08-14 February 2016


Canada

CA – OPC Wants Info on Agency Tracking Peaceful Protests

Canada’s privacy watchdog wants more information on a central government agency keeping tabs on peaceful protests. Privacy commissioner Daniel Therrien’s office has asked the Government Operations Centre (GOC) to review its tracking of lawful protest and dissent. The GOC provides 24/7 “situational awareness” for the federal government, and is supposed to help co-ordinate Ottawa’s response to natural disasters or threats to infrastructure. But in late 2014, it was revealed the GOC has collected information on more than 800 peaceful protests, demonstrations and academic panels since 2006. Documents tabled in Parliament in 2014 showed the GOC had information on events like a rally for veterans on Parliament Hill, a public panel discussion in Toronto on the oilsands, and a number of vigils and marches for missing and murdered indigenous women. In June 2014, the Ottawa Citizen reported that the GOC asked government departments for help in compiling a “comprehensive listing of all known demonstrations” across the country. The revelations drew the ire of the Liberals while in opposition. [The Star]

CA – Premier’s Office in Nova Scotia Broke Law, Privacy Czar’s Report Finds

The office of Nova Scotia Premier Stephen McNeil broke privacy laws when chief of staff Kirby McVicar publicly released sensitive medical information about a former cabinet minister, the province’s privacy commissioner says. McVicar resigned Nov. 24 after stating in several media interviews that Andrew Younger had a brain tumour and had been diagnosed with post-traumatic stress disorder. In a report released Thursday, privacy commissioner Catherine Tully concluded that McVicar violated provisions of the Freedom of Information and Protection of Privacy Act. “The report finds that the disclosure is a breach of the privacy rules,” the report says, though there is no mention of penalties or further investigation. McNeil, speaking after a cabinet meeting, challenged Tully’s main conclusion, saying his office was not to blame because McVicar took sole responsibility for his actions. [Source] [CBC: NS OIPC rules premier’s former chief of staff violated law]

CA – Ontario Professionals Obligated to Share Info About “At Risk” Children

The Information and Privacy Commissioner of Ontario has issued a guide for disclosure of information to child protection workers. Individuals with reasonable grounds to suspect a child is need of protection must immediately report the suspicion to a children’s aid society even if the information is confidential or privileged and despite provisions of any other act; institutions and custodians are protected from liability if they act in good faith and do what is reasonable under the circumstances. [IPC ON – Yes You Can – Dispelling the Myths About Sharing Information with Childrens Aid Society]

E-Mail

WW – Gmail Now Warns Users When They Send and Receive Email Over Unsecured Connections

Google is introducing new authentication features to Gmail to help better identify emails that could prove to be harmful or are not fully secure. The company said last year that it would beef up security measures and identify emails that arrive over an unencrypted connection, and now it has implemented that plan for Gmail, which Google just announced has passed one billion active users. Beyond just flagging emails sent over unsecured connections, Google also warns users who are sending. Gmail on the web will alert users, with a small open-lock icon in the top-right corner, when they are sending email to a recipient whose account is not encrypted. That same lock will appear if you receive an email from an account that is not encrypted. Last year, Google said that 57% of messages that users on other email providers send to Gmail are encrypted, while 81% of outgoing messages from Gmail are, too. Another measure implemented today shows users when they receive a message from an email account that can’t be authenticated. If a sender’s profile picture is a question mark, that means Gmail was not able to authenticate them. Authentication is one method for assessing whether an email is a phishing attempt or another kind of malicious attack designed to snare a user’s data or information. [TechCrunch] [Google Gmail Help]
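The two indicators described above rest on information any receiving mail server already records in the message headers: whether the final hop arrived over TLS (the protocol keyword in the topmost Received header) and whether SPF, DKIM or DMARC checks passed (the Authentication-Results header). The following is an added example, not Google's code or anything from the article, showing how a mail client or a mail-filtering rule could derive the same two signals from those headers. The sample messages, hostnames, addresses and ids are all constructed placeholders, and treating either an SPF or a DKIM pass as "authenticated" is this example's own assumption.

```python
"""
Added example (not Google's code): derive the two signals a mail client's
"unencrypted hop" and "sender not authenticated" indicators depend on,
from the Received and Authentication-Results headers of a message.
"""
import email
import re

# RFC 3848 "with" protocol keywords that denote a TLS-protected SMTP hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def last_hop_used_tls(raw_message: str) -> bool:
    """True if the topmost Received header (the trace line written by the
    receiving MX, i.e. the most recent hop) records a TLS protocol keyword."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return False
    match = re.search(r"\bwith\s+(\S+)", received[0], re.IGNORECASE)
    return bool(match) and match.group(1).upper() in TLS_PROTOCOLS


def authentication_results(raw_message: str) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results (RFC 7601)."""
    msg = email.message_from_string(raw_message)
    verdicts = {}
    for header in msg.get_all("Authentication-Results") or []:
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE):
            verdicts[method.lower()] = result.lower()
    return verdicts


def classify(raw_message: str) -> dict:
    """Summarise a message as an indicator would: 'tls' drives the open-lock
    warning, 'authenticated' the question-mark avatar. Assumption of this
    example: either an SPF or a DKIM pass counts as authenticated."""
    verdicts = authentication_results(raw_message)
    return {
        "tls": last_hop_used_tls(raw_message),
        "authenticated": "pass" in (verdicts.get("spf"), verdicts.get("dkim")),
        "dmarc": verdicts.get("dmarc", "none"),
    }


# Constructed sample 1: delivered over TLS, SPF/DKIM/DMARC all pass.
SECURE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.net with ESMTPS id placeholder-1
 for <alice@example.net>; Mon, 8 Feb 2016 10:00:00 +0000
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=example.org;
 dkim=pass header.d=example.org;
 dmarc=pass header.from=example.org
From: Bob <bob@example.org>
To: alice@example.net
Subject: quarterly report

Attached.
"""

# Constructed sample 2: plain-text SMTP hop and no authentication result.
UNVERIFIED_MESSAGE = """\
Received: from relay.example.com (relay.example.com [198.51.100.7])
 by mx.example.net with ESMTP id placeholder-2
 for <alice@example.net>; Mon, 8 Feb 2016 10:05:00 +0000
Authentication-Results: mx.example.net;
 spf=none smtp.mailfrom=example.com;
 dkim=none
From: Bob <bob@example.org>
To: alice@example.net
Subject: account notice

See attached.
"""

if __name__ == "__main__":
    print("secure:    ", classify(SECURE_MESSAGE))
    print("unverified:", classify(UNVERIFIED_MESSAGE))
```

Only the topmost Received header is trusted here, because it is the one written by your own server; anything below it was supplied by the sending side and can be forged. The same caution applies to Authentication-Results: a receiving server should strip any such header that arrives from outside before adding its own, otherwise a sender can claim a pass it never earned.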

Encryption

US – Lawmakers Seek to Loosen Encryption on Smartphones

A fight over encryption-protected smartphone data is heating up in California and New York where lawmakers and law enforcement groups are pushing bills to enable investigators to unscramble data to obtain critical evidence in human trafficking, terrorism and child pornography cases. The bills seek to loosen the powerful encryption tools major cell-phone manufacturers have put in place to protect a smartphone user’s privacy and guard against hacking. Supporters argue law enforcement needs access to data that can help them prove or solve criminal cases, while technology and privacy groups are concerned the legislation would put a user’s personal information at risk. [SF Chronicle] [Sen. Feinstein Says Terrorists Only Need The Internet and Encryption To Attack] [US Congress locks and loads three anti-encryption bullets] [Bill Would Ban State Efforts to Weaken Encryption]

US – New Bill Aims to Stop State-Level Decryption Before It Starts

Over the last several months, local legislators have embarked on a curious quest to ban encryption at a state level. For a litany of reasons, this makes no sense. And now, a new bill in Congress will attempt to stop the inanity before it becomes a trend. California Congressman Ted Lieu has introduced the “Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016,” which we’ll call ENCRYPT. It’s a short, straightforward bill with a simple aim: to preempt states from attempting to implement their own anti-encryption policies at a state level. We’ve outlined the reasons that a patchwork of state anti-encryption laws makes no sense before, but it’s worth a quick recap. Lieu himself considers there to be three main issues with allowing government backdoors generally. (He’s also, for what it’s worth, one of four sitting Congressman with a computer science degree). [WIRED]

WW – Report: A Worldwide Survey of Encryption Products

A report from Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar says that mandating backdoors in encryption products would hinder competitiveness for those countries while having little effect on criminals intent on using encryption products that are free of such weaknesses. “Anyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead.” [Schneier] [ArsTechnica] [The Register] [NBC News]

EU Developments

EU – WP29 Lays Out 2016 Action Plan for GDPR Implementation

Last week, the Article 29 Working Party published the group’s action plan for the implementation of the General Data Protection Regulation. The Privacy Advisor shares commentary from Falque-Pierrotin during last week’s presser and looks into the official release by the WP29 of its four action plan items, which include the establishment of a European Data Protection Board, preparation for a one-stop shop and consistency mechanism, guidance for controllers and processors, and the creation of an online communication tool around the EDPB and GDPR. [IAPP]

UK – Snooper’s Charter Given Thumbs Up by UK Parliament Report

The UK parliament has published a joint committee report that only feebly challenges the government’s draft Investigatory Powers Bill. In contrast to the scathing report by the Intelligence and Security Committee published earlier this week, the joint committee accepts nearly all the arguments of the government and intelligence services for wide-ranging and intrusive surveillance powers. In response to the controversy and criticisms of the proposed Snooper’s Charter, the report simply says: “The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.” In the main, the joint committee calls for only minor tweaking of the plans, but does recommend that a post-legislative review of the Snooper’s Charter should be made five years after it has been enacted. It also wants it to be illegal to ask foreign agencies like the NSA to undertake surveillance that UK intelligence agencies are not authorised to undertake themselves. [Ars Technica] [UK politicians green-light plans to record every citizen’s internet history, but recommend that no encryption backdoors should be installed] [Parliamentary Watchdog Savages Snoopers’ Charter: ‘Inconsistent and largely incomprehensible’]

EU – Facebook Ordered to Stop Tracking Non-Users in France

In a 16-page ruling issued this week, France’s CNIL found fault with data collection by Facebook at its own site, and at the sites of outside publishers with “Like” buttons. “While the purpose claimed by the company may seem legitimate (ensuring the security of its services), collecting data on browsing activity by non-account Facebook holders on third-party websites is carried out without their knowledge.” The regulator also said that Facebook violates EU privacy law by placing cookies on the computers of visitors to Facebook.com without first obtaining their consent. Last year, authorities in Belgium also ordered Facebook to stop tracking non-users. Several weeks later, Facebook began preventing non-account holders in Belgium from accessing Facebook.com. In the past, anyone in that country could access many Facebook pages found through search engines, including pages for small businesses, sports teams, celebrities and tourist attractions. The CNIL also said in its ruling that Facebook can’t send data about EU citizens to U.S. servers, due to a ruling last October that invalidated an agreement that enabled the data transfers. While EU and U.S. authorities recently negotiated a new agreement, it has not yet been finalized. [MediaPost] [French data privacy regulator cracks down on Facebook]

UK – UK and US Negotiating on Wiretap Orders and Warrants

US and UK negotiators are working toward an agreement that would allow MI5 to serve US companies with wiretap orders for communications of British citizens in counterterrorism investigations. The arrangement would also allow Britain to serve orders for stored data. The draft proposal would allow MI5 to access data stored on overseas computers that are run by American organizations. The proposal would allow US intelligence the same access in the UK. [The Register] [Wash Post]

Facts & Stats

UK – Data Breaches led 3 Million Brits to Switch Service Provider

In the UK, three million Brits have changed service providers as a direct result of data breaches, according to new research by Privitar. Concerns over how personal data is stored, used and ultimately protected have led to growing discomfort among consumers, with findings suggesting that perceptions of how well organizations safeguard their data are a significant consideration when customers are choosing a service. Despite this, more than half (52%) of the 2018 adults surveyed admitted that they struggle to find out how their data is stored and used by companies. With the GDPR due to be implemented across the industry in the coming months, it appears companies are faced with the challenge of acting on data privacy and protection to win customer trust, thus avoiding customer churn. After all, 83% of respondents said they would look to switch to another service if they felt it could manage their data better. [Infosecurity]

Filtering

EU – Google to Scrub Web Search Results More Widely to Soothe EU Objections

Google will start scrubbing search results across all its websites when accessed from a European country to soothe the objections of Europe’s privacy regulators to its implementation of a landmark EU ruling, a person close to the company said. To address the concerns of European authorities, the Internet giant will soon start polishing search results across all its websites when someone conducts a search from the country where the removal request originated, a person close to the company said. That means that if a German resident asks Google to de-list a link popping up under searches for his or her name, the link will not be visible on any version of Google’s website, including Google.com, when the search engine is accessed from Germany. [Reuters] [New York Times] [Google to honor RTBF requests worldwide, for European users]

Finance

UK – National Financial Crime ‘Taskforce’ Launched

The UK’s largest retail banks have joined forces with the Home Office, Bank of England and police to develop a coordinated approach to tackling fraud. Project Sunbird, a collaboration between the Western Australian Police and the Western Australian government’s Department of Commerce, is able to analyse international transaction data to detect patterns consistent with fraud and pro-actively reach out to individuals who may have been victims. The new Joint Fraud Taskforce’s early work will focus on improving intelligence-sharing between the financial sector, government and law enforcement, in order to prevent fraudsters from exploiting gaps and vulnerabilities. It will also help to raise public awareness through a list of the 10 ‘most wanted’ fraudsters, and work to establish “a much richer understanding of how fraud happens, and what can be done to stop it”, according to the UK home secretary. Members of the taskforce include the City of London Police, the National Crime Agency, the Bank of England, fraud prevention body Cifas, Financial Fraud Action UK (FFA UK) and the chief executives of the major banks. The new taskforce will report to the Home Office, as well as publishing public updates, the home secretary told MPs. [Source]

Genetics

CA – Senate Bill Prohibits Employers from Taking Disciplinary Action for Employee Refusal to Disclose Genetic Test Results

Bill S-201, An Act to Prohibit and Prevent Genetic Discrimination has received second reading and been referred to the Standing Senate Committee on Human Rights. An employee’s refusal to undergo or disclose the results of a genetic test cannot be used to dismiss, suspend, demote or lay off an employee, impose any penalty on an employee, refuse remuneration, or threaten to take disciplinary action against an employee; no individual can disclose to an employer that an employee had undergone a genetic test or the results of an employee’s genetic test without written consent. [Bill S-201 – An Act to Prohibit and Prevent Genetic Discrimination – Senate of Canada]

Health / Medical

CA – Insurance Company Offers Rebates for Healthy Lifestyle

A Canadian insurance company is set to offer a new insurance program that rewards policy holders for healthy lifestyle choices such as regular exercise, getting an annual health screening or a flu shot. Ontario-based insurance giant Manulife is partnering with Vitality Group to bring the program to Canada, after rolling out similar systems in parts of Africa, Asia and the United States. The company said the sign-up process is similar to many insurance policies, in that applicants take an online test to determine their level of overall health and then are offered a premium. Policy holders who enroll in the program receive personalized health goals and can log their activities using online and automated tools, which are integrated with the latest wearable fitness-tracking technology such as Fitbit, Manulife said. Officials at the Office of Canada’s Privacy Commissioner said while they have not studied the insurance product offered by Manulife, they would encourage people to carefully consider the potential implications before sharing any personal information – especially sensitive information. [Source]

US – Privacy Advocates Left Out Of NHS Care.Data ‘Oversight’ Board

Privacy advocates have been secretly expelled from the NHS’s care.data discussions group, while lobbyists backed by biotech corporations have kept their places at the table. The care.data Advisory Group was established in March 2014, after the scheme’s first collapse, as part of a process to get care.data – which intends to centralise patients’ health and social care data so it can be packaged and sold to private corporations – up and running again. A recent study into the scheme carried out by the University of Cambridge found that care.data was “launched in a contradictory regulatory landscape” and wracked with “unrealistic expectations” regarding the potential for patient health and social care data to be sufficiently anonymised when shared. [The Register]

US – Administrative Law Judge Affirms OCR Authority to Enforce HIPAA

An administrative law judge has upheld the authority of the Office for Civil Rights of the Department of Health and Human Services to enforce HIPAA regulations and impose fines, the second time a judge has made such a ruling in OCR’s favor. The decision means Lincare, a healthcare provider of respiratory care, infusion therapy and medical equipment to in-home patients, will have to pay $239,800 in civil money payments for an incident in which patient records were left unsecure. In the case, OCR charged that a Lincare employee took 278 patient records home and later left the records in the house after moving to live elsewhere. Another person who had lived in the home with the employee later found the records. An OCR investigation found that Lincare employees, who provide healthcare services in patients’ homes, regularly removed patient information from the company’s offices. “Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time,” the agency reported. “Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and procedures and strengthen safeguards to ensure compliance with the HIPAA rules.” OCR reported that Lincare denied violating HIPAA, contending that patients’ protected health information was “stolen” by the individual who found the records in the home. In the ensuing court case, the administrative law judge ruled that Lincare was obligated to take reasonable steps to protect PHI. [Source] [Press Release | Notice of Proposed Determination | Decision]

Horror Stories

CA – Thermal Imaging May Lower Power Bill, But Raises Privacy Concerns

The City of Vancouver is beginning a new program that uses thermal imaging to identify older homes that are using excess energy. Thermal imaging has been helping homeowners figure out where they’re losing heat, so they can reduce their power bill, but it’s also adding concerns about a possible invasion of privacy. Beginning in April, the plan is to take images of up to 15,000 homes and then work with about 3,000 homeowners to make their spaces more green, by offering consultation and incentives. Higgins says the cameras can only detect heat, and the photos will only be shared with the homeowner. Once the 18-month pilot project is over, the images will be destroyed. [Global News]

US – Thieves Steal Tax Information from the IRS

The Internal Revenue Service was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically. The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address. Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it. The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement. The IRS is notifying affected taxpayers via mail and will monitor their accounts to protect them from tax-related identity theft. [Source]
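The pattern described above, a single automated client walking through hundreds of thousands of different identities against a lookup endpoint, is visible in the endpoint's own access log long before the success count reaches six figures. The following is an added detection example, not the IRS's code or anything from the article: it builds a constructed request log and flags any source that looks up more distinct identities in a sliding window than a real taxpayer ever would. The log format, IP addresses, thresholds and identity tags are all this example's assumptions; the identity column is meant to carry a keyed hash of the identifier, never the raw SSN.

```python
"""
Added example (not the IRS's code): flag enumeration of an identity-lookup
endpoint by counting distinct identities per source in a sliding window.
Log format, addresses and thresholds are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: one automated client plus two ordinary users.
    Each line: <timestamp> <source ip> id=<hashed identity> result=<ok|fail>."""
    lines = []
    base = datetime(2016, 1, 15, 3, 0, 0)
    # Automated client: a different identity every second, one in five succeeds.
    for i in range(60):
        stamp = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        outcome = "ok" if i % 5 == 0 else "fail"
        lines.append(f"{stamp} 203.0.113.5 id=h{i:04d} result={outcome}")
    # Ordinary users: each only ever retries their own identity.
    lines.append("2016-01-15T03:00:10Z 198.51.100.20 id=hu001 result=fail")
    lines.append("2016-01-15T03:00:40Z 198.51.100.20 id=hu001 result=ok")
    lines.append("2016-01-15T03:00:25Z 192.0.2.77 id=hu002 result=ok")
    return lines


def parse_line(line):
    stamp, source, id_field, result_field = line.split()
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return ts, source, id_field.split("=", 1)[1], result_field.split("=", 1)[1]


def detect_enumeration(lines, window_seconds=60, max_identities=10):
    """Flag sources that query more than max_identities distinct identities
    inside any window_seconds span.
    Returns {source: (peak distinct identities in a window, successful lookups)}."""
    per_source = defaultdict(list)
    for line in lines:
        ts, source, ident, result = parse_line(line)
        per_source[source].append((ts, ident, result))

    flagged = {}
    for source, events in per_source.items():
        events.sort()
        window = deque()            # (timestamp, identity) pairs inside the window
        live = defaultdict(int)     # identity -> occurrences inside the window
        peak = 0
        for ts, ident, _ in events:
            window.append((ts, ident))
            live[ident] += 1
            # Slide the window: evict events at least window_seconds old.
            while ts - window[0][0] >= timedelta(seconds=window_seconds):
                _, old_ident = window.popleft()
                live[old_ident] -= 1
                if live[old_ident] == 0:
                    del live[old_ident]
            peak = max(peak, len(live))
        if peak > max_identities:
            hits = sum(1 for _, _, result in events if result == "ok")
            flagged[source] = (peak, hits)
    return flagged


if __name__ == "__main__":
    for source, (peak, hits) in detect_enumeration(build_sample_log()).items():
        print(f"{source}: {peak} distinct identities in one window, {hits} succeeded")
```

The per-source view is the cheapest cut, and it also yields the list of identities that succeeded, which is what scopes the notification mailing the article mentions. A bot spread across many addresses defeats a per-source threshold, so the same window should also be run over all sources combined (distinct identities with failed lookups per minute against the endpoint as a whole), where a jump from the normal baseline is the signal.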

Internet / WWW

UK – Privacy Watchdog Warns That IoT Devices Can Track People

The UK ICO has told manufacturers of Internet of Things devices they should make better attempts to notify people that data could be collected on them. Simon Rice, technology group manager at the ICO, said that the IoT industry has to comply with data protection when collecting personal data. There could arguably be some confusion over what constitutes personal data, and Rice set out a few examples of where data is personal and where it isn’t. What definitely is personal data are MAC addresses used in smartphones. “An IPv6 address could be personal as it would be specific to that device,” he said. He added that even if individual identification is not the intended purpose, the implications of IoT for privacy and data protection are still significant. [Source] See also: [IoT Could Be Used To Spy, Admits James Clapper] and [US intelligence chief: we might use the internet of things to spy on you]
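Rice's two examples are linked: with stateless address autoconfiguration, a device's IPv6 address can be built from its MAC address using the EUI-64 rule of RFC 4291, so the address carries the hardware identifier (and follows the device from network to network) unless the device uses RFC 4941 temporary addresses or RFC 7217 stable-but-opaque identifiers. The following is an added example, not from the ICO or the article, that builds such an address from a MAC and recovers the MAC from an address that embeds one; the prefix and MAC values are constructed.

```python
"""
Added example (not the ICO's): how a MAC address ends up inside an IPv6
address under EUI-64 autoconfiguration (RFC 4291, Appendix A), and how to
tell whether a given address embeds one. Sample values are constructed.
"""
import ipaddress


def mac_to_eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC:
    flip the universal/local bit of the first octet and insert ff:fe
    between the OUI and the device-specific half."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:1a:2b:3c:4d:5e")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """The address a device with this MAC would configure on a /64 prefix."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(network.network_address) | iid))


def embedded_mac(addr: str):
    """Return the MAC embedded in an address's interface identifier, or None
    when the identifier is not modified EUI-64 (e.g. a temporary address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed values: documentation prefix, made-up MAC.
    addr = slaac_address("2001:db8::/64", "00:1a:2b:3c:4d:5e")
    print(addr, "->", embedded_mac(addr))
    # A temporary (privacy-extension style) address carries no MAC.
    print(embedded_mac("2001:db8::a1b2:c3d4:e5f6:7a8b"))
```

The ff:fe marker is a quick heuristic rather than proof, since any interface identifier could happen to contain those bytes, but on real traffic it separates EUI-64 hosts from ones using temporary or opaque identifiers well enough to audit a fleet. From the data-protection side the point is that logging IPv6 addresses from such devices is logging a hardware identifier, which is what makes Rice's examples converge.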

WW – Data Security Concerns Remain Top Obstacle to IoT Initiatives

Despite the rapid growth of the Internet of Things, concerns over data security remain the number one obstacle to further development. That is the conclusion of a recent study by TEKsystems on the state of Internet of Things (IoT) initiatives. More than 200 IT and business leaders were polled by the Hanover, MD-based firm on project ownership, implementation status, risks, required skill sets and organizational preparedness. The purpose of this survey was to gain a better understanding of how organizations are being impacted by IoT, steps they are taking to prepare, resource barriers and challenges, as well as long-term IoT objectives. Key findings from the study are:

  • While 55% expect IoT initiatives to have a ‘transformational’ or ‘significant’ impact
    – just 22% of IoT initiatives have progressed to the implementation stage.
  • Information security and ROI are cited as the biggest hurdles to address
    – and information security experts are cited as the most difficult skill set to find.
  • Leadership of IoT initiatives still mostly resides with IT.
  • Two-thirds expect IoT projects to be handled with internal staff, yet most organizations are not highly confident in their “in-house” preparedness. [Source]

WW – IoT from “Sensor-to-Insight” to “Sensor-to-Action”

A few months ago, we passed an important milestone: For the first time in history, the mobile network traffic between machines had a higher volume than the mobile network traffic between humans. Imagine that… Internet-of-Things traffic surpasses the traffic generated by selfies, pictures of cute cats, text messages as well as all voice traffic in our mobile networks! Internet-of-Things has been a hot and exciting topic for quite a while, but now we see an important development that accelerates the IoT revolution: For a long time, the most common application for IoT has been to collect data. Sensors on various devices and machines have generated data, we have used clever technology to gather this data, send it to some central system and make sense of it. Let us call it “from Sensor to Insight”. What we see now is that we still gather data from remote devices and sensors, but the data can be used to trigger action. To execute business processes. Or influence already running processes. The focus of Internet-of-Things is moving, from “Sensor-to-Insight” to become “Sensor-to-Action”. [Source] See also: [FTC in no rush to regulate Internet of Things] See also: [Visceral data: After heartbreak, IoT devices give us ‘something to show’ ]

WW – GSMA Unveils IoT Security and Privacy Guidelines

The GSMA released guidelines designed to promote secure Internet of Things (IoT) service development and deployment, a sign that the mobile industry acknowledges a growing cybersecurity threat, as well as burgeoning consumer wariness around data privacy and IoT. The document was developed through consultation with the mobile industry. The rapid growth in IoT take-up increases the possibility of potential vulnerabilities, according to the GSMA. “These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed.” The guidelines have been designed for all participants in the IoT ecosystem including service providers, device vendors and developers. As well as helping providers to build secure services from the outset, the guidelines also establish the need for assessing the risk of all components in an IoT service to ensure they are designed for secure data collection, storage and exchange. The guidelines went through a consultation with academics, analysts and other industry experts. [Mobile World]

Law Enforcement

US – New Report Shows the Limits of Police Body Cameras

The Brennan Center has just completed a study of the body camera policies in the 24 police departments around the country [PDF version] that have so far implemented them. Of the 24, 9 programs are still in the pilot stage. For comparison, the Brennan Center also included three model programs from the ACLU, the International Association of Chiefs of Police, and the Police Executive Research Forum. The authors of the study then broke the policies down into several charts, “Recording Circumstances,” “Privacy and First Amendment Protections,” “Accountability,” “Retention and Release,” and “Security.” [Wash Post] See also: [Survey: Almost All Police Departments Plan to Use Body Cameras] and [A separate effort by the Leadership Conference on Civil and Human Rights, a coalition of different advocacy groups, is tracking implementation of recommended body camera policies across 25 police departments]. See also: [Missouri Bill Permits Access to Recordings from Law Enforcement Body Worn Cameras: House Bill 2344, relating to body worn cameras and amending Missouri Revised Code in relation to public records, is introduced and read for a second time]

US – Nebraska Bill Permits Govt Use of ALPR Systems Subject to Restrictions

Legislative Bill 831, the Automatic License Plate Reader Privacy Act, is introduced and referred to the Judiciary Committee. Captured license plate data may only be used by specified law enforcement agencies for specified purposes (e.g. traffic violations, missing persons, stolen vehicles, criminal investigations, electronic toll collection, and controlling access to secured areas); law enforcement may only process privately held plate data no more than 14 days old and subject to a criminal warrant or court order. [Legislative Bill 831 – Automatic License Plate Reader Privacy Act – 104th Legislature of Nebraska]

Other Jurisdictions

WW – Privacy Bar Section of the IAPP Unveiled

IAPP has announced the launch of its Privacy Bar Section, which aims to serve the lawyers that compose more than forty percent of IAPP’s membership. In conjunction, the IAPP has also applied to the American Bar Association to have its privacy certification officially recognized as a legal specialty. [IAPP]

Privacy (US)

US – Obama Establishes ‘Cyber Czar’ and New Privacy Board

President Barack Obama is asking Congress to devote $19 billion to cybersecurity and is issuing new executive orders geared at the protection of both government and private computer networks. In one executive order, Obama directed agencies to implement the Cybersecurity National Action Plan. The CNAP is the broad plan that includes establishing the office of a federal chief information security officer, making budget requests and focusing on training opportunities. The federal chief information security officer marks the first time a senior official will be dedicated solely to developing, managing and coordinating the government’s cybersecurity strategy across multiple agencies, a “cyber czar” of sorts. A separate executive order will create the Federal Privacy Council, which is a multi-agency task force charged with coming up with policies to help the government fight hackers or identity thieves, while also protecting the privacy of individuals. The privacy council will report directly to the president. [The Blaze] [White House Executive Order on Privacy Falls Short]

US – ACLU, Tenth Amendment Center Take on Student Data Privacy

In consultation with the center — a think tank that advocates strict limits on federal power — the ACLU wrote model legislation that both organizations are urging legislators around the country to support. Parts of the bills aimed at bolstering student-privacy protections were written to ensure that “schools don’t become a Constitution-free zone,” and that companies that want to collect student data must first get explicit permission. Over the past two years, 32 states have enacted some sort of data-privacy law, according to the Data Quality Campaign. Some of those laws have been sweeping, such as California’s Student Online Personal Information Privacy Act, which has drawn particular praise from privacy advocates. Other laws are much weaker, experts say. To work around a lack of movement at the federal level over data-privacy protections for students, the activists and lawmakers working with the two organizations are calculating that if they get enough states to adopt a stricter slate of privacy expectations for vendors, companies will have little choice but to raise their standards to a level nationally that would allow them to work in any state. The proposed legislation focuses on stepping up safeguards in four specific areas:

  • Parental or student consent to release student data for noneducational purposes or to third parties;
  • Limits on information that can be gleaned from computing devices loaned to students;
  • Protections from warrantless searches of students on campus; and
  • Restrictions on access to student postings that are behind privacy settings on social media.

The model legislation also calls for professional development to help teachers familiarize themselves with basic student-data-privacy concepts. The Future of Privacy Forum — a Washington-based think tank and a co-author of the Student Privacy Pledge, a commitment by ed-tech companies to safeguard data — offered a measured endorsement of the provisions in the ACLU’s model bill. [Source] See also: [Senate Bill 2171 – Student Privacy in Take-Home Technology Programs – State of Rhode Island General Assembly]

US – ACLU publishes updated privacy guide

The ACLU of Southern California announced its publication of the third edition of “Privacy and Free Speech: It’s Good for Business,” the organization reports on its website. The guide includes “more than 100 case studies and cutting-edge recommendations on everything from privacy policies to security planning to community speech standards,” the report states. “By following some pretty simple steps to incorporate privacy and free speech protections into products, businesses can make their services user friendly and avoid costly mistakes,” the report continues. “As the primer illustrates, doing so is not just good on principle — it’s good for business, too.” The primer is available for free online. [ACLU]

Privacy Enhancing Technologies (PETs)

WW – Britain’s First Anonymous Search Engine

Oscobo is the only UK-based Privacy Search Engine that does not track or store users’ data. The company was founded on the belief that personal data should remain just that, personal, and has set out to turn the tables to favour the Internet user instead of serving interests of big companies. This article will highlight the importance of understanding how user data is being tracked and used by search engines, and how using an anonymous option has clear benefits. [Source]

Security

EU – NIS Directive Establishes First EU-Wide Cyber Security Rules

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive, establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied. [FieldFisher Privacy Law Blog]

WW – Firms Feel More Confident In Ability to Thwart Data Breaches: Study

A majority of organizations believe they will be more secure against data breaches in 2016, despite the fact that nearly three-quarters of organizations experienced a security threat last year. Why the seeming disconnect? A growing number of organizations are investing in more advanced security solutions and are ramping up end-user training around data security best practices. Those are among the findings of the recent study “Battling the Big Hack” from Spiceworks, which looked at IT professionals’ perceptions of the biggest IT security threats and the steps they’re taking to prevent security incidents and breaches within their organizations. The study found that while 80% of organizations experienced a security incident in 2015, 71% of IT professionals expect their organizations to be more secure in 2016. There is also good news in the study. “In order to protect end users from breaches on various devices in the workplace, 73% of IT professionals are enforcing end-user security policies and 72% are regularly educating their employees through lessons on topics such as ‘how to avoid malware’ and ‘how to spot phishing scams,’” the study noted. [Source]

WW – Infosec Pros Still Pressured to Release Unsecure Projects: Survey

Despite an increase in the number of data breaches last year, infosec pros say they continue to be pressured by the business side to release projects that aren’t fully secure, according to an international survey. The survey, paid for by Trustwave, showed that 77% of respondents in five countries — and 7% of Canadians — felt either frequent or periodic pressure to roll out IT projects that weren’t security ready. The good news is that the majority agreed it was once or twice rather than frequently. However, if a bug slips by, that could be once too many. Released this week, the survey questioned 1,414 in-house information security professionals from around the world, including 210 from Canada. Others were in the U.S., Britain, Australia and Singapore. [IT World Canada]

WW – Removing Administrator Rights Mitigates Most Windows Vulnerabilities

According to a recent report, 85% of critical vulnerabilities in Windows last year could have been mitigated by eliminating administrator rights. Nearly all critical flaws affecting Internet Explorer (IE) could have been mitigated with the same action. [ZDNet] See also: [2009 report states that 92% of critical vulnerabilities would be mitigated by reducing the privileges of users on their systems] and [this guide from the NSA in 2013 also recommends reducing the use of local admin accounts]. The use of local admin accounts is a prime example of how ease of use wins out over security. Microsoft has published some guides on how to manage this issue. [TechNet] [Technet]
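The practical first step behind these figures is knowing who actually holds local administrator rights on a machine. The following PowerShell check is an added example written for this digest, not code from ZDNet, the NSA guide or Microsoft; the `$Expected` list is a placeholder you would replace with your own baseline, and the cmdlets assume Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example (not from the cited reports): audit who holds local admin rights
# on this machine and whether the current session is itself running elevated.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

function Get-LocalAdminReport {
    [CmdletBinding()]
    param(
        # Principals expected to be local admins; anything else is flagged.
        # The value below is a placeholder baseline for this example.
        [string[]]$Expected = @("$env:COMPUTERNAME\Administrator")
    )

    # Is this PowerShell session running with administrator privileges?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Every principal (user or group, local or domain) in the local Administrators group.
    $members = Get-LocalGroupMember -Group 'Administrators'

    # Members not on the baseline are the ones to review (or remove).
    $unexpected = $members | Where-Object { $Expected -notcontains $_.Name }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SessionIsElevated = $elevated
        AdminCount        = @($members).Count
        UnexpectedAdmins  = @($unexpected | ForEach-Object {
            "$($_.Name) [$($_.ObjectClass), $($_.PrincipalSource)]"
        })
    }
}

Get-LocalAdminReport | Format-List
```

Reading the group membership does not itself require an elevated session, so the report can be run from a standard-user account to confirm that the everyday login is not an administrator.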

US – DHS, FBI Employee Data Exposed

Someone posted personal information that seems to cover more than 9,000 US Department of Homeland Security (DHS) employees and 20,000 FBI employees online. The self-proclaimed attacker said that the information was taken from a Department of Justice (DOJ) computer using a compromised DOJ email account. [CNET] [DarkReading] [The Hill] [The Hill] [ComputerWorld] [vice.com]

Smart Cars

EU – European Multi-Stakeholder Group Releases Connected Vehicles Report

In December 2015, a multi-stakeholder group called “C – ITS Working Group 6” created in the context of the ITS and eCall working groups published a report on the possible ways that access might be granted to the data generated by connected cars. European Regulation 758/2015 requires the development of an “interoperable, standardized, secure, open-access platform” for the sharing of data. Originally, the work regarding the data sharing platform was related to the eCall directive, which requires cars to be equipped with communication devices that automatically communicate with emergency services in the event of a serious accident. However, Regulation 758/2015 mandates interoperable, standardized, secure, and open access platforms in the broader context of connected car data, including access to telematics data. [Source]

Surveillance

US – Dstillery Uses Iowa Caucus Data to Paint Voter Picture

In a Marketplace report, “data intelligence” and targeting ad firm Dstillery CEO Tom Phillips discusses how the organization employed data analysis technology to find correlating voter traits from participants in the Iowa caucus. “We watched each of the caucus locations for each party and we collected mobile device ID’s,” Phillips said. “It’s a combination of data from the phone and data from other digital devices.” The result? “NASCAR was the one outlier, for Trump and Clinton,” Phillips said. “In Clinton’s counties, NASCAR way over-indexed.” While Dstillery has only taken a look at Iowa voters, it “anticipates compiling voter data in other primaries” depending on candidate interest, the report states. [Source]

US Government Programs

US – White House Plots Privacy Updates for 2016

Marc Groman, who advises the White House on privacy issues, is focusing on delivering fundamental changes to privacy policy in government operations, including IT, in the next 11 months before President Barack Obama leaves office. “Privacy is not a subset of cybersecurity or IT,” said Groman, senior adviser for privacy at the Office of Management and Budget, during a Department of Homeland Security Data Privacy and Integrity Advisory Committee presentation on Feb. 8. “It has to move with those, but it needs its own council.” He was referring to the Federal Privacy Council, which was announced in December 2015 by OMB Director Shaun Donovan. It will be modeled on the CIO Council and will seek to bolster privacy best practices and operations in the federal government. The council will also try to capitalize on individual agencies’ advances in privacy policy, transform those strategies from reactive to proactive and “professionalize” privacy roles in the federal government, Groman said. “We want to shift from an environment of one-time compliance to one of ongoing risk-based” management that incorporates continuous reevaluation of privacy plans, he added. [FCW]

US Legislation

US – Senate Passes Privacy Bill Key to Two International Agreements

The Judicial Redress Act, which gives EU citizens the right to challenge misuse of their personal data in U.S. court, has long been a stated requirement of the umbrella agreement, which would allow the U.S. and EU to exchange more data during criminal and terrorism investigations. Its role in the final approval of the so-called Privacy Shield, struck last week, is murkier. That deal replaces a 2000 agreement that permitted some 4,400 U.S. firms to legally handle European citizens’ data, which was struck down by the EU high court in October over privacy concerns. The bill is also a prerequisite of a law enforcement data-sharing “umbrella” agreement reached last fall. [The Hill] See also: [Judicial Redress Act Would Extend Privacy Act Remedies to Citizens of Designated Foreign Nations] [Senate, House OK Judicial Redress Act, send to Obama to sign] [Laws to give EU citizens right of redress in the US over data handling move closer]

+++
