The Australian privacy commissioner, Angelene Falk, has emphasized the importance of speed when it comes to notifying individuals impacted by data breaches. Falk urged organizations to be more expedient in their response in order to ensure affected individuals have sufficient time to protect themselves and remain vigilant against potential scams. While 74% of breached organizations in Australia reported the incidents within 30 days, Falk believes there is room for improvement.
One of the key factors leading to delays in notification is the practice of running assessments before launching an investigation. In one instance, an organization’s investigation took over five months due to this approach. Falk recommends that organizations conduct assessments and investigations simultaneously to increase efficiency. The Office Australia’s Information Commissioner (OAIC) emphasized that an eligible data breach can occur based on unauthorized access alone, even without conclusive evidence of unauthorized access, disclosure, or loss. Data can be stolen using less traceable means, such as screenshots.
In another development, the US Securities and Exchange Commission’s (SEC) new cyber incident rules for businesses came into effect recently. The new rules require breached companies to report an incident to the SEC within four days of determining that it is “material” in nature. Although this specific requirement will not be enforced until December, experts advise companies to start preparing for the change now. Companies are urged to collaborate between their security, legal, and corporate communication teams to adjust their cyber incident response plans and financial reporting processes accordingly.
However, there is some uncertainty surrounding what constitutes “materiality” according to the SEC. While the agency defines materiality as a breach that would likely change the judgment of a reasonable person relying on the report, there is still room for interpretation, especially considering the limited timeframe for disclosure. Additionally, the guidelines lack specific instructions on how companies should handle third-party attacks, which are increasingly common. Supply chain attacks present additional complexities in reporting the nature and scope of an incident. Companies need to determine how to involve third-party teams within a short timeframe for effective incident management.
In a nationwide effort, the top prosecutors from all fifty US states submitted a joint letter to the leaders of the House and Senate, urging them to pass legislation to combat the use of artificial intelligence (AI) in producing child sexual abuse materials. The prosecutors advocate for the creation of a commission of experts tasked with investigating how AI technology can be utilized to generate such content. The findings of this research would then be used to expand existing legislation. The prosecutors emphasized the urgency of the situation, stating that action should be taken to protect children from the dangers of AI. The bipartisan initiative has received support across party lines, highlighting the importance of protecting children from exploitation through innovative technologies.
While the US has yet to pass AI-related legislation, earlier this year, the Senate conducted hearings to discuss the potential threats posed by AI. In contrast, lawmakers in the European Union have already implemented AI rules. The prosecutors’ joint letter demonstrates a united front in addressing the issue and emphasizes the need for immediate action to counter the use of AI in the production of child sexual abuse images.
Overall, these developments highlight the ongoing efforts to enhance privacy and cybersecurity measures while safeguarding against emerging threats. Promoting prompt notification of data breaches, enacting effective cyber incident disclosure rules, and advocating for legislation to protect against AI-generated child sexual abuse materials are crucial steps in addressing these issues. It is essential for organizations, regulatory bodies, and lawmakers to collaborate and adapt swiftly to the evolving landscape of privacy and cybersecurity.