How to Safeguard Data in Virtual Environments

The Cybersecurity and Infrastructure Security Agency together with the National Security Agency, the Federal Bureau of Investigation (FBI), the National Cyber Security Centre, and other international organizations, published this advisory providing recommendations for organizations in how to protect the integrity, confidentiality, and availability of the data used to train and operate #artificialintelligence. The advisory focuses on three main risk areas: 1. Data #supplychain threats: Including compromised third-party data, poisoning of datasets, and lack of provenance verification. 2. Maliciously modified data: Covering adversarial #machinelearning, statistical bias, metadata manipulation, and unauthorized duplication. 3. Data drift: The gradual degradation of model performance due to changes in real-world data inputs over time. The best practices recommended include: - Tracking data provenance and applying cryptographic controls such as digital signatures and secure hashes. - Encrypting data at rest, in transit, and during processing—especially sensitive or mission-critical information. - Implementing strict access controls and classification protocols based on data sensitivity. - Applying privacy-preserving techniques such as data masking, differential #privacy, and federated learning. - Regularly auditing datasets and metadata, conducting anomaly detection, and mitigating statistical bias. - Securely deleting obsolete data and continuously assessing #datasecurity risks. This is a helpful roadmap for any organization deploying #AI, especially those working with limited internal resources or relying on third-party data.

The EDPB recently published a report on AI Privacy Risks and Mitigations in LLMs.   This is one of the most practical and detailed resources I've seen from the EDPB, with extensive guidance for developers and deployers. The report walks through privacy risks associated with LLMs across the AI lifecycle, from data collection and training to deployment and retirement, and offers practical tips for identifying, measuring, and mitigating risks.   Here's a quick summary of some of the key mitigations mentioned in the report:   For providers: • Fine-tune LLMs on curated, high-quality datasets and limit the scope of model outputs to relevant and up-to-date information. • Use robust anonymisation techniques and automated tools to detect and remove personal data from training data. • Apply input filters and user warnings during deployment to discourage users from entering personal data, as well as automated detection methods to flag or anonymise sensitive input data before it is processed. • Clearly inform users about how their data will be processed through privacy policies, instructions, warning or disclaimers in the user interface. • Encrypt user inputs and outputs during transmission and storage to protect data from unauthorized access. • Protect against prompt injection and jailbreaking by validating inputs, monitoring LLMs for abnormal input behaviour, and limiting the amount of text a user can input. • Apply content filtering and human review processes to flag sensitive or inappropriate outputs. • Limit data logging and provide configurable options to deployers regarding log retention. • Offer easy-to-use opt-in/opt-out options for users whose feedback data might be used for retraining.   For deployers: • Enforce strong authentication to restrict access to the input interface and protect session data. • Mitigate adversarial attacks by adding a layer for input sanitization and filtering, monitoring and logging user queries to detect unusual patterns. • Work with providers to ensure they do not retain or misuse sensitive input data. • Guide users to avoid sharing unnecessary personal data through clear instructions, training and warnings. • Educate employees and end users on proper usage, including the appropriate use of outputs and phishing techniques that could trick individuals into revealing sensitive information. • Ensure employees and end users avoid overreliance on LLMs for critical or high-stakes decisions without verification, and ensure outputs are reviewed by humans before implementation or dissemination. • Securely store outputs and restrict access to authorised personnel and systems.   This is a rare example where the EDPB strikes a good balance between practical safeguards and legal expectations. Link to the report included in the comments.   #AIprivacy #LLMs #dataprotection #AIgovernance #EDPB #privacybydesign #GDPR

Everyone’s feeding data into AI engines, but when it leaves secure systems, the guardrails are often gone. Exposure grows, controls can break down, and without good data governance, your organization's most important assets may be at risk. Here's what needs to happen: 1. Have an established set of rules about what’s allowed/not allowed regarding the use of organizational data that is shared organization-wide, not just with the IT organization and the CISO team. 2. Examine the established controls on information from origin to destination and who has access every step of the way: end users, system administrators, and other technology support people. Implement new controls where needed to ensure the proper handling and protection of critical data. You can have great technical controls, but if there are way too many people who have access and who don’t need it for legitimate business or mission purposes, it puts your organization at risk. 3. Keep track of the metadata that is collected and how well it’s protected. Context matters. There’s a whole ecosystem associated with any network activity or data interchange, from emails or audio recordings to bank transfers. There’s the transaction itself and its contents, and then there’s the metadata about the transaction and the systems and networks that it traversed on its way from point A to point B. This metadata can be used by adversaries to engineer successful cyberattacks. 4. Prioritize what must be protected In every business, some data has to be more closely managed than others. At The Walt Disney Company, for example, we heavily protected the dailies (the output of the filming that went on that day) because the IP was worth millions. In government, it was things like planned military operations that needed to be highly guarded. You need an approach that doesn’t put mission-critical protections on what the cafeteria is serving for lunch, or conversely, let a highly valuable transaction go through without a VPN, encryption, and other protections that make it less visible. Takeaway: Data is a precious commodity and one of the most valuable assets an organization can have today. Because the exchange-for-value is potentially so high, bad actors can hold organizations hostage and demand payment simply by threatening to use it.

A Quick Plan/Approach For CISO’s to Address AI Fast. As a CISO/CEO you have to stay on top of new ideas, risks and opportunities to grow and protect the business. As we all keep hearing and seeing LLM/AI usage is increasing every day. This past week my inbox is full of one question How do I actually protect my company's data when using AI tools? Over the last 9 years I have been working on, involved with and creating LLM/AI cyber and business programs and as a CISO I have been slowly integrating ideas about AI/cyber operations, data protection and business. Here are five AI privacy practices that I have found that really work. I recommend to clients, partners and peers. I group them into three clear areas: Mindset, Mechanics, and Maintenance. 1. Mindset: Build AI Privacy Into the Culture Privacy isn't just a checklist, it's a behavior. Practice #1: Treat AI like a junior employee with no NDA. Before you drop anything into ChatGPT, Copilot, or any other AI tool, stop and ask: Would I tell this to a freelancer I just hired five minutes ago? That's about the level of control you have once your data is in a cloud-based AI system. This simple mental filter keeps teams from oversharing sensitive client or company info. Practice #2: Train people before they use the tool, not after. Too many companies slap a "responsible AI use" policy into the employee handbook and call it a day. That's no good. Instead, run short, focused training on how to use AI responsibly specially around data privacy. 2. Mechanics: Make Privacy Part of the System Practice #3: Use privacy-friendly AI tools or self-host when possible. Do your research. For highly sensitive work, explore open-source LLMs or self-hosted solutions like private GPTs or on-prem language models. It's a heavier lift but you control the environment. Practice #4: Classify your data before using AI. Have a clear, documented data classification policy. Label what's confidential, internal, public, or restricted, and give guidance on what can and can't be included in AI tools. Some organizations embed DLP tools into browser extensions or email clients to prevent slip-ups. 3. Maintenance: Keep It Tight Over Time Practice #5: Audit AI usage regularly. People get busy. Policies get ignored. That's why you need a regular cadence quarterly is a good place to start where you review logs, audit prompts and check who's using what. AI is evolving fast, and privacy expectations are only getting tighter. What other ways are you using LLM/AI in your organization? 

🔒 Tools and techniques to ensure personal data security in the HR field. Below you find a list for a proactive approach and unceasing vigilance. ✅ Advanced Encryption: makes information unreadable to those attempting unauthorized access. ✅ Cloud Data Protection with encryption, access permissions and regular backups ✅ Restricted Access to Data with monitoring of user activity. ✅ Ongoing training, to promote awareness on potential threats and phishing tactics. ✅ Privacy by Design, i.e., including security measures right from the start. ✅ Sharing clear-cut Data Retention Policies. ✅ Compliance with Regulations: CCPA in America and GDPR in Europe. ✅ Data Security Audits, to assess the efficiency of the measures adopted and identify areas for improvement. ✅ Collaborations with Specialists, to ensure proper management of personal data in compliance with regulations. Which of these actions have you already implemented?

Data privacy might seem like a box to tick, but it’s much more than that. It’s the backbone of trust between you and your users. Here are a few ways to stay on top of it: + Encrypt sensitive data from day one to prevent unauthorized access. + Regular audits of your data storage and access systems are crucial to catch vulnerabilities before they become issues. + Be transparent about how you collect, store, and use data. Clear privacy policies go a long way in building user confidence. + Stay compliant with regulations like GDPR and CCPA. It’s not optional - it’s mandatory. + Train your team on the importance of data security, ensuring everyone from developers to support staff understands their role in safeguarding information. It’s easy to overlook these tasks when you're focused on growth. But staying proactive with data privacy isn’t just about following laws - it’s about protecting your reputation and building long-term relationships with your users. Don’t let what seems monotonous now turn into a crisis later. Stay ahead. #DataPrivacy #AppSecurity #GDPR #Trust #DataProtection #StartupTips #TechLeaders #CyberSecurity #UserTrust #AppDevelopment

When I first started working with a remote team, I realized that I needed to have a loss-prevention mindset. I couldn't afford to wait for something to go wrong. If confidential info were leaked or there was unauthorized access to your company's financial data, the consequences could be catastrophic. Trust would be eroded clients might leave, and  the financial loss could set you back months or years. I didn't wait for this to happen to me, and neither should you. I never want a situation where there's even a sliver of doubt because I don't want the added stress to distract me from my vision. So, it's important to plug in the holes before they become sinkholes. Here's what you can do: Secure Access ‣ Implement multi-factor authentication (MFA) for logins and regularly review and update access permissions. Regular Reviews ‣ Employees leaving the team or changing roles should have their access revoked or adjusted accordingly. Confidentiality Agreements ‣ Have all team members sign confidentiality agreements (NDAs). Open Communication ‣ Regularly discuss the importance of data security with your team. Data Encryption ‣ Encrypt sensitive data both in transit and at rest. Backup Systems ‣ Implement backup systems for your data. Education and Training ‣ Phishing scams and social engineering attacks constantly evolve, so keep your team informed. Create an access repository sheet ‣ This document should list all authorized users, their access levels, and the specific systems they can access. Take proactive steps now to protect your business before it's too late. Helpful?  ♻️Please share to help others. 🔎Follow Michael Shen for more.

As a lawyer who often dives deep into the world of data privacy, I want to delve into three critical aspects of data protection: A) Data Privacy This fundamental right has become increasingly crucial in our data-driven world. Key features include: -Consent and transparency: Organizations must clearly communicate how they collect, use, and share personal data. This often involves detailed privacy policies and consent mechanisms. -Data minimization: Companies should only collect data that's necessary for their stated purposes. This principle not only reduces risk but also simplifies compliance efforts. -Rights of data subjects: Under regulations like GDPR, individuals have rights such as access, rectification, erasure, and data portability. Organizations need robust processes to handle these requests. -Cross-border data transfers: With the invalidation of Privacy Shield and complexities around Standard Contractual Clauses, ensuring compliant data flows across borders requires careful legal navigation. B) Data Processing Agreements (DPAs) These contracts govern the relationship between data controllers and processors, ensuring regulatory compliance. They should include: -Scope of processing: DPAs must clearly define the types of data being processed and the specific purposes for which processing is allowed. -Subprocessor management: Controllers typically require the right to approve or object to any subprocessors, with processors obligated to flow down DPA requirements. -Data breach protocols: DPAs should specify timeframes for breach notification (often 24-72 hours) and outline the required content of such notifications, -Audit rights: Most DPAs now include provisions for audits and/or acceptance of third-party certifications like SOC II Type II or ISO 27001. C) Data Security These measures include: -Technical measures: This could involve encryption (both at rest and in transit), multi-factor authentication, and regular penetration testing. -Organizational measures: Beyond technical controls, this includes data protection impact assessments (DPIAs), appointing data protection officers where required, and maintaining records of processing activities. -Incident response plans: These should detail roles and responsibilities, communication protocols, and steps for containment, eradication, and recovery. -Regular assessments: This often involves annual security reviews, ongoing vulnerability scans, and updating security measures in response to evolving threats. These aren't just compliance checkboxes – they're the foundation of trust in the digital economy. They're the guardians of our digital identities, enabling the data-driven services we rely on while safeguarding our fundamental rights. Remember, in an era where data is often called the "new oil," knowledge of these concepts is critical for any organization handling personal data. #legaltech #innovation #law #business #learning

Think your AI tool is secure? Think again. Here’s how to protect your company’s data in 60 seconds: Most teams are using AI tools without knowing where the data goes. I spoke to a manager last week who had to deal with a major fallout. They let staff use a free AI writing tool. Turns out, it stored everything on servers in mainland China—without anyone realizing. Now they’re facing questions from legal, clients, and the board. The fix? Before using any AI platform, ask three things: - Where is the data stored? - Who owns the servers? - Are the regions GDPR/CCPA compliant? This simple check can protect you from lawsuits and fines. In some cases, millions of dollars. Want to be sure? Only use vendors that clearly state hosting policies—ideally in US or EU regions with strong privacy laws. Avoiding international data risk starts with asking better questions. Your clients trust you. Don’t lose that by skipping due diligence.

Yesterday, the FTC added to the ever-expanding jurisprudence of sensitive data.  By Final Order in X-Mode/Outlogic, the FTC has given a template for what the implementation of reasonable and appropriate safeguards might look like to avoid putting consumers’ sensitive personal information unlawfully at risk. Beyond not selling, sharing or transferring sensitive location data, X-Mode is required to: 1 - create a program to develop and maintain a comprehensive list of sensitive locations; 2 - delete or destroy all location data previously collected without consent (or deidentify/render non-sensitive); 3 – develop a supplier assessment program to assure lawful collection of data 4 – develop procedures to ensure data recipients lawfully use data sold or shared; 5 – implement a comprehensive privacy program, and 6 – create a data retention schedule. Without question, the FTC will expect businesses that collect, have, sell, share, transfer or otherwise obtain sensitive data and/or location data to follow most if not all of these or similar practices. https://lnkd.in/ecZ5aspU #safeguardprivacy #privacy #legaltech #compliance #adexchanger #iapp #dataprotection #onlineadvertising #ftc #tech #data #legal #advertising #law #compliance #ccpa #dataprotection #privacylaw #mobileadvertising #dataprivacy #advertisingandmarketing #technology #business #privacy #dataprotection #datatransfers Richy Glassberg, Katy Keohane, CIPP-US, Michael Simon, CIPP-US/E, CIPM,