Category: General

NIST released guidelines on cybersecurity for internet-connected devices

18. November 2016

The National Institute of Standards and Technology, NIST, just released guidelines on cybersecurity for internet-connected devices. These guidelines are called Systems Security Engineering: Considerations for A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The Guidance “addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems.”

One of the main topics is the fact that the guidelines imply the importance of engineering Internet-connected devices in a way that security systems are directly built into the design and manufacturing processes. Furthermore, the guidelines describe the whole engineering process in order to improve cybersecurity, and reduce risk by implementing “trustworthy secure systems capable of protecting stakeholder assets.”

On top of this the guidelines state that the “objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.”

Category: General

ICO announces that Facebook agrees to suspend disclosures of personal data from WhatsApp’s users

8. November 2016

After WhatsApp announced in August changes in its privacy policy, several EU DPAs announced monitoring activities in order to ensure the proper use of WhatsApp user’s data. One of these changes on the privacy policy, involved disclosure of personal data of WhatsApp users to Facebook in order to fight spam and improve both, WhatsApp and Facebook’s services.

The EU DPAs had requested WhatsApp not to carry out such disclosures until an adequate level of data protection could be ensured.

On Monday, ICO announced that Facebook agreed to suspend these disclosures. ICO already remarked that consumers were not adequately protected and in most cases a valid consent was not in place. Moreover, it has requested both companies to undertake in writing to inform users about the purposes for which their data will be used. Until now, none of the companies has signed such committment.

If enforcement action takes place, huge fines may be imposed. This is especially relevant upon the applicability of the GDPR from May 2018.

Other EU DPAs, such as Spain, will contact Facebook regarding WhatsApp’s privacy policy.

On the other side, Facebook stated that it only collects the data necessary to offer their services and only a part of this data is shared with Facebook. A Facebook spokeswoman confirmed that WhatsApp’s update complies with applicable law, including UK law and that they will continue the conversations with the ICO regarding the questions raised on the Privacy Policy.

How to be prepared for the GPDR in 13 Steps

26. September 2016

Last week, the Belgian Data Protection Authority “Privacy Commission”, published Guidelines containing 13 Steps that will help organizations in order to prepare for the EU General Data Protection Regulation. The Guidelines were published in French and in Dutch.

The Belgian Data Protection Authority recommended to follow the steps shown below in order to be compliant with the GDPR:

  • Awareness: Instruct the relevant persons about the upcoming changes.
  • Internal Records: Document the stored data, where it came from and to whom it is transfered.
  • Privacy Notice: Review and update the Privacy Notice.
  • Individuals’ Rights: Check existing procedures in order to comply with individuals’ rights.
  • Access Requests: Review current procedures about access requests. Consider how these requests will be handled in accordance with the new GDPR time limits.
  • Legal Basis: Document all data processing procedures. Demonstrate the respective legal basis for each data processing procedure.
  • Consent: Review how consent is collected and recorded.
  • Children’s Personal Data: Plan procedures in order to verify the ages of individuals. Determine how to gather parental or legal guardian consent for processing procedures that involve children’s data.
  • Data Breach: Guarantee that procedures are implemented on how to handle data breaches.
  • Data Protection by Design and Data Protection Impact Assessments: Check these concepts. Consider how to implement them.
  • Data Protection Officer: Appoint and review the Data Protection Officer.
  • International: Check which Data Protection Authority will be responsible for you.
  • Existing Contracts: Review the current contracts.

Concerns about the PNR Agreement between Canada and the EU

12. September 2016

Last week, Paolo Mengozzi, Advocate General of the Court of Justice of the European Union, released his opinion on the draft agreement between Canada and the European Union concerning the transfer of passenger name record data, which is also known as the PNR Agreement, due to concerns about the compatibility with the EU Charter.

The respective Agreement allows that the data collected from passengers – including information about passenger travel habits, payment details, dietary requirements and information containing sensitive data about the passengers health, ethnic origin or religious beliefs – for the purpose of reserving flights between Canada and the EU, has to be transmitted to the respective Canadian authorities in order to prevent and detect not only terrorist threats but also other serious transnational criminal offenses.

Although the EU signed similar agreements with the U.S. and Australia having the approval of the European Parliament before, the European Parliament now decided to give the Agreement with Canada to the European Court of Justice due to concerns about the compatibility with the EU Charter as they worry about privacy and and data protection issues.

In his opinion Paolo Mengozzi stated that certain provisions of the draft were not compliant with the EU Charter such as:

  • Canada’s ability to process the collected data beyond what it is strictly necessary to the original purposes of the Agreement,
  • the processing and retention of sensitive data by Canada and
  • a lack of safeguards and oversight mechanisms for the transfer of data collected for this Agreement to other foreign authorities.

Paolo Mengozzi explained that the draft should be reviewed so that it includes:

  • a clear definition of the categories of data included within the scope of the Agreement,
  • an exclusion of sensitive data from the scope of the Agreement and
  • limiting the number of ‘targeted’ persons individuals being suspected of participating in a terrorist threat or a serious transnational crime on a reasonable level.
Category: General

AIG: first insurer offers standalone primary coverage caused by cyber attacks

15. August 2016

One of the biggest US-American insurance companies namely the American International Group just declared that it will be the first insurer to offer standalone primary coverage for property damage, bodily injury, business interruption and product liability caused by cyber attacks.

Due to the fact that “Cyber is a peril [that] can no longer be considered a risk covered by traditional network security insurance product[s]” AIG released the new product CyberEdge Plus.

AIG commented on the new product as followed:

“CyberEdge can provide companies with protection against the following:

  • Third-party claims arising from a failure of the insured’s network security or a failure to protect data. Insurance also responds to regulatory actions in connection with a security failure, privacy breach, or the failure to disclose a security failure or privacy breach.
  • Direct first-party costs of responding to a security failure or privacy breach by paying costs of notifications, public relations, and other services to assist in managing and mitigating a cyber incident. Forensic investigations, legal consultations, and identity monitoring costs for victims of a breach are all covered.
  • Business interruption caused by a network security failure by reimbursing for resulting lost income and operating expenses.
  • Threats made against a company’s computer network and confidential information by an outsider attempting to extort money, securities, or other valuables. Coverage includes monies paid to end the threat and the cost of an investigation to determine the cause of the threat.
  • Liability faced by companies for content distributed on their website. Coverage is provided for numerous media perils including copyright infringement, trademark infringement, defamation, and invasion of privacy.”

Furthermore, the coverage has a limit of up to $100 million.

 

Category: General

Main cause for data breaches in organizations: data theft by „insiders“

11. August 2016

The Ponemon Institute has recently published a study about security gaps and the protection of corporate data. The study was carried within U.S. and European organizations in France, Germany and the United Kingdom. The study aims at identifying gaps in organizations that may lead to data breaches.

The study reveals data theft by “insiders” as being the main reason for data breaches within organizations. A vast majority of the participants stated that their organization had suffered from such insider theft over the past two years.

Furthermore, respondents of the IT field confirmed that insider theft is twice more likely to compromise corporate information as any other external attack. Regarding this, the study reveals that data breaches by insiders is increasing due to the fact that employees require wide access rights to perform their job and, therefore, they have access to confidential and sensitive information of their organization.

The report suggests that companies should improve their tracking possibilities, in order to identify access and use of data by its employees and to detect in a shorter timeframe the intents of employees to access information and data which they are not authorized to see.

Microsoft acquires LinkedIn: privacy issues arise

16. June 2016

Early this week, Microsoft announced the acquisition of LinkedIn, a professional network with more than 400 million users. This makes LinkedIn to be one of the largest databases worldwide. The acquisition will allow Microsoft to have access to the professional profiles of LinkedIn users.

According to Microsoft´s CEO, Satiya Nadella, this operation will make possible that, for example, LinkedIn´s newsfeed shows articles related to the project the user is working on and on the other hand, Office may suggest professionals in LinkedIn who are experts in the task that is being completed at the time.

However, privacy related issues have aroused upon the acquisition, especially regarding the amount of personal data that LinkedIn processes. Dimitri Sirota, CEO of BigID, a customer data protection company, states that Microsoft should show that this acquisition “can enrich the software offerings from Microsoft in areas such as CRM, communication, productivity, etc.” He also remarks the importance of personal data management, so that there is no infringement of local data privacy legislations.

Software companies, such as Microsoft, gain marketing, sales and intelligence value through these kind of operations, but they also have to deal with privacy risk and compliance legislation.

In this scenario, LinkedIn should continue handling personal data as stipulated in its terms of service. This does not prevent Microsoft from signing a data transfer agreement with LinkedIn in order to have access to the data. Such access would allow Microsoft to analyze the personal data received.

Several IT-Security experts agree on the fact that data privacy and data protection should stay at the foreground.

Uber must pay a total over $1 million

14. June 2016

Accoring to the New York Times, Uber was fined €800,000, about $900,000, plus court fees, which adds to a total over $1 million, for running an illegal transport service and breaking privacy laws in France.

Half of those sanctions that Uber has to pay are “suspended sentences,” which means that Uber only needs to pay 50 percent of the fines as long as there are no further breaches of the law.

On top of that, Uber’s EMEA director Pierre-Dimitri Gore-Coty and Thibaud Simphal, the French company’s boss, were fined €30,000, about $34,000, and €20,000, about $22,500. The two men were detained for questioning by French authorities a year ago.

 

Category: General
Tags: , ,

Twitter: 32 million accounts may have been hacked and leaked

9. June 2016

Hackers may have used malware in order to gain more than 32 million Twitter login-data that are now presumable being sold on the dark web. However, a Twitter spokesman said that “We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”

LeakedSource, a site with a search engine of leaked login credentials, says that the respected data of Twitter contains 32,888,300 records consisting of email addresses, usernames and passwords.

Due to the provided information included in the respected data, for example the fact that passwords are displayed without encryption, LeakedSource stated that the data was collected by malware that has infected internet browsers rather than stolen directly from Twitter. In order to verify that the leaked data is valid, LeakedSource asked 15 users to verify their passwords. All of them confirmed that the passwords were correct.

However, Twitter stated that the hacking of accounts belonging to celebrities was due to the re-use of passwords that were leaked in the LinkedIn and Myspace breaches. A spokesman said that “A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter”.

Whether or not the leaked data is valid, it is recommended to change passwords, not only when using the same password for several accounts.

Belgian court ruled on “right-to-be-forgotten”

3. June 2016

The Belgian Court of Cassation confirmed the broad interpretation of the “right-to-be-forgotten” by a Belgian Court of Appeal.

The case was initiated by a person who fought against a Belgian newspaper because it did not comply with a request to remove an article from 1994 from its online archives regarding a car accident causing the death of two persons in which the individual was involved.

The Court of Appeal ruled that disclosing the name of the individum in the article was not in public interest and that is why it was damaging the reputation of the relevant individual. Therefore, it ordered the newspaper to anonymize the online version of the article.

However, the newspaper contested the Court of Appeal’s judgment and brought the case before the Belgian Court of Cassation.

The Court of Cassation decided that the publication of articles in newspapers’ online archives can be considered as a new disclosure of facts of an individual’s judicial past, which could potentially infringe the individual’s right-to-be-forgotten. Furthermore, the Court of Cassation confirmed that the online publication of the non-anonymized article years after the accident could have caused damages to the individual’s reputation. Therefore, the Court of Cassation decided that the right to privacy of the relevant individual could justify an interference with the newspaper’s right to freedom of expression and that in this case the newspaper has to remove all references to the individual from the article in its online archives.

Pages: Prev 1 2 3 ... 22 23 24 25 26 27 28 29 30 31 32 Next
1 28 29 30 31 32