Good morning, readers. 

This Digest has an uncanny ability, on occasion, to merely tell us what we already know, but in a surprising and unexpected fashion.

Take Cambridge Analytica, Facebook and Professor Aleksandr Kogan’s “thisisyourdigitallife” app. Obviously, the large platforms hold untold riches in data and usable insights on vast populations. We all expect intrusion attempts on their data sets. We possibly didn’t expect an extrusion of data. I’m still reeling at the fact that through just 270,000 installations of the app, Kogan and, through him, Cambridge Analytica obtained (or “extruded”) usable data about some 50 million Facebook users who happened to be “friends” of the 270,000 app users. No doubt, this scale of extrusion is one of the drivers for regulators placing platforms generally under the microscope, explained in some of our lead stories.

Something else we already know is that data security is hard. We all suspected that most organizations were suffering data breaches, but we didn't really know how many or how damaging. The cat's out of the bag now, though. ZDNet’s Asha McLean reports that mandatory data breach notifications are coming in at slightly more than one per day under the new reporting regime — 31 in the first three weeks, to be precise. That’s about a fivefold increase in reporting over the voluntary system. As reporting is only required when a breach can cause serious harm, it's a fair assumption that the rest of the data breach iceberg is keeping private professionals busy with potential harm assessments. It’s also disturbing that only about 20 percent of breaches capable of causing serious harm was being voluntarily reported.

We can expect this to blow a tail wind through New Zealand’s Parliamentary Committee process, as consultation commences on the long-awaited bill to update New Zealand’s privacy laws. The bill provides for mandatory breach reporting, along with other measures explained in NewsNow’s synopsis.