Category: Personal Data
24. October 2018
As part of a court settlement filed Monday, Yahoo agreed to pay $50 million in damages and to provide two-years of free credit monitoring for services to 200 million people.
Around 3 billion Yahoo accounts were hacked in 2013 and 2014 but the company, which is now owned by Verizon, did not disclose the breach until 2016. Affected are U.S. and Israel residents and small businesses with Yahoo accounts at any time from January 1, 2012 to December 31, 2016. Apart from usernames and email addresses, millions of birthdates and security questions and answers were stolen. Not among the stolen information were passwords, credit card numbers and bank account information.
According to the settlement, the fund will compensate accountholders who paid for email services, who had out-of-pocket losses or who already have credit monitoring services. A refund of $25 per hour will be made for the time spent handling issues caused by the breach. Those with documented losses can ask for up to 15 hours of lost time ($375) whereas those who cannot document losses can ask for up to 5 hours ($125).
A hearing to approve the preliminary settlement is scheduled for November 29.
14. September 2018
After the Hon’ble Supreme Court declared in its landmark decision that privacy is a “guaranteed fundamental right”, the Sikrishna Committee drafted a Personal Data Protection Bill, 2018.
In contrast to the terms “data subjects” and “controllers” chosen in the GDPR, the Indian draft designates the individuals whose personal data is processed “data principals” and the organisations responsible for the processing “data fiduciaries”.
With the new data protection bill, data principals have a variety of rights such as rights to access, rectification or the right to be forgotten. In order to ensure data compliance, the concept of an annual data audit, which will be carried out by organisations through independent data auditors, was also introduced. In addition to data fiduciaries who are based in India, the regulations also apply to those who systematically offer goods and services to data principals in India, or those whose work involves profiling of Indian data principals.
The new data protection bill also introduces the figure of the Data Protection Officer (DPO) for India. Organisations must appoint a DPO if they are “significant data fiduciaries”, i.e. if they are involved in high-risk processing activities, or if they are not present in India but covered by the bill. Those organisations shall appoint a DPO who is based in India. In contrast to the GDPR there is however no requirement of the independence of the DPO.
For cross-border data transfers, it is required that at least one copy of personal data is stored on servers or data centres located in India. Data classified as “critical personal data” may only be processed in a server or data centre located in India.
According to the Sikrishna Committee, the draft could be seen as a template for developing countries all over the world.
5. September 2018
From September 2019, there will be stricter rules for the protection of personal data in Singapore hence the collection, use and disclosure of NRIC numbers of individuals and making copies of their NRIC cards will be illegal for organisations.
In the past years, it was not unusual for shopping malls and other places to collect the NRIC number of a customer for instance when registering for memberships.
From the unique section of numbers and letters of the Singapore National Registration Identification Card (“NRIC”) an individual can be precisely identified. Therefore, the NRIC number is considered personal data. Besides the number, the physical NRIC card contains the individual’s full name, photograph, thumbprint and residential address.
Apart from the prohibition of collecting, using and disclosing of NRIC numbers it will also be generally forbidden to collect, use or disclose individual’s birth certificate numbers, foreign identification numbers and work permit numbers. Exemptions are regulated in the new PDPC guidance (issued 31 August 2018) and will only apply where it is required by law or when it is necessary to verify an individual’s identity ”to a high degree of fidelity” (e.g. transactions involving healthcare).
If an organisation already collected those data they should proof whether they need to retain the numbers or not. In case they need to keep the data they have to ensure that there is adequate protection or they should anonymise the NRIC. The new regulation does not apply to the government or public agencies or organisations acting on its behalf, but organisations can be fined up to $ 1 million for disobeying the act.
3. September 2018
The data protection authority in turkey has announced in his decision 2018/88 starting dates to register as a data controller on VERBIS prior to processing personal data, the online registration system VERBIS can be found on the homepage of the Turkish data protection authority.
Earliest starting date for the registration process will be the 1st of October 2018.
Following start dates have been announced
a) 1st of October 2018 – 30th of September 2019, for data controllers that employ more than 50 employees and whose annual financial statement exceeds TRY 25 million
b) 1st of October 2018 – 30th of September 2019, for data controllers established outside of Turkey
c) 1st of January 2019 – 31st of March2019, for data controllers that employ less than 50 employees, whose financial statement does not exceed TRY 25 million, but whose core business includes the processing of sensitive data
d) 1st of April – 30th June, for public institutions and organizations that act as data controllers
Data controllers should take the necessary action and register with VERBIS during the applicable period.
24. August 2018
With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.
However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.
Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.
As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.
The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by these.
It is expected that the relevant laws will be amended in the first half of 2019.
22. August 2018
A 16-year-old boy from Melbourne, Australia broke into Apple‘s internal computer systems and downloaded 90GB of data, as reported by Australian newspaper The Age. The teenager acquired possession of “authorised keys“ and had access to Apple’s network for approximately a year.
Last year Apple reported the incident to the FBI who then pointed it out to the Australian Federal Police (AFP). They found the sensitive documents in a computer folder named “hacky hack hack“. Apple succeeded to keep this incident out of media until the court proceedings last week.
The 16-year-old boy has pleaded guilty. According to his lawyer, the teenager broke into the network because he is a huge apple fan who wants to work for the company in the future. A verdict is expected at the end of September.
Apple is now trying to reassure its customers. According to a spokesman of the company, no personal data was compromised.
30. July 2018
A cyberattack has impacted data of 1.5 Mio patients of SingHealth clinics by stealing name, ID Card number, address, gender, race and date of birth as reported by ARN Net.
Due to “operational security reasons”, the authorities haven’t disclosed the identity of the responsibles behind the attack.
Even Singapore’s Prime Minister, Lee Hsien Loong, “had his personal particulars stolen as well as his outpatient dispensed medicines record.”
The report further states that all patients, whether or not they were affected will receive an SMS notification over the next five days, with patients also able to access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.
According to Channel Asia the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, gaining privileged account credentials to gain access to the database.
It is believed that the attack began on June 27th, 2018 and was detected on July 4th, 2018. Apparently, no further illegal exfiltration has been detected since and all Patient records in SingHealth’s IT system remain intact.
Several measures have been taken in terms of IT-security such as controls on workstations and servers, resetting user and systems accounts and installment of additional system monitoring controls.
27. July 2018
Data protection rights generally refer to living persons only. Among others, the European General Data Protection Regulation (GDPR) explicitly mentions in its Recital 27 that the Regulation does not apply to the personal data of deceased persons.
However, the Recital also contains an opening clause for the EU Member States, stating that these may provide for specific rules for such cases. The GDPR hereby acknowledges that there might be cases that need to be tackled individually.
For example, requests can be made in order to find out whether the deceased had suffered from a hereditary disease. This information is not to be seen as protected for the offspring that might be affected by it.
Consequently, there will be situations that contain mixed information on both the deceased and the requestor.
The Privacy Commissioner’s Office (OPC) of New Zealand has now released a statement regarding the privacy of deceased persons on July 24th, 2018 taking up this exact issue.
Whereas the Privacy Act of New Zealand also defines an individual as a “natural person, other than a deceased person”, the OPC states that “sometimes it will be inappropriate to release the personal information of the dead”.
The OPC further says that “some information is inherently sensitive, for example mental or sexual health information. It could be unfair to release such information to those who are just curious and have no good reason to see it.”
Ultimately, it will often be necessary to balance the rights and elaborate case by case, also taking into consideration the wishes of the deceased person to some extent.
24. July 2018
A security researcher from the UpGuard Cyber Risk Team detected that various data from carmakers like Volkswagen, Ford and Toyota were exposed. UpGuard is an Australian cybersecurity group that among other things detects data breaches.
The source of the data leak is a small Canadian company called Level One Robotics and Controls. On a publicly accessible backup server of the engineering company were files from more than a hundred companies in business with said company. Belonging to the group of companies affected by the leak are some of the biggest carmakers like Tesla, VW, Toyota, General Motors, Chrysler and ThyssenKrupp.
The 47.000 unsecured files contained inter alia product designs, invoices, bank accounts and contracts. Some of these data are among the industry’s most closely guarded and confidential trade secrets. In addition, a number of non-disclosure agreements explaining the sensitivity of the leaked information formed part of the exposed data.
The researcher issued a leakage warning and since then the accessible information was taken offline within 24 hours.
2. July 2018
According to a report in the magazine ‘Der Spiegel’, personal data and images of users who wanted to create Panini images with their own photos could be accessed by third parties.
The Italian scrapbook manufacturer for football images Panini has serious problems with the security of their online customer database. Through changing the browser’s URL, unauthorized persons could have accessed personal data of other customers, including pictures of minors. Therefore, the case can be considered as particularly serious.
Through its ‘MyPanini’ service, Panini offers fans the opportunity to upload photos with their own images and have these personalised images sent to them. Until a few days ago, logged in users could have also seen the uploaded images and personal data of other customers. Apparently the full name, the date of birth and partly even the place of residence of the customers are listed.
To a certain degree, the uploaded images showed children and young children from different countries in the private domestic environment, some even with their naked upper body.
The data breach was confirmed and has been known internally for days. Supposedly, the problem has been solved by a security update, but it is not possible to access the website at the moment.
It remains to be seen what financial consequences the data breach has for either Panini or the technical service provider. In accordance with new European General Data Protection Regulation (GDPR) infringements of the provisions can lead to administrative fines up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year.
