“In the Connected and Automated Mobility (CAM) ecosystem, cybersecurity … should be seen as a core enabler that protects safety and provides value to products and services, and is integrated in the lifecycles of products’ and services’ activities,” says the European Union Agency for Cybersecurity (ENISA) in a new report on the cybersecurity challenge in CAM.

Key points:
  • Raise awareness to the top management level.
  • Raise awareness throughout the organization, and especially at the right decision level.
  • Promote the integration of cybersecurity along with digital transformation at the board level.
  • Advise on fast-moving business and technology topics such as cybersecurity on a permanent basis at board level.
  • Promote procurement processes to integrate cybersecurity risk-oriented requirements.
  • Address cybersecurity skills to keep up with the creative (e.g. design thinking) skills that the company’s strategy aims to foster.
  • Define clear roles and responsibilities regarding cybersecurity.
  • Take into account the cybersecurity needs of both business and supporting processes.
  • Define a risk management process.


“I strongly support legislation that would provide Connecticut residents with express and — frankly, overdue — privacy rights. My office has always maintained that consumers should have as much notice and control over the collection and use of their personal information as possible. Connecticut residents should be afforded the right to know, the right to correct, the right to delete and the right not to be treated differently if they exercise those rights. They should also have the power to stop businesses from selling their sensitive data,” says Connecticut Attorney General William Tong.

“There is also currently a focus on being proactive. When we are reacting, the damage has been done already — information has been compromised or a privacy violation has occurred. In our view, it is far more efficient to proactively ensure that privacy policies and practices comply with the law and are clear to consumers. We meet periodically with companies to discuss the privacy and security implications of upcoming or new products and services, and we have been able to have concerns addressed up front in a productive and cooperative fashion.”

Details from the International Association of Privacy Professionals.

“Perfect is the enemy of the good where it comes to regulation of data privacy rights,” agree both Washington State Sen. Reuven Carlyle and California Supervising Deputy Attorney General Stacey Schesser in the International Association of Privacy Professionals panel, “State of the States.”

Per Carlyle:
  • The Washington Privacy Act (WPA) is coming back next year and in the meantime will hopefully continue to inspire other states.
  • You need to figure out your focus: enforcement of the right of a particular individual or fixing systemic wrongs.
  • A private right of action calls out the balance between the risk of over-enforcement and under-enforcement.
Per Schesser:
  • This is the “California Consumer Privacy Act,” not the California Act of Businesses trying to mitigate risk but actually pretty much doing the same thing as before.
  • The right to cure has surprisingly proven an effective tool to provide companies with clarity.
  • Dark patterns are a new area of proactive enforcement focus.
Per Colorado AG Phil Weiser:
  • You need to balance between being over prescriptive and too vague when drafting legislation.
  • The enforcement authority should have as many tools as possible, including something similar to the DOJ ‘no action letters’.

“Contrary to popular belief, data security begins with the Board of Directors, not the IT Department. A corporate board that prioritizes data security can set the tone throughout an organization by instilling a culture of security, establishing strong security expectations, and breaking down internal silos to facilitate technical and strategic collaboration,” says the Federal Trade Commission in a new blog post.

  • Build a team of stakeholders from across your organization
  • Establish board-level oversight
  • Hold regular security briefings

A strong data security program should never be reduced to a “check the box” approach geared toward meeting compliance obligations and requirements.

Read the blog post.

“When it comes to data — if you can’t protect it, don’t collect it,” says Maarten Bron of Riscure.

The National Institute of Standards and Technology (NIST) has issued a report on its workshop on home IoT devices.

Key takeaways, which also apply to other IoT devices such as connected vehicles:
  • Creating a more secure IoT ecosystem for consumer devices can benefit all manufacturers and the “common good.”
  • Manufacturers are challenged by balancing the design and functionality of consumer IoT devices against maintaining a viable cost structure for their target market.
  • Manufacturers can benefit by having a recognized business model around a “connected device lifecycle” that covers the mechanical and information technology (IT) components of a home IoT device.
  • Consumers cannot bear the sole responsibility of maintaining cybersecurity on IoT devices.
  • Software and patch updates are critical to maintaining security, but a consumer’s ability to deploy them is limited.
  • Privacy plays a role in the manufacture and consumption of home IoT devices but is not well understood by consumers, especially third-party sharing.
  • Consumer education about home IoT cybersecurity should be an ongoing, shared responsibility among stakeholders.

Read the full report.

Better (cyber)safe than sorry.

“Cybersecurity is going to be the new safety,” says Ikjot Saini, PhD, of the University of Windsor.

“Unlike other technologies with links to electronic networks such as smartphones and smart appliances, physical accidents can happen if smart automobile systems are compromised through hacking or computer viruses, and these can cause real market damage.”

Cybersecurity “has many faces in today’s automotive industry and poses significant risks if left unchecked,” says Flavio Volpe, Automotive Parts Manufacturers’ Association (APMA) president. “Companies must safeguard their products, operations and systems no matter the type of components, parts, systems and assemblies they produce.”

The SHIELD Automotive Cybersecurity Centre of Excellence, based at the University of Windsor, will work with APMA to reduce cyber-vulnerabilities in vehicles and their components among manufacturers, researchers and motorists, with plans to offer consultation and test services to small and medium-sized Canadian companies.

Read the full article in Ward’s Auto.

Hey voice assistant: you’ve got some complying to do.

The European Data Protection Board has issued draft guidelines on the data protection aspects of using the increasingly prevalent virtual voice assistants.

Some key points:
  • Transparency is key but is also not easy to do well: 30 pages of single-spaced privacy notice won’t cut it. Think more like dashboards and voice commands.
  • Mind your legal basis. “Necessary for contract” might work for certain things but “consent” might be more appropriate in others, especially when there is biometric data used for identification (which is Article 9 special category data).
  • Approach your data retention mindfully. It should be granular and specific for the different processing purposes.

Deeper dive in this insight article for OneTrust DataGuidance.

“Consumer data should be owned by the consumer. If we want to collect and use it for any marketing purpose, we must explain how we will do so – and obtain consent and permissions. (GDPR explains this quite nicely.)

But to get that agreement, the consumer must understand the trade-off. They need to understand what’s in it for them and see real value in the arrangement. On the whole, I’d argue we’re not yet holding up our end of the bargain,” says Robin ‘Bob’ Caller, CEO and founder of Overmore Group.

“That data is not, and never will be, ‘your’ first-party data. The customer is the first party in this transaction – you, as the marketer, are the second party.”

“As second-party data holders (i.e., you, the marketer), brands must obtain permission from the first party.”

“The path of least resistance is accepting that ‘privacy-first’ means ‘user-first.’ That needs to be buttressed by express and informed consent, an unbundling of permissions and empowering consumers to retain sovereign control over the what, as well as the why, when and how their personal data is used.”

Details in this AdExchanger article.

About face.

“Obscuring your face does not hide you from facial recognition systems, researchers have found.”

“A group from the Max Planck Institute found that blurred images were still individually identifiable with just a few non-obscured images to train from. With the proliferation of images on social networks, it is possible that almost anyone’s blurred face could still be identified.”

“The researchers said only 10 fully visible examples of a person’s face were needed to identify a blurred image with 91.5% accuracy. With an average of just 1.25 tagged images, the system could still correctly identify an individual 56.8% of the time, which is 73 times higher than chance would allow.”

“The best method for staying anonymous is to post all your pictures … with a black box over your face and shoulders. The next safest would be blocking it out with a white box, then a Gaussian blur.”

Details in Wired magazine.

“[T]he customer is king. And data sharing increases comfort and convenience for customers, improves products and services, and contributes to achieving societal goals such as improving road safety, reducing fuel consumption and facilitating traffic management,” says Eric-Mark Huitema, Director General of the European Automobile Manufacturers’ Association (ACEA).

“[The] principle that should guide the future framework for access to in-vehicle data is customer choice.”

“In-vehicle data sharing should be based on clear terms and conditions ensuring that consumers know what data they share and with whom, in full compliance with privacy and data protection rules. [C]ustomers need to give permission to allow third-party access to data and that they should remain in control of data sharing at all times.”

“Any future EU framework for access to in-vehicle data should not constrain innovation and competitiveness. Instead, it should lay down basic principles in key areas to safeguard fair and non-discriminatory access, technology neutrality, customer choice and – above all – people’s safety and security.”

Details from the European Automobile Manufacturers Association.