Thursday 19 January 2017

The limits of consent to the use of personal data

When does yes really mean yes? That is a very broad subject, but it becomes very specific in the context of data protection.

The areas of data protection, cyber security and IP protection in the Digital Age generally are very much in the news. They are a slightly splintered area of law, falling variously under the Data Protection Act 1998, the Computer Misuse Act 1990, the Investigatory Powers Act 2016, the Freedom of Information Act 2000, the Human Rights Act 1998 and the Copyright, Designs and Patents Act 1988, as amended and updated by various WIPO treaties.

A key tension is the balance between an individual's right to privacy and the protection of their personal data and IP on the one hand, and the often quoted desire of the state to keep us safe on the other. The rapid growth of the internet, computing power and storage capacity allows for unprecedented data collection and processing.

Generally it is hackers who make the news, highlighting security shortcomings and leading to the Information Commissioner's Office becoming involved. However, serious breaches of Data Protection law also occur without a hacker anywhere to be seen, through the unlawful use of data that was provided voluntarily.

In the case of the RSPCA (until recently taking some very aggressive positions in respect of private prosecution), they were collecting personal data from donors who were presented with the following notice:

“The RSPCA may allow other organisations whose aims are in sympathy with our own or whose offers will benefit animal welfare to contact our supporters, if you do not wish to hear from them please tick the box”

It seems that the RSPCA then decided this was carte blanche to use the data collected very broadly indeed. They participated in a data sharing scheme called "Reciprocate" without knowing who the other parties in the scheme were, provided data to wealth screening companies, and took part in data matching and tele-matching schemes. On a few occasions they also released data on individuals who had opted out.

This was brought to the attention of the new Information Commissioner, Elizabeth Denham, via the press and, unsurprisingly, after a nine month investigation serious breaches of the Data Protection Act were identified. A monetary penalty of £25,000 was issued, but criminal charges could have been brought.

The Data Protection Act has at its heart 8 key principles of Data Protection. The first two are that personal data must be processed fairly and lawfully and, crucially in this case, that it shall be obtained only for a specified purpose and not further processed in any manner incompatible with that purpose. Generally, for processing to be lawful, consent must have been obtained in respect of that purpose (consent being the most common, though not the only, condition for lawful processing).

The Commissioner's view was that the initial notice was too vague and ambiguous and did not provide data subjects with sufficient information. Consent must be freely given, specific and informed; just ticking any old box does not do it. The data subjects had therefore not consented, and the data processing was consequently unlawful.

The Data Protection Act covers all personal data (with certain limited exemptions), which includes names, addresses and even IP addresses. Generally consent must be sought to process that data, so everybody collecting data needs to take great care to ensure that proper consent has been obtained. If the person collecting the data (the data controller) later decides to use it for another purpose, fresh consent must be sought for that purpose.

The world of big data is going to struggle a bit with this, but perhaps has consoled itself that the maximum fine the ICO can currently impose is capped at £500,000. That is probably fatal for an SME, but merely a deduction for a large corporate. However, the incoming General Data Protection Regulation, which applies from May 2018, provides for fines of up to 4% of global annual turnover (or €20 million, whichever is higher).

Of the 8 principles of Data Protection only one is directly concerned with the security of data (principle 7). Organisations and individuals therefore need to devote resources to ensuring the lawful collection and management of personal data, as well as to making sure appropriate security is in place, if they are to avoid substantial fines and potential criminal prosecution.


Personal data collected on the basis of consent can only be lawfully used in ways which derive directly from the consent given. It has been said that personal data is like money; if so, then when you provide your personal data to a third party it is analogous to a loan on specific terms for a specific purpose.

Friday 6 January 2017

2016 - how secure do you feel (about your data)?

With thanks to Lewis Morgan, blogger in residence at IT Governance, for putting together a list of the breaches in 2016 that he was aware of. Notable by its absence is the alleged hack of the US Elections, which was possibly the Russians, or possibly the Democrats, or possibly Elvis Presley from beyond the grave.

In any event, it certainly shows that the hackers look to have the upper hand at the moment.

2016 Cyber Attacks & Data Breaches

US health insurer Centene loses 950,000 people’s records

Asda website leaves customer details vulnerable for 677 days

Etihad Airways investigating data breach dating back to 2013

Wendy’s Probes Reports of Credit Card Breach

Bitcoin Worth $USD 6 Million Stolen

Hackers have stolen €50 million from an aerospace parts manufacturer

Linux Mint hacked – lone attacker creates botnet

Lincolnshire Council forced to use pen and paper after ransomware attack

@ChileanCrew Hacks, Leaks Details for 300,000 Chilean Citizens Looking for State Benefits

9000+ Department of Homeland Security staff have their details leaked by hacker

3,000 Tidewater Community College workers victimized in W-2 scam

Attacker compromises information of 250K in Bailey’s data breach

Cyber criminals steal $25 million from Russian banks via phishing attack

Rosen Hotel chain was hit by credit card-stealing malware for 17 months

Minecraft community Lifeboat suffers data breach affecting seven million members

CoinWallet Bitcoin Trader Shuts Down Following Data Breach

93.4 million Mexicans at risk after voter database breach

BeautifulPeople.com Leaks Very Private Data of 1.1 Million ‘Elite’ Daters — And It’s All For Sale

ShapeShift loses $230,000 in bitcoin data breach – ex-employee to blame

Trump Hotel chain suffers data breach again

MySpace and Tumblr hit by ‘mega breach’

117 million hacked LinkedIn email addresses and passwords put up for sale

Kiddicare customers at risk after data spills from test server

EPISD employee accounts hacked, money stolen

Payroll vendor employee falls for phishing scam, all clients’ W-2 data involved

1.4 Billion Yen Stolen From 1,400 Japanese ATMs

154 million voter records exposed, revealing gun ownership, Facebook profiles, and more

77K accounts of Financial Giant, State Farm, leaked due to DAC Group Hack

Muslim Match dating website hack exposes more than half a million intimate messages

45 million records from over 1100 Verticalscope.com domains and communities hacked and leaked

51 Million iMesh Passwords Dumped Online

Personal info on 7.93 million people feared leaked

King’s counselling department breaches students’ privacy

Athens Orthopedic Clinic to begin notifying patients of hack

WikiLeaks Put Women in Turkey in Danger, for No Reason

10 million customers' data leaked from online shopping site

‘Warframe’ Hacked, Details on 775,000 Players Traded

Illinois online voter registration portal hacked, information compromised

Omegle, the Popular ‘Chat with Strangers’ Service Leaks Your Dirty Chats and Personal Info

Data for 6 Million Minecraft Gamers Stolen from Leet.cc Servers

SCAN Health Plan notifying members of unauthorized access to their information

Dominican Hospital notifies patients whose PHI was sent to wrong health plan

Epic’s forums hacked again, with thousands of logins stolen

Turkish Hackers Launch Second Cyber-Attack on Killeen’s Website

Defense university computers hacked, ‘information secure’

Olympics: Hackers attack Russian whistleblower’s doping account

Florida Bar Association hacked, members’ data leaked

6.6 million plaintext passwords exposed as site gets hacked to the bone

Russian hackers leak Simone Biles and Serena Williams files

Russian internet giant Rambler.ru hacked, leaking 98 million accounts

Login details for 800,000 Brazzers users leaked

MarsJoke ransomware targets the government and K-12 educational sector

A single ransomware network has pulled in $121 million

Medical marijuana patients’ personal information found in trash pile

Security Firm Tries Desperate Solution to Alert Company of Data Leak

Hacker grabs over 58 million customer records from data storage firm

Hutchinson Community Foundation falls victim to data breach

DDoS attack against DNS provider knocks major sites offline

Whoops: Pro-Donald Trump super PAC publishes donor credit card numbers

Hackers stole credit card data from Republican website for 6 months

Department of National Defence investigating possible hack of its recruiting site

Over 412 million ‘adult’ accounts exposed – including 15 million deleted ones

Ransomware attack targets Seguin dermatology practice

Report holds Hitachi responsible for debit card data theft

Thieves Use Skimmers on ATMs in Four NYC Hospitals

Madison Square Garden Company Alerts Customers of Payment Card Data Breach

Data of 34 million Keralites leaked in massive breach

85 million login details stolen from Dailymotion

Joan Jett’s BlackHeart Records leaks thousands of files online

KFC warns 1.2 million Colonel’s Club loyalty scheme members of data breach after website hacked

Japanese hosting company Kagoya hacked; credit card data stolen

ThyssenKrupp secrets stolen in ‘massive’ cyber attack

Yahoo’s billion account database for sale on the black market