Category: Uncategorized

Cyberattacks are a growing threat, making it crucial for us to understand the tools and techniques available to secure applications.  Today, we dive into the differences and similarities between Dynamic Application Security Testing (DAST) and Penetration Testing with insights from a Veracode industry expert and certified penetration tester, Florian Walter. DAST is an automated technique designed to identify security vulnerabilities in web applications and APIs during runtime. It effectively simulates attacks to detect common issues like SQL injections and cross-site scripting vulnerabilities, making it ideal for continuous security checks across various stages of the software development lifecycle. Conversely, Penetration Testing involves expert testers manually examining applications to pinpoint vulnerabilities that automated tools might miss. This method provides deep insights, especially in complex environments handling sensitive data, offering a nuanced…

New tech often requires new thinking — but that's harder to install.

• The Indiana Senate Committee on Commerce and Technology voted 11-0 to advance Senate Bill 5, an act concerning consumer data protection.
• A subcommittee of the Iowa House Committee on Economic Growth and Technology passed House Study Bill 12, an act to consumer data protection, to the full committee on a 3-0 vote.
• Two comprehensive privacy bills were introduced to the Hawaii Senate. Senate Bill 974 and SB 1110 passed their first readings on the Senate floor and await committee referrals.
• The Massachusetts Legislature will consider two comprehensive privacy bills in addition to Senate Bill 745. Senate Bill 1971, the Massachusetts Information Privacy and Security Act, and House Bill 3245, the Internet Bill of Rights, both take aspects from the EU General Data Protection Regulation.
• State Sen. Sharon Carson, R-N.H., introduced Senate Bill 255, an act relative to the expectation of privacy.
• State Rep. Shelly Kloba, D-Wash., reintroduced House Bill 1616, the Washington People's Privacy Act.

Hackers stole customers' encrypted data during a November 2022 security breach of GoTo, the parent company of password manager LastPass, CNET reports. The breach was a direct result of an August 2022 breach, in which an “unauthorized party� accessed a shared GoTo-LastPass cloud storage service. In November, hackers used the stolen data to access unencrypted customer files.
Full Story

Euractiv reports the Council of the European Union is drawing closer to a consensus position on the proposed European Health Data Space. The council's Working Party on Public Health agreed on amendments to the European Commission's proposed provisions regarding secondary use of data, including withholding data for the purposes of public security and national security. Member states also proposed a new criteria for health data access entities to allow or limit access to health data.
Full Story

• The Indiana Senate Committee on Commerce and Technology voted 11-0 to advance Senate Bill 5, an act concerning consumer data protection. The committee adopted an amendment to add a sunset on the right to cure in 2028. SB 5 needs two Senate floor votes to change chambers.
• State Sen. Sharon Carson, R-N.H., introduced Senate Bill 255, an act relative to the expectation of privacy. The bill carries no business exemptions and contains a right to cure. SB 255 was referred to the Senate Committee on the Judiciary.
• State Rep. Shelly Kloba, D-Wash., reintroduced House Bill 1616, the Washington People's Privacy Act. The opt-in bill is modeled after Brazil's General Data Protection Law and carries a private right of action. It was referred to the House Committee on Civil Rights and Judiciary.

IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, breaks down the latest privacy developments in the nation’s capital, including a look at the potential road ahead for the proposed American Data Privacy and Protection Act as the 118th U.S. Congress settles into its new structure.
Full Story

A view from Brussels: ENISA cybersecurity priorities and the threat landscape analysis

IAPP Managing Director, Europe, Isabelle Roccia considers the EU cybersecurity policy conference held by the European Union Agency for Cybersecurity this week. Some of its work, such as threat landscape analysis, guidance on breach notification and implementation of EU laws like the NIS2 Directive that entered into force last week, is particularly relevant to privacy professionals.
Full Story

Kenyan President William Ruto announced the formation of a “data protection registration system� as part of the country’s observation of global Data Privacy Day, The Star reports. Ruto made the announcement as part of a two-day event in Nairobi that connected “stakeholders from government agencies (and) private and public sectors . . . to help to raise awareness and promote privacy and data protection best practices.� Meanwhile, Pulse Live Kenya reports Ruto said Kenyan citizens will eventually need digital identification as the government digitizes approximately 5,000 services.
Full Story

1. The IAPP and FTI Consulting published the "Privacy and AI Governance Report."
2. The IAPP published the “Global Legislative Predictions 2023� white paper.
3. IAPP Editorial Director Jedidiah Bracy, CIPP, spoke with Goodwin Partner and IAPP Westin Emeritus Senior Fellow Omer Tene about what he thinks will be some of the biggest developments in privacy in 2023.
4. Ireland's Data Protection Commission sent the Meta data transfer case to the EU for EU General Data Protection Regulation Article 65 dispute resolution.
5. The European Data Protection Board published its binding decision in the DPC'S case against WhatsApp over violations of the EU GDPR concerning transparency and user consent.

The U.S. Department of Commerce National Institute of Standards and Technology released its Artificial Intelligence Risk Management Framework 1.0 Jan. 26. Required under the National AI Act of 2020, the framework is the product of 15 months of work by NIST scientists who compiled public comments from more than 240 AI stakeholders through multiple listening sessions and workshops, while producing two previous drafts of the document last year. The framework is voluntary but will help organizations deploying AI systems to enhance their trustworthiness and reduce biases. IAPP Staff Writer Alex LaCasse has the details.
Full Story