Blog – Safe Harbour 2.0 Gets The Greenlight


The next major raft of data legislation came into effect on 12th July 2016, with the European Commission’s official adoption of the EU-US Privacy Shield framework. These measures are intended to protect EU citizens’ personal data when it is transferred to the United States.

“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, the EC’s Digital Single Market VP.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Known as Safe Harbour 2.0, this agreement will help firms to move personal data to either side of the Pond without breaking the EU’s strict data transfer rules. After many re-drafts, the EC believes the new framework is now robust enough to protect the data of European citizens.

Obligations and compliance overseer
The US Department of Commerce will be the body responsible for checking that the companies that have signed up to the framework are duly following its rules. Those that fail to do so will face sanctions and be struck off the list. Additionally, the same level of protection will apply to any personal data that is forwarded on to third parties.

Safeguards and transparency around US government access
The EU has been assured that public authorities’ access to data for law enforcement and national security purposes remains subject to clear limitations, safeguards and oversight mechanisms. The US will not be allowed to undertake indiscriminate mass surveillance of EU citizens’ personal data, and every EU citizen will benefit from redress mechanisms.

Individual rights redress
Under Safe Harbour 2.0, any citizen who considers that their data has been misused will be able to turn to a number of accessible and affordable dispute resolution schemes. Ideally, the complaint will be resolved directly by the company in the first instance; failing that, free-of-charge Alternative Dispute Resolution (ADR) will be offered.

EU US annual joint review
The Privacy Shield scheme will be jointly reviewed every year by the European Commission and the US Department of Commerce. National intelligence experts from the US and the European Data Protection Authorities will collaborate to assess all available sources of information and issue a public report to the European Parliament and the Council.

So where does this leave the rights of UK citizens post Brexit?
We need to remember that until Article 50 is signed, UK citizens are still EU citizens and therefore we all benefit from these changes. In point of fact, the General Data Protection Regulation (GDPR), which comes into effect in May 2018, will become law in the UK as we will still be part of the EU. Additionally, the Information Commissioner’s Office (ICO) has already stated that any re-draft of the UK Data Protection Act would have to take into account both the GDPR and Safe Harbour 2.0.

The changes we have seen so far, and the adoption of a single European data protection law, lead me to consider the question: would a Global Data Protection or Global Data Transfer Regulation, much like the International Standards, help safeguard every citizen?

Law firms face increasing cyber attacks in 2016


The start of summer 2016 has seen a sizeable increase in recorded attacks on legal firms in Ireland, as reported by RTE News on 5th June 2016. Over a dozen firms have recently suffered ransomware attacks.

Why is the legal sector a prime target?
The legal sector is a prime target for cyber criminals, firstly because of the sensitivity and volume of private client data held on its computer systems, and secondly because of the large sums of money held by solicitors in their client accounts on a daily basis.

What are common ways for ransomware attacks to take place?
Computer systems can be compromised by ransomware either through email or through a web browser. A user might open what looks to them like an innocuous email, which, once opened, immediately starts encrypting files across their entire network. The ransom message (which can be remarkably polite) then warns that immediate payment is required by a given deadline, or the files will be destroyed. Victims will often see a timer ratchet as well, whereby any delay in settlement increases the sum demanded. The warning is stark and often along the lines of: “Any attempt to damage or remove this software will lead to the immediate destruction of the private key to your server.”

What kind of sums are involved in ransomware attacks?
Sums can range from a few hundred to many thousands of pounds. In this particular spate of attacks, the Irish legal firms received ransom demands of between €5,000 and €30,000 from the criminals to unlock their computers.

One solicitor wishing to stay anonymous commented: “The accounts system was in jeopardy, which we would be accountable for a closing balance of €4-5m every day to clients. Trying to identify 2,500 clients whose money was actually in the account to the very cent was never going to be achievable going forwards.”

The general advice for all organisations would be:

• Regularly review your data security policies and procedures (and ensure they are up to date and fit for purpose, reflecting the current threat landscape).
• Regularly back up your data to mitigate any losses.
• Act expediently and deal with the issue.
• Deploy up-to-date antivirus software.
• Have effective web filtering in place.
• Utilise up-to-date firewalls.
• Educate staff to heighten everyone’s awareness of cyber security: what different attacks look like and, importantly, what their process and actions should be should they receive something they believe to be a cyber threat.

This news comes on the heels of the annual risk management survey by Legal Business and Marsh, which found that “IT security breach / data management accident or breach” was the highest risk to law firms, both in terms of the damage it could cause and the likelihood of it occurring.

For regulated industries especially, effective and contemporary security systems and knowledgeable management teams will serve as a significant reassurance to their customers. Amicus ITS provides specific Security as a Service offerings to protect against cyber attack, including ‘Foxcatcher’ and ‘Amicus Viper’. Anyone wishing to discuss any cyber security issues in confidence can ring the security team on 02380 429429.

TalkTalk talk of recovery – hopefully no joke for their customers


TalkTalk have announced that their profits halved following the cyber attack on the company in October 2015. Profits fell to £14m, down from £32m the year before. The fall is attributed in part to the costs of the cyber attack, carried out by a number of hacktivists in the UK (six arrests have been made; all of those arrested are under 21).

TalkTalk lost 101,000 subscribers in the quarter immediately following the attack, in which the personal data of around 160,000 customers was compromised. This included email addresses, names and phone numbers, plus 21,000 unique bank account numbers and sort codes.

TalkTalk’s immediate response was to play hardball with any customer trying to leave, quoting contract terms and penalty fees should they go. Nowhere in their response was there any acknowledgement of their responsibility for safeguarding customer data, and the onus fell on the customer to prove that any future financial loss was solely due to the hack. So, for example, if a customer was spear-phished through social engineering that used the compromised personal data, that would be the customer’s fault.

If there was an Incident Response Plan (they had suffered previous breaches in the preceding year), there is little to show any learning outcomes from it to date.

Despite this, TalkTalk CEO Dido Harding maintains today that the company has recovered and that the customer churn experienced in the first quarter following the attack has since been stemmed, indicating, in her eyes, customer satisfaction.

Total revenues are reported to have grown 2.4% to £1.83 billion in the 12 months to 31st March 2016. However, no matter how upbeat the CEO is in talking up the positives in May 2016, the company’s PR mishandling, lack of probity and lack of knowledge indicate a disrespect for the customer, who (along with their data) should be, and feel, cared for at all times.

So we’ll need to wait and see over the next 12 months what the figures and customer base numbers reveal. However, one thing is certain: the company’s failure to manage and protect its customers’ data with due diligence and probity has led to a very public sullying of the brand and ridicule in some boardroom circles.

The TalkTalk debacle should go into the lexicon for all future Board directors as a lesson in how not to handle a disaster. For any Board today, at least one member must understand and be accountable for cyber security, so that the appropriate reviews, decisions, IT investments and staff education are undertaken. This means:

1. Understanding cyber security and identifying what your data crown jewels are
2. Ensuring your company has up-to-date security policies and practised procedures that follow ISO 27001 compliance procedures
3. Having your company’s infrastructure interrogated regularly for vulnerabilities and plugging any gaps
4. Working with data security specialists to monitor any devices, any infrastructure and any locations where your business or staff operate, to ensure you maintain endpoint security at all times.

Amicus ITS has a Security as a Service offering called Foxcatcher. If you wish to speak to one of our team to discuss your organisation’s security, call us on 02380 429429.


The ‘hokey kokey’ of the Referendum debate


With June 23rd closing in upon us, political ping pong seems to be the order of the day. With so many mixed messages in the market, it is difficult to see the wood for the trees.

As we are all aware, this is obviously a personal decision, but I believe it is one that should be based upon facts, not political point scoring around the pros and cons of a Brexit decision.

We are given some estimates suggesting the total economic cost of EU membership is around 11% of our annual GDP, at around £200 billion. Some say this money would be better spent on new British industries. It is also stated that the EU is one of the world’s largest markets, accounting for 25% of global GDP.

The interesting point is that the EU is said to be our biggest trading partner, with 45% of the UK’s exports going to the EU and 50% of all imports coming from the EU. You could argue that our membership makes us a more attractive destination for foreign investment. Figures from 2012 show we received around £937 billion of Foreign Direct Investment, while 50% of UK FDI is EU-related.

‘Brexiters’ think that we can independently pursue international trade deals with China, India and the US. This may well be true, but there is nothing stopping us today, or is there?

It is said that the EU has many layers of bureaucracy and regulatory issues.

I see that Nigel Farage believes we could strike an agreement with the EU that is similar to Norway’s, having access to the EU but not being bound by it.

And not to mention the most charged debate around the immigration effect on the country.

When I questioned my professional colleagues, it was very clear to me that they all have differing opinions, some to stay in and some to exit, with both sides putting up convincing arguments. As far as I can see, neither is wrong and there is value in both.

One thing that is understood is that we are all aware of where the EU has taken us as a country since 1972, but what will exiting deliver, and where would this untrodden ground take us? In reality, nobody knows.


I therefore question what the real issues are, whether we are being given all the correct facts, and what the motives are. Will we ever understand what it will mean to us before we are asked to vote in 27 days’ time, or will we all simply be voting on minimal information, based on the approach favoured by our local MPs and on a set of reforms negotiated by Prime Minister David Cameron, be they weak or strong?

As an IT Managed Services Provider we could sit on the fence; however, for a few of our customers, it could have major repercussions if we left the EU.

What do you think?  How might it affect your business?

The UK Referendum – Macro and Micro events impacting on your IT environment


The Macro Picture
On 23rd June 2016, all British, Irish and Commonwealth citizens resident in the UK will be able to exercise their democratic right to vote for the UK to remain a member of the European Union, or leave the EU.

As you would expect in a modern democracy, all eligible citizens will be free to vote as heart or mind dictates and it’s no surprise that such an economically seismic event of this nature is leading to much debate and consideration by politicians, pundits, colleagues and friends alike.

However you vote on the day, this event can rightly be classed as a genuine macro event, one which happens not every 5 years but potentially once in a generation, and both outcomes of the vote have the potential to profoundly impact the UK business environment.

As an organisation that provides integral support to businesses both within the UK and across the world, we have been keeping a keen eye on the implications of staying in or exiting, and we know a number of our customers have been doing the same. We are aware that customers across industries have been undertaking discreet assessments of their business footprint, trading parameters and IT infrastructure so that policies and processes are developed to accommodate both outcomes. Amicus ITS’ regulatory and compliance teams have been very active with a number of customers to ensure the implications for data management and the storage of data offshore from the UK are clearly known and managed.

At Amicus ITS, our position on the need to assess, review and prepare your IT and data management infrastructure to ensure it is ready for any outcome is clear: TAKE ACTION, however discreetly, to provide reassurance to the stakeholders in your business that you can manage and thrive in the unknown environment to come. Depending upon your perspective, macro events can be dealt with as minor bumps in the road or full-on roadblocks. Your position on this should be determined by action and not inaction.

The Micro Picture
So what about micro events? These exist all around us and are numerous within the commercial environment in which all companies operate. This is the same whether within the UK, the EU or across the globe, and within Amicus ITS we see the impact of these every day. Invariably, our everyday policies, procedures and good common sense ensure that micro events are managed and dealt with in a clean and efficient manner. However, at such a critical time as a major referendum, macro and micro events are inexorably drawn towards each other, and this is something we are already starting to see within the IT managed services support environment.

As 23rd June approaches, we are starting to see a rise in the number of micro cyber security incidents within our customer base, ranging from CryptoLocker attacks to targeted DDoS attacks. More worryingly, we are seeing refined and highly complex preparation and targeting of brands and institutions for whom the macro outcome of the vote could be doubly impacted by a breach of their security thresholds. A complex and high-profile breach of cyber defences at the time of our Referendum could damage both the commercial performance and the reputation of companies and brands that may need to support a new direction within their chosen business space.

The simple truth is that macro and micro events happen all the time. Focusing on the right sort of preparation and planning, to ensure IT infrastructure and security are kept at the front of your mind alongside doing what you do best, means that you can successfully adapt to any outcome and take some time to embrace it, whichever way things go.


The 53rd State of IT

[Image: A Union Jack flag flutters next to European Union flags ahead of a visit by British Prime Minister David Cameron to the European Commission in Brussels, Belgium, 29 January 2016. Cameron arrived in Brussels for unscheduled talks on a Brexit referendum. EPA/Laurent Dubrule]

Research has suggested that British technology companies are significantly in favour of remaining within the EU, but Matt Warman, Conservative MP for Boston and Skegness, told a debate about the UK’s digital future that if the sector was so passionate about that position, it should speak up and hope to influence public opinion.

“The tech community is very, very strong in the opinion [that technology] is global,” said Warman, who is also in favour of staying in the EU and is former consumer technology editor of The Telegraph and chair of the all-party parliamentary group For Broadband and Digital Connectivity.

“If you guys believe this stuff, get out there and say it. It’s a hard task for politicians because we are often not the most trusted people in the room.”

Tech and politics
He noted that US-based technology figures, such as Apple CEO Tim Cook and Mark Zuckerberg, hold strong political views as well, particularly with regards to the Republican party frontrunner Donald Trump’s hopes of becoming the next president of the USA.

Indeed, Box CEO Aaron Levie opened his keynote speech at an event in London last week by “apologising” for Trump’s views, which have proved divisive both at home and abroad. However, Warman accepted that technology firms had to balance their political beliefs with commercial sensitivities.

“Businesses need to find a way to get it out there. They need to … publicly say it rather than hope [the Referendum] goes one way.”

Industry support for EU
Research from industry body techUK suggests that 70% of its members want to stay in the EU, 15% want to leave and 15% don’t know. The majority support the UK’s membership because it makes the country more attractive to international investment, makes the UK more globally competitive and gives it a more favourable trading relationship with other members.

“There is a strong message from the tech industry that Europe is good for business. Tech leaders are clear that the UK needs to be holding the pen on the laws that affect their businesses,” said Julian David, techUK CEO.

“A vote to remain is a vote to ensure the UK voice is at the heart of policies that support the UK’s most innovative sector to continue to grow and create jobs. A vote leave would mean that the UK tech industry would lose its voice on the issues that matter most.”

Tech London Advocates surveyed its members and found that 87% of them oppose Brexit (the Leave campaign), because they believe that membership of the EU boosts the UK economy by making it more attractive to international businesses looking to operate in Britain.

It seems that just 3% of respondents favoured the UK leaving the EU. The remaining 10% reportedly declined to express their opinion on the matter.

It is clear there is concern within the tech industry about the impact of losing access to the European market. The survey found that nearly three in four (71%) feel Brexit would make it harder to reach customers in EU countries, and threaten existing relationships with suppliers based in Europe.

And more than four out of five (81%) believe that Brexit would make it harder to employ people from EU countries.

“London has established a global reputation as the digital capital of Europe,” Russ Shaw, the founder of Tech London Advocates said. “There is significant concern within the digital community that Brexit would undermine this position and threaten relationships with the European market.

“Attracting international companies to the capital has been one of the great success stories of London’s digital economy,” said Shaw. “Brexit could see global businesses locating in emerging digital hubs in Berlin, Paris and Stockholm rather than London.”

Besides the above reasons, it seems that the London tech sector is not keen on the uncertainty that could be generated by a British exit.

“There are things I don’t agree with in the EU, but no one can tell us what the alternative will be like,” said Michael Seres, founder of 11Health. “I have an investment round coming up and am looking to hire 14 new people in the next 2 years. I can’t make those decisions if my access to markets and the regulation in this and those markets is unknown.”

Business Risk

“The business risk of leaving the EU is on balance too high,” said Nick Thomson, Chief Revenue Officer at Workshare. “Not just for us but for all businesses engaged in the sharing of data securely.”

And Thomson pointed out Europe’s role in tackling America over recent data protection concerns.

“As a large trading block the EU was able to secure the EU Data Protection Regulation against US pressure,” said Thomson. “The UK may well have to compromise this level of data protection in the negotiation for its new trade concession from the US, leading not only to less data security for people and businesses based in the UK, but also making it vastly more complicated to share data with the rest of Europe – our main trading partners.”

There is a real possibility that the UK could vote to leave, as recent polls have suggested that almost seven in 10 pensioners want to leave the EU, while young people are more likely to be pro-European but less likely to cast a vote.

Thoughts

It is clear that the UK Referendum will have a potentially significant impact on IT and data, which are quickly becoming, and always should have been, the “crown jewels” of every company. If you consider what transpired with Safe Harbour, and with the European General Data Protection Regulation (GDPR) on the horizon, would the UK be in such a strong bargaining position outside the EU, or would we be caught in between the US and the EU?

Added to this, the European GDPR will come into effect before the UK can legally depart the EU, so data controllers and data processors need to think ahead for this anyhow. Not to mention the question of what the UK’s data protection and handling policy would look like post-referendum if we exited.

Technology is global. Manufacturers are producing to global standards, and yet we still have geographic data protection regulations to adhere to. Would a global data protection standard work? Could nation states agree to subsume their local preferred interests to a global framework, and would this mean watering it down to gain agreement?

What do you think?


The EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation introduces crucial data protection requirements for companies with data subjects in the European Union. This page offers a breakdown of the key provisions that will come into force May 2018.

Final text
The final text of the EU General Data Protection Regulation (GDPR) is now available and has been approved by the European Parliament.

Penalties
The Regulation will enforce tough penalties: organisations in breach can expect fines of up to 4% of annual global revenue or €20 million, whichever is greater. Fines will be imposed within two years of the Regulation being ratified.

Below is a breakdown of the key changes introduced by the Regulation:

1. If your business is not in the EU, you will still have to comply with the Regulation
Non-EU organisations that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

2. The definition of personal data is broader, bringing more data into the regulated perimeter
Data privacy encompasses other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

3. Consent for children’s data processing
Parental consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.

4. Changes to the rules for obtaining valid consent
The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.

5. The appointment of a data protection officer (DPO) will be mandatory for certain companies
Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. Firms whose core business activities are not data processing are exempt from this obligation. The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.”

6. The introduction of mandatory privacy risk impact assessments
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.

7. New data breach notification requirements
Data controllers will be required to report data breaches to their data protection authority unless the breach is unlikely to present a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of the data controller becoming aware of the breach, unless there are exceptional circumstances, which will have to be justified. Where the risk to individuals is high, the data subjects themselves must also be notified, although the Regulation does not specify a timescale for this. Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.

8. The right to be forgotten
Data subjects have the “right to be forgotten”. The Regulation provides clear guidelines about the circumstances under which the right can be exercised.

9. The international transfer of data
Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.

10. Data processor responsibilities
Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.

11. Data portability
Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.

12. Privacy by design
The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, to protect data subject rights.

13. One-stop shop
A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.

Organisations should take action NOW to implement appropriate measures for improved data security.
