
Latest news with #dataprotection

German data protection official wants Apple, Google to remove DeepSeek from the country's app stores

Yahoo

3 days ago

  • Business

A German data protection official has reported Chinese AI app DeepSeek to Apple and Google, saying the app transfers users' information to China illegally.

Meike Kamp, Berlin's Commissioner for data protection and freedom of information, told the companies that DeepSeek did not provide 'convincing evidence' that users' data was protected as required by EU laws.

'Chinese authorities have far-reaching access rights to personal data within the sphere of influence of Chinese companies,' Kamp said, adding that the two tech firms must now review the report and decide whether to remove the app.

Kamp said that her office had asked DeepSeek to comply with EU laws for transferring data outside the bloc or pull its app from the country, but the Chinese company did not do so.

Italy earlier this year banned DeepSeek from app stores in the country, citing similar data protection concerns.

Notably, two key details about DeepSeek that consumer privacy advocate groups in the EU highlighted are that the service is made in and operates out of China. Per its privacy policy, this includes the information and data that DeepSeek collects and stores, which is also housed in its home country.

Apple and Google did not immediately respond to requests for comment.

This story was corrected to clarify that Berlin's data protection commissioner reported DeepSeek to the companies.

Colorado's Biometric Privacy Law Takes Effect July 1: Are You Ready?

Forbes

3 days ago

  • Business

Colorado's biometric privacy law reflects a broader movement to treat biometric information as a distinct and highly sensitive category of personal data.

Biometric compliance isn't hypothetical anymore in Colorado; it's here. Colorado's new biometric privacy law, House Bill 24-1130, takes effect on July 1, 2025. Enacted more than a year ago, the law now moves from policy to practice. Employers and businesses that collect biometric information, such as fingerprints, facial scans, iris images, or voiceprints, must ensure their systems and policies comply with the statute's requirements.

The law expands the Colorado Privacy Act (CPA) by creating specific protections for biometric identifiers and biometric data. These protections reflect a growing concern: once compromised, biometric information cannot be replaced. A person's voice, face, or fingerprint is uniquely their own. The risks of misuse are real and lasting. As biometric technologies become more common in authentication, timekeeping, and access control, Colorado's law introduces a structured framework that protects individuals while guiding businesses toward responsible use.

Who Is Covered?

Colorado's biometric privacy requirements apply to any business that collects, uses, or stores biometric identifiers or biometric data from Colorado residents. Importantly, these requirements apply even if a business does not meet the CPA's general thresholds for covered entities. That means a company may be exempt from other CPA provisions, but still obligated to follow biometric-specific rules.

This distinction is especially relevant for employers. While the CPA generally exempts personal data collected in the employment context, the biometric provisions specifically cover data collected from employees, job applicants, contractors, interns, and fellows.

Understanding the Terminology

Colorado distinguishes between 'biometric identifiers' and 'biometric data.'
A biometric identifier is a unique biological, physical, or behavioral characteristic that can be used to identify someone. This includes fingerprints, voiceprints, facial geometry, iris scans, and similar measurements. The term biometric data includes one or more biometric identifiers that are used or intended to be used to identify an individual. In other words, the data becomes regulated once it is used for identification.

Digital photographs, audio recordings, and video files are excluded from the law unless they are used to extract biometric identifiers for identification purposes. That distinction matters for companies that rely on technologies like computer vision or speech analytics, which can convert images or recordings into data points such as facial geometry or voiceprints. If those tools extract biometric information and use it to identify a person, the data becomes subject to Colorado's law.

What Must Businesses Do?

Colorado's law imposes strict requirements on how biometric information is collected, stored, used, and shared. Businesses must:

Businesses must adopt a publicly available policy that explains how they handle biometric information. The policy must include:

Biometric identifiers must be deleted when the original purpose for collection has been fulfilled, within 24 months of the last interaction with the individual, or as soon as they are no longer necessary for the purpose identified by the business, whichever comes first. A 45-day extension is permitted if needed to finalize deletion.

Policies do not need to be made public if they only apply to internal employee operations, but they still must be documented and followed.

Before collecting biometric identifiers, businesses must provide individuals with a clear and understandable notice. The notice must include:

Consent must be obtained before collection. The law requires that consent be freely given, specific, informed, and unambiguous.
Consent must be separate from other agreements and may not be bundled with terms of service or other privacy acknowledgments.

In the employment context, employers are permitted to use biometric data in limited, clearly defined situations. These include securing access to physical spaces or software systems, recording work hours, and monitoring workplace or public safety during emergencies. Employers may not collect biometric data to track an employee's location or monitor productivity without separate, voluntary consent. Any other purpose requires a separate and voluntary consent. Employers may not retaliate against employees or job applicants who decline to provide additional consent.

The law prohibits the sale, lease, or trade of biometric identifiers. Disclosure to third parties is permitted only if:

Additionally, businesses may not refuse goods or services to someone who declines to provide biometric data, unless the data is necessary to provide that service.

Individuals have the right to request information about the biometric data collected about them, but only if the business is subject to the general thresholds of the Colorado Privacy Act. If a business is a controller subject to the CPA's general thresholds, it must disclose the types of biometric data collected, the purpose for collection, the source of the data, the third parties with whom it has been shared, and the categories of information disclosed. This information must be provided free of charge upon request by the individual or their authorized representative. Businesses that are not subject to the CPA's general thresholds, such as some small employers, are not required to respond to access requests, but must still comply with all other biometric data requirements under the law.

Both controllers and processors must protect biometric information using industry-standard safeguards. Security measures should support timely deletion in accordance with the business's documented retention schedule.
If a data breach affects biometric identifiers or biometric data, the controller or processor must follow its response protocol and notify affected individuals if required by law.

Enforcement and Penalties

Failure to comply with Colorado's biometric privacy requirements may trigger enforcement by the Colorado Attorney General. Businesses may face civil penalties, injunctive relief, or other remedies available under the Colorado Privacy Act.

How Should Employers Prepare?

With the law taking effect on July 1, 2025, employers should evaluate their timekeeping systems, access control technologies, and any software or hardware that collects biometric data. These tools must align with the employee's role and the reasonable expectations associated with that position. Internal policies should be updated to reflect lawful use, clear notice, and proper consent. It is essential that staff are trained on proper data handling and deletion timelines. Employers should coordinate with vendors to ensure that they follow applicable obligations.

Parting Thoughts

Colorado's biometric privacy law reflects a broader movement to treat biometric information as a distinct and highly sensitive category of personal data. While Illinois set the precedent for biometric privacy laws, Colorado's statute reflects a growing national trend. Other states are now following suit.

For businesses operating in Colorado, the time for compliance planning has passed. Now is the time for implementation.

House Bill 24-1130 sends a clear message. Colorado residents have a right to control how their biometric data is collected and used. And businesses, starting July 1, are required to honor that right.

Tenable research finds rampant cloud misconfigurations exposing critical data and secrets

Khaleej Times

4 days ago


Tenable®, the exposure management company, today released its 2025 Cloud Security Risk Report, which revealed that 9% of publicly accessible cloud storage contains sensitive data. Ninety-seven percent of such data is restricted or confidential, creating easy and prime targets for threat actors.

Cloud environments face dramatically increased risk due to exposed sensitive data, misconfigurations, underlying vulnerabilities and poorly stored secrets – such as passwords, API keys and credentials. The 2025 Cloud Security Risk Report provides a deep dive into the most prominent cloud security issues impacting data, identity, workload and AI resources and offers practical mitigation strategies to help organisations proactively reduce risk and close critical gaps.

Key findings from the report include:

  • Secrets found in diverse cloud resources, putting organisations at risk: Over half of organisations (54%) store at least one secret directly in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions — creating a direct attack path. Similar issues were found among organisations using Google Cloud Platform (GCP) Cloud Run (52%) and Microsoft Azure Logic Apps workflows (31%). Alarmingly, 3.5% of all AWS Elastic Compute Cloud (EC2) instances contain secrets in user data — a major risk given how widely EC2 is used.
  • Cloud workload security is improving, but toxic combinations persist: While the number of organisations with a 'toxic cloud trilogy' – a workload that is publicly exposed, critically vulnerable, and highly privileged – has decreased from 38% to 29%, this dangerous combination still represents a significant and common risk.
  • Using Identity Providers (IdPs) alone doesn't eliminate risk: While 83% of AWS organisations are exercising best practices in using IdP services to manage their cloud identities, overly-permissive defaults, excessive entitlements, and standing permissions still expose them to identity-based threats.

"Despite the security incidents we have witnessed over the past few years, organisations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations," said Ari Eitan, director of cloud security research, Tenable. "The path for attackers is often simple: exploit public access, steal embedded secrets or abuse overprivileged identities. To close these gaps, security teams need full visibility across their environments and the ability to prioritise and automate remediation before threats escalate. The cloud demands continuous, proactive risk management, and not reactive patchwork."

The report reflects findings by the Tenable Cloud Research team based on telemetry from workloads across diverse public cloud and enterprise environments, analysed from October 2024 through March 2025.

Liviniti Achieves HITRUST i1 Certification for Industry-Leading Security Practices

Globe and Mail

4 days ago

  • Business

Certification demonstrates Liviniti's strong commitment to data security and risk management

Natchitoches, Louisiana--(Newsfile Corp. - June 26, 2025) - Liviniti, a national leader in PBM transparency and prescription drug savings, today announced it has achieved 2025 certified HITRUST status for information security. Platforms with HITRUST certification include the Liviniti client portal, member portal and SoloRx.

"HITRUST i1 Certification demonstrates our commitment to high standards for cybersecurity and data protection, giving our clients confidence we are following leading security practices," says LeAnn Boyd, CEO. "Practicing strong cybersecurity is critical to minimize information security risk and protect Liviniti, our clients and their members in this age of information security challenges."

HITRUST i1 Certification demonstrates that Liviniti platforms and facilities are leveraging a set of curated controls to protect against current and emerging threats. The HITRUST i1 Validated Assessment and Certification helps organizations address cybersecurity challenges and remain cyber resilient over time.

"The HITRUST i1 Validated Assessment is a powerful tool for cyber-aware organizations, such as Liviniti," says Robert Booker, Chief Strategy Officer at HITRUST. "HITRUST i1 Certification provides measurement, implementation, and performance assurance of information security controls. Congratulations to Liviniti for earning HITRUST i1 Certification and demonstrating the operational maturity of their cybersecurity program."

"Our systems are purpose-built to serve PBM transparency and ease of data access, allowing clients total visibility into plan information, cost drivers and expenditures," adds John Pramik, Chief Technology Officer at Liviniti. "HITRUST certification and SOC compliance speak to our stringent security and privacy practices to protect sensitive information and adhere to healthcare industry standards. With this milestone, we reinforce our alignment with best practices, and our commitment to protecting the security and privacy of healthcare data."

Image: LeAnn C. Boyd, PharmD - CEO and Founder

Image: HITRUST i1 Certification

About Liviniti

Liviniti is a pioneer in pharmacy benefit innovation. Built by pharmacists, the company offers pass-through pricing within a fully transparent business model that delivers meaningful savings to clients and optimal health outcomes to members. Founded in 2011 as Southern Scripts and rebranded to Liviniti, the new name reinforces the power of medication to change lives through infinite possibilities. With an approach that delivers savings, clinical value, exceptional service and management of high-cost medications, Liviniti provides pharmacy benefit services to regional and national employers across the U.S. For more information, visit

Cloud misconfigurations expose critical data and secrets, says Tenable

Tahawul Tech

4 days ago


9% of publicly exposed cloud storage holds sensitive data, 97% classified as restricted or confidential

Dubai — Tenable, the exposure management company, released its 2025 Cloud Security Risk Report, which revealed that 9% of publicly accessible cloud storage contains sensitive data. Ninety-seven per cent of such data is restricted or confidential, creating easy and prime targets for threat actors.

Cloud environments face dramatically increased risk due to exposed sensitive data, misconfigurations, underlying vulnerabilities and poorly stored secrets – such as passwords, API keys and credentials. The 2025 Cloud Security Risk Report provides a deep dive into the most prominent cloud security issues impacting data, identity, workload and AI resources and offers practical mitigation strategies to help organizations proactively reduce risk and close critical gaps.

Key Findings From The Report Include:

● Secrets Found in Diverse Cloud Resources, Putting Organizations at Risk: Over half of organizations (54%) store at least one secret directly in Amazon Web Services (AWS) Elastic Container Service (ECS) task definitions — creating a direct attack path. Similar issues were found among organizations using Google Cloud Platform (GCP) Cloud Run (52%) and Microsoft Azure Logic Apps workflows (31%). Alarmingly, 3.5% of all AWS Elastic Compute Cloud (EC2) instances contain secrets in user data — a major risk given how widely EC2 is used.

● Cloud Workload Security Is Improving, But Toxic Combinations Persist: While the number of organizations with a 'toxic cloud trilogy' – a workload that is publicly exposed, critically vulnerable, and highly privileged – has decreased from 38% to 29%, this dangerous combination still represents a significant and common risk.

● Using Identity Providers (IdPs) Alone Doesn't Eliminate Risk: While 83% of AWS organizations are exercising best practices in using IdP services to manage their cloud identities, overly-permissive defaults, excessive entitlements, and standing permissions still expose them to identity-based threats.

'Despite the security incidents we have witnessed over the past few years, organizations continue to leave critical cloud assets, from sensitive data to secrets, exposed through avoidable misconfigurations,' said Ari Eitan, Director of Cloud Security Research, Tenable.

'The path for attackers is often simple: exploit public access, steal embedded secrets or abuse overprivileged identities. To close these gaps, security teams need full visibility across their environments and the ability to prioritize and automate remediation before threats escalate.

'The cloud demands continuous, proactive risk management, and not reactive patchwork.'

The report reflects findings by the Tenable Cloud Research team based on telemetry from workloads across diverse public cloud and enterprise environments, analyzed from October 2024 through March 2025.
