

The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️
AI conflict of interests
The National Institute of Standards and Technology (NIST) has released version 1.0 of its AI Risk Management Framework (AI RMF), emphasizing the importance of trustworthy AI systems.
The guidance aims to help those developing and deploying AI address the distinctive risks the technology poses. This first version of the framework is organised around four high-level functions: govern, map, measure, and manage. Under these functions it offers suggestions on evaluating AI systems for legal and regulatory compliance, tracking AI risks over time, and allocating resources to mitigate the risks identified.
However, the framework's release has sparked concerns about conflicting messages on US federal AI policy.
Two US House leaders wrote to President Biden expressing concern about inconsistent and duplicative AI guidance coming out of the administration. The guidance in question is the White House Office of Science and Technology Policy's (OSTP) Blueprint for an AI Bill of Rights, which sets out five core principles for designing and using AI, including protection against algorithmic discrimination. The letter reads:
"We are concerned that the release of the Blueprint, and subsequent public statements by OSTP, are sending stakeholders, the American public, and the international community, conflicting messages about U.S. federal AI policy."
OSTP, for its part, maintains that the two documents are complementary rather than competing: it provided input to NIST's framework and led the development of the Blueprint. Alondra Nelson, OSTP's Deputy Director, said that AI presents challenges that are bigger and broader than any single effort or agency.
AI is currently a hot topic, with Google preparing to put more of its own AI capabilities in front of the public following the surge in use of ChatGPT.
That will mean more data being used to train these tools, and more robust regulation to go with it. Definitely an interesting space to watch.
To notify, or not to notify, that is the question
Data breach notifications are not as transparent as they should be. According to the Identity Theft Resource Center's (ITRC) latest annual Data Breach Report, two-thirds of breach notices last year failed to provide enough information for affected individuals and businesses to gauge the risk they faced.
For comparison, in 2019 notices that contained details of the attack and the victims made up 72% of all written notifications; last year that figure fell to a five-year low of 34%.
ITRC CEO Eva Velasquez says in the report, "The result of these trends is less reliable data that impairs the ability of individuals, businesses and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one." With the number of potential victims jumping 41% YoY to 422 million, it's alarming that the details in the data breach notices are lacking.
According to the ITRC, compromised businesses are making a conscious decision to withhold information, and the group specifically calls out DoorDash, LastPass, and Samsung for providing too little detail in their state-mandated breach notices. The cost of that vagueness became clear in the case of LastPass.
The potential damage from the breach at LastPass and its parent company GoTo escalated alarmingly when the password manager, months after its initial disclosure, informed customers that an attacker had copied a backup of their vault data: everything except the master password itself, leaving the strength of that master password (and the key-derivation settings on each account) as the only protection for the stored credentials.
In conclusion, the inadequate information in breach notices highlights how little state data breach notification laws actually guarantee. Increasingly, it is not what we know but what we don't know that is most troubling.
Other data privacy news
Google Fi says hackers accessed customers’ information
4 Data Privacy Compliance Articles You Should Read
‘I’m not Snow White. I have to think like a criminal’: how I became a burglar for hire
That last one is a little different from the usual fare, but interesting nonetheless.