Garreth Cameron, of the Information Commissioner’s Office (ICO), highlights the importance of preparing for GDPR.
There’s a big change coming to data protection law next year – and all businesses need to be preparing for it, if they’re going to be ready in time.
New legislation, called the General Data Protection Regulation (GDPR), will come into force in May 2018, both in the UK and across the EU, bringing a more 21st-century approach to the processing of personal data.
This will mean more protections for consumers, and more privacy considerations for organisations.
So, what do businesses need to do?
The new legislation will require businesses to look carefully at the way they do things. GDPR places more obligations on companies to be accountable for their use of personal data. Specific new obligations include duties about reporting data breaches, and transferring data across borders.
Consumers will have more rights in certain areas, such as being better informed about what businesses are doing with their data, and having greater access to and control over their data, for example the right to request that data about them is erased.
This is more than just legislative box-ticking – businesses must get this right. GDPR means bigger fines for those organisations that get it wrong; failure to comply can cost businesses both financially and reputationally.
But getting it right can really benefit a business. Good information handling makes good business sense, and some will thrive in this changing environment. They’ll be the ones that look at the handling of personal information with a mindset that appreciates what consumers want and expect.
This means moving away from looking at data protection as a compliance issue, to making a commitment to managing data sensitively and ethically, because it’s just as much a part of good business practice as honest pricing or good customer service.
We’re pleased that the government recognises the importance of data protection and its central role in technological innovation and trust in the digital economy. We look forward to offering our view on how the UK can continue to ensure its strength in this area.
Some of GDPR will have more of an impact on some organisations than others. I’d encourage your business to map out which sections of the new legislation will have the most impact on your business model, and plan how you’re going to get ready.
Originally published on GDPR.Report
A report released today by The Chartered Institute for IT blames a lack of accountability and investment in cyber-security measures for the WannaCry ransomware attack that hit NHS IT systems last month.
The report follows a similar, but more limited, attack that hit UK-based companies yesterday.
Whilst doing the best with the limited resources available, the report suggests some hospital IT teams lacked access to trained, registered and accountable cyber-security professionals with the power to assure hospital Boards that computer systems were fit for purpose.
The healthcare sector has struggled to keep pace with cyber-security best practice, and with a systemic lack of investment the WannaCry attack was ultimately an ‘inevitability’, says David Evans, Director of Community & Policy at The Chartered Institute for IT.
Mr Evans continued: “Patients should be able to trust that hospital computer systems are as solid as the first-class doctors and nurses that make our NHS the envy of the world.
“Unfortunately, without the necessary IT professionals, proper investment and training, the damage caused by the WannaCry ransomware virus was an inevitability, but the roadmap we are releasing today will make it less likely that such an attack will have the same impact in the future.”
The Chartered Institute for IT has joined forces with the Patients Association, the Royal College of Nursing, BT and Microsoft to produce a blueprint that outlines steps NHS trusts should take to avoid another crippling cyber-attack. Top of the list is ensuring there are clearly laid out standards for accrediting relevant IT professionals. NHS boards are being urged to ensure they understand their responsibilities, and how to make use of registered cyber-security experts. And the number of properly qualified and registered IT professionals needs to be increased.
Almost 50 NHS Trusts were hit last month by the WannaCry cyber-attack. Computers were encrypted and unusable in many areas of the health service, with the attackers threatening that valuable files would be lost forever unless a ransom was paid. Operations and appointments were cancelled, and patients were still being diverted from accident and emergency departments six days later.
Originally published on GDPR.Report
Small and medium sized businesses are being warned to take note as a company which suffered a cyber attack is fined £60,000 by the Information Commissioner’s Office (ICO).
An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.
Sally Anne Poole, ICO enforcement manager, said:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.
“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”
She added: “Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”
The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.
The ICO’s investigation found:
“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”
The ICO has a range of guidance available to help businesses ahead of the implementation of GDPR on 25 May 2018. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations.
Originally published on GDPR.Report
With a tsunami of regulation coming into full force, businesses can be forgiven for feeling rather overwhelmed, particularly those within the financial services space. With one year to go before we see the implementation of the EU General Data Protection Regulation (GDPR), there is a focus on the lack of preparation from firms to be ready. It is of paramount importance that all affected organisations spend the time until May next year getting GDPR-ready and compliant. Ignorance will not be viewed as an excuse for non-compliance.
The ever-changing landscape of data usage means an update to the previous Data Protection Directive is understandable; to bring legislation into line with the way businesses and people currently use their data. In terms of financial impact, any regulatory breach could be accompanied by potentially eye-watering penalties; firms will be fined up to 4% of their annual global turnover should they be found to be in breach of GDPR.
However, despite the inevitable costs in compliance, both in terms of time and money, GDPR will allow businesses to gain a better understanding of their data and how it can be used for potential benefits and efficiencies. Indeed, according to the EU, having a handle on compliance matters could save businesses £2.3 billion a year*. We therefore believe the conversation should turn away from the cost of compliance and instead focus on why investing in GDPR will ultimately benefit businesses.
With GDPR around the corner, it has never been more important to root respect for privacy within the culture of a business. What data can achieve is often severely underestimated. Cultivating a culture in which a business can at least start to understand these capabilities will not only help safeguard data, but also allow the business to use it to its own advantage. Because of this, and the potential magnitude of costs for non-compliance, GDPR needs to stay firmly on the C-Suite agenda.
Ultimately companies which view GDPR as an opportunity to empower their business and leverage the value of their data, rather than simply more red tape, will be well placed to develop a competitive edge over those which only see GDPR as a pure cost burden.
By Ruaraidh Thomas, Managing Director, Applied Analytics, DST
This week’s Queen’s Speech has confirmed that data protection policies will remain high on the Government’s agenda and will continue to be a key priority for UK businesses in the months and years to come. Centre stage of these policies will be the new general data protection regulation (GDPR), due to come into force in May 2018.
As it stands there is still quite a lot of confusion as to whether, post-Brexit, GDPR will apply in the UK. Recent research by Crown Records Management found that 44% of UK businesses do not believe the general data protection regulation (GDPR) will apply after the UK leaves the EU. The simple fact is that the government has made it clear that GDPR will be the law in the UK both before and after Brexit.
All businesses will be impacted by GDPR. Take the humble contact centre. Currently, there are more than 6,200 contact centres in the UK, and more than 4% of the country’s working population is employed at contact centres, with that number increasing annually.
The new, stricter set of rules around how data is captured and stored will place much tighter regulations around call recording and archiving, as well as the efficacy of the platforms used to achieve compliance. Most businesses either directly operate a contact centre, or outsource contact centre requirements to a third party. Businesses will need to be thinking about the regulatory impact on every contact centre touch point, from customer services and technical support to sales and marketing.
The key impact for contact centres is the GDPR definition of personal information. Whereas previously data protection requirements have been narrowly defined, GDPR covers any data that can be used to identify a person – either on its own or in combination with other data.
Under GDPR, all personal data is protected. Businesses will need to think about how they store and recall their customer data. Individuals will have the right to make reasonable requests to access their personal data without incurring costs. Businesses will be obliged to share any personal data held within the contact centre, without delay and within one month. Customers will also be able to request a copy of their data in a structured, digital and commonly used format from the controller. Contact centres must question whether they have the correct infrastructure to process these requests. How will they check the status of any such requests?
The GDPR suggests that self-service is a best practice approach to providing this. Customers should be able to access their personal information directly and edit what is stored if they wish. Many businesses will need to question their current capabilities, and in many cases upgrade their systems. They will need a platform that archives data in a cohesive, organised manner and enables instant recall.
More importantly still, individuals will have the right to have all of their personal data erased. Known as the ‘right to erasure’, organisations have to comply without undue delay if the customer makes a request. Businesses will need to think about how and where their call recordings are stored, ensuring they are identifiable, accessible and, if necessary, erasable. This will apply to any recording or record that includes a customer’s personal information.
Will it be fine?
One of the most discussed aspects of GDPR is its explicit mention of fines. Whereas the Data Protection Directive simply stated that sanctions had to be defined by the Member States, GDPR details exactly what administrative fines can be incurred for violations. The maximum fine depends on the ‘category’ of the violation: for less serious violations, the maximum is €10 million or 2% of total annual worldwide turnover of the preceding year (whichever is higher); for more serious violations this goes up to €20 million or 4%.
Under existing data protection rules, the Information Commissioner’s Office (ICO) can fine organisations up to £500,000 for the most serious data breaches. As such, it was possible to consider these fines a cost of doing business. GDPR raises the stakes to a whole new level. Businesses outsourcing contact centre operations will remain responsible for their customer data. They will need to question the capability of third parties and the platforms they are using. What are the risk assessment considerations of outsourcing operations when the new legislation comes into force?
Securing your contact centre data
The new legal framework aims to address an urgent issue that currently threatens to undermine the digital economy. More than 4.8 billion data records have been exposed since 2013, with identity theft being the leading type of data breach accounting for 64% of all data breaches. Unlike previous generations of data legislation, the consequences of being part of the problem can no longer be counted as the cost of doing business. The mismanagement of customer data will matter considerably, both to the bottom line and to reputation.
Organisations need to ensure the call recording and archive platforms they choose have all of the tools needed to help meet every aspect of the GDPR requirements. While these requirements are many, one important example can be found in the ‘integrity and confidentiality’ principle of Article 5. It states that data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Businesses should look for platforms that store and transmit customer personal data on infrastructure that is compliant with international security standards, such as ISO 27001 (information security management systems), BS 10008 (evidential weight and legal admissibility of electronic information) and the Payment Card Industry Data Security Standard (PCI DSS). Multiple controls will be needed to achieve this standard, including: encryption of data in transit and at rest; database segregation; firewalls and network segmentation; intrusion detection and prevention systems; privileged access control; logging and auditing of changes; regular malware and vulnerability testing; and backup and restore testing of critical data and system configurations.
A positive outlook
GDPR will change the way organisations and their customers engage, and its impact will undoubtedly improve standards around privacy and data protection. Technology will play a vital role in the governance and management of the new requirements, and much of what is currently used in contact centres will need to be upgraded to become GDPR compliant.
How GDPR will actually work in practice still remains unknown. The way in which businesses decide to craft their GDPR strategy will be key to the success of the legislation. With less than 12 months to go, however, organisations need to be preparing now.
By Matthew Bryars, CEO, Aeriandi
The UK Parliament’s email system was compromised over the weekend in a “sustained and determined cyber attack”, with over 90 email accounts affected.
British security services suspect that another state was behind the cyber-attack, with the Russian government being the top of their list of suspects. Other potential suspects include North Korea, China and Iran.
The breach has raised concerns that the compromised accounts could be used for blackmail attempts, so officials locked MPs out of their email accounts while they worked to minimise the damage.
The affected network includes the accounts of the prime minister, Theresa May, and her cabinet ministers.
A parliamentary spokesperson said:
“We have discovered unauthorised attempts to access accounts of parliamentary networks users and are investigating this ongoing incident, working closely with the National Cyber Security Centre.
Parliament has robust measures in place to protect all of our accounts and systems, and we are taking the necessary steps to protect and secure our network.
As a precaution, we have temporarily restricted remote access to the network.
As a result, some Members of Parliament and staff cannot access their email accounts outside of Westminster.
IT services on the Parliamentary Estate are working normally.
We will continue to keep Members of both Houses of Parliament and the public updated as the situation develops.”
According to the Guardian, an NCSC spokesperson said: “The NCSC is aware of the incident and is working around the clock with the UK parliamentary digital security team to understand what has happened and advise on the necessary mitigating actions.”
Britain’s National Cyber Security Centre (NCSC) played a key role in the investigation of the WannaCry malware that affected organisations across the world, including the NHS in May. Working with America’s National Security Agency (NSA) they have concluded that North Korean hackers were most likely to be the culprits.
Originally published on GDPR.Report
Almost half of UK-based organisations still do not understand what the upcoming General Data Protection Regulation (GDPR) is, according to research from Nexsan, a global leader in redefining unified storage. With the legislation coming into effect from May 25th 2018, organisations have less than a year to prepare, or risk fines of up to 4% of their global revenue.
Despite awareness efforts, a recent survey of over 100 respondents revealed that almost half (48%) did not know what GDPR is. The new legislation is set to replace the EU data protection directive and will hold organisations responsible for any personal data they retain. In addition, when asked about business preparations, only 40% could confirm that their organisation is actively working towards compliance. The statistics revealed a clear challenge in the market and the difficulty appears to be in educating businesses about the new legislation.
Whether organisations keep data on-site, in the cloud or outsource to a third-party service provider, the fundamental responsibility for safeguarding this information lies with the data owner. IT professionals need to put measures in place to safeguard data, especially with the recent rise in ransomware attacks. Part of the new legislation requires all organisations to report certain types of data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. Depending on the nature of the data breach, in some cases organisations will have a duty to report it to the individuals affected. GDPR covers a wide range of areas and if organisations are storing any amount of consumer data it’s critical they educate themselves in preparation to comply.
Geoff Barrall, COO at Nexsan, commented: “Businesses need to start taking measures to ensure they will meet GDPR regulations. Interestingly, the survey noted an almost equal split in the market, which may suggest that those potentially vulnerable organisations are the ones still unaware of the new legislation. Whether cloud-based or physically onsite, it’s key to ensure that the storage solution used provides the required security in addition to traditional criteria such as performance, expandability, and flexibility. There are simple steps businesses can take to remain compliant within the context of their data management and security and here at Nexsan we’ve been delivering solutions to these problems for years.”
Originally published on GDPR.Report
The Information Commissioner’s Office (ICO) has issued a £50,000 fine to MyHome Installations Ltd for pursuing people who had specifically opted out of telephone marketing.
The ICO received 169 complaints concerning the calls to phone numbers listed on the Telephone Preference Service (TPS), the UK’s official opt-out of telephone marketing register.
The complaints from members of the public involved receiving unwanted calls about electrical surveys and home security from the Maidstone-based company.
An ICO investigation discovered that MyHome Installations bought data over 18 months from third party companies in order to market its services. These companies told the security business that the personal details had been screened against the ‘no call’ register.
But MyHome Installations said it was unable to provide any evidence of consent due to a previous marketing manager historically buying the data and adding it to their call lists without any reference to its source.
Steve Eckersley, ICO Head of Enforcement said:
“The Telephone Preference Service exists to protect the public from the scourge of unwanted, nuisance calls.
“This company blatantly ignored its responsibilities. It did not carry out the proper due diligence checks on its suppliers to make sure they were operating within the law and despite initial warnings from us, still didn’t resolve the problem.”
The Privacy and Electronic Communications Regulations (PECR) set out the rules around telephone marketing and clearly state it’s against the law to call people who have registered their phone number on the TPS list unless they state otherwise.
Mr Eckersley added:
“We think the complaints we received were just the tip of the iceberg.”
People said they felt ‘pestered’ by the company and pointed out to call operators they had no wish to receive the calls because their phone numbers were on the TPS.
One complainant commented: “Callers asking about my home security are of concern to me, as they may be sounding out the property prior to crime.”
Another said: “They wanted to carry out an electrical survey of my home and propose changes. I said no, I didn’t want to participate and then another girl phoned back half an hour later to pester me into getting a quote and insisted that I would be putting my home at risk if I didn’t.”
The ICO has published detailed guidance for firms carrying out direct marketing by phone, text, email, post or fax.
Originally published on GDPR.Report
The 2017 Trustwave Global Security Report reveals the top cybercrime, data breach and security threat trends from 2016. The report demonstrates both good and bad news in the world of cybersecurity as intrusion detection and breach containment times were relatively better, but other threats like malvertisements became cheaper and malicious spam saw increases.
Key highlights from the report include:
· Intrusion detection gets better, especially when breaches are self-detected: The median number of days from an intrusion to detection of a compromise decreased to 49 days in 2016 from 80.5 days in 2015, with values ranging from zero days to almost 2,000 days (more than five years). For internally detected incidents the median was 16 days, while 65 was the median number of days for externally detected incidents.
· Once detected, victims contain breaches relatively quickly: The median number of days from detection to containment was 2.5 in 2016 with values ranging from −360 days, meaning the intrusion ended 360 days before detection, to 289 days. In cases where containment occurred after detection, the median duration was 13 days from detection to containment.
· Intrusion containment remains stagnant: The median number of days from an intrusion to containment of a compromise stayed relatively the same at 62 days in 2016 compared to 63 days in 2015.
· North America and retail lead in data breaches: Similar to previous years, 49% of data breaches investigated by Trustwave were in North America, while 21% were in Asia-Pacific, 20% in Europe, Middle East and Africa, and 10% in Latin America. The largest single share of incidents involved the retail industry, at 22%, followed closely by the food and beverage industry, at nearly 20%.
· POS breaches increase: Environments most breached in 2016 again consisted of corporate and internal networks, at 43%. Incidents affecting POS systems increased to 31% in 2016, from 22% in 2015, while incidents affecting e-commerce environments fell to 26% from 38%. Incidents involving POS environments were most common in North America, which has been slower than much of the world to adopt the EMV payment card standard.
· Payment card data most at risk: More than half of the incidents investigated targeted payment card data: Card track (also called magnetic stripe) data, at 33% of incidents, primarily came from POS environments. Card-not-present (CNP) data, at 30%, mostly came from e-commerce transactions. Financial credentials, including account names and passwords for banks and other financial institutions, accounted for 18% of incidents, followed by other targets.
· Attackers seek stiff prices for their zero-day vulnerabilities: In 2016, Trustwave discovered an alleged undisclosed Windows zero-day vulnerability and accompanying exploit code on sale for an initial price of $95,000.
· Exploit market disruption: The most common exploit kits in the world — Angler, Magnitude and Nuclear — disappeared or went private in 2016, leading to a shakeup of the exploit kit market.
· Malvertisements get dirt cheap: In 2016, the estimated cost for cybercriminals to infect 1,000 vulnerable computers with malvertisements was only $5 — less than $0.01 per vulnerable machine. Malicious advertising remains the number one source of traffic to exploit kit landing pages.
· Malware tries to hide itself: 83% of malware samples Trustwave examined in 2016 used obfuscation, while 36% used encryption.
· Malware-laden spam creeps up: In 2016, 35% of spam messages contained malware, up from 3% in 2015. Meanwhile, 60% of all inbound email was spam, up from 54% in 2015.
· Database flaws increase: Database vendors patched 170 vulnerabilities in the most common database products in 2016, up from 139 vulnerabilities in 2015.
· Applications are almost always vulnerable: 99.7% of web applications Trustwave application scanning services tested in 2016 included at least one vulnerability, with the mean number of vulnerabilities detected being 11 per application.
Trustwave Chief Executive Officer and President Robert J. McCullen said, “Cybersecurity in 2016 had both highlights and lowlights. As our data breach investigations and threat intelligence show, attackers continue to evolve their tactics and focus on extreme paydays as cybercrime becomes more like genuine businesses. Meanwhile security skills and talent remain scarce. As an industry, we must continue to focus on key areas like threat detection and response, security scanning and testing and cloud security services that provide meaningful layers of protection from constantly evolving threats.”
Trustwave experts gathered real-world data from hundreds of breach investigations the company conducted in 2016 across 21 countries. This data was added to billions of security and compliance events logged each day across the global network of Trustwave Advanced Security Operations Centers, along with data from tens of millions of network vulnerability scans, thousands of web application security scans, tens of millions of web transactions, tens of billions of email messages, millions of malicious websites, penetration tests, telemetry from security technologies distributed across the globe and industry-leading security research.
Originally published on GDPR.Report