gathering with gurus to figure out what to do, lawsuits, chatbots that offer to be our virtual concierge but then make up stuff in their responses. What's at stake for our privacy? And what does it mean for us as individuals? Not for us as unwitting data providers or as recipients of communications from machines that can spew misinformation, but as human beings? Tune in to Episode 141 for a brisk walk down the yellow brick road of AI. Check out what's behind the wizard's curtain as AI aims to improve our lives and even to organize them. Consider the front end – is our personal information ours, or is it free for the taking? And the back end – how can a Chatbot affect us when we seek its benefits and cause suffering when it misadventures? Time stamps: 00:29 — How is data being used to train AI? 09:20 — What can AI providers do to safeguard consumer privacy? 11:56 — What can we do to safeguard our privacy when working with AI?
Decentralized Finance – DeFi – is with us and spreading. Tune in to Episode 140 to understand DeFi - how blockchain technology works and what privacy concerns are at stake. Consider a technology that increases the protection of organizational and individual private information when financial transactions are conducted through DeFi instead of traditional buyer-seller information technology. Anish Mohammed, Co-Founder, CTO, and Chief Scientist of Panther Protocol, explains how DeFi works and the privacy considerations about its use. He discusses with the Detective the ways in which DeFi can be conducted in a way to protect financial data and trading strategies of DeFi participants, as well as how we as individuals can better guard our own identities and wealth. Time stamps: 01:07 — What is DeFi? 06:13 — Panther Protocol 09:49 — Advice for businesses 10:52 — Advice for individuals
Tech giants have invented eyeglasses that can tell us the name of a person we encounter. An image of the person is sent to an AI database. Within seconds, the glasses name the individual we are seeing. Retinal scans, fingerprints, photos posted on Facebook, Fitbit data about heart rate – all represent biometric information about us that is digitized and sent into the data stream. Imagine how useful such eyeglasses will be to visually impaired persons. The convenience and security of biometric data in making purchases or getting through airline security – undeniable. But also imagine how an authoritarian government or mal-actor can use biometric information teamed with AI to follow and target us. Is privacy dead? Has biometric AI gone too far? Tune in to Episode 139 for a tour of these profound issues. What are biometrics and how do biometric data get turned into products and services for good and ill? What laws and regulations protect and restrict biometric use? Who owns an individual's image? Can others access our data without our consent? What can organizations and individuals do about this? Dan Cotter, attorney at Howard & Howard, discusses these matters with the Detective in Episode 139. Time stamps: 03:20 — Do current laws have protections for people's biometric data? 06:50 — Do we own our own biometric data? 11:05 — Tips for individuals 13:31 — What are the top issues that arise for organizations that use biometric info?
August 2023 was a news-filled month for data privacy. Tune in for a review of top developments: Biometrics – how Illinois deals with Clearview AI's use of facial recognition data and how a new lawsuit challenges Amazon's and Starbucks' use of biometric payment systems in New York City; CFPB – how the U.S. Consumer Financial Protection Bureau has declared its intent to regulate data brokers; India – how its newly adopted Digital Personal Data Protection Act charts an independent course to protecting personal digital data privacy of Indian residents. Brion St. Amour and Yugo Nagashima of Frost Brown Todd LLP's Data Security and Privacy Team join the Detective on a tour about the meaning of these developments. Time stamps: 00:10 — Biometrics 06:33 — CFPB 11:48 — India
The U.S. Government collects data globally about persons and organizations. In doing so, it collects vast amounts of data about U.S. persons “incidental” to collecting foreign intel for national security purposes. Since the Carter Administration when the Foreign Intelligence Surveillance Act (FISA) became law, this has raised conflicts between the personal privacy of U.S. and foreign persons and the Government's interest in national security and crime prevention. The FBI has accessed FISA databases millions of times through U.S. person queries without a warrant – creating front-page news and raising major concerns from the left and right of politics. Tune in to understand what is at stake, as Congress considers by December 31, 2023 whether and how to extend FISA. Learn about FISA, the reach of Section 702, how it operates in practice, and how the privacy issues involved affect data flows and commerce between the United States and Europe and the privacy of persons domestic and foreign. Consider how information about U.S. persons is involved and can be accessed without a judicial warrant. Our guests are Gene Price, a partner in Frost Brown Todd's Louisville office, retired as Rear Admiral from the U.S. Navy where he supported U.S. Cyber Command and Naval Information Forces Reserve, and Yugo Nagashima, a partner in the firm's Washington, D.C. office and Deputy Chair of its Data Security and Privacy Team. Time stamps: 01:45 — What is FISA? 09:23 — What is a “US person query”? 15:15 — What are the privacy implications of FISA?
The world's most populous country adopted a comprehensive data privacy code in August 2023 – the Digital Personal Data Protection Act. Join this episode for a tour of the law's main features. A departure from the EU's GDPR approach and from prior draft bills of the Government, India took a unique approach to protecting digital personal information of its residents. Instead of data localization, it chose to encourage global data flows under relatively flexible standards while requiring reasonable safeguards to prevent data breach. The law will come into force on a rolling basis in coming months. Stephen Mathias, Bangalore office partner-in-charge and Co-Chair of the Technology Law practice of Kochhar & Co., one of India's premier large law firms, explains the Act's main features. Learn the basic approach taken, not only to comply if your organization may be subject to its reach but also to consider how a vast country with highly skilled tech professionals chose to regulate personal data privacy, enable government use of personal data for security and public order, and embrace India's strengths in the data economy. Time stamps: 01:00 — Evolution of the Digital Personal Data Protection Act 03:45 — How is the law similar to and different from GDPR 08:00 — The government's right to obtain data 13:32 — Data localization 15:02 — Significant data fiduciary
Generative AI – ChatGPT for example. Have you considered how generative AI collects our personal information to provide its benefits in ways that can do us wrong? What can we do about the risks? How should legislators and regulators balance AI's benefits with our rights to personal privacy? Rita Garry, a Chicago attorney with the firm of Howard & Howard Attorneys, PLLC, provides data privacy and cybersecurity services with a view to the specifics of each client. Tune in to learn what Generative AI is, how it affects individual privacy, what the recently announced White House five principles for AI regulation are, and what organizations and individuals can do about generative AI. Time stamps: 05:35 — White House's AI Bill of Rights 14:00 — Advice on how we can decide how AI uses our data
July 2023 was hot – record setting global temperatures. Likewise in the data privacy world. Tune in for an exploration of three top topics in data privacy by Frost Brown Todd's Yugo Nagashima and Brion St. Amour with the Data Privacy Detective. Illinois – major Supreme Court decision from the first state to adopt a biometric data privacy law – raising the stakes for businesses in using biometrics in the workplace. U.S./EU – a third attempt to facilitate personal data flows between the European Union and the United States is deemed “adequate” by the EU – will it work despite two prior failures? What's the new option for U.S. businesses? The United Kingdom's draft Online Safety Bill and Apple's threat to leave the UK – what's behind this battle between freedom and law & order in social media? Why is Apple threatening to leave the UK market rather than submit to new proposed rules that would require it to give the UK government a backdoor entry to end-to-end pro-privacy encryption? Time stamps: 00:40 — Illinois 05:47 — U.S./EU 14:22 — UK
Our personal data is collected, sold, shared, used, and misused in ways most of us cannot imagine. Data brokers that buy and sell our personal information (“PI”) do it behind the scenes and almost always without our knowledge or consent. Data brokers are largely unregulated. What can be done about perils that have led to murder, theft, and other mayhem through easy access to PI? Tom Daly, CEO of MePrism, takes us on a tour of the consumer privacy landscape. A consumer data privacy company, MePrism programmatically removes people's sensitive information from the internet. Explore what can be done to protect individuals from swatting, doxxing, and other misuse of their personal information, early state and federal steps towards regulating data sales and sharing, and measures that organizations and individuals can take to prevent mal-actors from gaining ready access to our PI.
Who owns our personal data? As technology advances in Web 3.0, traditional software and claims of third parties over what they can do with our personal data are under challenge. Join Chris Were, co-founder and chief architect of the Australian company Verida, to consider how blockchain thinking can allow us to achieve self-sovereign identity. Explore in Episode 132 what this means and how we can take better control of our digital presence. Understand the meaning of self-sovereign identity, how it aims to secure sensitive information about ourselves and to put us in control of how our digital footprints are used and shared with others. Learn the role of zero-knowledge credentials and how a crypto wallet holding our personal information functions. Explore how digital assistants we engage could help us control our personal information as AI scrapes, stores, employs, and adapts our data in ways we may not approve.
Oregon, California, and TikTok top the list of data privacy developments of June 2023. Tune in for how Oregon's new data privacy statute blends the best of California and other state statutes for a comprehensive code and adds a unique twist about who can enforce it. Learn how a California court extended the effective date of a California agency's regulations drafted to implement the Golden State's pioneering California Consumer Privacy Act. Consider a whistleblower's sworn testimony that contradicts TikTok's long-held position that it does not and will not share personal data of TikTok users with the Chinese Government, despite Chinese law intended to require such reporting on demand. In concise analysis that digs beneath the headlines, Yugo Nagashima and Brion St. Amour, attorneys on the Data Security and Privacy Team of Frost Brown Todd LLP, share their insights with those of the Data Privacy Detective. Join our podcasts on the first Thursday of each month to probe three top developments from the prior month. Time stamps: 01:04 — Oregon 05:41 — California 08:32 — TikTok
Employers and employees – how much privacy is there in the workplace? Episode 130 explores this question in the United States. What's an employee's reasonable expectation of privacy while working? How do federal and state laws limit employer surveillance of employee activity? What limits are there to an employer's monitoring of employee use of company time and property? Employees use company-provided computers, phones, and other property for a variety of personal purposes, often injecting personal information through a company's IT system. What should employers and employees do about this? And what about departing and former employees – to what extent can or should an employer monitor a departing employee's data streams or keep a former employee's personal information? Annee Duprey, a partner in the Labor & Employment Group of Frost Brown Todd LLP in its Columbus office, and Seth Granda, a senior associate in the firm's Nashville, Tennessee office, tour this complicated and challenging terrain and offer top tips to both employers and employees. Time stamps: 01:20 — What is a reasonable expectation for employee privacy in the US workplace? 08:18 — Are there limits to what kind of monitoring employers can conduct on their employees? 14:35 — What limitations are there for employees on what they can do with company-provided devices? 20:15 — Top tips for employees and employers?
What happens to our personal information after death? What can we or society do about whether any privacy exists for dead people? Episode 129 considers post-death privacy. Data privacy laws are largely for and about the living and give scant attention to the dead. But a few extend to protect data privacy after death, regarding medical information and dignitary interests of decedents and families. It's not quite a free-for-all. Consider how estate plans generally ignore a person's digital data but could be written to address this important interest. Learn how laws could be crafted to protect the reputational and other interests of deceased persons. Hear how technology can be used to create a digital avatar and project a person's immortal presence for interactive conversations with great grandchildren and beyond. Think how you might wish to preserve your private information beyond your lifetime.
Our personal medical information is sensitive. It becomes digital data shared beyond the medical professional who requests and needs it to provide care. Learn how our medical information is shared and used in ways that create privacy risks many of us do not wish to assume, how tech companies profit from its use, how federal and state law provide rules about medical privacy, and what companies and individuals can do about the subject. Our guest Jay Barnes is an attorney with the firm of Simmons Hanly Conroy, which represents consumers and local governments in mass tort and class actions. Jay shares insight into how tech companies collect and use personal medical information to generate profits through customized advertising we may or may not wish to receive. He explores how the underlying principle should be that of giving each person the freedom to choose whether individual medical data can be shared with and used by third parties. Tune in for a segment about what businesses should do to comply with law and earn a privacy-centric reputation and what each of us can do to increase the privacy of our medical data. Time stamps: 00:56 — How is medical data digitized and shared? 05:10 — How do state laws deal with medical data privacy? 10:04 — How can a balance between personal data privacy and public health data be struck? 14:22 — Advice for businesses on how to handle consumer medical data responsibly and safely? 16:16 — Advice for individuals on keeping their medical data secure
Get the latest on data privacy news from May 2023. Meta is fined about $1.3 billion for transferring European personal data to the States. But what's underneath this record fine? What does it mean for how personal data rules are enforced in the EU? Are EU standard contractual clauses no longer a safe harbor for trans-Atlantic business? Washington adopts a data privacy law for health data. Will this be copied by other states as part of the ebb and flow since Roe v. Wade's overturning? Texas adopts a comprehensive data privacy code. How does it differ from other states with personal data privacy statutes? What does it portend as this mega-state becomes the tenth state to adopt an overall approach to personal data privacy? Tune in to Episode 127 to join the conversation. Time stamps: 00:14 — Meta fined by Ireland 09:10 — Washington State's new data privacy law 15:00 — Texas's new data privacy code
Bail decisions are critical in the lives of arrested persons. They come without judgment of guilt or innocence but can mean the deprivation of freedom for individuals as they await trial. But they can also have crushing unintended consequences for persons who become the victims of persons released without bail or on insufficient bail. Episode 126 takes no position on the headline debates about bail reform. Instead, Ken W. Good takes us on a tour of the privacy issues involved with bail. A thirty-plus-year attorney, Ken is on the board of directors of the Professional Bondsmen of Texas, the voice of the bail industry in that state. What information does a magistrate or judge obtain when deciding on bail? What personal information about the accused individual is available, and does this data become available to the public? Is setting bail an open court matter? Is AI entering the courtroom through algorithms that make risk assessments about accused persons? Tune in to consider this critical stage of the criminal justice system and how the privacy of all of us is affected. Time stamps: 01:06 — What is the bail bondsman's view of bail and potential bail reform? 02:34 — What are the privacy issues of bail? 05:40 — What data is presented before a magistrate in determining bail? 08:52 — Is the bail decision a public record? 10:15 — Are A.I. and algorithms being used in bail determinations? 12:07 — How might bail decisions evolve in the next 5-10 years?
Identity orchestration. Explore its meaning. Discover in Episode 125 how identity orchestration can protect data privacy and data security. Founder and CEO of Strata Identity [https://www.strata.io/], Eric Olden explores with us the change under way from passwords and multi-factor authentication to a radically different approach to safeguarding and verifying identities in a world of distributed data. Learn what a blue checkmark will mean within LinkedIn as one example. Consider how a system of passwords and identity exposure sprinkled among hundreds of applications and sources exposes individuals and organizations to hacking and theft risk at the weakest link. Can technology protect us from ourselves? Learn what OIDC (OpenID Connect) means and how it relates to the ongoing struggle between mal-actors and the rest of us. Time stamps: 01:12 — What is Identity Orchestration? 04:12 — What is Project Indigo? 07:01 — OIDC - OpenID Connect Protocol 15:25 — Challenges for privacy as technology changes, and what we can do about it
The modern automobile – a marvel of technology and transportation. It collects enormous amounts of data about us. This information is used for continuous improvement in design and safety and for our convenience. But it also creates risks to personal privacy. Episode 124 provides a tour of what automakers, suppliers, and users can do to create fair controls over how the automobile monitors, records, and shares personal information. Standard setting includes the Alliance for Automotive Innovation, in its Consumer Privacy Protection Principles. NIST (the National Institute of Standards and Technology) issued 2023 revisions to its Cyber-Security Framework. In the absence of national law or regulation about automotive privacy, these standards are a baseline for acceptable use of automotive generated personal data. Tune in to consider what automotive businesses and private individuals can do to safeguard personal privacy while allowing continuing technological and safety progress. Matt Schantz, an attorney with Frost Brown Todd's Automotive Industry Team, with a focus on intellectual property and technology agreements, leads an exploration of how our car is watching, listening, recording, and sharing our data – and choices businesses and consumers have to protect personal privacy. Time stamps: 01:10 — How do today's automobiles collect data about their drivers? 05:00 — How do automakers and suppliers address privacy concerns? 06:40 — What guidance does NIST have on balancing automaker interests with individual privacy concerns? 10:19 — Tips for automakers and suppliers about meeting privacy concerns and/or regulations? 13:57 — Tips for drivers about safeguarding their data
What do Indiana, Tennessee, and Montana have in common? They adopted comprehensive data privacy laws in April 2023. Explore the similarities and differences and a unique Tennessee provision about national standards. Is a pattern emerging for how the U.S. regulates personal data? Consider the privacy implications of Artificial Intelligence. Global leaders are racing to understand and decide how to regulate AI. G7 leadership met in Japan on April 29 to consider a joint approach to the dark side of AI. And hear how a request to Google's Bard resulted in both a text and a refusal to generate a deep fake. Utah enacts the first state law giving parents control over minors' use of social media. Whose privacy is paramount before a person reaches age 18? How does Utah's law address the rights of parents and children in a world of social media with its far-reaching impact on us all? Time stamps: 00:40 — What do Indiana, Tennessee, and Montana have in common? 02:50 — Tennessee adopts NIST privacy framework 05:16 — How are governments thinking about how to regulate artificial intelligence? 07:27 — What is generative A.I.? 08:03 — G7 leaders met in April to discuss A.I. 11:07 — Utah enacts law giving parents control over their children's social media
How can an organization comply with a wide diversity of privacy laws being adopted and changed across the globe? How does an organization create a compliant and privacy-responsible policy to assure its customers that their privacy will be protected? Join Rachael Ormiston, Head of Privacy at Osano, as we explore these questions. Osano (https://www.osano.com/) offers a “No Fines, No Penalties Pledge” to its customers. Consider how and why it does this and seeks to offer real-time compliance in an evolving world of data privacy regulation. Hear the trends of data regulation and learn whether there is hope for harmonization across borders for how our personal information is regulated and protected. Time stamps: 01:28 — What does Osano do? 03:06 — What are the essential elements of a successful privacy policy for a mid-sized organization? 05:55 — How do you aim to create a privacy policy that is compliant with current and future regulations? 09:58 — How should companies think about their privacy policies in terms of international users? 12:14 — What does the future of data privacy regulations look like? Will different countries and regions develop their own different privacy regimes?
Join Duane Laflotte and Patrick Hynds of Pulsar Security as the Data Privacy Detective asks these essential questions about cyber-crime and data privacy: How hard is it to break into a website or organization's IT system? What are top tips for mid-sized organizations to defeat data attacks? What's the future for people seeking a cybersecurity career? Pulsar Security offers institutions cyber-protection through software and services to prevent data leaks and losses at reasonable cost. Tune in for insights into countering the growing tide of data and identity theft. Time stamps: 02:15 — How hard is it for a bad actor to infiltrate a company's website or IT system? 03:37 — How much safer is HTTPS? 05:50 — What are the top ways a mid-sized business can protect itself from cybercriminals? 07:10 — Why is it important to know which data is flowing through your organization? 09:55 — How often should you change your passwords? 13:18 — Are we going to be able to keep up with cybercriminals?
Artificial Intelligence and data privacy. Explore their relationship in this episode. It's a subject little addressed by law or regulators and largely invisible to the public. AI depends on amassing a huge amount of personal information, collected and processed largely without consent or awareness of individuals whose personal information is being used. Once collected by AI businesses, personal data can leak to bad actors. And the services that are AI-driven can result in misapplications and mistaken projections, causing untoward harm to individuals. Vinay Kumar, CEO and Founder of Arya.ai, opens for us the black box of AI. We consider how ML Observability tools such as AryaXAI can make AI understandable to all stakeholders, including those whose personal data is used to train AI models and create AI-powered services in finance and other fields. Time stamps: 01:08 — What do AI and data privacy have to do with each other? 04:28 — What is an ML Observability tool?
What do ChatGPT, Iowa, TikTok, and Spyware have in common? They all made data privacy news in March 2023. Italy's Data Protection Authority blocked ChatGPT internet use on privacy grounds, the first western government to do so. Iowa became the sixth U.S. state to adopt a comprehensive personal data protection code. President Biden issued an Executive Order against federal use of social media containing spyware, without expressly naming TikTok or China as the targets. Join the Data Privacy Detective's conversation with Mike Nitardy and Yugo Nagashima, attorneys with the Data Privacy Team of Frost Brown Todd LLP. Explore the meaning of these developments for data privacy and its place in the world of technology and of us all. Time stamps: 00:43 — ChatGPT in Italy 06:54 — Iowa develops a comprehensive personal data protection code 12:00 — Executive order against federal use of social media containing spyware
Prominent South African data privacy attorney Ahmore Burger-Smidt described 2022 as a year of “bloodbath” for personal data privacy in a recent report from her firm Werksmans. The firm manages the Lex Africa Legal Alliance, with members in over twenty-five African countries. Cybercrime is extensive and growing in Africa, similar to trends evident in the rest of the world. Cybercriminals employ increasingly sophisticated phishing attacks and business email compromise schemes and have expanded with cryptocurrency attacks and direct entry into data storage and other technology to steal personal data and identities. African countries have responded through governmental and private sector efforts. South Africa's Protection of Personal Information Act (POPIA) is about two years in force, with its implementation encouragingly steadfast. Click on Episode 118 for an African view of how the battle between cybercrime and civil society is unfolding. Time stamps: 01:33 — What cyber crime / data privacy issues are we seeing in South Africa? 03:49 — Business email compromise 09:08 — South Africa's regulatory approach to data privacy 15:35 — South Africa's regulatory regime has both carrots and sticks
The European Union's GDPR (General Data Protection Regulation) became effective in May 2018. It declared a thorough and far-reaching set of rules for data privacy and became the global leader in how personal data privacy can be regulated and enhanced. What have almost five years shown? Is it successful? Entrenched? A model others follow? And how does it work in practice in 2023? Episode 117 considers how GDPR has become an embedded fabric for how personal information flows – or fails to flow – across borders. While an adopted framework within the EU and affecting global business without regard to borders, GDPR has not been copied everywhere. It varies both from the data localization approach of some countries and from the freer market approach of the United States and other countries. Tune in for what's happening in early 2023 with GDPR and how it has worked in practice. Time Stamps: 01:28 — GDPR Fines 03:36 — United Kingdom privacy regime 04:43 — 2023 examples of laws influenced by GDPR 07:40 — US and EU attempting to create a safe harbor for data transfers between the two 08:23 — Differences between US and Europe regarding privacy 09:30 — Europe's draft data act
Government regulation is moving towards giving consumers the right to stop companies from selling or sharing their personal information. How easy do companies make it for consumers to make this request—and then have it mean something? This episode contrasts two companies that take very different approaches to the question. One company makes its money through advertising, and to do that it needs to collect and share personal information of those who use its browser and other offerings. Another was fined by the California Attorney General for failing to give its visitors a choice. It now posts a clear and simple way for consumers to stop it from selling or sharing their personal information to others. Consider in Episode 116 how websites can provide consumers the right to protect their privacy and what consumers can do about it when companies make it difficult or impossible to stop them from selling or sharing their personal data. Time stamps: 00:30 — Sephora's privacy policy 07:57 — Google's privacy policy
Many of us wonder how the internet knows so much about us. We are barraged with tailored ads as we use the internet. How does this happen? How does this affect the compliance risks of businesses and the data privacy of us all? Dan Frechtling, CEO of Boltive, explores the digital advertising ecosystem in Episode 115. Explore the sub-terrain of the internet, how it creates advertising revenue that is the business model of many tech firms, how unwanted ads and mal-advertising encroach, how it affects our personal privacy, and how regulation increasingly requires businesses to offer consumers the choice of refusing the sale or sharing of their information. Learn how businesses can minimize risk and avoid compliance violations and how consumers can make privacy choices within their control. Visit Boltive at https://www.boltive.com/ to learn more about inadvertent data leakage. Visit https://www.linkedin.com/in/frechtling/ to connect with Dan. Time Stamps: 01:40 — What brought Dan into the data privacy space? 07:50 — Consumer privacy concerns about digital advertising 09:06 — Data privacy minimization 09:42 — What Boltive does to address these issues 11:13 — What is the future of the digital advertising business model?
The Data Privacy Detective welcomes Frost Brown Todd attorneys Mike Nitardy and Yugo Nagashima to cover three important developments in the world of data privacy: -Updates to the California Privacy Rights Act (“CPRA”) – highlights of final regulations just issued -FTC settlement with GoodRX - the first enforcement of the Health Breach Notification Rule – its meaning for the healthcare industry and us -European Commission's proposed “Data Act,” which could radically change the rules of data sharing and stimulate competition in tech sector Time stamps: 01:15 - California Privacy Rights Act amendments 07:58 - FTC settlement with GoodRX 11:55 - EU Data Act proposal
Business Email Compromise – it's a major way that global thieves steal trillions of dollars. Bill Repasky, an attorney at Frost Brown Todd LLP, with years of experience in electronic payments and cyber-fraud defense, explains how attacks of this type occur, why they are growing, what can be done to prevent them, and what a business can do if attacked this way. Common types of Business Email Compromise attacks are what appear to be incoming customer payments, outgoing payments to suppliers of goods and services, and internal attacks (where a mal-actor takes over an employee's email account at the business). While anti-phishing training is important, it is not enough. Businesses can minimize risk of loss by upgrading institutional defenses this podcast discusses. Tune in for a tune up on how businesses can deal with the rising global crime wave of Business Email Compromise. Time stamps: 00:46 - What is Business Email Compromise? 03:28 - What businesses are being targeted? 05:35 - What are the common threads we see in business email attacks? 08:24 - How do internal business email attacks occur? 11:00 - How is public information on social media used as part of email attacks? 11:38 - Key things businesses can do to prevent attacks? 14:20 - What is “out-of-band” verification and how can it help prevent attacks? 17:15 - What should a business do once it knows it has been attacked?
In this bonus episode, we bring you the Data Privacy Detective's guest appearance on the Privacy Week podcast's "The Privacy Panel Discussion" special.
Canada and the United States are each other's major commercial partner. Many U.S. companies have Canadian customers and collect and process personal information about Canadians. They must therefore understand Canada's and its provinces' regulation of personal data privacy. The Canadian regulation of data privacy is very complex, with a maze of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws and regulations. In this conversation with Lyndsay Wasser, a Toronto-based attorney at the Canadian law firm McMillan LLP, the Data Privacy Detective asks what cross-border businesses should know about privacy and data security in Canada, as well as looming changes on the U.S.'s northern horizon. Time stamps: 01:05 - What is the general state of data privacy and security law and regulation within Canada? 02:33 - What does Quebec do differently? 03:18 - Do foreign companies need to consider individual provincial laws in addition to the federal laws? 05:27 - How is the Canadian privacy regime similar to the EU's GDPR? How is it different? 07:14 - What should a US company know if it collects data from Canadian users? 08:16 - How does Canada address data localization? 09:43 - What does the future look like for data privacy law in Canada? 13:06 - What advice would Lyndsay give on the type of guidance companies should seek regarding Canadian data privacy?
“If it's free, then you are the product.” We carry in our pockets devices that have powerful mechanisms for collecting our information–where we go, what we buy, and even how fast we move. Every time we scroll through social media on our phones, we are submitting extremely precise data about what we might be interested in… even down to how many seconds we slow down to look at an individual post. By using these products and services, we are in effect consenting to this data collection, which comes back to us in the form of targeted advertising. But is there an alternative? What can we do if we want to use these services but don't want to give over so much of our personal information? Ryan Patersen's company Unplugged is betting that there are many people willing to pay more for more privacy. The products and services Unplugged offers present a fascinating test case in how much people value their privacy, and Ryan joins the Data Privacy Detective podcast to tell us all about it. Learn more about Unplugged at their website – https://www.unplugged.com/ Time stamps: 01:23 – How do our devices collect data on us? 03:57 – How do companies use our data? 07:22 – What are the privacy risks? 08:44 – What is Unplugged doing differently? 14:10 – How much money is each user worth to the big tech companies as an ad delivery conduit?
Tech giants like Google, Apple, and Facebook incur huge Euro fines from European Union data privacy authorities. This is a “stick” approach, perhaps more like a “club,” of forcing EU rules upon global companies, aiming to force tech giants to change data privacy policies and practices to GDPR's strict demands. Enter the Netherlands - with a different way of achieving changes in privacy practices through a joint approach. A January 23, 2023 New York Times article by Natasha Singer highlighted the Dutch carrot and teamwork way of getting companies to embrace EU rules without first resort to financial penalties. This podcast considers how the Dutch treatment – an audit and negotiation approach – offers a successful means of boosting personal privacy through collaborative solutions. Tune in for a refreshing example of how data privacy authorities and technology giants can work together to achieve common personal data privacy goals. New York Times article - How the Netherlands Is Taming Big Tech (Jan 18, 2023) by Natasha Singer - Link: https://www.nytimes.com/2023/01/18/technology/dutch-school-privacy-google-microsoft-zoom.html Time stamps: 00:21 - How the Netherlands has approached GDPR compliance 01:41 - GDPR fines have gotten the attention of Big Tech companies 03:03 - NYT article by Natasha Singer on Dutch approach to Big Tech 07:40 - The Dutch's different approach of collaboration rather than lawsuits has been effective
The Data Privacy Detective Joe Dehner will be appearing as part of the LinkedIn Live event, "Privacy Week Podcast Palooza." Tune in on Thursday, January 26 from 3:00 to 4:00 p.m. EST: https://www.linkedin.com/video/event/urn:li:ugcPost:7021476486180212738/
A Third Way Emerges - Light Touch. India - soon to be the world's most populous country, a fast growing economy with a highly sophisticated tech sector. It's a country with a digital rupee in circulation and digital identity cards. Since independence, India has forged an independent path between “east and west.” About a year ago, the Modi Government withdrew a bill based on Europe's comprehensive privacy-centric approach to personal data privacy, GDPR. In November 2022, a very different bill was proposed by the Ministry of Electronics and Information Technology – the Digital Data Protection Act. What caused the change and where is India headed? In Episode 109, Stephen Mathias of the premier Indian law firm Kochhar & Co explains the new approach. Expected to be adopted by mid-2023 in a final form, it is very different from either GDPR's strict and privacy-centric approach or the U.S. model of sectoral and partial rules without an overarching federal code. India will use a “light touch” approach. It will leave many details open to evolving technology and future administrative rule-setting. Explore this very different model for national regulation of data privacy and security.
Identity management. Learn how an automated approach can defend against the rising tide of data hacks, thefts, ransomware attacks, and other assaults on private information. Kevin Dominik Korte, IT Innovation and Growth Strategist of Univention, explains how an automated approach to login and other steps we take to connect to the internet and intranets can reduce the ability of bad actors to succeed in their attacks on IT systems, large and small. Traditional identity management is more costly and risk prone than what can be designed into an automated IT system that includes privacy and security by design. Consider how digital identities can be managed to increase security and minimize data breach risk in Episode 108.