ICO starts to bare its teeth ahead of GDPR as fines ramp up

New research from PwC reveals that the Information Commissioner’s Office (ICO) levied 35 fines in 2016 for breaches of the Data Protection Act (DPA). This is almost double the 18 fines of the year before.

Those fines totalled £3.2 million, which makes the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). However, figures across Europe pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines. PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.

Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.

This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000, although it has yet to do so. The largest fine a UK organisation has received for a breach of data protection laws has been £400,000, levied against Kerboom Communications in May 2017 and against TalkTalk last year.

PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change”.

It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?

Disaster for Three Mobile as huge data hack is disclosed


News has emerged today that one of Britain’s biggest mobile phone companies has suffered a huge breach of its systems, exposing an estimated six million user account details to compromise. This represents two thirds of the company’s customer base.

The breach is believed to have been carried out through an authorised employee login, which gave the hackers access to the customer upgrade database.

A spokesman for Three said, “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices. We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity”.

Three added that the data accessed included names, phone numbers, addresses and dates of birth, but not financial information. Customers whose data has been affected have not yet been informed. However, the speed of the response is shown by the National Crime Agency’s revelation that it is investigating the breach and that three people have already been arrested, two for computer misuse and one for perverting the course of justice.

With the Chancellor, Philip Hammond, calling on companies in his speech at the beginning of November to do more to protect their customers against cyber crime after the series of high-profile breaches of the last few years, and with the GDPR on the horizon, the commercial imperative for businesses to put stronger security measures in place shows that the need for diligence in compliance is greater than ever.

As part of its ongoing efforts to keep its customers and regional businesses informed, Amicus ITS has been conducting a series of cyber security roadshow events to help inform and educate businesses in the region. The next one is on Thursday 24th November 2016 at its headquarters in Totton.

‘Panama Papers’ – a wake up call for the legal sector

April’s data breach at Mossack Fonseca, the Panamanian legal, trust and accounting firm, offers a perfect-storm warning for law firms. As reported in last week’s blog, the legal sector is a highly attractive and potentially susceptible target for the armies of cyber attackers because of the sensitive data law firms hold about their clients.

“All law firms should take the Panama breach as a major wake-up call,” says founder and executive chairman of IT Governance, Alan Calder. “Law firms have notoriously been targets for cyber criminals because of the sensitive information they possess. More recently, the scale and devastation that cyber breaches cause means that law firms need to consider their cyber security posture right now.”

The swift changes in cyber attacks and their shifting focus between market sectors make defending your crown jewels (i.e. your data) ever more critical. Law firms were ranked the seventh highest target for cyber criminals in CISCO’s 2015 Annual Security Report, and in midsummer 2015 CISCO’s 2016 Annual Security Report noted that professional firms were one of the four sectors (Government, Electronics, Professional and Healthcare) most hit by Trojan-related attacks, while the Professional Services vertical was hit with a high number of iFrame attacks. Add to this that the UK’s Information Commissioner’s Office (ICO) investigated 173 law firms two years ago over data protection breaches. It is not a comforting picture. But there are good things that can be done by taking a proactive stance on security.

The ICO acknowledges: ‘There is no “one size fits all” solution to information security, as the security measures that are appropriate for a particular organisation will be different to another.’ However, given the pressures facing the legal sector, firms would be well advised to adopt a risk-based approach to deciding what level of security is required and where, and to ask pertinent security questions of the third-party contractors and suppliers they use.

An ISO 27001 Information Security Management System (ISMS) provides a risk-based approach to data security. When rolled out across the organisation it can push down through the supply chain to raise standards among third-party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, a law firm which creates a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond to one quickly and effectively through tested policy. What this means for the firm’s customers and stakeholders is higher levels of assurance, as well as enabling the firm to meet growing legal and regulatory data protection obligations.

As with all things technological these days, it’s not just about knowing what’s in your estate to protect; it’s about strategically identifying for the business what you might need to consider adding to your infrastructure, to build peace of mind for your Board and customers. That journey will ultimately be better travelled with an expert MSP which holds ISO 27001 certification, has a passion for data security and a keen eye on cyber security, and can not only advise but is able to deliver 24×7.


EU data privacy rules – Impact across the pond

A new European privacy directive is about to be signed, one which could see US tech firms fined millions of dollars if they don’t comply.

The directive regulates how tech companies obtain and use user data. According to USA Today, companies must get a clear consent from the user and have to explain just what their data will be used for. Companies must also explain to the user how the data was obtained, and in case the user wants that data changed or completely deleted, the company must do so.

As an example, if a user chooses to delete their Facebook account, Facebook would also have to delete all the information it had collected about them. The directive has been in production for several years and will replace a patchwork of laws from the 1990s.

“A lot of the language in this regulation has been sharpened in response to US companies walking very close to the line as far as complying with EU data protection regulations,” said Danny O’Brien, the international director of the Electronic Frontier Foundation, a San Francisco-based cyber rights group, speaking to USA Today.

The age of data consent will also be raised from 13 to 16, meaning anyone younger than 16 will have to get their parents’ approval before giving their data to companies.

The European Commission and the European Parliament could not agree on the size of the penalty in case a company fails to comply, but it seems that 4% of the company’s global revenue could be the sweet spot. For companies the size of Google or Facebook, that is a lot of money.

As an IT Managed Service Provider, data controller and data processor, Amicus ITS has had to be proactive in looking at the impact of these changes for us and our customer base. These changes, which will become law in the member states, reflect positively on individuals as we all obtain more rights over our data. However, for any organisation that holds or processes data these changes will have an impact that cannot be ignored.


No Safe Harbour for data in European eyes

The European Court of Justice ruled this week that the Safe Harbour agreement, in place since 2000, is now invalid. This story was originally covered in our blog in March 2015.

This is likely to create a sea change in where and how organisations hold their data. With clear guidance yet to follow, in what could be a confused few months of local and conflicting regulation, there may yet be a scramble to create urgent interim measures, both within Europe and among the roughly 5,000 US businesses that rely on Safe Harbour for the free flow of information between the territories.

Designed to be a “streamlined and cost effective” way for US firms to get data from Europe without breaking the rules, the Safe Harbour agreement allowed US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security were upheld (e.g. giving notice to users and advising them how the data can be accessed and by whom). Once the Snowden leaks revealed the surveillance pressure exerted by the security agencies, the safeguards were viewed as not being upheld.

It is not just about Facebook (whose use of private data was challenged in a lawsuit brought by privacy campaigner Max Schrems), though the news will have a big impact on tech giants such as Facebook, Google and Twitter, who may have to build new data centres in Europe in response to this decision. It reflects the differences between the two cultures: in the EU, data privacy is treated as a fundamental right, whilst in the US, other concerns which might conflict with it are sometimes given priority.

The patchy interim arrangement to authorise the “export” of the data will require the two bodies involved to draw up new “model contract clauses” setting out the US organisation’s privacy obligations.
For Data Controllers, this will be something of an administrative nightmare and will likely push up costs and cause delays. Managed Service Providers had better be thinking about their customers’ data with a sharper eye this week.


This week’s technology news – 27th June 2014

Supreme Court ruling for mobile phone privacy does not answer Cloud issue
Forrester reports an emphatic decision by the US Supreme Court this week, which endorsed the individual’s fundamental right to the privacy of data held on a mobile phone and held that the only way for third-party agencies to access it is to seek a warrant.

The sheer variety of applications now available on mobile phones (cameras, video players, Rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, newspapers, forums etc.) reveals much about the owner, as does the browsing history. Consequently it was felt that this would give third parties too personal an insight into things we would prefer to keep private, even from our partners. The crossover impact for business is in BYOD, where corporate employers may not yet have taken steps to assess and implement data security policies to safeguard corporate privacy.

With the growth in devices and wearable technology, much of the content will inevitably be stored in the Cloud, and what is not revealed through the phone as its conduit will be accessible once it reaches storage sites such as Dropbox and Evernote. So as soon as you have connected, you are no longer able to control that privacy, or that right. This ruling is therefore insufficient in the wider context of cloud content and the management of personal (and customer) data, so expect more rulings in future as the further legal ramifications are reviewed. As an MSP, it is your responsibility to be a privacy advocate.

Stop thief – you are turning me off!

Research by Glasgow Caledonian University into the way we hold and use smartphones is leading to a new form of security, designed to identify abnormal usage patterns that could trigger a “kill switch”. The software logs, monitors and profiles “normal” behaviour: how the handset is carried and handled, which applications are accessed and when, plus geolocation and browsing. Subtle changes in this information could indicate unauthorised use and prompt a shutdown. The profile takes a few days of average use to build up a coherent picture, and current versions of the logging software detect illegal use within a couple of minutes, which will no doubt get far quicker.

Lead scientist Professor Lynn Baille notes that a further development of this software could be in authenticating identity. Research indicates that users swipe or tap in their PIN up to 100 times a day to unlock their handset, which puts some users off using security measures where they have the choice. The new software could grant access simply because the device is “in the right hands”, keeping a phone unlocked in normal use except where the user needs to purchase something or log in to a corporate network. Yet again, there are privacy implications in such monitoring, and in whether it is managed centrally or locally on the device.
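As an added illustration of the behavioural baseline and kill switch described above (this is example code written for this page, not software from Glasgow Caledonian University), the sketch below profiles a few days of constructed sessions, scores new sessions against that profile and locks the handset only after several consecutive anomalies, so one odd session does not trip it. The features, weights, thresholds and sample sessions are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from math import hypot
from statistics import mean, pstdev

@dataclass(frozen=True)
class Session:
    hour: float        # local hour of day the session started (0-24)
    length_s: float    # how long the handset stayed unlocked
    apps: frozenset    # apps opened during the session
    lat: float         # coarse geolocation
    lon: float

class Profile:
    """Baseline of the owner's 'normal' use, built from a few days of recorded sessions."""
    def __init__(self, history):
        hours = [s.hour for s in history]
        lengths = [s.length_s for s in history]
        # floor the spread so a very regular owner does not make every small deviation huge
        self.hour_mu, self.hour_sd = mean(hours), max(pstdev(hours), 0.5)
        self.len_mu, self.len_sd = mean(lengths), max(pstdev(lengths), 5.0)
        self.lat_c, self.lon_c = mean(s.lat for s in history), mean(s.lon for s in history)
        self.known_apps = frozenset().union(*(s.apps for s in history))

    def score(self, s):
        """0 means typical; each term grows as the session looks less like the owner."""
        z_hour = abs(s.hour - self.hour_mu) / self.hour_sd
        z_len = abs(s.length_s - self.len_mu) / self.len_sd
        km_away = hypot(s.lat - self.lat_c, s.lon - self.lon_c) * 111  # ~km per degree
        new_apps = len(s.apps - self.known_apps)
        return z_hour + z_len + km_away / 5.0 + 2.0 * new_apps

class KillSwitch:
    """Shuts the handset down after several consecutive anomalous sessions (toy thresholds)."""
    def __init__(self, profile, threshold=4.0, strikes=3):
        self.profile, self.threshold, self.strikes = profile, threshold, strikes
        self.hits, self.locked = 0, False

    def observe(self, s):
        # Returns True once the device should be locked; one normal session resets the count.
        if self.locked:
            return True
        self.hits = self.hits + 1 if self.profile.score(s) > self.threshold else 0
        self.locked = self.hits >= self.strikes
        return self.locked

# Constructed sample data: the owner's routine, then sessions that look like a stolen handset.
HOME = (51.50, -0.12)
ROUTINE = [(8, 60, {"mail", "maps"}), (12, 90, {"chat"}), (18, 120, {"mail", "chat"})]
BASELINE = [Session(h, l, frozenset(a), *HOME) for h, l, a in ROUTINE * 2]
OWNER = Session(12.5, 95, frozenset({"mail"}), *HOME)
THIEF = Session(3.0, 600, frozenset({"banking", "settings"}), 53.50, -2.20)

def run_demo():
    # Feed one normal session then three suspicious ones; return the lock decision after each.
    switch = KillSwitch(Profile(BASELINE))
    return [switch.observe(s) for s in [OWNER, THIEF, THIEF, THIEF]]
```

A real deployment would replace the hand-picked weights with a trained model and the strike counter with a time window, but the shape (baseline, per-session score, debounced lock) is the same.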

This week’s technology news – 21st March 2014

Microsoft Office on an iPad near you soon
The first press engagement next week for new Microsoft CEO Satya Nadella is rumoured to include the long-awaited announcement of an Office application for the iPad. Any internal misgivings that this move might weaken the Windows platform are put into context by the estimated revenue the dedicated app would bring in, around $2.5 billion per year. Microsoft seems intent on getting its software onto as many platforms as possible, having already released applications for the iPhone, and OneNote, SkyDrive and Outlook for the iPad.

Innovative evolution for wearable technology in US healthcare pilot
Wearable computing has moved one step further with the use of Google Glass in a small pilot at the emergency department (ED) of Beth Israel Deaconess Medical Centre in Boston, USA. Clinicians wearing unmissable orange specs would glance at a bar code or QR code and receive patient details, location, lab results and other data through the glasses during the examination. The real-time access to patient data through the glasses proved effective and life-saving during the pilot. Concerns about data security were satisfactorily answered, with the data held behind the BIDMC firewall, and both patient reaction and clinician usability won approval. With further testing ongoing, for limited or summarised information the glasses have proved an effective complement to current desktops and iPads in speeding up clinician workflow and enabling hands-free working. The results will be closely monitored. The potential for wider adoption across the US and internationally is tantalisingly close, while the use of tablets in healthcare may decline if Glass takes off.


Google Glass for clinicians
The path of data security is never smooth

Morrisons, the UK’s fourth-largest supermarket, already facing a tough time in the UK press last week after announcing a sharp fall in profits, promptly endured a major security breach when a disgruntled employee published the payroll details of 100,000 of the company’s employees on a website, including names, addresses and bank details. Clearly, securing confidential data against rogue internal use is a less comfortable subject than the cybercriminal bogeyman, but of equal necessity to firms. This could have been the end of it, but perhaps the final lesson in what not to do came with the retailer’s choice of Facebook, the social media behemoth, as the channel to inform and reassure staff about the breach. In this digital age, HR departments have the powerful and certainly more private tools of email and text to send private messages to staff. Had they used them, it might have kept the last vestiges of their laundry from being aired quite so publicly.

Google – to infinity and beyond for mobile technology
Google has created the Android Wear mobile operating system to power smart watches. This smart strategy ties in with its moves into robotics, Google Glass and data analytics. As intelligence is joined up through Google Now, the company’s PA software, this helps the device inform and interact with the user, providing a more effective experience for the information and services received. Globally, this strengthens Google’s wearable technology offerings promised for 2014, but it will not be on its own: Motorola has announced that it is launching the Moto 360 smart watch to run on Android Wear too. By working with several consumer electronics partners including Samsung, Motorola, Asus, LG and HTC, plus chip makers, Google is ensuring that if it builds out this particular technology wardrobe, its software will be on as many devices as possible as the Android platform moves beyond today’s smartphones and laptops.