The Risk Report - April 16

There are currently four US states with comprehensive consumer privacy laws in place. That list could soon grow to five as one New England state is set to introduce its legislation as soon as next week. But are more state-level privacy laws really the answer? Or does the federal government need to enact a federal law instead?

BREACHES OF THE WEEK

💅 Concealer won't help

The UK division of Shiseido, a major cosmetics brand, suffered a far-reaching data breach that resulted in several employees having "companies set up in their name, bank accounts emptied, and their credit files destroyed." The Japanese company reportedly failed to notify impacted employees, with the news only breaking by way of a whistleblower employee and a cosmetics industry Instagram account. Shiseido has yet to issue a public response to the incident and has, thus far, reportedly denied any wrongdoing. It remains unclear what caused the breach.

Read the full story

🖥️ Upgrade issues

MetroHealth, a Cleveland, Ohio-based hospital system, has announced a data breach impacting 1,700 patients. In letters mailed to those impacted, MetroHealth detailed that the breach took place in November of last year while its online systems were being upgraded. Patient information compromised includes full names, names of their doctors, and treatment details. No patient financial information was impacted, nor was any other personal or health-related information.

Read the full story

💣 Email storm

The UK’s Home Office, which manages immigration, has apologized for a recent data leak after mistakenly including 170 people in one email in a classic case of reply-all gone wrong. The email group all received the same message about the details of an upcoming visa appointment. One day later, the apology email was sent. No personal information other than email addresses were included in the leak. The UK Visa and Application Service ("UKVCAS") is currently managed by a third-party contractor Sopra Steria.

Read the full story

‍

NOTEWORTHY THIS WEEK

🇺🇸 The fifth state

Connecticut could soon become the fifth US state with a comprehensive privacy law should the recently introduced Senate Bill 6 be signed into law. The bill would nearly mirror the existing privacy laws of Colorado and Virginia, allowing customers to access personal data that companies have collected about them, and would require companies to notify customers of their privacy rights. If SB6 passes, it would go into effect on July 1 of next year.

Read the full story

🎤 One more thing

The IAPP Global Privacy Summit took place in Washington, D.C. this week for the world’s largest data privacy-focused event. Delivering the keynote address was Apple CEO Tim Cook, who called the protection of privacy “one of the most essential battles of our time.” He also spent much of his speech selling the importance of Apple’s strict vetting of iPhone apps, and the dangers of “sideloading”, or the circumvention of App Store vetting. Apple is currently under threat from the EU's Digital Markets Act, which would force Apple to allow sideloading as well as third-party app stores. Was Tim Cook's keynote for the people or for the balance sheet?

Read the full story

Want to receive this newsletter weekly? Subscribe for the latest news on data breaches and privacy legislation.