SecurityWeek editor-at-large Ryan Naraine examines the broad tension between tech innovation and privacy rights at a time when ChatGPT-like bots and generative-AI apps are starting to dominate the landscape. 

The post Microsoft’s Windows Recall: Cutting-Edge Search Tech or Creepy Overreach? appeared first on SecurityWeek.

San Francisco data privacy startup Transcend secures 40 million in a Series B funding round that brings the total raised to $90 million.

The post Transcend Raises $40 Million for Data Privacy Platform appeared first on SecurityWeek.

Data security and AI governance company Zendata has emerged from stealth mode with $2 million in seed funding.

The post Zendata Emerges From Stealth With Data Security, AI Governance Solutions appeared first on SecurityWeek.

After years of false starts, the US is edging closer to a federal data privacy law. In a surprise move, two lawmakers last month introduced a bipartisan, bicameral piece of legislation described as “the best opportunity we've had in decades” to finally enshrine a national privacy and security standard into law.

The post What America’s Federal Privacy Bill Means for Data Protection appeared first on Security Boulevard.

The 2024 Proofpoint “Voice of the CISO” report is a useful barometer for understanding the current cybersecurity landscape, providing valuable insights from 1,600 CISOs globally. This year’s findings reveal a complex picture where heightened concerns coexist with a growing sense […]

The post Human Error and AI Emerge as Key Challenges in Survey of CISOs appeared first on TechSpective.

The post Human Error and AI Emerge as Key Challenges in Survey of CISOs appeared first on Security Boulevard.

The custom policy wizard helps prevent data leaks in GenAI tools by using CDP, requires no coding, and offers adaptive, intuitive policies.

“The real threat is in unstructured data, the kind of problem that requires data scientists and developers to solve.”

The post Lasso Security Data Protection Tool Aimed at GenAI Applications appeared first on Security Boulevard.

Zoom is announcing post-quantum end-to-end encryption on Meetings, with Phone and Rooms coming soon. 

The post Zoom Adding Post-Quantum End-to-End Encryption to Products appeared first on SecurityWeek.

Slack reveals it has been training AI/ML models on customer data, including messages, files and usage information. It's opt-in by default.

The post User Outcry as Slack Scrapes Customer Data for AI Model Training appeared first on SecurityWeek.

The SEC is tightening its focus on financial data breach response mechanisms of very specific set of financial institutions, with an update to a 24-year-old rule. The amendments announced on Thursday mandate that broker-dealers, funding portals, investment companies, registered investment advisers and transfer agents develop comprehensive plans for detecting and addressing data breaches involving customers’ financial information. Under the new rules, covered institutions are required to formulate, implement, and uphold written policies and procedures specifically tailored to identifying and mitigating breaches affecting customer data. Additionally, firms must establish protocols for promptly notifying affected customers in the event of a breach, ensuring transparency and facilitating swift remedial actions. “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.” According to the amendments, organizations subject to the regulations must notify affected individuals expeditiously with a deadline of no later than 30 days following the discovery of a data breach. The notification must include comprehensive details regarding the incident, the compromised data and actionable steps for affected parties to safeguard their information. While the amendments are set to take effect two months after publication in the Federal Register, larger entities will have an 18-month grace period to achieve compliance, whereas smaller organizations will be granted a two-year window. However, the SEC has not provided explicit criteria for distinguishing between large and small entities, leaving room for further clarification.

The Debate on SEC's Tight Guidelines

The introduction of these amendments coincides with the implementation of new incident reporting regulations for public companies, compelling timely disclosure of “material“ cybersecurity incidents to the SEC. Public companies in the U.S. now have four days to disclose cybersecurity breaches that could impact their financial standing. SEC’s interest in the matter stems from a major concern: breach information leads to a stock market activity called informed trading, currently a grey area in the eyes of law. Several prominent companies including Hewlett Packard and Frontier, have already submitted requisite filings under these regulations, highlighting the increasing scrutiny on cybersecurity disclosures. Despite pushback from some quarters, including efforts by Rep. Andrew Garbarino to The SEC’s incident reporting rule has however received pushback from close quarters including Congressman Andrew Garbarino, Chairman of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee and a Member of the House Financial Services Committee. Garbarino in November introduced a joint resolution with Senator Thom Tillis to disapprove SEC’s new rules. “This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent. CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities. Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland,” Garbarino said, at the time. Senator Tillis added to it saying the SEC was doing its “best to hurt market participants by overregulating firms into oblivion.” Businesses and industry leaders across the spectrum have expressed intense opposition to the new rules but the White House has signaled its commitment to upholding the regulatory framework. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

For two decades, the Payment Card Industry Data Security Standard (PCI DSS) has been the only show in town when it comes to regulating cardholder data. Created by the five big card companies (Visa, Mastercard, Discover, JCB and American Express) in 2004, it aims to enforce compliance through a kind of carrot-and-stick approach. That is, follow the rules and your organization will be able to continue processing card payments as usual. But fail to comply, and major fines could be headed your way.

The post Counting the Cost of PCI DSS Non-Compliance appeared first on Security Boulevard.

Noteworthy stories that might have slipped under the radar: 4,000 take part in Locked Shields 2024 exercise, Qantas and JP Morgan hit by data exposure bugs, NVIDIA patches critical flaw. 

The post In Other News: Locked Shields 2024, Data Exposure Bugs, NVIDIA Patches appeared first on SecurityWeek.

A new Silicon Valley startup called Mimic is coming out of the shadows with a hefty $27 million seed-stage funding round led by Ballistic Ventures.

The post Ransomware Defense Startup Mimic Raises Hefty $27M Seed Round  appeared first on SecurityWeek.

Traceable AI has raised $110 million since launching in 2018 with ambitious plans in the competitive API security and observability space.  

The post Traceable AI Raises $30 Million to Safeguard Cloud APIs appeared first on SecurityWeek.

Despite competitive pressures from industry behemoths like Microsoft and Google, investors are still betting big on startups in the specialized enterprise browser space.

The post Island Secures $175M Investment as Enterprise Browser Startups Defy Tech Giants appeared first on SecurityWeek.

Microsoft provides an easy and logical first step into GenAI for many organizations, but beware of the pitfalls.

The post Why Using Microsoft Copilot Could Amplify Existing Data Quality and Privacy Issues appeared first on SecurityWeek.