Ticketmaster Sued Over UK Data Breach*:

 

  • A law firm in Widnes has filed a lawsuit against Ticketmaster in relation to the security breach that occurred on the Live Nation ticketing firm’s UK sites last year.
  • It’s thought up to 40,000 people could have been affected by last year’s data hack, while law firm Hayes Connor says that its legal action – which seeks damages of up to £5 million – is on behalf of over 650 Ticketmaster customers.
  • Ticketmaster UK confirmed it had identified a major security breach on its system in late June last year.
  • At the time the company said the breach was caused by malicious software on a third-party customer support product it used hosted by tech company Inbenta Technologies.
  • That product was immediately disabled across the firm’s websites and all the customers who may have been affected were contacted.
  • Digital bank Monzo subsequently revealed that it had spotted the breach several months earlier, adding that it had alerted the Live Nation company to the problem on 12 Apr, more than two months before the ticketing firm alerted customers to the issue.
  • Although it was never confirmed exactly how many customers had their data stolen during the breach, it’s thought the hack could have affected up to 40,000 people, mainly in the UK, who had bought tickets from the main Ticketmaster UK website – or sister sites TicketWeb or Get Me In! – between February and June last year.
  • Customer data potentially accessed during the hack included addresses, phone numbers, payment info and login details.
  • Hayes Connor, a law firm that specialises in data protection, has been encouraging any Ticketmaster customers affected by the breach to get in touch.
  • It now has over 650 claimants on board and has filed litigation with the High Court in Liverpool.

*Source: Complete Music Update, April 05, 2019

 

UK Government Praises GDPR as Cyber Security Breaches Fall, As Top Lawyer Issues Warning*:

  • According to new statistics from the Department for Digital, Culture, Media and Sport, 32% of businesses identified a cyber security breach or attack in the last 12 months – down from 43% the previous year.
  • That may seem like a reason to celebrate, but then the data also reveals that among organisations that were attacked, the median number of cyber security breaches has risen from four to six.
  • It seems cyber security breaches and attacks are getting more concentrated.
  • The cost has gone up too: the average cost of a cyber attack on a business has risen by more than £1,000 since 2018, to £4,180.
  • So the headline figure of fewer organisations falling victim to attacks is only a thin veneer over a worsening picture for those that are hit.
  • The government says that GDPR is one of the reasons for the fall.
  • Maybe that is right, but the stats also show that 48% of businesses and 39% of charities who were breached or attacked, identified at least one breach or attack every month.
  • Mark Deem, who heads the cyber team at legal practice Cooley, said that “businesses are still failing to detect both threat actors and how their networks have been compromised in a first attack; whereas a victim will generally be able to identify subsequent attacks with greater ease.”
  • He also suggested that GDPR could partly explain why cybersecurity breaches are getting more expensive.
  • He also argued that it may be “too soon to determine whether recent legal and regulatory changes have driven the much-needed behavioural and cultural shift of businesses towards robust information security, or whether this trend is likely to be short-lived.”
  • Tackling cyber threats is not always at the top of businesses’ and charities’ lists of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.

*Source: Information-Age, April 04, 2019

 

Legal and IT Departments Team Up for CCPA, GDPR Privacy Procedures*:

  • Data privacy laws are changing fast, and legal departments can’t bring companies up to speed alone.
  • A survey from Integris Software released this week found around half of privacy budgets are concentrated in information technology departments.
  • Out of more than 250 respondents, around 90 percent said they were involved in IT operations.
  • Nearly 70 percent were also involved in legal decisions, and more than 85 percent worked with risk and compliance.
  • Privacy lawyers said they’ve seen legal departments work closely with IT to design and implement procedures related to the European Union’s General Data Protection Regulation, which went into effect in May 2018.
  • Only around 36 percent of Integris survey respondents said their companies were “fully prepared” for GDPR.
  • Lydia de la Torre, a privacy law fellow at Santa Clara University School of Law and former in-house privacy lawyer for Axiom and PayPal, said that’s because many companies are still working out data processes.
  • While in-house counsel may have drafted GDPR-ready privacy policies, enacting procedures that adequately handle and store user data or allow companies to respond to user requests can take more time.
  • She said some legal teams may not have worked with IT to automate these processes for data across all systems.

*Source: Corporate Counsel, April 04, 2019

 

Save Money and Improve Network Security Through Automation*:

  • When an agency’s network is attacked, the security response is often a manual process.
  • A team of analysts collect information from several separate tools to contain, divert and investigate the attack.
  • This process takes time and resources and, ultimately, costs the agency a great deal of money.
  • Agencies can improve their network security and, at the same time, increase efficiency and cost-effectiveness by automating their security responses.
  • Reduce Down Time:
    • Connecting several security tools with a policy engine so they work as a unified whole is a good step toward automating network security.
    • For example, when a vulnerability scanner detects an issue, the policy engine would take that vulnerability report and act on it by inserting a firewall rule or isolating the infected device.
    • Then a security agent can investigate and identify the compromise and the attack vector and remediate the device.
    • This automated response will kick in at any time, even if an attack occurs at 3 a.m. 
    • The automated system reduces the response time from hours or days to minutes or seconds, minimizing the damage of an attack.
    • A shorter response time leads to a more stable network with less down time, which in turn saves money.
  • Save Money Through Consolidation:
    • Another way automating network security saves money is by allowing agencies to consolidate tools that perform similar functions.
    • With a cloud migration, legacy tools may no longer be viable or valuable, and automated processes and controls might be required.
    • As technology evolves, features and functions that were once unique services are getting rolled into core devices.
    • In the past, for example, a security network might have had a firewall, an intrusion prevention system, a proxy server, and anti-malware and virus detection software.
    • In today’s firewalls, all those capabilities are included as core functions.
    • As a result, many of these separate resources can be eliminated, and the maintenance, licensing, and investment can be redirected into additional controls or processes that are more relevant.
  • Maximize Investments in People:
    • An automated response also increases accuracy by removing the risk of human error. 
    • Humans make mistakes — machines don’t.
    • A consistent policy across all devices will provide the same response every time instead of a different level of action based on who is responding.
    • An automated response can also generate consistent reporting of steps taken and their results — information that can help increase efficiencies in the future.
    • Replacing humans with machines for some tasks will certainly reduce the risk of error, but people are still a vital part of any agency.
    • Attracting and retaining the best team members will save an agency the cost of turnover, training and other human resources-related expenses.
    • Finding skilled security professionals can be a challenge in today’s market, so it’s important to get the most out of each team member. 
    • Automating security responses can free up employees who are currently installing security policies and controls and put them into more forward-thinking, proactive roles.
    • This reallocation will provide a greater return on investment, and it will give team members work that is less repetitive and more meaningful.
    • Moving to an automated security system can be daunting.
    • It takes time to properly set up the policies and consolidate tools, but agencies don’t have to do it alone.
    • A partner can help with policy generation, the outline of a customized automation process and building a secure migration strategy.
    • A network security partner can also ease the transition by building in a monitoring phase to show how automation will operate before implementation.
    • This allows security administrators some time to get comfortable with the process and understand how those changes would impact the network.
    • And, as a final step, agencies must implement measurement and reporting processes to understand the impact automation has made on the stability of the environment and, ultimately, their mission.
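The policy-engine pattern described above, reduced to a small working model: scanner findings come in, a fixed policy maps each one to a containment action (isolate, insert a firewall rule, or hand to an analyst), and every action is written to a uniform audit record. This is an added illustration, not code from the GCN article or any vendor product; the policy table, the firewall rule syntax and the sample findings are all constructed for the example.

```python
"""Minimal policy engine: turns vulnerability-scanner findings into
containment actions plus a uniform audit record (illustrative only)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed policy: severity -> response. 'isolate' quarantines the host,
# 'block' inserts a firewall rule for the affected service, 'ticket' hands
# the finding to an analyst. Unknown severities fall back to 'ticket'.
POLICY = {"critical": "isolate", "high": "block", "medium": "ticket", "low": "ticket"}

@dataclass
class Action:
    host: str
    kind: str                      # isolate | block | ticket
    reason: str
    firewall_rule: Optional[str] = None
    when: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

def decide_actions(findings, policy=POLICY):
    """Apply the policy to each finding. Identical input always yields the
    identical action, regardless of who is on shift or what time it is."""
    actions = []
    for f in findings:
        kind = policy.get(f["severity"].lower(), "ticket")
        rule = None
        if kind == "block":
            # Constructed rule format; a real engine would call its firewall's API.
            rule = f"deny tcp from any to {f['host']} port {f['port']} # {f['id']}"
        actions.append(Action(f["host"], kind, f"{f['id']}: {f['title']}", rule))
    return actions

def audit_report(actions):
    """One line per action in a fixed layout, so later review and metrics
    (the article's measurement step) work off consistent records."""
    return [f"{a.when} {a.kind.upper():8} host={a.host} reason={a.reason!r}" for a in actions]

# Constructed sample scanner output (not real findings or hosts).
SAMPLE_FINDINGS = [
    {"id": "F-001", "host": "10.0.5.12", "port": 445, "severity": "critical",
     "title": "Unsupported SMBv1 protocol enabled"},
    {"id": "F-002", "host": "10.0.5.40", "port": 8080, "severity": "high",
     "title": "Outdated web application server"},
    {"id": "F-003", "host": "10.0.5.77", "port": 22, "severity": "low",
     "title": "SSH banner discloses version"},
]

if __name__ == "__main__":
    for line in audit_report(decide_actions(SAMPLE_FINDINGS)):
        print(line)
```

In practice the policy table would be reviewed like any other control, since an over-broad 'isolate' rule can take down production hosts as reliably as it contains compromised ones.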

*Source: GCN, April 05, 2019

 

Polish DPA Issues the First Fine for a Violation of the GDPR*:

  • On 25 March 2019, the Polish data protection authority (PUODO) announced the imposition of the first GDPR-related fine in Poland.
  • A data controller was fined approximately PLN 1 million (approx. EUR 230,415) for a failure to comply with the information obligation set forth in Article 14 of the GDPR.
  • Although the regulator decided not to disclose the name of the entity on which the fine was imposed, the description of the factual background was sufficient to quickly identify the company.
  • Based on all the circumstances, it was almost certain that the entity subject to the fine was Bisnode, a Polish company providing entity verification services.
  • Moreover, Bisnode quickly published an official statement on its website in response to PUODO’s decision, while an interview with its CEO appeared in one of the biggest Polish newspapers just two days later.
  • Bisnode is a company that aggregates personal and other data from publicly available documents and registers, such as the Central Register and Information on Economic Activity (CEIDG) and the National Court Register (KRS).
  • It then uses the data it collected in order to prepare reports, summaries, etc., which it offers to clients as part of providing company-verification services.
  • The personal data referred to in PUODO’s decision was the data of people conducting business as sole traders, including those who are currently active and those who have conducted business activity in the past or have suspended it, as well as the personal data of people who are shareholders or members of the boards of companies, foundations and associations.
  • Bisnode holds a total of more than 7.5 million records of data relating to natural persons.
  • The company fulfilled the individual information obligation in relation to 682,439 people, where it had their e-mail addresses as part of the database record, by sending an e-mail.
  • However, with reference to almost 200,000 people, Bisnode only had their mobile telephone numbers, and in relation to almost 6.5 million people, it only had their postal correspondence addresses (of which almost 3 million records related to inactive businesses).
  • The company decided not to fulfill the information obligation stemming from Article 14 of the GDPR towards these data subjects on the basis that doing so would constitute a “disproportionate effort” as specified in Art. 14(5)(b) of the GDPR.
  • However, it should be noted that Bisnode also took action to fulfill its information obligation by posting a statement on its website, in a tab entitled “Data and privacy” / “Information on the processing of personal data”.
  • The information in this tab was compliant with the requirements of Art. 14 par. 1 and par. 2 of the GDPR.
  • In the justification of its decision, PUODO presented the following reasoning: first and foremost, it claimed that the mere inclusion of information required under Art. 14 par. 1 and par. 2 of the GDPR on the company’s website, in the situation where the company had the address data (and sometimes also the telephone numbers) of natural persons operating as sole traders (currently or in the past), enabling the traditional mailing of correspondence containing information required by this provision (or communicating it by telephone), cannot be considered as sufficient fulfillment by the company of the obligation referred to in Art. 14 par. 1-3 of GDPR.
  • Further, PUODO disagreed with Bisnode’s understanding of the notion of “disproportionate effort” and rejected it as a valid reason for the company’s not fulfilling the information obligation towards some of the data subjects.
  • Namely, PUODO stated that sending the information referred to in Art. 14 of the GDPR by post, to the address of a natural person running a business, or by telephone, is not an “impossible” activity and does not require a “disproportionately large effort” in the situation in which the company had a database in its IT system containing the address data of natural persons acting as sole traders (currently or in the past), and also – in relation to some of these people – their telephone numbers as well.
  • PUODO explained that Bisnode’s argument concerning disproportionate effort could apply to the personal data of people who are shareholders or members of company bodies and other legal persons, since there are no contact details of these people in public registers (in particular in the National Court Register), and therefore the company would have to search for this data in other places.
  • According to PUODO, only this could be classified as a disproportionately large effort for the company; however, this argument was not valid in relation to other data subjects.
  • We are now eagerly awaiting Bisnode’s appeal to the administrative court and the court’s judgment, hoping that the proceedings will provide a forum for a more satisfactory legal analysis and higher quality conclusions.

*Source: DLA Piper, April 02, 2019
