
Genetic Data Protection and More Healthcare Breaches

September 16, 2020

More data breaches and privacy laws to hinder them are in the news this week.  California continues to be proactive in this arena, as the Genetic Information Privacy Act (GIPA) is soon set to join CCPA in giving people more control over their data.  In this case, the subject is biometric data: its collection, sale, or other form of disclosure.  Any company (for instance 23andMe or Ancestry.com) must obtain express consent before taking these actions, whether for data usage, storage, transfer, or marketing, with penalties up to $10,000 for intentional violation.  A right to private action may put companies at further risk, if the plaintiffs can demonstrate material loss as a result of the breach.

While the California Privacy Rights Act is also on the ballot for November, GIPA and CCPA will exist together, even containing some overlap pertaining to genetic data.  Companies that fall under their purview will have to ensure their consent forms and privacy policies are up to date and compliant.

Laws like CCPA and GIPA are part of a continuing effort across industries and governments against cybercrime, such as the recent security incident at Inova Health Systems.  After its third-party vendor Blackbaud endured a massive breach, Inova has announced it was one of the partners affected.  More than a million donors and patients had their personal data exposed, including provider names, dates, and donation history.

“According to Blackbaud, there is no evidence to believe that any data will be misused, disseminated, or otherwise made publicly available,” Inova says, while also reminding people to monitor their accounts and take advantage of financial protection services where available.  Ransomware was involved in this incident, and Blackbaud reportedly paid the hackers to return their data and permanently delete any stolen information.  According to Blackbaud, they have confirmation their wishes were followed.

Human error also continues its perpetual reign of misfortune over cyber defenses.  Over 18,000 citizens in Wales had their positive COVID-19 tests mistakenly accessible via a public server for almost a full day.  Records show that the data was in fact viewed 56 times before being removed.  Precisely what sort of human error was at play here hasn’t been shared.  It could very well have been something minor and mundane, but that would just be the point, wouldn’t it?  You don’t need to have a headline-grabbing mega breach in order to put thousands of people at risk.  All it could take is a stupid little mistake.

By: Jonathan Weicher, post on September 16, 2020
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security
