Tag Archives: GDPR

None Of Your Business

Max Schrems – the same Max Schrems who battled Facebook and won, and who got the Court of Justice of the European Union to strike down Safe Harbor – that Max Schrems – has a new mission.

The General Data Protection Regulation, the new privacy law that applies in the European Union from next May (25 May 2018), allows for representative actions – kind of, sort of, like class actions: a not-for-profit body can lodge complaints and bring claims on behalf of the people whose data was mishandled.  Max’s new organization – NOYB, for None of Your Business – plans to take on companies that are not following the GDPR and make their life miserable.  Ask Facebook.  He is very tenacious.

His plan is to raise a half million Euros between now and May and then go on the attack.

GDPR allows people to sue, but it is complicated and expensive for an individual.  What if an NGO existed solely for the purpose of collecting these people, aggregating their claims and going after the offenders?  It now exists, and it is called NOYB.

Schrems has been pretty successful in the past, so I would not underestimate him.

If I were a company operating in the EU, I would definitely keep Schrems and NOYB on my radar screen.

In the meantime I would be working very hard to be in compliance with the regulation.

May 2018 is only 6 months away, and the requirements of the GDPR may mean that you have to change data collection, data processing, data storage and data transmission practices, and, for organizations whose core activities involve large-scale monitoring of people or large-scale processing of sensitive data, appoint a data protection officer.  Those are only some of the things that are required.

Stay tuned.  If history is any indication, Max could be trouble.

Information for this post came from the IAPP.


New EU Privacy Law Could Bankrupt Your Company

The European Union has passed a new privacy law called the General Data Protection Regulation, and it applies from 25 May 2018.

For companies that do not do business with or have customers in Europe, this regulation may not affect you.  However, if you offer goods or services to people in Europe, or monitor their behavior, you are bound by the regulation even if you have no offices in Europe.

There are a number of things about the regulation that are very different from the way U.S. companies treat your data and mine.

What is unclear is whether multi-national companies will operate differently in different countries.

For example, under GDPR a company must have a lawful basis to collect, store, use and transfer data that it holds about you.  For most consumer-facing processing that means express, specific permission (consent), which you can withdraw, and a company cannot simply bury it in a take-it-or-leave-it agreement.  Will Facebook, for example, have a different user agreement for customers in Europe than in the United States?  This is still unclear, but given their appetite for stealing our data, it would not surprise me if they did treat the two groups of users differently.

On the other hand, for smaller companies who do not make a lot of money from your data, it may be easier to treat everyone uniformly.

Other requirements of the regulation include –

  • Companies must report breaches to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to put people at risk), and must tell the affected individuals without undue delay when the risk to them is high.  In the U.S., things are much looser.  You must report breaches sorta, kinda, reasonably quickly.  In many states what that means is undefined.  In other states it might be 30 to 90 days.  It is not 72 hours in any state for a general business.  Effective January 1, 2018, defense contractors will have to report breaches to the DoD within 72 hours, and financial institutions in New York will have the same reporting requirement with a bunch of exceptions, but those two groups represent a tiny percentage of the total population of businesses.
  • The definition of personal data is way broader than any definition in the U.S.  For example, the Internet address (IP address) you are using is considered personal data.  So is your genetic data, which GDPR treats as a special category with even tighter rules.
  • Probably the biggest change is the potential fines.  The EU could fine a company up to 20 million Euros or 4 percent of their annual global revenue, WHICHEVER IS GREATER.  For a large company, that could be billions of dollars.  For a small company, the fine alone could bankrupt the company.

In addition, there are a number of other conditions that the law requires.

There are plenty of businesses in the United States that have European customers and many of them will be totally unprepared for the changes that come about in less than a year.

Obviously, the place for all businesses to start is to inventory what data the company collects, where it is stored, what it is used for, how long it is kept and who it is shared with.  That, by itself, is a huge challenge for most businesses.  This does not just apply to “corporate”.  If some department collects data and doesn’t have a proper lawful basis (such as consent) for it, the company could be fined.  If that department shares the data with a third party and that was not disclosed, again the company could be fined.

This would include data that is stored on laptops, in the cloud and on home PCs.  Most companies will not be able to figure that part out.

If you share data with a third party – a vendor or supplier – you need a written contract with them that binds them to the rules, and you have to be able to show that they are following the rules as well; the responsibility for their handling of the data stays with you.

For British citizens, even though Great Britain is leaving the E.U., the government says that it is going to implement the same law.

For businesses that are subject to this law and who have not already started planning for this, there is not a lot of time to get caught up.  There is a lot of work to be done.

Information for this post came from the BBC.


Banks and Consumers Differ on How Secure Their Data Is

According to a study by the mega-consulting firm Capgemini, only 21% of banking and insurance executives were highly confident in their ability to detect a breach, never mind defend against one.  On the other hand, 83% of consumers trust their bank’s and insurance company’s ability to protect their data.  So 4 out of 5 consumers think their bank has security handled, but only 1 out of 5 bank and insurer executives think their own institution could even spot a breach.

One out of four banks say that they have been hacked but only 3 percent of consumers think their bank has been hacked.  That is a pretty big gap.

In Europe, the General Data Protection Regulation (GDPR) goes into effect next year.  At that point, banks will have 72 hours from becoming aware of a breach to report it to their data protection authority, and will have to notify affected customers without undue delay when the risk to them is high.  That might change perception dramatically.

Almost half of consumers won’t use the online services that banks and insurance companies offer due to security fears.

Almost three-quarters of consumers would switch banks in the event of a data breach.

While reality might differ from how these people answered the survey, the fact that 47% of consumers say they won’t use low cost (to the banks and insurance companies) online services and 74% of them say they would switch providers if there was a breach should be a concern to service providers.

At least in Europe, service providers will soon have a lot less leeway to sweep breaches under the rug.  That means that they might want to consider “upping” their ability to both detect and defend from cyber attacks.

For U.S. entities, while they may not have the same “force of law” that GDPR will provide, at least some hackers seem to enjoy “outing” companies whom they have breached.  Sometimes that is preceded by attempting to extort money from the companies that they have breached, but sometimes the hackers are on a mission and just want to hurt the companies – that is the motivation for the hack in the first place.

U.S. entities that think that the soon-to-be-in-force GDPR won’t affect them may be wrong.  According to the regulation, any bank (or other business) worldwide that is established in the E.U., or that offers services to or monitors people in the E.U., falls under it.  That means that a U.S. based bank, for example, that has a branch in Munich or Paris would need to report any breach within 72 hours.

At least for multinationals, the bar regarding cyber security is going to be raised next year.  A lot!

Under GDPR, the worst case maximum fine a company could face is 4% of its annual global turnover (AKA global revenue) or 20,000,000 Euros, WHICHEVER IS GREATER.  That should be a strong incentive for anyone who falls under the rule of GDPR.  Let’s say that the authorities want to be nice and only fine a company 1% of its global revenue (remember this is revenue, not profit) or maybe 1,000,000 Euros.  Sounds like a bargain, huh?

Given that most institutions have a long way to go to truly secure their enterprises, now would be a jolly good time to start that project.  May 2018, when GDPR goes into effect, is only 15 months away.

Information for this post came from Info Security Magazine.



E.U. Safe Harbor Deadline Nears – What Will Happen?

As the self-imposed (by the E.U.) deadline of January 31st for coming up with a replacement for Safe Harbor looms near, we don’t really know what is going to happen.  My guess is not much, but stay tuned.

The background is that when the Court of Justice of the European Union struck down Safe Harbor last year, the Article 29 Working Party, the group of national data protection authorities responsible for cleaning up the mess in the aftermath of the ruling, set a deadline of January 31 of this year for a new agreement to be in place or else.  Or else what?  Not really clear.  What could happen is that ALL the data transfer which was done under the old Safe Harbor agreement stops, or that the national regulators start enforcement actions against companies still relying on it.  I don’t believe that will happen.

There are a lot of negotiations happening behind the scenes.

One critical piece, a U.S. law (the Judicial Redress Act) that gives E.U. residents the right to sue for redress in U.S. court for privacy violations – a right that they do not have today and a right which the E.U. said was critical to not shutting down data transfer – passed a vote in a Senate committee.  Typically, there is a long and winding path between a committee vote and the President signing a bill into law, but still, this is a move in the right direction.  Do I think this will get signed by January 31?  No.

On the other side of the coin are the data sharing provisions (what used to be called CISA, the Cybersecurity Information Sharing Act) in the recent budget bill.  Since the Senate took out many of the privacy provisions, some say that even if an agreement is signed, the ECJ might say that CISA is a huge hole in E.U. citizens’ privacy rights, since the law says that you can’t sue companies if they share your private data with the NSA.  Oh, wait, companies share it with Homeland Security.  Who is free to share it with the NSA, FBI, DoJ and a whole raft of three letter agencies.

The E.U. has basically approved the new data protection law for Europe called the General Data Protection Regulation, or GDPR.  Its provisions are actually much stricter than the 1995 Data Protection Directive it replaces.

I think February could be very interesting.

Information for this post came from The Register and Dark Reading.
