Hello Readers,
In today's REGULATORY REVIEW, the French privacy regulator CNIL is investigating a leak of health data on 500,000 people that could lead to fines against companies involved.
Don't miss my latest CISO CORNER feature, which includes exclusive interviews with CISOs, and the RANSOMWARE ROUNDUP feature for premium subscribers. If you'd like to read this special content, Inside Security is offering a 14-day free trial. Don't forget, we are expanding to five days a week. To sign up, click here.
Thank you for supporting Inside Security.
Fred
REGULATORY REVIEW
Every Thursday, I summarize the most important regulatory actions related to security and privacy. In today's issue, the French privacy regulator CNIL is investigating a leak of health data on 500,000 people that could lead to fines against companies involved.
Amazon's efforts to secure data are not sufficient to protect customers from data breaches and theft, three former high-level IT security employees at the company told Politico. They claim to have been retaliated against by senior leadership when they brought up security issues.
More from Politico:
- Two of the employees are based in the United States, and one is based in Europe.
- They alleged that Amazon prioritizes growth over the security of customer data and compliance with data security rules.
- British academic Garfield Benjamin related that Amazon's "disregard for privacy and security" was indicative of a "big problem."
- An Amazon spokesman disputed the employees' claims, stating that protecting customer privacy and security is a "top priority" for the company.
POLITICO
President Joe Biden has inked an executive order instructing federal agencies to review the supply chain security risks in critical industries. The order requires the Departments of Agriculture, Commerce, Defense, Energy, Health and Human Services, Homeland Security, and Transportation to issue reports on the risks for their particular industry that could disrupt the U.S. supply chain.
More from the order:
- The Departments of Commerce and Homeland Security are directed to submit a joint report on supply chain risks for the information and communications technology (ICT) sector.
- Each department's report should include an assessment of cyber risks, including risks posed by reliance on digital products.
- The Assistant to the President for National Security Affairs and the Assistant to the President for Economic Policy are directed to conduct an interim 100-day supply chain risk review.
- The Senate Intelligence Committee held a hearing Tuesday examining the cause and the consequence of the SolarWinds supply chain hack on the U.S. government and private companies.
CYBERSCOOP
Microsoft 365 has added Advanced Audit tools that include the ability for customers to retain Exchange, SharePoint, and Azure Active Directory audit records for up to 10 years for long-term investigations. In addition, Advanced Audit enables organizations to conduct forensic and compliance probes by providing access to crucial events, such as when and how mail items were accessed.
More from Microsoft:
- MailItemsAccessed replaces MessageBind in mailbox audit logging for Exchange Online, adding improvements such as the inclusion of sync activities.
- Advanced Audit now provides high-bandwidth access to the Office 365 Management Activity API for reviewing auditing data.
- To take advantage of Advanced Audit, a user needs to be assigned an E5 license; for the 10-year audit log retention feature, a user will need an add-on license.
CSO ONLINE
Google and the Linux Foundation are teaming up to fund Linux kernel maintainers Gustavo Silva and Nathan Chancellor to improve the platform's security. Chancellor will focus on fixing all bugs found with Clang/LLVM compilers for the Linux kernel, while Silva will work on patching kernel bugs and eliminating entire classes of vulnerabilities.
More:
- A recent report by the Linux Foundation and Harvard concluded that open-source software, including the Linux operating system, needed better security.
- Linux had more than 20,000 contributors and 1 million code commits as of August 2020.
- "Ensuring the security of the Linux kernel is extremely important as it's a critical part of modern computing and infrastructure," said David A. Wheeler with the Linux Foundation.
SECURITY WEEK
Thirty-five percent of healthcare organizations suffered an insider attack that resulted in the theft of cloud data last year, according to the 2021 Netwrix Cloud Data Security Report. The report, which surveyed 937 IT pros globally, found that insider theft took much longer to detect and remediate compared to phishing and ransomware attacks.
More from Netwrix:
- 54% of organizations that store data in the cloud had security breaches in the last 12 months.
- 35% of organizations said that data theft resulted in customer churn and loss of competitive edge.
- 48% of CISOs said that business pressure of rapid transformation and growth distracts them from data security.
INFOSECURITY MAGAZINE
QUICK HITS:
- The North Korean-linked Lazarus advanced persistent threat (APT) group has targeted the defense industry with ThreatNeedle malware, according to Kaspersky Lab researchers.
- More than 8 million COVID-19 test results were leaked online, apparently by the Health and Welfare Department of West Bengal, India.
- A Chinese security researcher has published a proof-of-concept exploit for the critical bug in VMware vCenter Server that the company patched this week.
- Ukraine's National Security and Defense Council warned that the country has been the target of a number of recent attacks from Russian cyberespionage groups.
Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as HealthITSecurity.com, FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.
Editor
Charlotte Hayes-Clemens is an editor and writer based in Vancouver. She has dabbled in both the fiction and non-fiction world, having worked at HarperCollins Publishers and more recently as a writing coach for new and self-published authors. Proper semi-colon usage is her hill to die on.