Thursday, 17 December 2015

The liability aspect of handling personal data - 4% of turnover

It seems that Europe has had enough of companies processing personal data without appropriate consideration and safeguards in place.

Earlier this week wording was agreed for new data protection legislation which is expected to come into force in 2 years.

Key wording is that personal data must be "processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

The agreed wording identifies the types of issues that companies might consider to meet this threshold:

1. Pseudonymisation / encryption of personal data
2. Ability to ensure ongoing confidentiality, integrity, availability and resilience
3. Data restoration post breach
4. Regular testing

The bottom line is that the profitability of data processing will drop, as the costs of maintaining a secure digital environment are material and most businesses will face additional compliance costs. As a minimum, companies who process personal data will need, either in house or as a contractor, an individual who can assess digital security risks sensibly and address problems (a data protection officer).

Amusingly, governments have secured broad exceptions to these rules even though they tend to make the greatest howlers in this area - see Edward Snowden.

On that note, a clip from Catch 22...

Wednesday, 16 December 2015

EU starts to get to grips with the Digital Age - new data protection rules text agreed

Despite a lot of lobbying activity from "big data", the EU has managed to agree the text of a new data protection framework, with new rules to come into force in 2018.

The previous directive was established in 1995, which is now a world away in terms of technology and data storage.

The key difference is that companies can be fined up to 4% of turnover for failing to comply and in particular for failing to keep personal data safe.

The chain of liability also extends beyond the data controller to any data processors and third parties involved. The consequences of the latest hacks would have been much greater and more financially punitive for those attacked and their suppliers if they had failed to adequately protect data.

Other elements are the right to be forgotten (or erasure), the need for a data protection officer, the requirement to report breaches, parental consent for 13-16 year olds to use social media, a single supervisory authority and some rights regarding portability of content.

No doubt much will be lost in translation into local legislation, and if the UK votes to exit the EU this will be rather irrelevant.

However, hats off to MEP Jan Philipp Albrecht for guiding this through the European Parliament. It is far from perfect but does seem a reasonable attempt to bring legislation up to date with the Digital Age and force companies who harvest our data to take reasonable steps to protect it.

Monday, 14 December 2015

Top Hack of 2015? Tesla Model S

In the past I have been referred to as a "bit of a hacker" but that was before Edward Snowden decided to be a hero / villain (delete as preferred) and change the landscape & narrative completely.

Some of the hacks of 2015 worthy of mention, in no particular order: Ashley Madison, VTech, Vodafone, TalkTalk, JD Wetherspoon, Office of Personnel Management, Anthem, Premera, IRS, Slack, the FBI portal, Carphone Warehouse, Samsung and Hilton. This does not include the long-running hacks of media companies' live feeds by sites such as CricFree.

Without a clear definition of "hack" it is very difficult to identify a winner. The OED defines hacker as below.

This leaves a lot of room for manoeuvre and does not necessarily suggest that hacking breaks the law.

With that latitude my favourite is the hack of the Tesla Model S by Marc Rogers and Kevin Mahaffey - watch the video below.

Wednesday, 9 December 2015

Spear phishing cyber attacks successful 17-35% of the time

In mythology mermaids would lure sailors onto the rocks with the beauty of their singing.

Today spear phishers target companies and individuals with custom-made malware that provides full system access. This is delivered mostly via an email which appears legitimate and entices the receiver to click on a link of some kind in return for information or reward.

Once clicked, systems can be completely taken over, valuable IP stolen and the reputation of the company trashed.

As the attack is custom-made, automated detection systems mostly miss the threat: by definition it cannot exist in any previous scanning database.

No real surprise then that, according to Arun Vishwanath, Associate Professor at the University at Buffalo, these attacks are so successful. In 2014 there were apparently 400 million cyber attacks in the USA, so the scale of this threat is huge (a favourite term of that odd man Donald Trump).

The easiest defence against spear phishing is never to open an email from someone you don't know and, most particularly, not to click on links or files within that email. It is also necessary to check exact email addresses, as spear phishers are keen on email addresses that look very similar to addresses you might know.

That coming awareness will badly damage email marketing and introduce some healthy caution into how companies and individuals manage their digital affairs. Slapping on a free anti-virus and hoping for the best will start to look negligent.
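The "check the exact address" advice above can be partly automated. The following is an added example, not code from the original post: a small Python check that flags a From: header whose domain is a homoglyph or one-character typosquat of a trusted domain, reuses a trusted brand as a label under another domain, or carries a trusted address only in the display name. The trusted domain list and the confusable-character table are constructed assumptions.

```python
import re

# Constructed sample: domains this mailbox legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "examplebank.co.uk"}

# Visually similar substitutions often seen in lookalike domains (sample, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
FROM_RE = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")

def split_from(header):
    """Split a From: header into (display name, address); bare addresses have no name."""
    m = FROM_RE.match(header.strip())
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").strip()
    return "", header.strip()

def normalise(domain):
    """Fold common homoglyph tricks so 'exarnp1e.com' compares equal to 'example.com'."""
    s = domain.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    name, addr = split_from(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in sorted(TRUSTED_DOMAINS):
        # Homoglyph or single-character typosquat of a trusted domain.
        if edit_distance(normalise(domain), normalise(trusted)) <= 1:
            return "lookalike", trusted
        # Trusted brand reused as a label under a different registered domain.
        if trusted.split(".")[0] in domain.split("."):
            return "lookalike", trusted
        # Display name shows a trusted address while the real address does not match.
        if trusted in name.lower():
            return "lookalike", trusted
    return "unknown", None
```

A mail client rule or gateway filter can quarantine anything classified "lookalike" for manual review; "unknown" senders are simply outside the trusted set and still deserve the caution the post describes.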

Tuesday, 8 December 2015

Polestar going down?

Reports in the Sunday Times over the weekend suggested that the UK's largest newspaper and magazine printer would be insolvent by Xmas. The source of the information was a leaked report prepared by Deloitte. Similar businesses like DC Thomson in Dundee have experienced difficulty as everything switches to digital, so is this another classic story of creative destruction?

The main shareholder in Polestar is Florida-based Sun Capital, who have about $8.9 billion of capital under management. Is it possible that there is another angle to this story, and that Sun Capital have spotted that if Polestar goes down then a large number of publishers will not be able to get the paper product to their customers? This would leave them facing liability to consumers and advertisers over the vital Xmas period. Digital is of course a route to market, but subscription rates and advertising rates are still wildly disparate between the two areas, with old-school publishing commanding much higher rates.

This is an extreme negotiating tactic but may force better commercial terms for Polestar from its key customers who cannot survive without them.

Friday, 4 December 2015

Wetherspoons don't notice major hack for 6 months - proposed European legislation could mean fine of £65 million

Hot on the heels of TalkTalk and VTech being hacked, news emerges that over 650,000 Wetherspoons customers have had personal details stolen.

The hack occurred in mid-June of this year, with Wetherspoons apparently unaware of this until this week. Anyone using the pub wifi or registering with them has probably had details taken.

This suggests that no active monitoring of the network traffic under Wetherspoons' control was occurring, or if it was, it was ineffective or the results were kept quiet while the gaps were fixed. Time will tell if Wetherspoons have breached the Data Protection Act, as the matter has been reported to the Information Commissioner. The maximum fine is currently £500,000, but proposed European legislation would bump that up to a £65 million maximum if the hack had occurred with the legislation in place.

These hacks are popular as personal details can be sold for about £10 each via the dark web, and therefore the Wetherspoons hack is worth about £6 million to the cyber criminals.

In all probability a hacker wandered into a Wetherspoons with a fast WiFi connection, logged onto the network directly, bypassed security and downloaded the database in about 30 minutes - before he or she had finished their pint (or white wine for the lady).

Organisations handling personal data will need to take a more active approach to prevention and monitoring to avoid big fines and reputational damage.

Thursday, 3 December 2015

Proposed EU Data Protection regulations grow some serious teeth in the Digital Age

It is amazing what people will do to get noticed, as this young lady in Thailand demonstrates. At the other end of the scale, the smooth law makers within the EU gently slide obligations towards us almost unnoticed.

The Digital Single Market and the associated Data Protection regulations are scheduled to come into force in December 2017 and bring with them a very different regime for managing personal data. Within the UK the Data Protection Act 1998 requires six core principles to be followed. One of these principles is that personal data is kept safe and secure.

The maximum fine under the DPA is £500,000, and while this is a substantial sum it is possibly less than the cost of the required data security for a large organisation such as TalkTalk (just for example).

Under the proposed new regime fines can be between 2% and 5% of turnover, up to a maximum of £100 million. Using TalkTalk as an example, with a turnover of £1.8 billion the maximum theoretical liability would be £90 million. Possibly worth addressing the SQL injection issues then?

The guiding principle under the proposed new regime looks to be that companies or individuals handling personal data (which is pretty much anything) need to meet "reasonable expectations of data privacy" and liability follows if they do not.

The suggestion is made that encryption is one potential way to meet this requirement, but this is not a given. If an encryption system is found to be flawed or to have a back door, it presumably does not meet this threshold? Implementing one encryption system is tricky enough, but having to change systems in a hurry is breakdown material if the encryption is cracked.

Another aspect of the proposed legislation is the right to erasure. This immediately brings to mind the popular club music duo of Andy Bell and Vince Clarke, but this was probably not the aim of the law makers involved. The serious point is that information will need to be actively managed so it does not remain for ever, which will impose a further layer of cost.

Massive organisations such as banks, telcos and ISPs who hold personal data are looking at chunky liabilities and costs, as are the service providers who manage the data.

Within the SME community this will be even more challenging, as the IT systems and suppliers often fit into the cheap and cheerful category and don't have much resource to direct at IP and cyber protection and data management.

For about 15 years there has been a relaxed attitude to IP protection in the Digital Age, but post Snowden, Sony Pictures and TalkTalk this is drawing to a close and regulation (with cost) is on its way.