Third Party Tracking Cookies lead to a data compromise || UK's new IoT law
CyberInsights #137 - 13.4 million users data slurped up by tracking cookies || Legally securing IoT devices
And then there were third party tracking cookies
The lure of ad revenue from these cookies is hard to ignore. Until something like this happens.
Cliched cookie image (above) - check. Third party cookies slurping up information - check. Data Leakage - check.
Kaiser Insurance reported a data leak. The leak was related to third party tracking cookies used to track user activity on the site [LINK]. I’ve written about tracking cookies and the challenges faced because of them on CyberInsights:
Kaiser Health handles information about patients and is required to comply with the HIPAA provisions.
Take Action:
Organisations handling PHI (Protected Health Information) should be extra careful about using third party tools to monitor websites. If you are a ‘covered entity’ or a ‘business associate’ of a covered entity, remember to do the following:
Check all your websites and identify how user behaviour is being monitored on each of them
If you are using third party tracking cookies (quite likely that you are, especially if your website is outsourced, or if you are using a CMS solution for your website), identify the agency involved. Add them to your list of vendors.
Check if they are HIPAA compliant.
Check if you can sign a business associate agreement with them.
Or simply stop using these tracking monsters!
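To support the first two steps above, here is an added example (not from the newsletter) of a small inventory script that lists which third-party hosts a page loads scripts, images, iframes and stylesheets from; those hosts are where tracking cookies and pixels come from, and each one belongs on the vendor list. The sample HTML and all hostnames in it are constructed, and the "registrable domain" check is a deliberately crude last-two-labels approximation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical first-party site (not a real site).
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-health.test/static/app.js"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<link rel="stylesheet" href="/styles.css">
</head><body>
<img src="https://pixel.adnetwork.test/collect?id=123" width="1" height="1">
<iframe src="https://consent.widget-vendor.test/frame"></iframe>
<img src="/logo.png">
</body></html>
"""


class _ResourceCollector(HTMLParser):
    """Collect URLs of elements that can run code or phone home to a third party."""

    WATCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.urls.append((tag, value))


def _registrable(host):
    # Assumption: eTLD+1 is the last two labels (ignores suffixes like co.uk).
    return ".".join(host.lower().split(".")[-2:])


def third_party_hosts(html, first_party_host):
    """Return {host: [tags]} for every resource not served from the first-party domain."""
    parser = _ResourceCollector()
    parser.feed(html)
    own = _registrable(first_party_host)
    found = {}
    for tag, url in parser.urls:
        host = urlparse(url).hostname
        if not host or _registrable(host) == own:
            continue  # relative URL or first-party resource: not a third party
        found.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in sorted(found.items())}


if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_HTML, "www.example-health.test").items():
        print(f"{host}: loaded via {', '.join(tags)}")
```

Run it against a saved copy of each of your own pages (the HTML fetched by a browser, since tag managers inject further scripts at load time) and compare the resulting host list with your vendor list.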
A new law to secure the Internet of Things
A legal framework is good. Getting it implemented is where the challenge will lie.
IoT risks are well known. Measures to improve IoT security have also been in the works.
In Feb 2022, NIST released a consumer IoT device labelling programme. It’s a well thought out document. Access the pdf here. [LINK]
Now, the UK has come up with a specific cybersecurity law for the connected world! [LINK]
The law covers the following:
TVs, streaming devices, speakers
Games consoles, smartphones, tablets
Base stations and hubs
Home automation and alarm systems
“Wearables”: smart watches, fitness trackers, etc.
Home appliances (thermostats, washing machines, light bulbs, fridges, home assistants, etc.)
Security devices (doorbells, security cameras, baby monitors, etc.)
Children’s toys
The law has specific duties for manufacturers, importers, authorised representatives and distributors as well. [LINK]
The fines are 10 million pounds or 4% of global revenue, whichever is higher.
Take Action:
If you are the CISO or General Counsel of an IoT related firm (manufacturing, importing, distributing, etc.) that operates in the UK, read the entire act in detail. [LINK]
Even if the law does not apply to you yet, you can be sure that a similar law will be enacted in your country and state soon. Understand the requirements, especially around ‘statement of compliance’ and processes to investigate and take action on compliance failure.