The California Privacy Protection Agency (CalPrivacy) has announced a significant leadership appointment, as Assembly Speaker Robert Rivas named Nicole Ozer to the CPPA Board, emphasising California’s ongoing commitment to strengthening consumer privacy protections. The Nicole Ozer appointment comes at a time when privacy regulation, digital rights, and responsible data governance are taking on increased importance across both state and federal institutions. Ozer brings decades of experience working at the intersection of privacy rights, technology, and democratic governance. She currently serves as the inaugural Executive Director of the Center for Constitutional Democracy at UC Law San Francisco, where her work focuses on safeguarding civil liberties in the digital age.

Nicole Ozer Appointment Strengthens CalPrivacy Board

Jennifer Urban, Chair of the California Privacy Protection Agency Board, welcomed the Nicole Ozer appointment, citing Ozer’s extensive background in privacy law, surveillance policy, artificial intelligence, and digital speech. “Nicole has a long history of service to Californians and deep legal and policy expertise,” Urban said. “Her knowledge will be a valuable asset to the agency as we continue advancing privacy protections across the state.” Urban also acknowledged the contributions of outgoing board member Dr. Brandie Nonnecke, noting her role in supporting CalPrivacy’s rulemaking, enforcement efforts, and public outreach initiatives over the past year. The CPPA Board plays a central role in guiding how California’s privacy laws are implemented and enforced, making leadership appointments especially critical as regulatory expectations evolve.

Nicole Ozer’s Background in Privacy and Civil Liberties

Before joining UC Law San Francisco, Nicole Ozer served as the founding Director of the Technology and Civil Liberties Program at the ACLU of Northern California. Her career also includes roles as a Technology and Human Rights Fellow at the Harvard Kennedy School, a Visiting Researcher at the Berkeley Center for Law and Technology, and a Fellow at Stanford’s Digital Civil Society Lab. Her work has been widely recognized, including a California Senate Members Resolution honoring her dedication to defending civil liberties in the digital world and her contributions to protecting the rights of people across California. “I appreciate the opportunity to serve on the CPPA Board,” Ozer said. “This is a critical moment to ensure that California’s robust privacy rights are meaningful in practice. I look forward to supporting the agency’s important work.”

Role of the California Privacy Protection Agency

The California Privacy Protection Agency is governed by a five-member board, with appointments made by the Governor, the Senate Rules Committee, the Assembly Speaker, and the Attorney General. The agency is responsible for administering and enforcing key privacy laws, including the California Consumer Privacy Act, the Delete Act, and the Opt Me Out Act. Beyond enforcement, CalPrivacy focuses on educating consumers and businesses about their rights and obligations. Through its website, Privacy.ca.gov, Californians can access guidance on protecting personal data, submitting delete requests, and using the Delete Request and Opt-out Platform (DROP).

Leadership Shifts Across Security and Privacy Institutions

Ozer’s appointment to the California Privacy Protection Agency Board comes in the same week as another notable leadership development at the federal level. The National Security Agency (NSA) announced the appointment of Timothy Kosiba as its 21st Deputy Director, highlighting parallel leadership changes shaping the future of privacy, cybersecurity, and national security. As NSA Deputy Director, Kosiba becomes the agency’s senior civilian leader, responsible for strategy execution, policy development, and operational oversight. His appointment was designated by Secretary of War Pete Hegseth and Director of National Intelligence Tulsi Gabbard, and formally approved by President Donald J. Trump. While the missions of the National Security Agency and the California Privacy Protection Agency differ, both appointments underline a growing emphasis on experienced leadership in institutions responsible for protecting sensitive data, infrastructure, and public trust. Together, these developments reflect how governance around privacy, cybersecurity, and digital rights continues to evolve, with leadership playing a central role in shaping how protections are implemented in practice.

The National Security Agency (NSA) has announced the appointment of Timothy Kosiba as its 21st Deputy Director, marking a significant leadership development at one of the United States’ most critical national security institutions. The designation was made by Secretary of War Pete Hegseth and Director of National Intelligence Tulsi Gabbard, and formally approved by President Donald J. Trump, according to an official statement released on January 9. As NSA Deputy Director, Kosiba becomes the agency’s senior civilian leader, responsible for overseeing strategy execution, establishing agency-wide policy, guiding operational priorities, and managing senior civilian leadership. In this role, he will also support the broader U.S. defense and intelligence enterprise, contributing to the formulation of national security policy and strengthening NSA’s position as an integrated mission partner against evolving foreign threats.

NSA Appoints Timothy Kosiba as Deputy Director

The NSA leadership appointment places Kosiba at the center of U.S. efforts to maintain a decisive national security advantage, particularly in the areas of foreign signals intelligence and cybersecurity operations. His return to the agency comes at a time when cybersecurity, cyber defense, and intelligence integration remain top priorities for U.S. national security planners. Lieutenant General William J. Hartman, Acting Commander of U.S. Cyber Command and Performing Duties of Director of the National Security Agency, welcomed Kosiba’s return, emphasizing his leadership credentials and institutional knowledge. “Tim is a people-focused leader with a wealth of experience that makes him ideal for the deputy director role,” Hartman said, citing Kosiba’s 33-year federal career and extensive experience across intelligence and cybersecurity missions. Hartman added that Kosiba’s leadership will be critical as the NSA advances its mission to protect U.S. national security interests in an increasingly complex threat environment.

Deep Experience Across Intelligence and Cybersecurity

With more than 30 years in the U.S. Intelligence Community, Timothy Kosiba brings deep familiarity with the NSA mission, particularly in public sector cybersecurity, cyber policy, and operational execution. Over the course of his career, he has played a key role in implementing the NSA’s Cyber Security Policy and has frequently represented both the NSA and U.S. Cyber Command in cyber-related discussions at the White House and other interagency forums. Kosiba’s experience spans both technical leadership and strategic engagement, positioning him to bridge operational realities with national-level policy objectives. His appointment reinforces the NSA’s focus on aligning intelligence capabilities with broader government cybersecurity and defense strategies.

Career Path Spanning Global and Operational Leadership

Kosiba began his NSA career as technical director for the Joint Functional Component Command for Network Warfare, where he worked on mission-critical cyber operations. He later served as technical director for the Requirements and Targeting Office within the Tailored Access Operations organization, a role focused on advanced cyber capabilities. Selected for the Defense Intelligence Senior Level (DISL) Service, Kosiba was posted overseas as chief of the Special U.S. Liaison Office in Canberra, Australia, strengthening intelligence cooperation with key allies. After returning to the United States, he became deputy director of the NSA/CSS Commercial Solutions Center and was later appointed Chief of Computer Network Operations (CNO). Following three years as CNO, Kosiba was assigned as Deputy Commander of NSA Georgia, the largest NSA field location, where he oversaw large-scale operational and workforce initiatives.

Commitment to the NSA Mission

Commenting on his appointment, Kosiba described the role as a return to familiar ground. “It is an honor to come back home and serve as the National Security Agency’s next deputy director,” he said, emphasizing his long-standing commitment to the agency’s mission and workforce. As NSA Deputy Director, Timothy Kosiba is expected to play a central role in shaping the agency’s approach to cybersecurity, intelligence operations, and national security policy, reinforcing NSA’s position within the U.S. intelligence and defense ecosystem amid persistent and emerging global threats.

The Shinhan Card data breach has exposed the personal information of approximately 192,000 card merchants, the South Korea–based financial services company confirmed on Tuesday. The incident, which involved the unauthorized disclosure of phone numbers and limited personal details, has been reported to the country’s Personal Information Protection Commission (PIPC). According to Shinhan Card, the breach affected self-employed individuals who operate franchised merchant locations and had shared personal details as part of standard merchant agreements. The company said there is currently no evidence that sensitive financial information, such as credit card numbers, bank account details, or national identification numbers, was compromised.

Employee Misconduct Identified as Cause of Shinhan Card Data Breach

In a statement, Shinhan Card clarified that the Shinhan Card data breach was not the result of an external cyberattack. Instead, the company suspects internal misconduct, with an employee at a sales branch allegedly transmitting merchant data to a card recruiter for sales-related purposes. “This was not due to external hacking but an employee’s misconduct,” a Shinhan Card official said, adding that the internal process involved has since been blocked. The company launched an internal investigation immediately after becoming aware of the incident and has taken steps to prevent similar actions in the future.

Scope of Personal Information Leak

The leaked data primarily involved mobile phone numbers, which accounted for roughly 180,000 cases. In about 8,000 instances, phone numbers were leaked alongside names. A smaller subset of records also included additional details such as birthdates and gender. Shinhan Card stated that its investigation has not identified cases where citizen registration numbers, card numbers, account details, or credit information were exposed. At this stage, the company has also said that no confirmed cases of misuse of the leaked information have been reported. The personal information leak affected merchants who signed contracts with Shinhan Card between March 2022 and May 2025, according to findings shared with regulators.

Shinhan Card Data Breach Timeline and Regulatory Notification

The breach came to light last month following a report submitted to the Personal Information Protection Commission, South Korea’s data protection authority. After receiving the notification, the PIPC requested supporting materials from Shinhan Card to assess the scope and cause of the incident. Following its internal review, Shinhan Card formally reported the data breach to the PIPC on December 23, complying with regulatory disclosure requirements. The company has continued to cooperate with authorities as the review process continues.

Company Response and Merchant Support Measures

In response to the Shinhan Card data breach, the company published an apology and detailed guidance on its website and mobile application. It also launched a dedicated page allowing affected merchants to check whether their personal data was compromised. “We will make every effort to protect our customers and prevent similar incidents from recurring,” a Shinhan Card spokesperson said. The company has emphasized that it is strengthening internal controls and reviewing access permissions related to merchant data. Shinhan Card also urged merchants to remain vigilant for potential phishing or unsolicited contact attempts, even though no additional harm linked to the leaked data has been confirmed so far.

Broader Implications for Financial Data Protection

The Shinhan Card data breach incident highlights ongoing challenges around data governance and insider risk within financial institutions, even as companies continue to invest heavily in cybersecurity defenses against external threats. While many breaches globally involve hacking or ransomware, incidents stemming from employee misconduct remain a persistent concern for banks and payment providers. Authorities have not yet announced whether penalties or corrective actions will follow the investigation. For now, Shinhan Card maintains that it is focused on customer protection and restoring trust following the incident.