At a glance.
- Clearview AI fined by Italian privacy regulator.
- Angry Birds suit.
- Healthcare breach disclosed.
Clearview faces fine from Italian privacy watchdog.
SecurityWeek reports that Italy’s data privacy watchdog has hit US facial recognition tech company Clearview AI with a €20 million fine. Clearview was found to be in violation of the General Data Protection Regulation for collecting photos of individuals to add to its database of over 10 billion facial images. Clearview says all of the images were taken from public websites like social media, and the data is used to aid law enforcement in criminal investigations. Nonetheless, the privacy watchdog has ordered the company to delete all data relating to the people of Italy and has banned Clearview from any further collection or processing of Italian data, stating, “The personal data held by the company, including biometric and geolocation data, are processed unlawfully.” Privacy advocates have condemned the company for its data collection activities. Privacy International has filed complaints with data regulators in France, Austria, Italy, Greece and Britain, and last year the privacy watchdogs of both France and Canada also found Clearview in violation of privacy laws.
Angry Birds has its feathers ruffled.
The New Mexico Attorney General has filed a complaint against Rovio Entertainment Corp, the game developer behind the popular mobile game Angry Birds, alleging that the company violated the Children’s Online Privacy Protection Act (COPPA) by collecting the data of children under the age of thirteen without parental consent. Law360 reports that Rovio is angry, indeed, and is pushing to have the suit thrown out. Rovio claims the AG’s case is flawed, and that the state is going “out of its way to cast Rovio as a data-stealing, child-monitoring, time-traveling spy/villain more at home in a video game than reality.” The company says the AG’s suit lacks any hard evidence of specific children in New Mexico who had their data collected improperly by the game, but instead relies “on broad, conclusory allegations regarding Rovio’s purportedly improper data collection practices pertaining to ‘children’ across the country (if not the globe).” Rovio also asserts that the only data collected from minors was related to persistent device identifiers. “Once it is understood that the State’s claims relate only to the technical aspects of electronic devices — as opposed to highly-sensitive personal details about their users — the State’s alarmist rhetoric suggesting that websites (and, by extension, Rovio) are collecting sensitive personal information about a child’s life loses relevance,” Rovio stated. The AG declined to comment.
Worse than a pain in the back.
US medical specialist Central Indiana Orthopedics (CIO) has disclosed it suffered a data breach when an intruder gained unauthorized access to patient data last October. The potentially compromised data includes patient names, addresses, Social Security numbers, and some medical info. Though the ongoing investigation has shown no evidence of identity fraud, CIO says it has taken measures to mitigate the situation. “Specifically, CIO engaged a specialized third-party cybersecurity firm, changed administrative credentials, restored operations in a safe and secure mode, enhanced the security measures, and took steps and will continue to take steps to mitigate the risk of future harm.”
Felix Rosbach, VP of product management with data security specialists comforte AG, commented on this and other data breaches in the healthcare sector:
“With more news of breached patient data, we question whether healthcare providers are serious about data privacy and security.
“The more these types of data breaches occur, the more the general public understands that protecting borders and perimeters around sensitive data isn’t enough—effective data security needs to be applied directly to sensitive information in the form of data-centric security, including methods such as tokenization or format-preserving encryption. By tokenizing patient information as soon as it enters the data ecosystem, these organizations can continue to work with sensitive data in its protected state due to data format preservation. Better yet, if (or when) threat actors gain access to tokenized data, they cannot comprehend it or leverage it for personal gain or other nefarious purposes. If a healthcare organization isn’t actively assuming the worst and exploring data-centric security to protect patient data, the long-term prognosis doesn’t look good.”