Hackers Can Turn AI Security System Against The Company

• Although AI and robotic systems can bring notable benefits to the company, cybercriminals can hack them to "weaponize malware and attacks to counter the advancements made in cybersecurity solutions".
• Hackers understand how AI automated systems can receive knowledge and adapt accordingly. Therefore, hackers can launch a few attacks and learn the systems' vulnerabilities before creating an effective malware attack to finally access the companies' data. They can also use AI to accelerate polymorphic malware that makes the code to change frequently and make them almost undetectable.
• For instance, TaskRabbit was attacked by cybercriminals which affected 3.75 million users, yet professionals and experts were unable to locate the attack.
• Along with the growth of AI and robotic systems, hackers can also learn the same technique to compromise the companies' data. Isaac Ben-Israel, the Director of the ICRC and Chairman of Cyberweek, believed that it only takes some time for hackers to succeed breaching the companies' data.
•  Richard Stanes, the Chief Security Strategist NEU for Capgemini, agreed that many cybercriminals are using machine learning and AI, especially phishing, due to their abilities to produce well-scripted attacks and automate them.

The High Cost of Data Breaches

• Along with the rise of advanced technologies such as AI, the need for consumer data becomes bigger. However, the data collected by the AI-integrated companies may also be stolen or commercialized for marketing opportunities, purchasing recommendations, or other services without the consumers' consent by cybercriminals.
• Based on a study conducted by Ponemon's Institute, the average US data breach cost $7.91 million in 2018. In 2019, the number rises to $8.19 million. In some cases, large-scale breaches may reach $350 million.
• The US is also named the most expensive country to experience a data breach.
• According to experts from Ponemon's Institute, companies need to start improving their abilities to identify and solve an incident in their AI system to reduce data breach costs.
•  Jon Oltsik, the senior principal analyst at IT research firm Enterprise Strategy Group, agreed that the cybersecurity professionals working in the company must know the most updated research and threat intelligence.

The Risk of Losing Customer Trust

• AI-integrated companies are likely to need customers' data for personalization services and improving customer experience. However, due to the complex definition of privacy and the lengthy user agreements, customers tend to click "accept" without realizing what privacy rights that they give to the companies.
• Cybercriminals may also breach customers' information due to the weak companies' data security. For instance, as of 2019, there are 3,800 publicly disclosed breaches cases that affect millions of people in the US. There's also a 54% increase in reported breaches this year compared to the first six months of 2018.
• The privacy breaches may cause consumers to lose their trust in the companies that they use. According to a study conducted by Ponemon's Institute, the average U.S. data breach reaches $4.2 million in lost customer revenue.
• The healthcare, financial, and pharmaceutical industries have the most difficulty in maintaining their customers after they experience data breaches. The healthcare industries' abnormal customer turnover is about 7.0%, whereas other industries typically only reach 3.9%.
• Although consumer trust in AI has been declining due to the irresponsible data breaches, Jim Hare, the research vice president at Gartner, is still positive about the usage of AI in companies to cut corporate brand and reputation risk. He also advises companies that use AI to "build a culture of responsible use, trust and transparency" to improve users' trust.

The Potential of Impacting Stock Prices

• Many companies use AI systems to increase customer experience by collecting users' data. However, privacy breaches in companies that use IT and robotics can lower stock prices. The consequences of data breach that involve highly sensitive information, such as credit card and social security numbers, are more likely to inflict greater damage to the companies' stock prices.
• Cybercriminals can easily use phishing campaigns, malware, or exploiting technical vulnerabilities in IT-integrated companies to collect sensitive information.
• Based on a study conducted by Comparitech, 28 companies that experienced data breaches tended to suffer from low stock prices for almost three weeks. On average, their stock value dropped by 7.27%.
• Rich Campagna, the chief marketing officer of Bitglass, believed that the breaches happening in the past three years have inflicted "massive and irreparable damage to large companies and their stakeholders."

Research Strategy

The Regulations

• California has passed several bills intended to curb negative impacts of specific AI-enabled technologies such as facial recognition systems.
• The Body Camera Accountability Act seeks to prohibit the use of facial recognition in police body cameras, while another would require businesses to publicly disclose their use of facial recognition technology.
• By passing the bills, cities like San Francisco and Oakland banned the use of facial recognition technology by city agencies and law enforcement.

• The law grants consumers data privacy rights related to how businesses can collect, use and sell their personal data.
• The law applies to all companies that collect data like artificial intelligence companies using or developing facial recognition softwares.
• The law not only impacts organizations conducting certain types of business in Nevada, but is also a precursor to similar provisions set forth in the California Consumer Privacy Act, as amended (CCPA) and other data protection bills being drafted and debated across U.S. state legislatures.

• The Artificial Intelligence Video Interview Act was recently signed into law in Illinois, and takes effect on January 1, 2020.
• Employers that record video interviews and use AI technology to analyze applicants’ suitability for employment must inform applicants that AI technology may be used to evaluate their interviews.
• This law highlights a myriad of privacy concerns for employers evaluating the costs and benefits of incorporating AI technology into their hiring practices.

• The Deep Fake legislation is a new bill to combat manipulated media content known as “deepfakes” and has passed the U.S. House of Representatives Committee on Science, Space and Technology. It is not an official law yet, but would impact AI and robotics companies in the future if enacted.
• It supports research on the outputs that may be generated by generative adversarial networks, otherwise known as deepfakes, and other comparable techniques that may be developed in the future, and for other purposes.
• The legislation would also support research in artificial intelligence through computer and information science and engineering.

CHANGE PRIVACY POLICIES

• GDPR enhanced the digital rights of EU citizens. Importantly, the regulations set strict terms of collecting, storage, and transfer of EU citizens data. In compliance with GDPR, tech companies had to provide a framework on how they would protect the collection, storage, and transfer of EU data through upgrading their privacy policies.
• The privacy policies of Microsoft's EU cloud computing contracts were revised in line with GDPR. However, the privacy policy changes were deemed inadequate by the European Data Protection Supervisor resulting in Microsoft revising its privacy policies again to meet the stringent GDPR requirements.
• Google updated its privacy policy in line with GDPR to meet data security regulation requirements. Notably, the updated Google's privacy policy provides updated consumer protection over data transfer and use.

PRIVACY PORTAL

• GDPR provides EU citizens with control over their data whereby user data collecting companies have to provide EU citizens access to their data.
• Apple established Apple ID Data & Privacy website for EU citizens to view all the data that Apple has about them. It includes information such as access to sign-in history data, contacts, calendar data, documents, and photos.

PERSONAL INFORMATION REMOVAL REQUEST FORM

• Before GDPR, the EU Data Protection Directive established that people could ask for their data to be deleted. The clause, known as the right to be forgotten, was included in the GDPR.
• Google provides individuals with a platform to have their personal information deleted from Google. In compliance with GDPR, Google set up a Personal Information Removal Request Form for EU citizens to fill to request the deletion of their information.

RESEARCH STRATEGY

1) Amazon

Cautionary Tales

• In general, Amazon Web Services (AWS) has had few security breaches in comparison to other large companies in the US. In November 2018, the company stated a "technical error" on the Amazon website had exposed an undisclosed number of customers' names and email addresses.
• Some companies using AWS, like Accenture, Uber, and Time Warner, have had significant security breaches.
• More significant concerns surround the worry that Echo home speakers are recording and transmitting information without their owners' knowledge.

Resulting Security Initiatives

AWS

• AWS is a division of Amazon that provides cloud computing, database storage, and other IT functions. Amazon provides services to some of the largest companies in the world — like Netflix, Expedia, and NASA.
• These resulted from incorrect configuration settings on the company's security settings. Incorrect settings cause most security breaches.
• In response to this issue, Amazon is "no longer leaving data security entirely up to its clients." AWS has improved its user interface to lessen the chance of user error. [3]
• It has also implemented a threat detection service called GuardDuty to protect Amazon accounts.
• It is also launching Amazon Mazie; a machine learning-powered solution focused on security.
• Amazon also has an application for a patent called "management of encrypted data storage" that describes new encryption services for AWS users.

ECHO

• To address user concerns, Amazon has provided detailed documentation describing when users are being recorded, how the data is used, and how to delete recorded data.
• Amazon has also implemented strict control standards on its apps, instituted a more comprehensive review processes, and, most notably, begun encrypting the data that travels between Echo and Amazon servers.

2) Microsoft

Cautionary Tales

• Because it has such a broad reach across many enterprise systems, Microsoft of necessity has a heavy focus on cybersecurity. That includes a deep focus on improving cloud security,
• Most recently, an IT expert in India uncovered a hole in a Microsoft subdomain that gave hackers access to user's Microsoft Office Accounts.
• The hacking of the DNC email accounts also provided an impetus for Microsoft to address its security.

Resulting Security Initiatives.

• Currently, Microsoft's largest security initiative is aimed at election security. 
• In response to the hack of the DNC Exchange server, Microsoft developed AccountGuard, which offers threat detection and security guidance across "both email systems run by organizations and the personal accounts of these organizations' leaders and staff who opt-in."
• As well as the AccountGuard program, Microsoft is also providing another feature called the Defending Democracy Program. This solution is designed to protect "organizations that underpin democracy" from hacking and disinformation campaigns. These programs have been installed across the US and Europe.
• According to the Tech Republic, Microsoft spends over $1B each year, defending against roughly seven trillion cyberthreats per day.
• Microsoft is also developing multiple patents in the area of homomorphic encryption (HE), which will allow operations to be performed on encrypted data without decrypting it first. Other stakeholders like IBM, Intel, and SAP are working with Microsoft to define industry standards for HE.

3) Google

Cautionary Tales

• A data breach in 2018 that allowed hackers access to 50 million users' names and email addresses resulted in Google shutting down Google+. It did not notify users or regulatory bodies in the EU until months later. France has fined it nearly $57M for GDPR violations.
• Google is also involved in a class-action lawsuit in Rhode Island with the state pension fund because of data breaches.

Resulting Security Initiatives

• Google recently "upgraded and improved users' control of account settings and permissions for Google accounts. These changes included new limitations for apps looking to access tools like Gmail and diminishing the ability for apps to access call logs and SMS history on Android mobile devices."
• In the 2018 midterm elections, it is estimated that 65% of the candidates used Gmail accounts. Consequently, Google's Advanced Protection Program was created for high-risk users, including "journalists, activists, business leaders, and political campaign teams." It provides a 2-step verification for sign-in and restricted account access to third-party apps.
• Google has also applied for a patent for "access control for user-related data." This system is designed to "detect potential large scale leaks while deploying encryption technology that can help maintain the privacy of the data."

California’s Consumer Privacy Act (CCPA)

•  CCPA is a law designed to protect the data privacy rights of citizens living in California.
• It forces companies to provide more information to consumers about what’s being done with their data and gives them more control over the sharing of their data.
• The law goes into effect on January 1, 2020.
• Businesses who annually buy, receive, sell or share the personal information of 50,000 or more consumers, have an annual gross revenue of over $25 million and derive 50% or more of their annual revenue from selling consumer personal information must comply with the CCPA.
• Provisions in the law include customers' right to request deletion of personal information and granting consumers the right to control selling their information to third parties.
• The maximum penalty of the CCPA is $7,500.
• Given that many tech companies mainly deal with customer data, they need to be aware of the CCPA and successfully comply with it.

Maine Act to Protect the Privacy of Online Consumer Information

• This regulation prohibits broadband Internet access service providers from using, selling, distributing or permitting access to customer personal information for purposes other than providing services, unless the customer expressly consents.
• It applies only to broadband providers operating within Maine and becomes effective on July 1, 2020.
• To comply, providers must provide notice and seek express opt-in consent before collecting personal information, and they must protect personal information.
• It also prohibits ISPs from refusing to serve customers who withhold consent, as well as it bans ISPs from offering financial or other incentives for customers to opt-in.
•  Sanctions for violation of the regulation can be found in chapter 15 of Maine’s title 35-A on Public Utilities.
• Implementation of the regulation may threaten the innovation of Internet-based technologies and services.

New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act

• The SHIELD Act aims to enhance consumer data security by expanding the definition of protected data and enhancing breach notification requirements.
• It goes into effect on March 21, 2020.
• Penalties for failing to fulfill data security requirements are capped at $5,000 per violation.
• It can apply to any business that holds private information of New York residents, regardless of whether it conducts business in New York.
• Businesses, including tech companies, can adopt and follow a formal plan that includes a breach notification policy and data security measures to protect private information to limit their exposure to penalties for noncompliance.

New State Privacy and Security Laws in the U.S.

• Understanding what each of the top new privacy regulations entails is vital to understanding the necessary practices that should be taken by U.S. tech companies to stay in compliance with these new regulations. Three important new privacy and security laws in the U.S. include the California Consumer Privacy Act (CCPA), the Nevada Senate Bill 220 Online Privacy Law, and The Maine Act to Protect the Privacy of Online Consumer Information.

• In 2018, California passed the California Consumer Privacy Act (CCPA), a data privacy act based on the European Union’s General Data Protection Regulation (GDPR). The Consumer Privacy Act requires compliance by all businesses that collect data on California residents.
• The Nevada Senate Bill 220 Online Privacy Law was signed by Governor Janet Mills on June 6, 2019, and goes into effect on July 1, 2020. It amends "Nevada’s existing privacy law by requiring businesses to offer consumers an opt-out regarding the sale of their personal information, with some exceptions."
• The Maine Act to Protect the Privacy of Online Consumers was enacted to protect the privacy of customers of broadband internet access services and requires service providers to obtain opt-in consent before using, disclosing, or selling their customers’ personal information.

Best Practices for Compliance With New Privacy Legislation and/or Regulations

1. Providing Consumers With the Option to Opt-Out of the Sale of Their Information

Description

• The three privacy laws mentioned above require that service providers provide consumers with the option to opt-out of the sale of their personal information. This gives consumers the right and ability to control the act of selling their information to third-parties. Service providers can allow consumers to opt-out by placing a “Do Not Sell My Personal Information” link in the privacy policies or by setting up a designated request address that consumers can use to opt-out of the sale of their information.

Importance

• This practice has broad coverage and is listed as a recommended strategy to remain in compliance with the CCPA, the Nevada Senate Bill 220 Online Privacy Law, and the Maine Act to Protect the Privacy of Online Consumer Information.

Leaders Endorsing It

• In 2018, Senator Ron Wyden proposed The Consumer Data Protection Act of 2018 Discussion Draft that recommended service providers "give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it."

2. Updating Privacy Policies

Description

• This practice recommends service providers inform their users about how to exercise their rights under the new data privacy regulations.

• It is recommended this be done annually.

Importance

• A privacy policy should detail aspects such as the categories of personal information collected, a description of any process by which a consumer can review and request changes to their personal information, a description of how consumers will be informed of any changes to the privacy policy, disclosure of whether tracking technology will be used and the effective date of the notice. This ensures that consumers are well aware of the privacy terms and conditions of the service provider before proceeding to use the service.

Leaders Endorsing It

•  Representative Frank Pallone (Democrat representing New Jersey) called on Congress to pass legislation on Internet privacy during Facebook CEO Mark Zuckerberg's testimony. This was after the discovery of the Facebook and Cambridge Analytica data scandal.

3. Deleting or Anonymizing an Individual’s Data Upon Request

Description

• This practice entails that service providers know where they store personal information and make sure that they can delete or anonymize an individual’s data upon request.
• This practice goes hand in hand with ensuring that they can respond to the consumer within 60 days when such a request is made.

Importance

• This practice requires that the service provider carries out the duties of care, loyalty, and confidentiality and ensures that they do not disclose or share individual identifying data with any other person except for what is in conformity with the agreement between them and the consumer.

Leaders Endorsing It

• Senator Schatz, supported by 15 other Democrats, "released a draft Data Care Act that would establish duties of “care, loyalty, and confidentiality” for online providers that handle personal data."
• Senate Bill 3744 proposed by Senator Schatz aimed "to establish duties for online service providers with respect to end-user data that such providers collect and use."

Research Strategy