Microsoft moved to build new EU datacentres

In response to the collapse of the Safe Harbour Agreement of 2000 on 6th October 2015, and following meetings and conversations between EU and US regulators, Microsoft has announced it will invest $2 billion in infrastructure development across Europe. This is in addition to confirming the completion of the latest phase of improvements to its existing data centres in Dublin and the Netherlands.

This new investment will enable Microsoft to provide secure commercial cloud services for its customers and address the sovereign issues of data transfer and compliance raised by the lapse of legal reference that the scrapping of Safe Harbour created on 21st October 2015.

Once the new datacentres are up and running (planned to open late 2016), Microsoft will be able to replicate data within the UK for backup and recovery (vs the current failover of data going to the US from Europe). General Manager of Microsoft UK, Michael Van der Bel, said, “This will help meet demand from those who want their cloud systems based in the UK and now they can meet the strict regulations of the banking, financial services and public sectors”.

It is good news for compliance within Europe, but the EU and US still need to work assiduously to thrash out a legal plan before the end of January 2016 when fines will kick in for non-compliance, to ensure that transatlantic business data can still traverse fluidly and securely across the Pond, avoiding nation fragmentation and an MSP administrative mess.




Is it easier and better sometimes to pay a ransom on demand?

Following TalkTalk’s ‘hackus horribilis’ moment on 21st October 2015, details are emerging that point not to foreign extremists being behind the attack, but rather to a growing cabal of youngsters aged 14-16, who have been arrested and released on bail by the British police after questioning over the incident. The latest advisory from TalkTalk is that only 4% of their customer base (157,000 customers and around 15,600 accounts) were actually affected by the breach of security (though obviously if you were one of that number, you wouldn’t care about the low percentages).

TalkTalk are not on their own though: M&S had some of its users’ details accidentally shared with other customers online last week. This followed what was described as an internal error. The website was pulled down for 2 hours whilst the problem was fixed. Nonetheless, personal data including names, dates of birth, contacts and previous orders could be seen. Meanwhile, Barclays suffered problems with customers complaining of difficulties with ATM transactions during the weekend of 21st October. This incident was put down to a “network problem” resulting in a “tech outage” by Barclays.

And in an interesting discussion at the 2015 Cyber Security Summit in Boston, the FBI’s Assistant Special Agent in Charge of CYBER and Counterintelligence Programmes, Joseph Bonavolonta, advocated that sometimes it really might pay to pay off the criminals in ransomware attacks, where a CryptoWall infection has breached a company’s IT systems. Often this advice is given because the infected organisation has no way of recovering the files: it lacks recovery options and has no backup, or only one that is too old to be commercially useful. Ransomware has been gathering traction since 2013 and much of the difficulty for government security agencies is that no two ransomware attacks are the same.

Meanwhile, the Deputy Director of the US National Security Agency (NSA), Richard Ledgett, commented last week in an interview with the BBC that, as the world becomes more connected and more vulnerable, nation states have to identify their red lines which cannot be crossed by sabotage from other nations (e.g. the Sony attack) and that where this happened it should lead to consequences. There should be a three-pronged plan: build our defences, build offences against threat in others’ networks and “have a build up of international diplomatic regimes” through which the threat of sanctions could be levied.

Post the Edward Snowden leaks, he said real damage had been done, as the disclosures had led to changed behaviours in cyber attackers targeting many organisations. He added: “Several terrorist organisations and one in particular had a mature operational plot directed against western Europe and the US”. This, he said, had hampered the NSA’s ability to do its job. Arguing the rights and wrongs of surveillance in a data-filled world, Ledgett said: “I think that the way the discussion (the Snowden leaks) came about was wrong. You hear claims that he was a whistle-blower and that he tried to raise things. Those are just not true… He didn’t try.” On the subject of transparency, Ledgett advised that it was good to have a public discussion about what the authorities are and can do, but it got harder if it involved specific operations and specific targets.

With Theresa May updating the UK Government’s powers on mass surveillance, there is a difficult path to tread for those who keep us safe, and those who would have liberty at the forefront of the argument.

(Picture: Richard Ledgett, Deputy Director of the NSA.)


How on target is the NHS for going paperless in 2018?

Health Secretary Jeremy Hunt has been seeking a paperless records target of 2018 for the NHS since 2013. In a recent focused healthcare survey of 67 members of the Health CIO Network and CCIO Leaders Network of clinicians and digital health IT leaders, there remains a mixed response:

•  67% stated they were ‘quite confident’ or ‘extremely confident’ their organisation will be paper-light by 2020.
•  14% stated they are ‘not at all confident’ or ‘not very confident’ of achieving the target.

However, on the question of having “integrated health and care records, enabling effective co-ordination of health and social care, by 2020” there was less certainty:

•  56% said they were ‘extremely confident’ or ‘quite confident’ of achieving this, but a quarter (24%), said they were ‘not at all confident’ or ‘not very confident’.
•  28% said they were confident of giving patients read/write access to their records, while 53% said they were not confident.

The top priorities for most of those involved focused on:

  • moving to paperless working – 73%
  • improving quality of services – 68%
  • supporting new models of care – 67%

When asked about their next major IT project, these were reported as:

1.  Top ranking for personal health records and patient portals, to give patients access to their medical record and test results, plus services such as appointment booking and email consultations.
2.  Next were shared record initiatives.
3.  Third were e-prescribing and medicines management.
4.  Finally, in fourth place, one-third of respondents said Electronic Patient Records (EPR) – suggesting many are perhaps already some way down the line with this?

Not surprisingly, with all the other cutbacks facing the NHS, this drive to go paperless might have a lot of goodwill in the sector to deliver, but the barriers facing NHS providers can be summarised by two principal points of feedback:

  • lack of adequate resource (73% affirmed that their IT budget was insufficient)
  • lack of staffing resource

With the breakup of the NHS from a truly national health service to a regional health service, primary and secondary healthcare organisations around the country will need to start showing they are making this work and that we are benefitting. Then, we may wonder why it took so long when other major data institutions such as banks and industries such as insurance groups have managed to do this. After all, a 100-1 shot just won the Melbourne Cup.


Are we sailing into a new Safe Harbour soon?

Our post on 22nd October 2015 discussed the fallout issues following the demise of the 2000 Safe Harbour Agreement. The issue has prompted great anxiety in UK Government corridors. Conservative minister for intellectual property, Baroness Neville-Rolfe, recently commented: “There is an important principle here that companies must be able to transfer data to third-party countries with appropriate safeguards and we are concerned about the uncertainty this judgement creates”. She has expressed the Government’s desire for the European Commission and US authorities to conclude negotiations swiftly on a revised agreement.

This may be on the cards soon, if the assurances of US Secretary of Commerce Penny Pritzker are to be believed. At a meeting in Frankfurt on 29th October, she commented to journalists that “a solution was in hand”. She said: “The solution … is Safe Harbour 2.0, which is totally doable.” Pritzker is cited as saying: “We had an agreement prior to the court case I think with modest refinements that are being negotiated we could have an agreement shortly”.

This will be welcome news indeed, as long as it is true, as British business has, since the announcement at the start of October, been getting very nervous about the implications of the legal action companies may face if found to be in breach at the end of January 2016.

The Information Commissioner’s Office (ICO) has sought to provide some comfort, stating they are “… hopeful that the Safe Harbour 2.0 will emerge and provide a strong and effective framework for protecting individuals when their personal data are transferred from the EU to the US.” It all sounds rather dry and distanced considering negotiations for Safe Harbour 2.0 have been going on for nearly two years now. But with a deadline around the corner and Santa’s prezzies just being wrapped, it might just go to prove the adage that there’s nothing like staring at a cliff-face to focus the mind, even at this eleventh hour – or so we hope…
