Tag Archives: Data Privacy

Data Protection, GDPR

The Queen’s Speech, GDPR & Post-Brexit

Following on from my initial article on GDPR and Brexit in September last year, there is no doubt that the UK will continue with strong data protection laws when the UK leaves the European Union (Brexit), this was confirmed in the Queen’s speech in June 2017, which introduced a bill to repeal the 1972 European Communities Act and replace it with the Repeal Bill 2017.

A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.

What does this mean ?

It means less uncertainty to what data protection laws will apply to UK businesses post-Brexit and more importantly, less certainty to the run-up to Brexit.

Many organisations have delayed their GDPR programmes or at least given less attention to it due to the lack of clarity.

For UK citizens, the commitment to enhanced data protection incorporated into law gives parity in this domain to GDPR.

For business, this confirms that the UK should continue to be an attractive location of data rich organisations.

Soon – the “UK GDPR – Flies in the ointment and devils in the detail”

Further reading

Queen’s Speech 2017

 

 

Data Loss, Data Protection, Personal Information

UK Healthcare sector accounted for 40% of data breaches

2014 Q4 figures released by the ICO (Information Commissioner’s Office) reveals that of the data breaches reported to them, over 40%  originated from the healthcare sector.  Local government and education are a distant 2nd and 3rd respectively.

Source : ICO Q4 2014 Data Breach figures

The vast majority of these were attributed to human error, broken down into detail in the next chart.

Source : ICO Q4 2014 Data Breach figures

Principle 7 failure originates from inadequate technical controls.

The ICO states :

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Chun’s View

The raw figures indicate that the healthcare sector is prone to unintended personal information exposure (bear in mind these numbers haven’t been normalised),  it could be that this sector’s threshold for reporting is lower, It does reinforce the point that the majority of data leaks are due to human error.

Mitigation

Board-level sponsorship of Data Protection and Information Security training, as part of a larger learning and development regime, is essential. It must be viewed by the organisational population as worthwhile.

This must be formalised into the training strategy and woven into the Employees Handbook and Security Policy of the organisation.

As well as regular training targeting people who handle personal data, the training quality assurance is provided by the tracking of training metrics, such as completion and pass rates. With a sufficient data set, this may be correlated against the number of incidents reported. Incident rates may actually increase, as more may be reported when people are more aware of their obligations.

Parting words

Whichever sector you’re in, guarding against unintentional exposure of personal information is essential to maintaining your organisation’s reputation and avoiding the attention of the ICO.

Further reading (ICO)

Data Loss, Data Protection, Personal Information

World Leader’s PI leaked

The personal details of all 31 leaders at the recent G20 summit in Australia have been accidentally leaked by the Australian immigration department. Despite being notified of the high-profile breach four months ago, it neglected to inform anyone.

The details included passport numbers, visa details and other particulars of each leader at the summit.

Tony Abbott and Vladimir Putin cuddle koalas before the start of the first G20 meeting in November 2014. Photograph: Andrew Taylor/G20 Australia/Getty Images

In a letter obtained under Freedom of Information requests, it’s been revealed that a staffer at the G20 leaders summit staged in Australia last November mistakenly mailed a list of the leaders’ personal details to an official at the Asian Football Cup Local Organising Committee.

Although the information hasn’t been publicly exposed and is unlikely to be of use for nefarious purposes, not many people are likely to pretend to be Vladimir Putin or David Cameron. The damage is reputational and is certainly embarrassing for the Australian government. Ironically it had just recently passed controversial mandatory metadata retention laws.

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015

International Business Times article on the new Australian Bill and obligations of ISPs

The Guardian’s article on the new Australian Bill

 

 

 

Data Loss, Data Protection, Hacked

2014 – The Year of 1 Billion Data Record Losses

Gemalto the digital security services company and Safenet have released a report titled “2014 – Year of Mega Breaches & Identity Theft”

2014 Data Breaches Gemalto Infographic

The headline numbers make for sober reading. The number of data records loss jumped 78%, from about 575 million in 2013 to more than one billion in 2014.

In terms of time, in 2014 some 2,803,036 data records were lost every day, 116,793 every hour, 1,947 every minute and 32 every second. So figure in about the time it took to read the previous sentence, about 400 data records would have been stolen or lost based on the 2014 data breach statistics.

Despite the widespread availability of commercially and indeed open source encryption solutions as a means for protecting  information and privacy, only 58 of the data breach incidents in 2014, or less than 4% of the total, involved data that was encrypted in part or in full.

In short, companies and organisations are still not taking protection of data seriously. It’s likely to take the commensurate loss of revenue or regulatory fines, up to and including gaol time for things to start improving.

One catalyst for this may well be the EU General Data Protection Regulations, but there’s a lot of lobbying and compromises between the proposals and actual legislation. It may still revert back to being an EU Directive. Meanwhile our Personal Information is being  shared, sold and aggregated ad infinitum, that’s before it’s leaked and stolen !

Gemalto’s 2014 Data Breach Report

Data Loss, Data Protection, Hacked

Significant data theft from Anthem – one of USA largest health insurers

anthemlogo

Anthem, the US’s second biggest health insurer with about 70 million people on its books across the country, admitted late on 4th February 2015, that it was the target of an external cyber attack.

These attackers gained unauthorised access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.Tens of millions of records are likely to have been obtained illegally as a result of the hack, Anthem warned.

Health plans branded Anthem Blue Cross; Anthem Blue Cross and Blue Shield; Blue Cross and Blue Shield of Georgia; Empire Blue Cross and Blue Shield; Amerigroup; Caremore; Unicare; Healthlink; or DeCare, are at risk.

It is not clear when the company’s databases were compromised – just that it was discovered some time last week.  Anthem is offering free credit and identity monitoring cover to those affected by the breach.

Up to 80 million Americans (current and ex-insurees), are now being warned that they’re being targeted by scammers who are trying trick the victims into revealing additional personal information. Scammers are running email phishing campaigns, and even placing phone calls to affected customers, Anthem says.

The identity of the perpetrators hasn’t been disclosed yet, the FBI are are investigating the. Mandiant, a well-known cybersecurity firm, to look into vulnerabilities of its computer system.

Anthem’s statement

An interesting viewpoint from Kreb’s 

Chun’s view

It’s way too soon to speculate on the whys and what happened, only that your organisation is neither too big or too small to be vulnerable.

Good policies and good housekeeping are the backbone of any ISMS. Having a comprehensive plan to deal with breaches and data loss will go a long way in containment and minimising the damage.

 

Data Loss

First post of 2015 – Insider Threat – Data theft from 350000 Morgan Stanley’s clients

A Morgan Stanley employee, Galen Marsh stole sensitive information from 350000 wealth management clients in December 2014, of which 900 client’s data was posted on Pastebin, an internet expose site with a link for interested parties to purchase more information.

http://dealbook.nytimes.com/2015/01/05/morgan-stanley-fires-employee-saying-data-on-350000-clients-was-stolen/?_r=0

http://www.morganstanley.com/about/press/articles/7f189537-f51c-40b0-a963-fc0dc6c65861.html

Protecting from external threats is relatively simple, the insider threat is much more difficult to mitigate and potentially a lot more damaging.

A robust security policy with regular employee security awareness and obligations training, allied to a well tuned data loss detection and protection is essential. Post-incident response and lessons learnt completes the cycle.