Data Regulators Reflect On the First Months Of GDPR*:
- Speaking at the IAPP Data Protection Intensive 2019 conference in London, a panel discussion on the first year of GDPR and “What Actions Have Been Taken?” explored how over €55m has been handed out in fines, although the majority of that was the €50m levied at Google.
- The last year has also seen data protection authorities more than double their head counts.
- Moderator Vivienne Artz, chief policy officer of Refinitiv, reflected on data relating to investigations, reports and financial penalties since GDPR came into force.
- She said that in the UK, 206,326 total cases had been reported, of which 94,000 were complaints and 64,000 were data breach notifications. Of these, 52% had been concluded.
- Stephen Eckersley, director of investigations at the UK Information Commissioner’s Office, said that the ICO had increased staff numbers from 380 to 700, while Jay Fedorak, information commissioner of the Jersey Channel Islands, added that staff had increased from four to nine people.
- Eckersley explained that teams were added to deal with “the cyber problem” of breaches and state-sponsored attacks, while other teams were investigating “criminal breaches of the Data Protection Act and Freedom of Information Act” and regulating the NIS Directive.
- Fedorak, who was formerly an assistant to current UK information commissioner Elizabeth Denham, said that there were ambitions of growing beyond 60 people for the 110,000+ population of the Channel Islands.
- Eckersley said that a lot of the work since May 25 2018 had been on “legacy cases”, and he acknowledged that issuing fines was “not the only way to regulate”: much of the work was investigation, meaning gathering evidence, reacting quickly and dealing with reports from data controllers and from the media.
- Explaining how an investigation comes together, he said that an investigating team finds evidence and speaks to the data controller, looks for policy and procedures and it “all ends up in the same place – enforcement action.”
- This team then pulls the case together, which goes to the delegated authority, and a regulatory panel determines the size of the fine.
- He said: “There were five bands under the 1998 DPA, and we are considering our options of continuing that approach or working with our colleagues in The Netherlands and Norway, and harmonizing the calculation of fines.”
- Appearing via video link, Mathias Moulin, director of rights protection and sanctions directorate at the Commission nationale de l'informatique et des libertés, said that prioritization with colleagues was important, and regulation was pushing that as it was a “natural” expectation of GDPR to prioritize European cooperation for complaints “as we have a limited time limit to handle complaints.”
- Commenting on the shift from data loss to other types of privacy breach (94,000 to 64,000), Moulin said that there is “still room to improve the processes of contact.”
- Asked by an audience member whether there is a problem of over-reporting, Eckersley said that the ICO recognized it needed a dedicated team: in the first month of GDPR, 1,700 breaches were reported, and while this has levelled off to 380-400 a month, “it more and more clarifies what GDPR is saying.”
*Source: Infosecurity Magazine, March 14, 2019
Netherlands Premieres First Fining Policy in The EU*:
- The Dutch Data Protection Authority just released its GDPR fining policy, being the first country to do so.
- GDPR allows for a maximum fine of 4 percent of global revenue or €20 million, whichever is higher, but little has been said about how the exact fine amount is determined and what the scale is.
- The new GDPR fining policy sheds light on this as it introduces a four category system, giving various examples depending on company size and maximum fine.
- For example, if a company’s maximum fine is €10 million, it might face the following fines for less severe violations:
- Category I: €0 to €200,000
- Category II: €120,000 to €500,000
- Category III: €300,000 to €750,000
- Category IV: €450,000 to €1 million
- While the Dutch Data Protection Authority doesn’t explicitly state how it will categorize GDPR violations, it does share a list of “relevant factors” for determining the severity of a violation.
- Factors include the duration of the infringement, the number of data subjects (people) affected, how quickly the company reacts, and what type of personal data is involved.
- Arnoud Engelfriet, IT lawyer and partner at Dutch firm Legal ICT, says the policy brings some much needed clarity to GDPR enforcement.
- While the GDPR doesn’t strictly require a detailed policy, it does require a fine to be evaluated against many criteria, so in Engelfriet’s opinion issuing a clear policy like this helps.
- Introducing categories also makes it easier for companies and the general public to understand how GDPR will be enforced.
- Engelfriet is happy with the introduction of the new policy and says the fine system is set up so that ‘simple’ offenses can be managed with a relatively light fine, thus reducing the number of appeals and making the whole process smoother.
- But if something big happens, they can bring down the full GDPR hammer and fine €10 million or €20 million, or 4 percent of worldwide turnover.
- And this is definitely so for the general rules of GDPR: transparency, easily available rights, and above all, clear documentation on every step you took to become compliant.
- Because if you’re GDPR compliant but you have no documentation, you’re not GDPR compliant.
- And that’s a €20 million fine for you then.
- Many have been waiting for GDPR’s ‘real’ impact, as there wasn’t much enforcement in 2018.
- Experts predict that this will change in 2019, with various investigations coming to a close in the following months, accompanied by the first GDPR fines.
*Source: TheNextWeb, March 15, 2019
Australian Man Arrested For Selling $200K Worth Of Stolen Spotify and Netflix Passwords*:
- A 21-year-old man living in Sydney, Australia was reportedly arrested on Tuesday for having over one million stolen Netflix, Spotify, and Hulu passwords on his website WickedGen.com.
- Australian police estimate that he made approximately $211,000 over the course of the two-year scam.
- The FBI initially informed the Australian Federal Police (AFP) of WickedGen in 2018, given the 120,000 paid members the site reportedly had.
- The two entities then collaborated in a joint international cybercrime investigation to pinpoint the man responsible.
- Although the perpetrator was based out of Australia, the users who subscribed to the site were based across the globe, including the U.S.
- After obtaining a search warrant and arriving at the premises, the AFP seized "electronic materials and various amounts of cryptocurrencies."
- According to the AFP, the man accessed the account information by "credential stuffing," in which the attacker compiles a list of usernames and passwords that were previously compromised, usually in a breach, and then sells them for profit.
- Because most people reuse the same password again and again, account information obtained from one breach will likely also give access to other accounts.
- The AFP confirmed that they are working with Netflix, Spotify, Hulu and all other companies implicated to address the issue.
*Source: Complex, March 14, 2019
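The pattern described in the item above is visible on the defending side as one client trying many different accounts in a short time, which per-account lockout alone never notices. The following detector is an added example, not code from the article or the AFP; the log format and the sample lines are constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): <ISO-8601 time> ip=<addr> user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: 198.51.100.7 replays leaked credentials across many
# accounts (one succeeds); 192.0.2.10 is a real user who mistypes once.
SAMPLE_LOG = """\
2019-03-12T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2019-03-12T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2019-03-12T10:00:03Z ip=198.51.100.7 user=carol result=FAIL
2019-03-12T10:00:04Z ip=198.51.100.7 user=dave result=OK
2019-03-12T10:00:05Z ip=198.51.100.7 user=erin result=FAIL
2019-03-12T10:00:07Z ip=192.0.2.10 user=grace result=FAIL
2019-03-12T10:00:09Z ip=192.0.2.10 user=grace result=OK
2019-03-12T10:30:00Z ip=198.51.100.7 user=heidi result=FAIL
"""

def parse(log_text):
    """Yield (timestamp, ip, user, success) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the job
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["result"] == "OK"

def detect(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that attempt >= min_users DISTINCT accounts inside one
    sliding window. Returns {ip: (distinct_users, failures, [accounts hit])}
    for the busiest window seen per IP; an empty dict means nothing flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and len(users) >= alerts.get(ip, (0,))[0]:
                alerts[ip] = (len(users),
                              sum(1 for _, _, ok in span if not ok),
                              sorted(u for _, u, ok in span if ok))
    return alerts
```

The accounts listed under "hit" are the ones to force a password reset on, since a success inside a spray almost always means a reused password.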
5 Intranet Security Tips In The Era of Data Breaches*:
- You see articles with these headlines seemingly constantly now: “How I hacked hundreds of companies through their help desk” or “How I hacked 40 websites in 7 minutes.”
- A common theme of the modern digital world: Hackers can easily access a company’s resources and begin wreaking havoc.
- Many are familiar with the more-publicized data breaches of the last few years, such as Marriott in 2018, where the data of 500 million people was exposed, or the Equifax breach of 2017, which compromised the data of 143 million individuals.
- Hackers are game to find any vulnerability in a company’s potential attack surface.
- Oftentimes, an attacker’s first point of entry is the company’s intranet.
- HR-level data often resides there, and because the intranet is not always a top company priority, its security can fall below average, making it an easy path to exploit.
- You need to have an intranet for increased collaboration and productivity, but it absolutely must be safe, secure, and compliant.
- Get specific on those permissions:
- Multi-tiered security is often construed in terms of permissions, e.g., Brad from sales should not be able to view executive team meeting minutes.
- While permissions are a crucial aspect of multi-tiered security, it goes beyond that.
- Every user and content item within an intranet needs specific viewing, editing, and creation rights.
- Consider Google Docs and Drive: for anything you produce in Google Docs, you can set specific sharing permissions for whoever receives the link.
- Intranets need to function the same way, both to protect proprietary internal information and reduce susceptibility to hacks.
- Authenticate like an enterprise boss:
- Authentication needs to be unified across all business applications, which means internally and with any apps hosted in the cloud.
- This is relevant, as many organizations are deploying an average of 935 cloud-based applications that employees may need to access at least once in a work year.
- With that many touch points on the attack surface, you need to make sure your authentication is robust.
- The best practice here is to use Security Assertion Markup Language (SAML). It is an XML-based markup language for security assertions, or statements, that service providers use to make access-control decisions.
- Active Directory Authentication:
- This helps keep information consistent and up to date.
- The basic principle of Active Directory ties to permission-setting and multi-tiered security.
- Everyone has a way to log in to the main system/database they need access to.
- What they can actually see once there is based on permission control.
- Once a directory service for Windows servers, it now more commonly refers to a broad range of directory-based, identity-related services.
- The best practice here is for employee profiles to be self-managed, which removes the need for manual syncing of information; manual sync windows are more easily exposed to hackers.
- Must-read compliance:
- GDPR is here to stay, and we’re even starting to see the first financial repercussions of GDPR compliance not being met, with Google being hit with a $57 million fine from France.
- As privacy laws become more common, it’s crucial for organizations to make sure their intranet is compliant with local regulations.
- Organizations should set up a security policy and/or GDPR group policy on the intranet that all employees must read and then accept as having read and understood.
- This gives your business evidence that all employees understand their obligations.
- Anonymous Data:
- Data-masking hides data elements that users of certain roles should not see and replaces them with similar-looking fake data, which are typically characters that will meet the requirements of a system designed to test or still work with the
- Data encryption converts data into scrambled, unreadable ciphertext using cryptographic algorithms.
- Data encryption is often used to protect data transferred between computers or networks, so that it can later be restored to readable form by the recipient.
*Source: HR Technologist, March 11, 2019
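Role-based data masking, as described under "Anonymous Data" above and tied to the per-role permissions from "Get specific on those permissions", in an added example that is not from the article: each role sees only the fields it is entitled to, every other field is replaced by fake data of the same shape, and the output is checked against the formats a downstream system would validate. The role table, the masking key and the sample record are constructed placeholders.

```python
import hashlib
import hmac
import re

# Which fields each role may see in clear (constructed policy; a real
# intranet would take this from its access-control configuration).
CLEAR_FIELDS = {
    "hr": {"name", "ssn", "dob", "email"},
    "manager": {"name", "email"},
    "tester": set(),  # test/QA accounts only ever see masked data
}

# Placeholder key for deterministic pseudonyms; keep a real one in a secrets store.
MASK_KEY = b"example-masking-key-not-for-real-use"

FORMATS = {  # what downstream systems validate; masked values must still pass
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "dob": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

def _tag(field, value):
    """Keyed hash: same real value -> same fake value, so joins survive masking."""
    return hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()

def mask_field(field, value):
    """Replace value with similar-looking fake data of the same shape."""
    tag = _tag(field, value)
    digits = "".join(str(int(c, 16) % 10) for c in tag[:9])
    if field == "ssn":
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:9]}"
    if field == "dob":
        return value[:4] + "-01-01"  # keep the birth year, drop the exact day
    if field == "email":
        return "user" + tag[:8] + value[value.rfind("@"):]  # keep the domain
    return "Person " + tag[:6].upper()  # names and any unlisted field

def mask_record(record, role):
    """Copy of record with every field the role may not see replaced by fake
    data. An unknown role falls closed: every field is masked."""
    allowed = CLEAR_FIELDS.get(role, set())
    out = {f: (v if f in allowed else mask_field(f, v)) for f, v in record.items()}
    for f, v in out.items():  # masked output must still satisfy downstream formats
        if f in FORMATS and not FORMATS[f].match(v):
            raise ValueError(f"masked {f} {v!r} breaks its expected format")
    return out

SAMPLE = {"name": "Alice Example", "ssn": "123-45-6789",  # constructed record
          "dob": "1990-04-17", "email": "alice@example.com"}
```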
Data Breach Compromises Information Of More than 600,000 in Michigan*:
- The information of more than 600,000 Michiganders may have been compromised by a data breach sustained by Detroit-based Wolverine Solutions Group.
- Those compromised include customers of Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health and North Ottawa Community Health System.
- Wolverine Solutions Group has mailed letters to all impacted individuals.
- According to the company website, exposed information could include names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers and medical information.
- The company says it does not believe personal information was extracted.
- Wolverine is offering two levels of identity protection to individuals affected by the breach.
- They are also offering a free credit monitoring service to those affected by the breach.
*Source: WXYZ Detroit, March 11, 2019
Hackers break into system that houses college application data*:
- Last week hackers broke into a system that houses prospective students' application data, then promised students access to their files — for the price of a single Bitcoin.
- More than 900 colleges and universities use Slate, owned by Technolutions, to collect and manage information on applicants.
- Three colleges were affected by the breach: Oberlin College in Ohio, Grinnell College in Iowa, and Hamilton College in New York.
- Prospective students were sent emails promising access to confidential information, including comments from admissions officers and tentative acceptance decisions, upon payment of a Bitcoin.
- Later emails offered limited subsets of student files for $60.
- No other universities were affected by the breach, Technolutions said.
- Oberlin, Grinnell, and Hamilton advised prospective students not to pay the attackers and said they are working with law enforcement on the case.
*Source: Dark Reading, March 11, 2019