Tag Archives: GDPR

The Times They Are A Changin – So Says GDPR

The EU’s high court – the Court of Justice of the European Union – said this week that web sites including search engines must ask users to opt in to sharing of their data.

Web sites such as Google know that if users have to actively do something for the sole purpose of allowing Google to sell their data, some percentage will not do it.  That is why in the US the best you might get from a web site is the ability to uncheck a box, which again, most users will not do.

But in Europe you have to deal with GDPR.

This particular case started in Germany when a local web site pre-checked a box that allowed them to use cookies.

I am not sure what these folks were thinking, but I had no doubt that doing what they did would violate GDPR.  Likely these folks will face a big fine.  Then they should uncheck the box.

I think this is a precursor to the same thing happening in the US, starting with California’s privacy law AB375 (the CCPA).  It is not clear what web sites will need to do about cookies, because a user can clearly opt out of data sharing and, depending on how the cookies are used, that could be a problem.

I see a huge number of web sites with a banner on the home page saying that they use cookies, where the only option users have is to click OK.   THIS IS VERY LIKELY A VIOLATION OF GDPR and may well be a violation of laws like CCPA (AB375).  GDPR’s conditions for consent (Article 7) say that consent is not freely given if use of a service is made conditional on consenting to processing the service does not need, so you cannot refuse service to users who do not allow you to sell their data, and CCPA says that you have to give equal service whether or not users opt out of data sharing.

While companies love collecting data, they love paying large fines somewhat less, so now is the time to understand what is allowed and what is not allowed. Source: Politico


In Case You Thought GDPR Was Overblown – Its Not

When GDPR first went into effect in May 2018, people talked about horror stories of fines to the tune of 4% of a company’s total global revenue.

Then reality hit and there were no fines or tiny fines.  Or so it seemed.

The problem with regulators is that it always takes them a while.

Legitimately, you do want them to make sure that they are only issuing fines when appropriate.

This week we have two big fines on the horizon.

The UK Information Commissioner’s Office (ICO) has announced its intention to fine Marriott 99 million Pounds Sterling (roughly $125 million) for the Starwood breach.  That is not the end of the world for a company the size of Marriott, and it may even have insurance to cover some or all of it, but Marriott is fighting it.  (Source: BBC).

Also in the UK, the ICO intends to fine British Airways 183 million Pounds Sterling (about $225 million) for a website breach that affected about half a million customers.  That represents 1.5% of BA’s global revenue for 2017. Source: BBC.

Some people were hoping that the various data protection authorities were going to be all bark and no fine, but reality is a little different.

We have already seen many smaller fines, but it is all relative.  A Danish taxi company was fined the equivalent of 160,000 Euros for failing to delete customer data it could not justify retaining.  160,000 Euros for a taxi company may be harder to swallow than 183 million Pounds for BA.

And the scuttlebutt is to expect many more fines during 2019 and 2020 as the authorities ramp up their staff and complete investigations.  As of January of this year, authorities had received about 60,000 complaints (Source: Law.com).  Helen Dixon, the Irish Data Protection Commissioner, had 29 people on her staff in 2015, before GDPR.  Ireland is where companies like Facebook have their European headquarters, for tax reasons.  Dixon now has a staff of 133 with 30 openings and anticipates adding more staff in 2020.

Companies big and small should not plan on flying under the radar: even if a data protection authority doesn’t single you out, if your users are among those 60,000 complainants you could still wind up being investigated.


GDPR Regulators Getting Their Game On

Poland’s data protection regulator made an interesting decision affecting a Swedish-based digital marketing company named Bisnode.

Poland’s regulator, the national Personal Data Protection Office (UODO in Polish), fined Bisnode 220,000 Euros for failing to comply with Article 14 of GDPR.

Article 14 requires a data controller to inform a person when it collects data about that person from another source. In addition, you have to tell them the purpose that you are collecting the data for and give them the option to object.

Bisnode’s business model is to collect data from public records of various types and then, we assume, sell that data.

Bisnode apparently understood the obligation to notify people because, of the 6 million records it scraped, it sent notices to the people for whom it had email addresses.  That represented about 90,000 businesses.  Of those 90,000, about 12,000 (13%) responded that the company did not have their permission to use the data for the stated purpose.

For the rest of the people, even those for whom they had a phone number, they opted not to notify them at all.

Instead, they put a notice on their web site.  Of course, those 6 million people had no reason to look at the company’s website and besides, I am guessing that they did not include a list of 6 million names on the web site, but maybe they did.

Bisnode objected to having to notify everyone because it said sending every person a registered letter would be too expensive.  Of course an email is not equivalent to registered mail either; it is closer to a postcard, and 6 million postcards cost a whole lot less than 6 million registered letters.

There is a lot more information in the source article linked below, but for now the point is that businesses that depend on scraping other people’s data and selling it should be wary about their business model.

At a bare minimum, they need to consider the notification requirements and understand that each distinct purpose the data is used for requires its own notification.  If you know now that the data will be used for, say, three purposes, you can cover all three in one notice, but if you decide next month that you have a new purpose, you have to notify again.  And the notice cannot be generic, like “we are going to sell your information to folks who are going to do stuff with it, like spam you”.

The Polish DPA also required them to notify the 5.9+ million people that they didn’t notify.  Bisnode is thinking about deleting the data instead, but even if they do, will that relieve them of their notification obligation?

Assuming Bisnode does appeal, hopefully that appeals decision will improve the clarity of the rules under GDPR, but given what I  have seen in the past, Bisnode is unlikely to get a free pass in this situation.

So businesses that depend on taking data from third parties and using it in a way the consumer did not anticipate should anticipate that they could end up on the wrong side of a DPA decision, and then have to decide whether they can afford to fight.   If they cannot use the data freely, the business may not be viable; either way, those businesses have a problem.

Source: TechCrunch.


What is Going to Happen in Europe Regarding Privacy?

Well, we certainly DO live in interesting times.

The UK is supposed to leave the EU at the end of March, but no one knows if they will, if there will be a deal, if they will delay Brexit, if they will have another vote.

The European Data Protection Supervisor says do not expect anything with regard to UK “adequacy” (meaning that you can freely move data between the EU and the UK) for at least a couple of years.  For folks with large operations in the UK, that could be a problem.

The Supervisor also said that GDPR is unlikely to be revisited for another 7-10 years; considering the adoption process after that, do not assume any changes to GDPR for around 20 years.  For those hoping for relief, do not count on it.

He also told the European Parliament that Privacy Shield, the Frankenstein agreement concocted by the US and EU after the EU courts struck down Safe Harbor, is “an instrument of the past”.  He said that Privacy Shield is an interim instrument.  He said that when you look at the full scope of GDPR, Privacy Shield doesn’t make any sense.

Regarding the ePrivacy legislation that is in the works, he is hoping to get some consensus this summer, but whether that means there will be a vote-ready version, that is another story.  That, once approved, will be another set of rules for companies to adopt.

When it comes to data retention, he was not happy about Italy’s law, which allows data to be retained for 6 years.  Of course, in the US there is no limit on retention.  He did, however, like the German approach, which allows retention for weeks, not years.

Suffice it to say, there is a huge gap between European desires (and their laws) and current American practices and that will likely continue to play out in the courts.  Stay tuned.  Source: IAPP (membership may be required to view).


Security News Bites for the Week Ending February 1, 2019

GDPR Gone Crazy

I think we’re gonna need a bigger boat!

According to the European Commission, Europe’s data protection regulators received more than 95,000 complaints about possible GDPR violations in the first 8 months of GDPR.

At the same time businesses reported over 41,000 breaches.

But regulators only opened 255 investigations.

Many of the complaints were related to email marketing, telemarketing and video surveillance.  Source: Bleeping Computer.

 

1987 and 1999 DNS Standards to be Enforced Soon

We often think about things moving at Internet speed.  Except when it comes to Internet standards.

On or about February 1, 2019 (“DNS Flag Day”), the major DNS resolver vendors are releasing upgrades that stop supporting the band-aids implemented over the years to let non-compliant authoritative DNS servers work, albeit slowly.  The standards in question are the original DNS specification (RFC 1035, 1987) and EDNS (RFC 2671, 1999): a compliant authoritative server must answer a query that carries an EDNS OPT record, either with an EDNS answer or with a plain FORMERR, rather than dropping it.  Until now resolvers silently retried such queries without EDNS; after flag day they will not.  Major DNS providers such as Google, Cisco, Quad 9, Cloudflare and others have all agreed to rip off these band-aids in the next few weeks.  If your authoritative DNS servers (or a firewall in front of them) drop EDNS queries, your domain will go dark to users of these major resolvers.

You can test your domain by going to www.DNSFlagDay.Net and entering your domain name.  If it passes, there is nothing to worry about.  If it fails, talk to your DNS provider ASAP.  Source: DNSFlagDay.
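To make the flag day mechanics concrete, here is an added example (this page’s own illustration, not code from dnsflagday.net or from any resolver vendor) of the basic EDNS(0) probe behind those tests: it builds an A query with and without an OPT pseudo-record, parses the reply, and classifies the server the way a post-flag-day resolver will treat it.  The packet builder, the parser, the classification labels and the embedded sample replies are all this example’s own constructions; the live `probe_udp` helper is only used when you pass a server address and a name on the command line, everything else runs offline.

```python
"""EDNS(0) compliance probe in the spirit of DNS Flag Day (added example, not the
dnsflagday.net test suite). Only the bare EDNS query is exercised here; the real
tests also check EDNS version 1, unknown options, flag bits and TCP fallback."""
import socket
import struct
import sys
from typing import Optional

TYPE_A = 1
TYPE_OPT = 41          # OPT pseudo-RR, RFC 6891 (originally RFC 2671, 1999)
RCODE_FORMERR = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (RFC 1035)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname: str, txid: int = 0x1234, edns: bool = True,
                udp_size: int = 1232) -> bytes:
    """A-record query; with edns=True an OPT record goes in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if edns else 0)  # RD=0
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    if edns:
        # OPT: root name, type 41, CLASS = advertised UDP payload size,
        # TTL = extended rcode/version/flags (all zero), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Pull out id, rcode and whether any section carries an OPT record."""
    if len(msg) < 12:
        raise ValueError("short message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_opt = has_opt or rtype == TYPE_OPT
    return {"id": txid, "rcode": flags & 0xF, "has_opt": has_opt}


def classify(edns_reply: Optional[bytes], plain_reply: Optional[bytes],
             txid: int = 0x1234) -> str:
    """Label a server the way a post-flag-day resolver treats it.
    None stands for a timeout. The labels are this example's own."""
    if plain_reply is None:
        return "dead"            # no answer even without EDNS: not an EDNS problem
    if edns_reply is None:
        return "broken"          # drops EDNS queries; resolvers no longer retry without OPT
    r = parse_response(edns_reply)
    if r["id"] != txid:
        return "bogus"           # answer to something else; treated like no answer
    if r["has_opt"]:
        return "edns-ok"         # echoes OPT as RFC 6891 requires
    if r["rcode"] == RCODE_FORMERR:
        return "legacy-ok"       # RFC 6891 §7: FORMERR without OPT means "no EDNS here"
    return "edns-ignored"        # answered but silently dropped OPT: tolerated, not compliant


def probe_udp(server: str, qname: str, edns: bool, timeout: float = 2.0) -> Optional[bytes]:
    """Live probe (needs network): one query over UDP/53, None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, edns=edns), (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def sample_reply(with_opt: bool, rcode: int = 0, txid: int = 0x1234) -> bytes:
    """Constructed replies for offline use: NOERROR with one A record, or bare FORMERR."""
    ancount = 1 if rcode == 0 else 0
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, ancount, 0, 1 if with_opt else 0)
    msg = header + encode_name("example.test") + struct.pack("!HH", TYPE_A, 1)
    if ancount:   # owner name is a pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_opt:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


if __name__ == "__main__":
    if len(sys.argv) == 3:       # usage: probe.py <authoritative-ip> <name>
        server, name = sys.argv[1:]
        print(classify(probe_udp(server, name, True), probe_udp(server, name, False)))
    else:
        cases = {"modern": (sample_reply(True), sample_reply(False)),
                 "pre-EDNS": (sample_reply(False, RCODE_FORMERR), sample_reply(False)),
                 "firewall drops OPT": (None, sample_reply(False))}
        for label, pair in cases.items():
            print(f"{label:>20}: {classify(*pair)}")
```

The “broken” case is the one flag day is about: a server (or a middlebox in front of it) that answers the plain query but never answers the EDNS one.  Before flag day a resolver would fall back to the plain query after a timeout; afterwards it stops doing that, so the zone resolves only for clients whose resolvers still carry the workaround.  Run the probe against each authoritative server of a zone, not just the one your recursive resolver happens to hit.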

 

Alastair Mactaggart Says He Thinks CCPA Will Survive

Alastair Mactaggart, who is the reason that the California Consumer Privacy Act was passed, says that he believes the CCPA will survive the attacks by telecom companies and the tech industry.  After all, with all of the negative news about tech companies, Congressional investigations, etc., the tech companies need to watch out for negative press.  Also, people are getting used to Europe’s GDPR.  Stay tuned – it doesn’t mean that they won’t try. Source: The Recorder.

 

Russia Targeting Robert Mueller’s Investigation Directly

Prosecutors revealed this week that The Kremlin sent reporters a trove of documents supposedly leaked from the Mueller investigation.

In reality, the Kremlin mixed documents that had actually been leaked or filed with the courts with fake documents that they created in an attempt to change the narrative around the investigation.

The reporters were very excited to receive the trove of documents but equally disappointed when they figured out that they were being targeted by a Russian disinformation campaign.

Obviously, the Russians have not given up their old ways and will continue to try and create disinformation if it works to their best interest.   Source: NBC.

 

FBI is Notifying Victims of North Korea Joanap Malware

The FBI and the Air Force have obtained U.S. court approval to infiltrate a North Korean botnet (Joanap) to create a map of Americans whose computers are infected.

While the malware is very old and can be detected by antivirus software, there are still large numbers of infected computers.

The FBI is using the map to get ISPs to notify users of infected computers and in some cases is directly contacting the infected users to clean up their computers.  Source:  Ars Technica.

 


Security News Bites for the Week Ending January 25, 2019

Oklahoma Government Data Left Unprotected

The Oklahoma Department of Securities left data going back to at least 1999 unprotected online.  Data exposed included state agency passwords and login information, data on FBI investigations, information on thousands of securities brokers and other information.  The state says it was unprotected for “a limited duration”.  They are investigating.  Source: The Hacker News.

 

NOYB Files More GDPR Complaints

None of Your Business, the non-profit founded by Austrian privacy activist, lawyer and Facebook thorn-in-the-side Max Schrems, has filed 10 complaints with the Austrian Data Protection Authority.

They say that companies are not fully complying with the requirements of GDPR in providing data to requestors and some companies didn’t even bother to reply at all.  For the most part, they said that companies did not tell people who they shared data with, the source of the data or how long they stored it for.

Beware, this is only the beginning of challenges for companies that have built their business models on selling your data.  The press release also shows the MAXIMUM potential fine (not likely), which ranges from 20 million to 6.3 billion Euros.  Source: NOYB .

 

Another Zero Click WiFi Firmware Bug

Security researcher Denis Selianin has released exploit code for a WiFi firmware bug he presented a paper on last year.  The bug is in the firmware of Marvell Avastar WiFi chips, which runs on the ThreadX RTOS, and it allows an attacker to take over the device even when it is not connected to any WiFi network, because the firmware is triggered during its periodic network scans.  Affected devices include the Sony PlayStation 4, Microsoft Surface, Xbox One, Samsung Chromebook, Galaxy J1 and other devices.  All it takes is for the device to be powered on with its WiFi radio active.

I am not aware of a patch for the firmware of WiFi devices to fix this and likely, for most WiFi devices, the risk will remain active until the device winds up in a landfill or recycling center, even if a patch is released.  Source:  Helpnet Security.

 

Apple Releases Patches For iPhone, Mac and Wearables

Apple has released patches for the iPhone (and other i-devices) that fix several remote code execution bugs (vulnerabilities that can be exploited remotely), including ones in FaceTime and Bluetooth and eight in the WebKit browser engine.  The iOS kernel had 6 vulnerabilities patched that allowed an attacker to escalate privileges.

macOS got similar patches, since much of the same software runs on the Mac, but there were Mac-specific bugs as well.

Rounding out the patch set were patches for the Apple watch and Apple TV.

At one time Apple software was simpler and therefore less buggy, but over time it has gotten more complex and therefore more vulnerable.  Source: The Register.

Data Analytics Firm Ascension Reveals 24 Million Mortgage Related Documents

Ascension, a data analytics firm, left a stash of 24 million mortgage-related documents exposed.  It is not clear who owns the data, which belongs to tens of thousands of loans, but it appears that the originators of the loans include Citi, Wells Fargo, Capital One and HUD.  Ascension’s parent company, Rocktop, owns a portfolio of 46,000 loans, but we don’t know if these are theirs.

While they think the loan documents were only exposed for a few weeks, that is certainly enough time for a bad guy to find them.  After all, a researcher found them. Now Ascension is having to notify all of the affected parties and I am sure that the lawsuits will begin shortly.

If this isn’t a poster child for making sure that your VENDOR CYBER RISK MANAGEMENT PROGRAM is in order, I don’t know what to say.

This could be a third party cyber risk problem *OR* it could be a fourth party cyber risk problem.  In either case, if your vendor cyber risk management house is not in order, it will likely be YOUR problem.  Now would be a good time to review your program.  Source:  Housingwire.
