Tag Archives: Data Protection

UK GDPR – Flies in the ointment and devils in the detail

This is the third article on GDPR; the first dealt with Brexit and GDPR, the second confirmed that the UK will be implementing stronger data protection.

Complications

There may be some “gotchas”, possible “flies in the ointment”: the question of adequacy, arising from differences in equivalence and the effects of divergence.

Equivalence – EU GDPR

Over time, you get divergence in any system if there isn’t a common control factor. That is likely to test compatibility in the future, but for now, more importantly, what will 2019 bring us?

The Supervisory Authority enforces the GDPR (and DPA98); the European Court of Justice (CJEU) has the final say. Post-Brexit, this is unlikely to remain the case: the final say will likely rest with the UK’s Supreme Court.

There are other UK laws, such as the Regulation of Investigatory Powers Act (RIPA) 2000, which are not compatible with the current EU directive and so are not going to work in harmony with GDPR. GDPR allows investigations for crimes; RIPA’s definitions are looser.

There is also a political element: will the other 27 EU member countries be generous in their assessment of UK data protection in 2019 and grant her equivalence with a few choice derogations?

So what’s going to happen?

No one knows for sure – this is my take on it:

The UK (and others globally) will have to comply with EU GDPR by May 2018 (it is actually in force now, but not enforced until May 2018; EU 95/46/EC was repealed in April 2016).

Post-Brexit, UK businesses will have to comply with both UK GDPR and EU GDPR.

What happens to the contentious parts of UK law, or the UK’s interpretation and implementation?

The UK will have to negotiate acceptance of her derogations or compromise on some aspects of her internal laws.

Without this, we will not have equivalence, which may lead to data being processed in another, more compliant EEA member state instead, something we’d all prefer to avoid.

… next article

More practical aspects of GDPR – how to approach GDPR and work towards the goal of compliance

Further reading

The Future of UK data protection laws post-Brexit

The Queen’s Speech, GDPR & Post-Brexit

Following on from my initial article on GDPR and Brexit in September last year, there is no doubt that the UK will continue with strong data protection laws when it leaves the European Union (Brexit). This was confirmed in the Queen’s Speech in June 2017, which introduced a bill to repeal the 1972 European Communities Act and replace it with the Repeal Bill 2017.

A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.

What does this mean?

It means less uncertainty about which data protection laws will apply to UK businesses post-Brexit and, more importantly, less uncertainty in the run-up to Brexit.

Many organisations have delayed their GDPR programmes, or at least given them less attention, due to the lack of clarity.

For UK citizens, the commitment to enhanced data protection incorporated into law gives parity with GDPR in this domain.

For business, this confirms that the UK should continue to be an attractive location for data-rich organisations.

Soon – the “UK GDPR – Flies in the ointment and devils in the detail”

Further reading

Queen’s Speech 2017

2014 – The Year of 1 Billion Data Record Losses

Gemalto, the digital security services company, and SafeNet have released a report titled “2014 – Year of Mega Breaches & Identity Theft”.

2014 Data Breaches Gemalto Infographic

The headline numbers make for sober reading. The number of data records lost jumped 78%, from about 575 million in 2013 to more than one billion in 2014.

In terms of time, in 2014 some 2,803,036 data records were lost every day, 116,793 every hour, 1,947 every minute and 32 every second. So in about the time it took to read the previous sentence, roughly 400 data records would have been stolen or lost, based on the 2014 data breach statistics.

Despite the widespread availability of commercial and indeed open-source encryption solutions as a means of protecting information and privacy, only 58 of the data breach incidents in 2014, or less than 4% of the total, involved data that was encrypted in part or in full.

In short, companies and organisations are still not taking protection of data seriously. It’s likely to take commensurate loss of revenue or regulatory fines, up to and including gaol time, for things to start improving.

One catalyst for this may well be the EU General Data Protection Regulation, but there is a lot of lobbying and compromise between the proposals and the actual legislation. It may still revert to being an EU Directive. Meanwhile our personal information is being shared, sold and aggregated ad infinitum, and that’s before it’s leaked and stolen!

Gemalto’s 2014 Data Breach Report

Significant data theft from Anthem – one of the USA’s largest health insurers

Anthem, the US’s second biggest health insurer, with about 70 million people on its books across the country, admitted late on 4th February 2015 that it was the target of an external cyber attack.

These attackers gained unauthorised access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Tens of millions of records are likely to have been obtained illegally as a result of the hack, Anthem warned.

Health plans branded Anthem Blue Cross; Anthem Blue Cross and Blue Shield; Blue Cross and Blue Shield of Georgia; Empire Blue Cross and Blue Shield; Amerigroup; Caremore; Unicare; Healthlink; or DeCare are at risk.

It is not clear when the company’s databases were compromised – just that it was discovered some time last week. Anthem is offering free credit and identity monitoring cover to those affected by the breach.

Up to 80 million Americans (current and ex-insurees) are now being warned that they’re being targeted by scammers who are trying to trick the victims into revealing additional personal information. Scammers are running email phishing campaigns, and even placing phone calls to affected customers, Anthem says.

The identity of the perpetrators hasn’t been disclosed yet; the FBI is investigating the breach. Anthem has brought in Mandiant, a well-known cybersecurity firm, to look into vulnerabilities in its computer system.

Anthem’s statement

An interesting viewpoint from Krebs

Chun’s view

It’s way too soon to speculate on the whys and what happened, only that your organisation is neither too big nor too small to be vulnerable.

Good policies and good housekeeping are the backbone of any ISMS. Having a comprehensive plan to deal with breaches and data loss will go a long way in containment and minimising the damage.


First post of 2015 – Insider Threat – Data theft from 350,000 Morgan Stanley clients

A Morgan Stanley employee, Galen Marsh, stole sensitive information from 350,000 wealth management clients in December 2014; data on 900 of those clients was posted on Pastebin, an internet exposé site, with a link for interested parties to purchase more information.

http://dealbook.nytimes.com/2015/01/05/morgan-stanley-fires-employee-saying-data-on-350000-clients-was-stolen/?_r=0

http://www.morganstanley.com/about/press/articles/7f189537-f51c-40b0-a963-fc0dc6c65861.html

Protecting against external threats is relatively simple; the insider threat is much more difficult to mitigate and potentially a lot more damaging.

A robust security policy, with regular employee security-awareness and obligations training, allied to well-tuned data loss detection and protection, is essential. Post-incident response and lessons learnt complete the cycle.