In June 2018, Vietnam’s National Assembly passed a new cyber security law that has generated much concern for its stringent restrictions on popular social media organizations. Under the law, which goes into effect January 1, 2019, tech companies would be compelled to store data about Vietnamese users on servers in-country, a move presented as improving the security of Vietnamese nationals. Vietnam has historically been weak when it comes to cyber security and has been ranked among the bottom regionally. According to a 2017 report by the United Nations’ International Telecommunications Union Global Cyber Security Index (GCI), Vietnam ranked 101 out of 165 countries in terms of being vulnerable to cyber attacks. The GCI is a survey that measures the commitment of member states to cybersecurity in order to classify them and project their development at the regional and global levels.
The new cyber security law has several critics. Such a move – as has been expressed with regards to China’s new cyber laws – can potentially impact economic development and deter foreign investment. Perhaps more alarming, dissenters and even some Vietnamese lawmakers signed petitions and conducted peaceful demonstrations to denounce the new law. At the crux of this protest is the potential for the government to use the law to stifle human rights and privacy, including online freedoms of speech and expression. Under the law, Vietnam’s authorities have the discretion to determine when expression is “illegal” and may be restricted. It bans Internet users in Vietnam from organizing to conduct activities for “anti-state purposes” and from distorting the nation’s history. Unsurprisingly, Amnesty International has underscored how the law could empower the government to monitor everything people say online.
Recently, the U.S. Federal Trade Commission (FTC) began investigating whether personal data held by Facebook, Inc. was used by an analytics firm associated with the Trump campaign. Specifically, the FTC is trying to determine whether the company violated the terms of an earlier consent decree when 50 million users’ data was transferred to Cambridge Analytica, a data and media consultancy firm. To date, Cambridge Analytica has been accused of misrepresenting the purpose of some of its data mining, which yielded roughly 30 million Facebook profiles it could comb for data. This calls into question how consumer information is shared with other entities, particularly when consent was not provided.
Social Media & GDPR
This revelation has called into question how social media sites harvest personal information from their platforms. As one article pointed out, “Some large-scale data harvesting and social manipulation is okay until the election. Some of it becomes not okay in retrospect.” This is indeed troubling at a time when personal information is constantly used by malicious actors for monetization or in support of other operations (e.g., social engineering, spam, phishing, credential theft, etc.). A recent report by a content marketing agency revealed that Facebook logins can be sold for USD $5.20. Such access gives a criminal a compromised individual’s contact list with which to target other individuals. According to the same report, an individual’s entire online identity – including personally identifiable information and financial accounts – could be sold for USD $1,200.00. After initially denying the claim, Facebook acknowledged the breach and promised to take action.
Breaches and ransomware attacks are more prevalent than ever, and concern for protecting data is mounting on a global scale.
Toward that end, the EU has put forth its General Data Protection Regulation (GDPR), but no legislation can be implemented without having some consequences on the businesses that must comply with the laws. Given that GDPR aims to standardize data privacy laws and mechanisms across industries, there are few sectors that will not be greatly impacted.
Any company that directly or indirectly controls or processes the personally identifiable information (PII) of EU citizens will be affected by the GDPR changes. Both terms, ‘data controller’ and ‘data processor’, are broadly defined, which means that virtually every company will be impacted. For small businesses, dealing with these data collection and processing regulations will be overwhelming, if not crippling.
Approved by the EU Parliament in April 2016, the European Union’s (EU) General Data Protection Regulation (GDPR) is set to go into effect in May 2018. The new regulation replaces the 1995 Data Protection Directive and is designed as a new approach to how organizations address the processing and protection of data, particularly the personally identifiable information of EU citizens. In addition to streamlining how all EU member states secure information, the GDPR standardizes data privacy laws across the Union. Since the GDPR is a regulation and not a directive like its predecessor, it is binding across all EU member states.
The GDPR goes into effect at a time when substantial breaches have dominated the news, particularly incidents in which users – through no fault of their own – had their sensitive personal information put at risk. The breaches at Equifax and the Office of Personnel Management are two examples, the former exposing the personal data of nearly half of the population of the United States. One of the most notable aspects of the GDPR, as opposed to its predecessor, is its focus on the rights of individual EU citizens, empowering them with substantial control over how organizations use, process, and store their information. According to the GDPR, the individual-friendly rights include:
First announced in 2015, the United Kingdom’s (UK) Digital Strategy was finally published and went into effect on March 1, 2017. Per the government’s website, the goal of this document is to provide a blueprint for how the UK will build on its success to date in developing a world-leading digital economy that works for the greater good. This is particularly important given that the UK is a global capital for financial technology, which generated £6.6bn of revenue in 2015.
RSAC 2017 is behind us. It has been bigger, noisier and more crowded than any cybersecurity event in history. It’s so big, it’s overwhelming. And if you consider the off-site meetings, mini-conferences, meetups and parties you can forgive an average visitor if he or she feels kind of fuzzy afterward. Vendors don’t have it easy, either. With more than 700 companies and organizations presenting, trying to stand out or simply gauge the competition is extremely difficult.
The new GDPR (General Data Protection Regulation; see the full document here) issued by the EU earlier this year raises many questions among compliance and privacy officers. Who is required to comply with the GDPR, and are companies really expected to revamp the entire way they handle customer privacy?