Tag Archives: data compliant

Data Protection Weekly Round-up: PECR breaches, ransomware research and Facebook on security

Two large corporations fined for PECR breaches; Google study reveals ransomware profits, and Facebook urges people-led changes to security methodology

In the blog below, you’ll note how the Information Commissioner’s Office is taking a hard-line approach to PECR.  If an organisation uses electronic channels to re-permission its database in time for GDPR enforcement in May 2018, it must comply with PECR. Moneysupermarket.com is the latest in a series of big names to fall foul of email regulations.

You’ll also see an analysis of ransomware profitability, which helps explain its continued growth;   the final story summarises Facebook’s views on data security.

The ICO issues fines amounting to £160,000 for Provident Personal Credit and Moneysupermarket.com

The Information Commissioner’s Office has issued civil monetary penalties of £80,000 each for Provident Personal Credit, a Bradford-based sub-prime lender, and Moneysupermarket.com, a leading brand comparison site, on the 17th and 20th of July respectively. In both cases the fine was  for breaching the Privacy and Electronic Communications Regulation (PECR).

Text confused person

Unsolicited texts annoy prospects and customers

Quick-loan credit firm Provident Personal Credit, a brand operated by Provident Financial, was fined £80,000 for sending out nearly 1 million nuisance text messages in the space of 6 months.

The company employed a third party affiliate to send the unsolicited marketing for loans provided by a sister brand, Satsuma Loans.

Text messages may not be sent if the recipients have not consented to receiving marketing texts, so this activity was in breach of PECR.

emails out of laptop

Beware of sending “service” emails which are actually “marketing” emails

A few days later, the price and brand comparison website Moneysupermarket.com was fined for sending 7.1 million emails over 10 days updating customers with its Terms and Conditions, despite these customers having explicitly opted-out of receiving this type of email. This offence is almost identical to the breaches for which Morrison’s, Honda and Flybe were fined last month.

One of the key problems was the section “Preference Centre Update” which said: “We hold an e-mail address for you which means we could be sending you personalised news, products and promotions. You’ve told us in the past you prefer not to receive these. If you’d like to reconsider, simply click the following link to start receiving our e-mails.”

In a previous blog, we explained the ambiguity between ‘service’ emails and ‘marketing’ emails when implicitly emailing or communicating marketing content to individuals who have opted out. This is in breach of regulations (which will only get stricter after the General Data Protection Legislation comes into force in May 2018).

Google research leads to fears of proliferating ransomware

ransomware 2

Ransomware encrypts and scrambles victims’ computerised files. The files will not be decrypted until after a ransom is paid

Research carried out by Elie Bursztein, Kylie McRoberts and Luca Invernizzi from Google has found that cyber-thieves have made $25m (£19m) in the last two years through the use of ransomware. The research suggests that this type of malware regularly makes more than $1m (£761,500) for its creators.

The two strains of ransomware that have seen the most success are ‘Locky’ and ‘Cerber,’ which have collected $7.8m (£5.9m) and $6.9m (£5.2) respectively. But fears have arisen that due to the profitability of ransomware, new and more expansive variants will emerge amid the increasingly competitive, aggressive and “fast-moving” market for cybercrime weaponry. Mr Burszstein warns that ‘SamSam’ and ‘Spora’ are variants that seem to be gaining traction.

The research collected reports from victims of ransomware but also from an experiment wherein thousands of ‘synthetic’ virtual victims were created online. Mr Bursztein and his colleagues then monitored the network traffic generated by these fake victims to study the movement of money. More than 95% of Bitcoin payments (the preferred currency for ransom payments) were cashed out via Russia’s BTC-e exchange.

The lucrative nature of ransomware has led the Google researchers to conclude that it is “here to stay” and may well proliferate among the many syndicates and crime networks around the world. At a talk at the Black Hat conference, one of the world’s largest information security events, Mr Bursztein warned, “it’s no longer a game reserved for tech-savvy criminals, it’s for almost anyone.”

Facebook’s security boss argues that the industry should change its approach

facebook

Hitting the data security balance: user issues vs. tech solutions

At a talk at this year’s Black Hat, Facebook’s Chief Information Security Officer, Alex Stamos, has criticised the information security industry’s over-prioritisation of technology over people.

Advocating a ‘people-centric’ approach to information security, Mr Stamos stated his belief that most security professionals were too focused on complex ‘stunt’ hacks involving large corporations and state organisations, and tended to ignore problems that the majority of technology users face.

He told the attendees, “we have perfected the art of finding problems without fixing real-world issues. We focus too much on complexity, not harm.”

He explained that most Facebook users are not being targeted by spies or nation states, and that their loss of control over their information are from simple causes with simple solutions in which, he claims, the security industry takes no interest. He criticised the industry in general for lacking ‘empathy’ with less tech-savvy people, citing the often-expressed thought by security professionals that there would be fewer breaches and data losses if people were perfect.

He used the example of the widespread criticism from cyber experts that the security team for Facebook subsidiary Whatsapp faced after their decision to use ‘end-to-end’ encryption for the popular messaging app, which was heralded by some as sacrificing security for the sake of usability. Such a sacrifice did not manifest, but Mr Stamos was keen to emphasise the fact that it simply did not occur to security experts that usability was worth pursuing.

Mr Stamos advocated the diversification of the industry by working with less technically minded people who could empathise with the imperfections of tech-users, thus helping to develop more straightforward tools and services that would benefit a larger amount of people.

Facebook has also committed half a million dollars to fund a new project to secure election campaigns from cyber attack.  The initiative will be run by the Belfer Center for Science and International Affairs, a think-tank affiliated to Harvard University.  This is timely, given the scandals around the cyber- attack on French President Emmanuel Macron’s recent election campaign, and the Russian hack of the Democratic National Committee during the US elections last year.

If you have any data privacy compliance, governance or security concerns which you’d like to discuss with Data Compliant, please email dc@datacompliant.co.uk.

Harry Smithson   20th July 2017

GDPR is here – Data Protection is Changing

shutterstock_128215814The General Data Protection Regulation (GDPR) will become law on 25th May 2018.  This is the biggest data protection shake-up for twenty years and impacts every organisation in the world that processes the personal data of UK and European citizens.

GDPR is designed to strengthen individuals’ rights and give them greater control over their data.  Data breaches and data theft … and the catastrophic publicity that goes with them … are now everyday events.  Just ask Morrisons, Talk Talk, eBay, Altzheimers Society and VTech. Under GDPR, these, and all other organisations will face fines of up to 4% of worldwide turnover or 20 million euros (whichever is higher).

The onus is on Boards, individual directors and management to understand and comply with the Regulation, and to make the critical changes required to the way in which organisations handle personal data.  And the clock is already ticking – there are only 24 months available to make the vital procedural, technical and resource changes required for compliance.

shutterstock_14154718The first issue is to understand exactly what personal data you hold.  This is not always simple. Data’s a bit like a river, and sometimes the flow can just be too fast to control. It may flow down the main stream, pause in a deep pool, join another river at a junction,  then wander off down tributaries, streams and burns, and disappear – only to bubble up unexpectedly in the middle of an isolated moor.  Like a river, data can be full of good and exciting things, or stagnant and disgusting.

 

It is essential to know what personal data you hold, where it is held, where it came from, how it was collected, what evidence you have that it has been collected and processed legally, with whom it has been shared (internally and externally), on what terms it has been bought or licensed, whether and where it has been archived or deleted, and who is responsible for its safekeeping.

Until all that information is in place, there is no chance that you can keep it clean, up-to-date and protect it from external or internal threats.  And there’s absolutely no chance you can comply with the Data Protection Act as it stands now – let alone GDPR.

Data Compliant has developed a quick GDPR Compliance Checker – if you’d like to know more about where you are compared to where you need to be for GDPR compliance, just click here, answer the questions, and we’ll send you a free report, including:

–  your topline level of compliance by category
–  a benchline summary of how you compare with other UK organisations
–  a summary of the key steps you need to take to become compliant
Remember, enforcement begins on May 25th, 2018 – now’s the time to start to get ready.

ISO 27001 Certification – who needs it?

It’s becoming an increasingly essential part of due diligence that a data controller, when appointing a data processor, will ask one simple question:  “Do you have ISO 27001 Certification?”  Given that data controllers are the liable parties for any data breaches or lack of compliance, they need to be certain their data is to be processed safely.  So if the answer is “no”, the processor is unlikely to win the contract unless they have some other extraordinary and unique competitive advantage.

I was going to write a blog about why ISO 27001 certification is so important.  Then I thought it would be simpler just to show you.  It’s all about protecting your business from potential breaches.

2014 global breaches infographicFrom the stats above, taken from  the 2014 Year of Mega Breaches and Identity Theft, it’s clear to see:

  • the US is clearly the largest target, but UK has second largest number of breaches
  • retail organisations suffered the greatest volume of data loss in 2014
  • only 4% of data breaches involved encrypted data – an astonishing statistic which tells us:
    • encrypted data is harder to breach
    • given the critical nature of encryption in data protection, the sheer volume of unencrypted data is staggering – too many organisations are simply not taking the most basic of steps to help keep their data secure

ISO 27001 is an international standard for data security management, providing a risk-based approach to data security that involves a data governance standard that is embedded throughout the business covering processes, technology, employees and training.

In the past, obtaining ISO 27001 certification has been a time-consuming, arduous and costly exercise.  Now, however, the whole process of creating the gap analysis, providing robust policies and procedures, and obtaining certification can be made much simpler.

If you’d like to know more about getting ISO 27001 quickly, simply and cost-effectively, please get in touch on 01787 277742 or email victoria@datacompliant.co.uk – we’ll be happy to have a chat and answer your questions

Services at December 2014

Phishing, e-commerce and retail

phishing

Britain is targeted by up to 10,000 cyber attacks per hour, making it a business imperative for organisations to strengthen their data security systems and processes.

Retail and financial services websites are at the highest risk from attack, and Christmas – with a projected online spend of £17.4bn** – is the most popular time of year for cyber criminals.

A Google study from a couple of weeks ago made an astonishing statement:

Phishing stats 45%

This is a particularly worrying statistic given that data security breaches carry a huge cost – both to reputation and financially.

phishing stats Nov 2014

The costs of a breach increase every year, and will inevitably continue to rise as new legislation comes in with greater powers to the ICO.

So it’s time for retailers to make sure their staff don’t fall into the 45% of successful phishing attacks, and understand how to minimise security risks to the business.

Christmas Offer

25% Christmas Discount

Data Compliant  provides data security training workshops for companies who want their employees to understand how to keep their data secure.

2-hour security workshops for up to 10 attendees per session are available from January 5th 2015.  The usual cost is £1,100*.  Within the workshop, we’ll demonstrate how to recognise and avoid phishing attacks.

Any organisation making a firm booking for a data security workshop before 23rd December will receive their 25% discount – ie a reduction in cost from £1,100 to just £825.*

For more information or to book your workshop, call 01787 277742 or email victoria@datacompliant.co.uk

* Stats taken from UK 2014 Information Security Breaches Survey – Department for Business Innovation and Skills

**stats from internetretailing.net

* Costs exclude VAT and expenses.

 

CCTV Data Protection Guidelines from ICO

drone delivering parcelClearly surveillance has both benefits and drawbacks, and the level of public interest and debate about both is increasing. Technology is advancing swiftly, and surveillance cameras are no longer simply passively recording and retaining images. They are now also used proactively to identify people of interest, to keep detailed records of people’s activities both for social (eg schooling, benefits eligibility) and political (eg terrorist) reasons.

There’s a real risk that, despite the benefits, use of CCTV can be very intrusive.

The ICO’s new CCTV code of practice continues its focus on the principles that underpinned the previous code of practice. However, it has been updated to take into account both the changes in the regulatory environment and the opportunities to collect personal data through new technology.

There is some fascinating information in the guidelines – specifically around some of that new technology, where three of the key recommendations are:

  • Privacy Impact Assessments – a requirement that involves ensuring that the use of surveillance systems is proportionate and addresses a pressing need (see the
  • Privacy Notices / Fair processing – a key issue for many of the new technologies is finding creative says of informing individuals that their personal data is being processed – particularly where such processing is simply not obvious.
  • Privacy by design – for example, the ability to turn the recording device (audio and / or sound) on and off as appropriate to fulfil the purpose; the quality must be high enough to fulfil the purpose; the use of devices with vision restricted purely to achieve the purpose

The new technology specifically covered in the guide includes:

Automatic Number Plate Recognition (when to use it, data storage, security issues, sharing the data and informing individuals that their personal data is being processed – something of a challenge needing some creative thinking);

Body Worn Video (warnings against continuous recording without justification; the use of BWV in private dwellings, schools, care homes and the like – and, again, the thorny issue of informing subjects that they are being recorded);

Unmanned Aerial Systems drones are now increasingly used by businesses as well as the military (Amazon has stated its intention to use drones to deliver parcels …). Some of the key issues are privacy intrusions where individuals are unnecessarily recorded when the drone has some other purpose; the distinction between domestic and commercial use; providing justification for their use; the ability to switch the recording system on and off; the whole system of data collection, storage, accessibility, retention periods and disposal requires compliance.

Automated recognition technologies are increasingly used commercially to identify individuals’ faces, the way they walk, how they look at advertising and suchlike. Again, the issues of fair processing, degree of accuracy of images and their identification, storage, retention, transfer, disposal and security are all key to compliance.

If you are using surveillance devices to view or record and / or hold information about individuals, then it’s worth noting that such use is subject not only to the Protection of Freedoms Act (and its Surveillance Camera Code of Practice), and the Data Protection Act, but you also need to consider your obligations under The Freedom of Information Act 2000 and the Human Rights Act 1998.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

Surveillance Camera Code of Practice – 12 Principles

security cameraDo you use a surveillance camera system within your organisation?  If so, it’s worth noting that the Surveillance Camera Code of Practice must not only comply with the Data Protection Act and its 8 Principles, but also provides its own 12 guiding principles:

  1. Purpose: Use of a surveillance camera system must always be for a specified purpose in pursuit of a legitimate aim, and necessary to meet an identified pressing need
  1. Privacy Impact: Use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified
  1. Transparency: There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  1. Accountability: There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  1. Policies and procedures: Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them
  1. Relevance and Retention: No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged
  1. Access to retained images and information should be restricted. There must be clearly defined rules on who may gain access for what purpose; the disclosure of images and information should only take place where it is necessary for such a purpose or for law enforcement purposes
  1. Standards: Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose, and work to meet and maintain those standards
  1. Security: Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  2. Audit: Effective review and audit mechanisms should be in place to ensure legal requirements, policies and standards are complied with in practice.  Regular reports to be published.
  3. Public Safety: When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  4. Accuracy: Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

If you have any concerns about your data compliance in general or your surveillance camera compliance specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services

Smartphone Security

SmartphoneSmartphones are becoming cleverer by the day. I use mine as an address book … to read books … listen to music … search the internet … look at emails … find my husband … use social media … keep track of the news … take pictures … and so much more. I even use it to make and receive calls and texts.

But from a security point of view, smartphones can be leaky, and increasingly it’s down to the user rather than the provider to take responsibility for their own protection. Here is some simple guidance and some references for those who’d like more information:

Smartphones – as important as your wallet and credit / debit cards

Ofcom advises that you treat your smartphone as carefully as your wallet or a bank card, and that’s excellent advice. Losing your smartphone is inconvenient at best and a disaster at worst. There’s the potential expense of any charges that a thief might run up before you report it as lost. And, unless it’s insured, the cost of replacing a smartphone can be horribly expensive.

Not only that, but any confidential information is at risk – your contacts, your emails, even your bank account. And it’s no longer just your own data at risk. If you use your smartphone for business, losing it may have potentially serious implications for you and your company in the event of a data breach.

What to do before you lose your smartphone

  • Set and use a pin or password both on your phone and your SIM for secure access
  • Make sure you know your IMEI number – if you haven’t already done so, just type *#06# into your handset and it should flash up. If not, look behind your phone battery and you’ll find it there. Make a note of it and keep it somewhere safe.
  • Have a look at Immobilisewhere you can register your phone and may then stand some chance of being reunited with it in the event of loss or theft. All UK police forces and various other lost property offices and agencies use it as an online database to trace owners of lost and stolen property.
  • If you are registered with Immobilise, mark your phone as being registered – it just may help deter opportunistic theft
  • Download an app such as findmyiphone or findmyphone. Not only will this help you trace your phone if it is lost or stolen, but it will also allow you to wipe details from it remotely to allow you at least to minimise theft of your data.

How to keep your data safe

  • In the same way that you’d keep your computer data backed up, you should do the same for your smartphone – keep it backed up, either in the cloud or on some other device. That way you stand to lose the minimum amount of data.
  • Keep up-to-date with your operating system – accept updates as they become available as they will include any fixes to security vulnerabilities within the previous software.
  • Use antivirus software to protect your phone from attack by virus or spyware. I use Lookout, but there are various other excellent options.
  • Make sure your apps are only downloaded from trusted sources. Check them out before you download them – read the reviews and check their privacy policies.
  • Keep you apps updated when updates are offered.
  • Bear in mind that a rogue app may allow access and control rights to a hacker who can then make calls, download content, send or intercept messages using your phone without your knowledge. You also run the risk that your smartphone becomes the entry point to other devices to which it may be connected.
  • Check the permissions you grant when you download an app – for example, it may request to use your current location, or to access your photos etc. Make sure that you only provide the data that you require the apps to have, and ideally only provide the information the app needs in order to work.

What to do if you lose your smartphone

  • If you lose your phone, contact your provider and (if you are insured) your insurer immediately.
  • Get your phone blocked – to do this you’ll need to give your provider your phone’s IMEI number, make and model number.

What to do when you get rid of your phone

Before disposing of your smartphone, make sure that you:

  • Erase any apps
  • Erase any data held on it, including media cards
  • Then go into your Settings menu and reset to Factory settings

Above all, smartphones should be treated as the valuable assets they really are, and kept safe to protect both personal and company assets data and assets.

If you have any concerns about your data security in general or your smartphone security specifically, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services