News, articles, legislation and analysis, all about data protection and cybersecurity technologies
Survey: Greece, Italy and Romania have reported the fewest breaches per capita – More than 59,000 personal data breaches were notified to regulators in the first eight months since the GDPR came into force, according to a DLA Piper survey.
Public Policies: The GDPR Cookies Paradox – Asking users to consent to cookies on every website they visit is far from the spirit of the GDPR.
Inside Threats: Security Principle of GDPR – Data breaches caused by negligent and malicious insiders have increased by 26% and 53% respectively in the past two years.
Brexit: What will be the impact on data protection? – If the UK exits the EU on 29 March 2019 without a deal, the UK would still be subject to the GDPR, but as of 30 March 2019 the UK would become a “third country”.
Legislation: Tech giants join forces to support US GDPR – Apple chief executive Tim Cook’s call for the US to introduce GDPR-style legislation
IoT: Child smartwatch as possible serious risk – The European Commission has ordered the recall of a smart watch aimed at kids that allows miscreants to pinpoint the wearer’s location, posing a potentially “serious risk”.
Image of the week: CYBERSECURITY REFERENCE MODEL
Greece, Italy and Romania have reported the fewest breaches per capita
According to a DLA Piper GDPR survey, eight months since the GDPR came into force, more than 59,000 personal data breaches have been notified to regulators.
These range from minor breaches, such as errant emails sent to the wrong recipient, to major cyber attacks affecting millions of individuals and making front-page headlines.
The Netherlands, Germany and the UK had the most data breaches notified to supervisory authorities, with around 15,400, 12,600 and 10,600 respectively. The countries with the fewest breaches notified were Liechtenstein, Iceland and Cyprus with around 15, 25 and 35 breaches respectively.
Ranked by breaches notified per capita, the countries with the most breaches notified are the Netherlands, Ireland and Denmark. At the opposite end, Greece, Italy and Romania have reported the fewest breaches per capita.
So far, 91 fines have been reported under the GDPR. The highest fine imposed to date, €50 million, was a decision by the French CNIL against Google, and did not relate to a personal data breach.
The German data protection authority LfDI Baden-Württemberg fined a company €20,000 for failing to hash employee passwords, which were then exposed in a security breach. The same authority imposed an €80,000 fine in January 2019 for publishing health data on the internet. German authorities have also reported 62 other fines.
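The Baden-Württemberg fine turned on a single technical failure: passwords stored in a form that a breach exposes directly. The following is an added example, not code from the DLA Piper report or from the fined company, showing the control the regulator expected: a salted, iterated password hash with a constant-time verify, a parameter-upgrade check, and an audit helper that flags legacy plaintext entries in a credential store. The sample credential table, the user names and the function names are constructed for this example. PBKDF2-HMAC-SHA256 is used because it is in the Python standard library; Argon2id or bcrypt are the usual first choice where a third-party library is acceptable.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt hex>$<hash hex>'.

    A fresh random salt per user means identical passwords produce different
    records, so a leaked table cannot be attacked with one precomputed table.
    The iteration count is stored with the hash so it can be raised later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time.

    Anything that is not a well-formed hashed record (e.g. a legacy plaintext
    value) fails closed rather than being compared as a password.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        expected = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record is not a hashed record at all, uses another algorithm,
    or was produced with fewer iterations than currently required."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def entries_needing_migration(user_table: Dict[str, str]) -> List[str]:
    """Audit helper (constructed for this example): list users whose stored
    credential is plaintext or below the current hashing parameters."""
    return [user for user, stored in user_table.items() if needs_rehash(stored)]


if __name__ == "__main__":
    # Constructed sample credential store: one legacy plaintext entry (the
    # pattern the Baden-Württemberg fine concerned) and one hashed entry.
    table = {
        "alice": "hunter2",
        "bob": hash_password("correct horse battery staple"),
    }
    print("entries needing migration:", entries_needing_migration(table))
    print("bob, right password:", verify_password("correct horse battery staple", table["bob"]))
    print("bob, wrong password:", verify_password("Hunter2", table["bob"]))
    print("alice, plaintext record never verifies:", verify_password("hunter2", table["alice"]))
```

The migration path in practice is: flag the legacy entries, force a password reset for them (a plaintext value cannot be "upgraded" without the user present), and on every successful login call `needs_rehash` so that records made under older parameters are transparently rewritten with the current iteration count.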
The majority of fines are relatively low in value, including a €4,800 fine issued in Austria for the operation of an unlawful CCTV system that was deemed excessive for its partial surveillance of a public sidewalk. Cyprus also reported four fines, with a total value of €11,500, and Malta reported 17 fines, a surprisingly large number given the relatively small size of the country. Not all of the countries covered by this report make breach notification statistics publicly available and many provided data for only part of the period covered by this report. READ FULL REPORT HERE
The GDPR Cookies Paradox
Last November, members of the European Consumer Organisation, BEUC, lodged formal complaints against Google with their national Data Protection Authorities based on research carried out by the Norwegian Consumer Council (NCC).
The study analysed settings in Facebook, Google and Windows 10, and found that the interfaces were designed in a way that makes turning off privacy-intrusive settings much harder than turning them on. The NCC said that “default settings, dark patterns, techniques and features of interface design” are meant to “manipulate users,” and drive them towards privacy-intrusive options. This abusive business practice that NCC described as “unethical, deceptive and manipulative,” could violate the GDPR’s principles of “informed consent,” “data protection by design, and data protection by default.”
According to the study, many sites require users to give consent or leave the site, while many interfaces “nudge” users into making what may not be a fully informed choice, through a combination of design and wording tactics that may obscure privacy-friendly choices, offer an illusion of control, or require users to expend more time and effort in choosing the pro-privacy option.
Users are encouraged to click on the “Agree” button through clever design. Scare tactics are also used, as popups are worded to compel users to choose certain options, while information is omitted or downplayed. Users are often asked to review hundreds of ad trackers.
The problem is often heightened with mobile sites, where the limited size of smartphone screens can further cramp the interface, making it more cumbersome for users to manage their consent options.
Could ePrivacy be the key to real consent? Although the GDPR sets the general rules under which personal data may be collected and processed, it is the ePrivacy Directive that actually sets out when and how cookies can be used. Tracking people without their consent is already illegal under the ePrivacy Directive, but the GDPR establishes a stronger definition of consent – it must be freely given, specific and informed.
Unfortunately for those pinning their hopes on a revised ePrivacy Regulation, negotiations have stalled as national governments cannot agree on their position. The European Parliament reached its position back in October 2017, but cannot begin negotiations without the member states. MORE ABOUT THE NCC STUDY
Security Principle of GDPR
Eight months after the introduction of GDPR, the European Commission reports that regulators have received more than 95,000 complaints about possible data breaches. What is certain is that the pattern of cyber-attacks and insider-led data breaches shows no signs of declining.
It is crucial for organisations to keep abreast of serious threats to their cybersecurity, and the insider threat is one that cannot be ignored. Given its significance, organisations need to implement “appropriate technical or organisational measures” to prevent, detect and respond to the insider threat.
According to the ICO, the sixth GDPR principle, known as the “security principle”, is the “integrity and confidentiality” principle set out in Article 5(1)(f). It requires that organisations use “appropriate technical or organisational measures” to process personal data in a manner that “ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”.
What do “appropriate technical or organisational measures” mean in practice? At minimum, maintaining an information security policy and taking steps to make sure that the policy is actually implemented and followed, not merely written down.
While many organisations have basic cybersecurity measures in place, such as protection against malware, backups for data, and password protected systems, often these methods are focused on protecting against external cyber intrusions. But it’s also essential for organisations to evaluate whether their “technical and organisational” measures are up to snuff with respect to cyber threats that originate from within company firewalls. Insider threats occur when someone with authorised access to critical information or systems misuses that access and breaches data security, either intentionally or accidentally.
The best-known insider case is that of Edward Snowden. Recent research by the Ponemon Institute (The Cost of Insider Threats, 2018) indicates that data breaches caused by negligent and malicious insiders have increased by 26% and 53% respectively in the past two years, and that the cost of insider incidents to individuals and businesses has only risen. As insider threats become progressively more common and damaging, organisations need to factor them into their information security measures in order to avoid falling foul of the security principle.
The security principle expressly acknowledges that both the security measures taken and the level of security applied to processing personal data should be appropriate to the particular circumstances, bearing in mind the risks that the processing poses and the cost of the measures relative to the benefit they bring.
Preventative measures can include employee cybersecurity training and clear organisational policies that set out the security precautions and restrictions employees should abide by.
Detecting insider threats can be challenging, but solutions that provide full visibility into user activity, with real-time alerting on suspicious behaviour, go a long way to identifying questionable conduct and stopping data loss before it happens. Importantly, such tools can be implemented without infringing on employee privacy, provided the monitoring is itself proportionate, transparent to staff and limited to what the risk justifies: monitoring employee activity is also processing of personal data and must meet the same GDPR principles. ORIGINAL ARTICLE HERE
What will be the impact on data protection?
If the UK exits the EU on 29 March 2019 without a deal, the UK would still be subject to the GDPR, but as of 30 March 2019 the UK would become a “third country”.
One of the ways in which personal data can be lawfully exported to a third country is by what is called an ‘adequacy decision’ from the European Commission.
Argentina, Canada, Switzerland and several other countries have already been recognised as providing adequate protection, but there is little chance that the UK will have been deemed ‘adequate’ by the European Commission by 30 March 2019. The Information Commissioner’s Office (ICO) has said: ‘an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months.’ SOURCE GDPR REPORT
Tech giants join forces to support US GDPR
Apple chief executive Tim Cook’s call for the US to introduce GDPR-style legislation is gaining momentum among the technology giants, with Cisco and Microsoft the latest firms urging the US to follow in the footsteps of the European Union.
Cisco told the Financial Times that it wants US politicians to devise and implement their own version of the European regulation in the coming months, despite criticism that the legislation is too harsh on businesses and overly broad.
Cisco’s chief legal officer Mark Chandler explained to the FT that the GDPR has been successful in Europe and that now is the time for the US to adopt a similar policy. “We believe that the GDPR has worked well, and that with a few differences, that is what should be brought in in the US as well,” said Chandler.
Microsoft chief executive Satya Nadella has also given his backing to new US legislation and has gone one step further by calling for a ‘global GDPR’ to be drafted: “One of the things we do not want to do is fragment the world and increase transaction costs, because ultimately it’s going to be borne in our economic figures. I hope we all come together, the United States and Europe first, and China. All the three regions will have to come together and set a global standard.” SOURCE DATAIQ
Child smartwatch as possible serious risk
The European Commission has ordered the recall of a smart watch aimed at kids that allows miscreants to pinpoint the wearer’s location, posing a potentially “serious risk”.
The commission uses its Rapid Alert System for Non-Food products (Rapex) to send out alerts to other nations in the European Economic Area about dangerous products in their markets.
The latest weekly report includes German firm Enox’s Safe-KID-One watch, which is marketed to parents as a way of keeping tabs on their little ones – ostensibly to keep them safe – and comes with one-click buttons for speed-dialling family members.
According to an article published by The Register, the commission said the device does not comply with the Radio Equipment Directive and detailed the “serious” risks associated with it. “The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data,” the alert said. In other words, location and account data travel in the clear and can be retrieved from the backend without any credentials at all. READ THE ORIGINAL ARTICLE HERE