News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Breaches at our front door: What we can learn from Clearview AI Related reading: Will NYT's facial-recognition story sway privacy debate?

rss_feed

""

A new competitor has entered the ring to dethrone Cambridge Analytica as the biggest privacy scandal of recent times: Clearview AI. In case you missed it, Clearview AI is a facial-recognition app that scraped millions of photos from the web to help law enforcement identify unknown people. Not long after The New York Times exposed it as the company that might end privacy as we know it, the plot thickened. The company was breached.

In response to the incident, Clearview AI observed that “data breaches are a part of life in 21st century.” But, more broadly speaking, what happened was more than just a breach of data. It was also a breach of trust. It is fundamentally similar and potentially worse than Cambridge Analytica.

Breaches are not limited to backdoors

All companies are at risk of becoming a victim of a backdoor breach. Examples include the Target and Equifax incidents that were a result of hackers breaking into the company’s systems. However, the Cambridge Analytica and Clearview AI breaches were not a result of a company’s systems being infiltrated. In the case of Clearview AI, the breach disclosed data about its customers, but the company indicated there was no compromise of its systems or network containing consumer information. Similarly, Facebook’s initial response to Cambridge Analytica was that no systems were infiltrated in a breach that involved the use of Facebook profile data to target users in political campaigns.

Instead, what happened was a result of the systems working as designed. They both involved amassing and using data perceived as assets in a way that proved to be a liability. But the more nuanced similarity is that the liability did not result from the data getting hacked or disclosed to unauthorized users; rather, it was the authorized sharing of the data itself that became the liability. They are examples of modern data breaches that are no longer limited to backdoor exploits but are instead happening at our front doors. They result from poorly navigated data protection risks and ignoring privacy commitments and obligations. And that should be a cause of far greater concern for us.

Why we should pay attention

The front door created by Facebook cost the company 500,000 GBP. The maximum fine if that incident happened today could be up to 1.4 billion GBP. In the case of Clearview AI, the breach is about sharing consumer personal data with undeclared third parties without explicit consumer consent. The timing of the breach makes Clearview AI potentially worse than Cambridge Analytica because there are data privacy laws that now exist to prohibit this type of data misuse. Legal action has already been filed under Illinois’ Biometric Information Protection Act prior to the breach, as well as under the California Consumer Privacy Act immediately after the breach. Most recently, the company has been sued by the state of Vermont for violating its data privacy laws.

What can we learn

The risks and consequences of front door breaches are very different and often ignored compared to backdoor breaches. Here is what we must keep in mind with this type of breach.

Identify your unique footprint

Not all data protection risks are created equal. We have to focus on what matters most. For example, what type of data can you collect, process and store? What type of controls is adequate or reasonable? What type of obligations should you accept or enforce? The answer to these questions is rarely one-size-fits-all but rather based on the company’s unique footprint. Privacy tools, such as data mapping and privacy impact assessments, are good starting points to identify that.

Right-size the risk profile

The next step is to right-size the risk profile. The path to navigating data protection risks is often filled with uncertainty. Overestimating the risks stifles growth and underestimating them can derail the business. To bring clarity to uncertain risk scenarios, we need to view them from both a technical and legal lens. These scenarios often center around the purpose of use. Doing this can help identify controls correlated with reducing data protection risks and consequently the liability exposure of the organization.

For example, the results of data mapping and PIAs should be shared with stakeholders, such as security and legal teams. Security teams can use the results to identify the additional controls necessary to safeguard processes that touch sensitive data (particularly when data sharing is involved). These controls could include a strict code review for modules that allow data to be shared with third parties for a legitimate purpose. It should include unit tests for making sure the ability to share data, such as via an application programming interface endpoint, is enabled or disabled only for the specified purpose.

Similarly, legal teams can use the input to ensure compatibility between the business objectives and its data protection obligations and putting necessary legal protections in place in the contracts. These protections could include an opt-in requirement to authorize the use or sharing of consumer data for a commercial purpose not covered as a legitimate business concern.

Be prepared to respond

Because breaches at the backdoor or front door are a reality, businesses must be prepared to respond. A demonstrably operational cybersecurity program can be the last line of defense in case of accidental breaches. Businesses often view compliance as a burden and question the value it brings to put the effort into a compliance framework. But governance activities, such as documentation of security procedures and practices, as well as certification of adherence to an established security standard, such as ISO 27001, the NIST Cybersecurity Framework or SOC 2, are helpful to demonstrate the reasonableness of your security program that can, in turn, help mitigate legal consequences for the business.

The emerging data privacy landscape has created a perfect storm in which data protection risks must be connected to the security agenda to protect the business from the legal consequences of front door breaches. The lesson we can learn is simple: Don’t ignore the data leaving your front door.

Photo by Beto Galetto on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Rafae Bhatti, CIPP/US, CIPM IAPP Member Contributor
Tags
Privacy Opinion
Comments

If you want to comment on this post, you need to login.

Related Stories

Related Stories
Tags
Privacy Opinion
Recent Comments