Main cause for data breaches in organizations: data theft by „insiders“

11. August 2016

The Ponemon Institute has recently published a study about security gaps and the protection of corporate data. The study was carried within U.S. and European organizations in France, Germany and the United Kingdom. The study aims at identifying gaps in organizations that may lead to data breaches.

The study reveals data theft by “insiders” as being the main reason for data breaches within organizations. A vast majority of the participants stated that their organization had suffered from such insider theft over the past two years.

Furthermore, respondents of the IT field confirmed that insider theft is twice more likely to compromise corporate information as any other external attack. Regarding this, the study reveals that data breaches by insiders is increasing due to the fact that employees require wide access rights to perform their job and, therefore, they have access to confidential and sensitive information of their organization.

The report suggests that companies should improve their tracking possibilities, in order to identify access and use of data by its employees and to detect in a shorter timeframe the intents of employees to access information and data which they are not authorized to see.

Is there a high risk that the Privacy Shield will be invalidated?

5. August 2016

Having in mind that the European Court of Justice declared Privacy Shield’s predecessor, Safe Harbor, invalid, the Head of the Hamburg data protection authority, Prof. Dr. Johannes Caspar, would like to ask the European Court of Justice whether it thinks that the Commission’s decision to strike the data-transfer deal was valid.

Due to the fact that there might be upoming legal changes in Germany Caspar hopes that those will make it possible for the country’s DPAs to challenge adequacy decisions.

An E-Mail was published quoting Caspar saying that “The decision of the EU Commission concerning the Privacy Shield constitutes a new legal ground for data subjects, which is a binding document for all members of the [Article 29 Working Party of data protection authorities],” and going on “On the other hand, I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [CJEU’s] Safe Harbor judgement.” Caspar went on commenting that “It is expected that sooner or later the CJEU will assess whether the access by public U.S. authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.”

Due to the fact that the GDPR is a regulation rather than a directive, it does not require transposition into national laws. However, the German government debates about new legislation in order to make German data protection law compliant with the GDPR. However, in July the German government issued a statement saying it is working on the new legislation but not mentioning whether this also includes that DPAs are able to challenge adequacy decisions.

Furthermore, Caspar commented that the Article 29 Working Party’s next opportunity to question the Privacy Shield will come in a year’s time, “if the Shield will still be in force”.

However, not only Caspar shows a sceptical point of view towards the Privacy Shield, Thomas Jansen, a partner with DLA Piper in Munich stated that “Many [European] data protection and privacy experts see a high risk that the Privacy Shield will be invalidated”.

 

Privacy Shield: the first applications were submitted

4. August 2016

Although companies began submitting their application to join the EU-U.S. Privacy Shield, the U.S. Department of Commerce did not immediately list their compliance.

Among others, Microsoft was one of the first businesses to certify that it complied with the new rules for transferring European Union citizens’ personal data to the U.S.

On its blog Microsoft published a statement by Vice President for EU Government Affairs John Frank saying “We expect it to be approved in the coming days”.  Furthermore, he said “Going forward, any data which we will transfer from Europe to the U.S. will be protected by the Privacy Shield’s safeguards.”

The process for joining the EU-U.S. Privacy Shield includes a self-certification, which is charged by the U.S. Department of Commerce. The fee for processing their annual applications and adding them to the register ranges from $250 for organizations with revenue under US$5 million up to $3,250 for those with revenue over $5 billion.

However, organizations also have to pay in order to join an arbitration service or in terms of data protection authorities dealing with complaints.

 

Category: EU · EU-U.S. Privacy Shield · USA
Tags:

Survey results about the impact of the GDPR and the EU-U.S. Privacy Shield published

Recently, the IAPP (International Association for Privacy Professionals) published the results of a survey carried out by Baker & McKenzie regarding the perspectives and expectations that Privacy Professionals have about the changing legislative scope in the field of Data Protection.

The participants were senior managers and individuals involved in the fields of data protection and data security that belonged to multi-national organizations, government agencies, regulatory bodies or policy and academic institutions.

Most of the respondents acknowledge that both, GDPR and Privacy Shield, imply that organizations have to implement an action-plan accordingly. This will imply higher costs and efforts. Furthermore, 70% of the respondents stated that the most difficult requirements of the GDPR to comply with are consent, data mapping and international data transfers. A 45% stated that their organization does not have adequate tools currently to be compliant and implementing the required tools may be involved with significant costs.

Moreover, the majority of the participants recommended organizations to self-certify as soon as possible, so that they would still have nine months to make contractors also comply with the principles. Also, they believe that the Privacy Shield should be complemented by other mechanisms to transfer personal data such as Binding Corporate Rules or Standard Contractual Clauses.

EU-U.S. Privacy Shield operational since August, 1st

2. August 2016

The EU Commission announced yesterday the full operability of the agreed EU-U.S. Privacy Shield as substitute of the former Safe Harbor Framework. The Department of Commerce will verify the privacy policies of the U.S. Companies that sign up the Privacy Shield in order to ensure that they comply with the standards agreed on the new framework.

Furthermore, the EU Commission has also published a citizen’s guide regarding how their rights will be ensured and how to address complaints if they consider that their rights have not been respected. Amongst others, EU citizens have the right to access the data an organization holds about them, to correct their data if this is inaccurate or incorrect, to have access to the different dispute resolution mechanisms, etc.

U.S. Secretary of Commerce Penny Pritzker also made a statement regarding the launch of the new framework: “After more than two years of discussions, it is time to implement the new EU-U.S. Privacy Shield Framework with our partners in Europe and companies on both continents. With the Privacy Shield in place, businesses will be able to protect privacy and truly seize the opportunities offered by the transatlantic digital economy. More than $260 billion in digital services trade is already conducted across the Atlantic Ocean annually, but there is significant potential for this figure to grow, resulting in a stronger economy and job creation. The Privacy Shield opens a new era in data privacy that will deliver concrete and practical results for our citizens and businesses.”

The European Court of Justice ruled on the question which Member State’s data protection laws should apply

29. July 2016

As already published the European Court of Justice had to clarify which Member State’s data protection laws should apply to data processing established within the EU but directed at a number of EU Member States.

Yesterday, the European Court of Justice ruled in the case VKI v. Amazon EU that “ (…) the processing of data (…) is governed by the law of the Member State in whose territory that establishment is situated.”

However, the European Court of Justice did not discuss the respective contract between Amazon and its customers stating that “Luxembourg law shall apply.”

Nevertheless, the European Court of Justice came to the conclusion that “It is for the national court to determine (…) whether Amazon EU carries out the data processing in question in the context of the activities of an establishment situated in a Member State other than Luxembourg.”

Which European DPA is in charge of supervising Amazon?

28. July 2016

In the case Verein für Konsumenteninformation v. Amazon, the Court of Justice of the European Union has to decide which Member State’s data protection law should apply in case goods are sold across national borders but within the EU. In the respective case goods are sold from a German or Luxembourgish website to an Austrian consumer.

This can be seen as one of the more significant data protection cases of 2016. The judgement will be significant due to the fact that the EU is in the process of implementing the new General Data Protection Regulation. As a consequence an European Data Protection Board (EDPB) will be established, which will represent Data Protection Authorities of different Member States. The EDPB will also be responsible for conflicts of jurisdiction. However, this process has been described as a “ (…) hyper bureaucratic procedure that will lead to more complexity and longer procedures.”

In case the Court of Justice of the European Union clarifies the jurisdiction of Data Protection Authorities, there may be less need to utilise these hyper-bureaucratic procedures. This could make the EU’s single market more efficient.

The Court of Justice of the European Union will probably rule on this matter today.

Microsoft cannot be compelled to turn over customer emails stored outside the U.S.

27. July 2016

Last week the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation cannot be compelled to turn over customer emails stored outside the U.S. to U.S. law enforcement authorities.

The original case addressed a search warrant concerning the contents of all emails, records and other information regarding one of Microsoft’s email users. Although Microsoft generally complied, it refused to turn over the contents of the emails stored on a server in Ireland. Microsoft opinion was that U.S. courts are not authorized to issue such warrants. However, in April 2014 a judge in the U.S. District Court for the Southern District of New York held that Microsoft has to turn over the contents of the emails to U.S. law enforcement in case of search warrant is issued under the Stored Communications Act and although the data is stored outside of the U.S.

The Second Circuit ruled that “Congress did not intend the (Stored Communications Act’s) warrant provisions to apply extraterritorially…(and) the Stored Communications Act does not authorize a U.S. court to issue and enforce an Stored Communications Act warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”

Article 29 WP issues statement about the adopted EU-U.S. Privacy Shield

The Article 29 WP issued on the 26th July a statement about the adopted EU-U.S. Privacy Shield. After its previous opinion on the Privacy Shield (opinion WP 238), the WP 29 welcomes the improvements brought by the final draft, but it remarks that there are still some concerns, already addressed in the Opinion WP 238, that have not been clarified yet.

Regarding commercial aspects, the Privacy Shield does not specifically address issues related to automated decision making or the general right to object. Furthermore, it is not clear the impact that the Privacy Shield shall have on data processors.

A further concern relates to the access to personal data by American public authorities. The WP 29 had expected stricter assurances that the institution of the Ombudsman is independent. Additionally, there are neither enough assurances, that a massive collection of EU citizens’ personal data will not take place.

Despite the lack of clarity in some aspects of this new framework, the WP 29 will wait until the first annual review takes place to assess the effectiveness of the EU-U.S. Privacy Shield. The result of the first annual joint review may also involve considering the effectiveness of Binding Corporate Rules and Standard Contractual Clauses.

In order to prepare for the GDPR the ICO advises companies to establish internal data breach procedures

22. July 2016

The ICO has advised organisations to implement internal data breach procedures, which should be encouraged by employee trainings, in order to be prepared as soon as the General Data Protection Directive (GDPR) comes into effect in 2018.

Therefore, the recommendation made by the ICO in terms of its breach notification recommendation instruct companies to be compliant from the first day the GDPR is implemented. Furthermore, the recommendation states that “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data” and goes on by saying that “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.” On top of this, the ICO points out that companies will not have much time to notify the authorities of any data breach due to the fact that article 33 of the GDPR requires notification to take place “without undue delay and, where feasible, not later than 72 hours after having become aware of it (…) unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.

A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

 

Pages: Prev 1 2 3 ... 20 21 22 23 24 25 26 27 28 29 30 Next
1 20 21 22 23 24 30