placeholder

From De-Identification to Re-Identification: Considering Personal Data Protection

The recently published research paper “Estimating the Success of Re-identifications in Incomplete Datasets Using Generative Models” shows how the likelihood of a specific individual to have been correctly re-identified can be estimated with high accuracy even when an anonymized dataset is heavily incomplete. The presented results reject the claims that, first, re-identification is not a practical risk and, second, sampling or releasing partial datasets provide plausible deniability. Moving forward, the results also question whether current de-identification practices satisfy the anonymization standards of modern data protection laws such as GDPR and CCPA and emphasize the need to move, from a legal and regulatory perspective, beyond the de-identification release-and-forget model.

placeholder

The SHIELD is Now Up: New Legislation To Protect New Yorkers Against Data Security Breaches

“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Governor Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”

placeholder

A Practical and Looming Danger? SHA-1 Collision Attacks

The work that Thomas Peyrin and his colleague, Gaetan Leurent, have done goes far beyond just proving SHA-1 chosen-prefix collision attacks are theoretically possible. They show that such attacks are now cheap and in the budget of cybercrime and nation-state attackers.

placeholder

Utah: A Leader in Digital Privacy

Utah Gov. Herbert signed off this week on a bill that positions Utah as the state with the strongest data privacy laws in the country when it comes to law enforcement accessing electronic information. The bill, HB57, establishes that a warrant must be secured before law enforcement may access electronic data held by a third party, thus protecting information passed to a third party such as Dropbox or Google Drive.

placeholder

Privacy Shield and the UK: An Important and Time Sensitive Update

The United Kingdom (UK) has notified the European Union (EU) of its intention to withdraw from the European Union on March 29, 2019.  In order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework (“Privacy Shield” or “the Framework”), Privacy Shield participants must update their Privacy Shield commitments by the Applicable Date.

placeholder

Russia, Runet, and Internet Independence

In a sensational test of technological independence, Russia is making plans to cut off its internet from the rest of the world, with a giant ‘unplugging’ experiment that will affect over 100 million Russian internet users. The contentious plan is expected to be enshrined in law soon, and although nobody knows just when the great unplugging will take place, it should happen imminently.

placeholder

Considering The California Consumer Privacy Act of 2018

The California Consumer Privacy Act of 2018 creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees or customers who are residents of California. Companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019.

placeholder

Research Replay: Norton Rose Fulbright Releases 2018 Litigation Trends Annual Survey

Released in November 2018, Norton Rose Fulbright’s 2018 Litigation Trends Annual Survey highlighted a decrease in the number of lawsuits commenced against survey corporate counsel respondent companies over the last year. However, the survey also noted that the growing international nature of many business operations has caused a spike in conflicts related to countries’ differing discovery and data protection laws and regulations.

placeholder

The Cost of Cookies in Bavaria: A Data Protection Authority Audit

The Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices. The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a ‘tech industry issue,’ but instead a priority issue for companies irrespective of their industry – and one that can carry GDPR fine risk.