Employers that want to digitally track employees better watch themselves.

Oh, and employees? Hold on to your mouse jigglers.

The Consumer Financial Protection Bureau (CFPB) said in late October that companies using algorithm scores and surveillance-based AI to keep tabs on employees must treat the tech like a third-party consumer report and follow Fair Credit Reporting Act (FCRA) rules.

“Workers shouldn’t be subject to unchecked surveillance or have their careers determined by opaque third-party reports without basic protections,” CFPB Director Rohit Chopra said in an agency statement on Thursday, Oct. 24. “The kind of scoring and profiling we’ve long seen in credit markets is now creeping into employment and other aspects of our lives. Our action today makes clear that long-standing consumer protections apply to these new domains just as they do to traditional credit reports.”

Read the rest here.—BH

Using generative AI in cyberattacks is something that’s keeping CISOs up at night—but strategies to manage the danger are here to ease those sleepless evenings, no melatonin required.

“Their job is to be able to manage risks in this huge, uncertain environment that they have,” RSA Conference’s Laura Robinson told IT Brew. “And it’s not like uncertainty has changed with GenAI—they’ve always had to deal with uncertainty—but GenAI has really upped the level of uncertainty.”

Robinson is the program director for RSA Conference’s Executive Security Action Forum (ESAF), a community for Fortune 1000 security executives. In new data from the forum, the C-suite’s concerns over the increasing threat of generative AI are front and center.

Findings, findings. The ESAF survey of 100 Fortune 1,000 CISOs found that 70% of respondents have seen the technology deployed in phishing emails tailored to the victim, while vishing, automated hacking, and deepfake videos accounted for 37%, 22%, and 21%, respectively.

Read more here.—EH

Okta revealed that it fixed a big oopsy it made that allowed bad actors to potentially gain access to accounts with obnoxiously long usernames with ease.

In an Oct. 30 security advisory, the authentication vendor disclosed that it had identified a vulnerability that impacts its AD/LDAP Delegated Authorization process that would allow certain users to authenticate with just a username and a stored cache key of a previous successful login attempt.

The bug was introduced in late July as part of a standard release. Okta noted that the vulnerability could only have been exploited if a specific set of conditions were met, one of which including that a targeted account had to have a username with 52 or more characters. (So much for unique usernames…)

Keep reading here.—BM

Learn how to ride the wave of AI adoption into a more productive, less chaotic state of enterprise bliss. Grammarly sits down with us to discuss replacing AI complexity with clear ROI. Register now for our virtual event on Nov. 13. See you there!