SHIELDing Your Personal Information
Well, this is interesting: This is the second week in a row with data breaches involving both encrypted passwords and digital “account tokens,” which connect to third-party services. In this regard, news compiler Flipboard’s recent breach does sound somewhat like Canva’s. Though it’s not yet clear how, Flipboard has announced the unauthorized access of its databases, which stored personally identifiable information on an unspecified portion of its 145 million monthly users. The notable aspect of this intrusion is that it lasted for over nine months before the company detected it. Regardless, if these breaches can teach us anything—at least, anything positive—it’s that things could be a lot more thorny for users if their passwords weren’t protected, or if even more sensitive information were needlessly collected. It appears that these organizations are learning.
In their thorough notice of the event, Flipboard describes what precautions its users should take in great detail. The platform has also reset all passwords.
In tangentially related news, with all the personal information up for grabs, lawmakers across the country are taking the initiative to protect it as best they can. The absence of a unified federal standard has most recently set the wheels in motion in New York. Taking charge as other states have done, the New York State Senate is expected to pass the Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act (can’t help but wonder if that’s a Marvel reference) as its own GDPR equivalent. I say GDPR equivalent, as it seems the SHIELD Act specifically borrows quite a bit from the European regulations.
If it passes, not only will businesses need to follow New York cybersecurity guidelines if they are located in the state, they will be equally on the hook if they handle NY resident data. This is a similar stipulation to what we saw in GDPR requirements across countries. The SHIELD Act could likewise have major international repercussions. As Dov Goldman of Panorays points out, speaking to ISBuzz News, “NY regulates thousands of financial service firms that are headquartered or just have a presence in the state…. In this regard, SHIELD may be to the US what GDPR has been for Europe.”
Whether or not this law acts as a standard for other states, as California’s privacy laws have, remains to be seen. Some organizations may at long last be taking better defensive measures, but cyber criminals never stand pat; expect to see more state-level actions as long as a national standard is absent.