Blog – Safe Harbour 2.0 Gets The Greenlight


The next major raft of data legislation kicked into effect on 12th July 2016, with the European Commission’s official adoption of the EU US Privacy Shield framework.  These measures will ensure the protection of EU citizen data in its transfer to the United States.

“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, the EC’s Digital Single Market VP.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Known as Safe Harbour 2.0, this agreement will help firms to move personal data either side of the Pond without breaking strict EU data transfer rules.  After many re-drafts, the EC believes the new framework is now robust enough to protect the data of European citizens.

Obligations and compliance overseer
The US Department of Commerce will be the body responsible for checking that companies which have signed up to the framework are duly following its rules. Failure to do so will result in them facing sanctions and being struck off the list. Additionally, the same levels of protection will apply to any personal data that is forwarded to third parties.

Safeguards and transparency around US government access
The EU has been assured that public authorities' access to data for law enforcement and national security purposes remains subject to clear limitations, safeguards and oversight mechanisms. The US will not be allowed to undertake indiscriminate mass surveillance of the personal data of EU citizens, and every EU citizen will forthwith benefit from redress mechanisms.

Individual rights redress
Under Safe Harbour 2.0, any citizen who considers that their data has been misused will be able to turn to a number of accessible and affordable dispute resolution schemes. Ideally, the complaint will be resolved by the company directly in the first instance; failing that, free-of-charge Alternative Dispute Resolution (ADR) will be offered.

EU US annual joint review
The Privacy Shield scheme will be jointly reviewed each year by the European Commission and the US Department of Commerce. National intelligence experts from the US and the European Data Protection Authorities will collaborate to assess all available sources of information and issue a public report to the European Parliament and the Council.

So where does this leave the rights of UK citizens post Brexit?
We need to remember that until Article 50 is signed, UK citizens are still EU citizens and therefore we all benefit from these changes. In point of fact the General Data Protection Regulation (GDPR), which comes into effect in May 2018, will become law in the UK as we will still be part of the EU. Additionally, the Information Commissioner's Office (ICO) has already stated that any re-draft of the UK Data Protection Act would have to take into account both the GDPR and Safe Harbour 2.0.

The changes we have seen so far, and the adoption of a single European data protection law, lead me to consider the question: "Would a Global Data Protection or Global Data Transfer Regulation, much like the International Standards, help safeguard every citizen?"

Warning from Information Commissioner – data security too lax in legal profession

With law firms the seventh most targeted business group according to the Cisco 2015 Annual Security Report, it is probably little surprise that the Information Commissioner, Christopher Graham, has warned the profession to improve its information security practices after 15 reported data breach incidents involving members of the industry in three months.

Christopher Graham commented: “The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”

The Law Society Gazette announced that the ICO investigated 173 UK law firms in 2014 for a variety of incidents that may have breached the Data Protection Act 1998 (DPA).

Solicitors and barristers hold a veritable treasure chest of data including: confidential business data, proprietary information and intellectual property, litigation strategy information, personally identifiable information, and other legally sensitive information.

The impact for the legal profession is serious, and the penalties for a law firm are quite profound. If found guilty of breaching the DPA, law firms can face fines of up to £500,000 from the ICO, as well as a damaging loss of credibility.

Graham points to data security Principle 7 of the DPA, which states that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The Commissioner says he is mindful that there is "no one size fits all" solution, so "...[legal firms] should adopt a risk-based approach to deciding what level of security you need" in order to mitigate the risk.

ISO 27001 and best-practice cyber security provide exactly that safeguard. ISO 27001, as an Information Security Management System (ISMS), wraps people, processes and technology in an enterprise-wide approach to protecting information, in whatever form it is held, based on the specific threats the organisation actually faces. This acts as the counterpoint to the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software.

Responsible companies should certainly take heed of his advice and do more to protect their client data. This may take the form of gaining the certification directly or, alternatively, outsourcing to a reputable, established IT Managed Service Provider which holds this essential accreditation and can consult on and set about the measures needed to formally protect clientele, finances and reputation. What price reputation?


No anonymity when you screw around online – notes from the Ashley Madison fallout

Adulterous subscribers and suspicious partners worldwide waited with bated breath for the fallout after hackers calling themselves the "Impact Team" mass-dumped the personal data records of 32 million users from the Ashley Madison database on 15th July 2015. "It's full account information," said Robert Graham, CEO of Errata Security, in a blog post. "That includes full names, emails, phone numbers, addresses and passwords". Additionally, credit card information and dating profile details such as height, weight, personal preferences and GPS co-ordinates are included. Whatever fake accounts some people may have created, so much information has leaked that dissecting and cross-referencing it will enable identities to be verified.

With a further 14 gigabytes of data, along with matching encryption keys, dumped yesterday, it is little surprise that the first divorce proceedings over suspected infidelities have started to be listed in the English law courts. Inevitably the primary beneficiaries of all of this will be the divorce lawyers. As one quipped today, "September will be like Christmas this year". Nice.

The list of global offenders, some of whom may have signed up with false names or email addresses, is reported to include business leaders, public figures, government employees, senior politicians, members of the military, police officers and diplomats. In the US, more than 15,000 of the email addresses are allegedly hosted on US government or military servers using the ".gov" and ".mil" top-level domains, with ties to agencies including the State Department and the Department of Homeland Security, as well as the House and Senate. There is a real risk of damaged reputations and, of course, the prospect of future blackmail threats awaiting some; for those naughty enough to have used the website, it may be years before they are targeted by criminals.

A trigger for the hackers was apparently the flaws in Ashley Madison's data protection policy: leavers were charged a £12 fee to have their details removed permanently. Despite assurances from CEO Noel Biderman, this removal did not happen; after the initial threats from the Impact Team, there were multiple reports of people who had paid the charge whose details still appeared in the exposed data.

Ashley Madison factoids:
• The online dating agency for married people has been running since 2001.
• Subscribers number 37 million members worldwide across 46 countries.
• The organisation states that there are 1.2 million subscribers in the UK alone (representing 2% of the population).
• Ashley Madison’s revenue for 2014 was reported at £77m.
• They are stated to be worth £670 million.

The source code of Ashley Madison is held by its parent company Avid Life, which now faces threats to its other websites and business interests. The Sword of Damocles now hangs over smug CEO Noel Biderman's business. It is highly unlikely it can survive a) the hit to its reputation as a safe place to flirt and b) the cost of the lawsuits which are expected to hit its doormat in the coming months.

From a legal perspective, a breach of privacy may have occurred if personal information has been discovered and published, which could open Ashley Madison to lawsuits. Mark Watts, Head of Data Protection at London law firm Bristows, noted that if a company has a presence in the UK (e.g. an office or a server) it is subject to the UK's Data Protection Act, and UK residents have the right to have their data deleted for free. "You cannot charge for it", he said. Our quick check at Companies House shows one Ashley Madison Limited, a private limited company still reportedly active in status terms today, whose nature of business is "other information technology service activities". It has a registered office in Milton Keynes.

As Luke Scanlon, technology lawyer at Pinsent Masons, commented: "The interesting thing about this incident is that recent court decisions in the UK have been leaning towards the view that a claim can be brought when no financial loss occurs but where a person experiences distress as a result of a data breach.

"In the case of Ashley Madison... if each were to try to claim for £1000 in compensation Ashley Madison could see itself incurring costs of up to £1.2 billion. Even if claims for distress in this case are modest, the sheer volume of data breached and individuals affected in this attack could have a critical impact on the company". A remedy for breach of contract, he advises, would be complicated, costly, and risk further exposure. However, this sounds like a Class Act to us.

Unreasonable behaviour from Ashley Madison, certainly, and a salutary reminder to businesses and organisations that it has never been more important to have up-to-date data security measures in place, accompanied by robust governance policies, to ensure the best possible defence against cyber threats.

How toxic can the world’s domain controller ICANN get?

An alliance of 47 countries called on ICANN, the world's domain name distributor, back in June 2015 to respect privacy and freedom of expression when allocating top-level domain names. Amicus ITS last questioned the rationale and discretion of the company when it released ".sucks" as a domain name back in March 2015, and over the squabbling with its licensee about fee exploitation of trademark holders in April 2015. See blog.

The Council of Europe (CoE), whilst holding no legal power to force ICANN to change its procedures (ICANN is a body appointed by the US Government), has stated its concern that the personal data of domain name holders (name and postal address) is publicly available on the WHOIS online database. Whilst not subject to the European Data Protection Act, ICANN as a US body should, according to the CoE, give due regard and duty of care to the personal data it handles. In a declaration, the CoE said: "ICANN, as a private non-profit corporation, should respect international human rights law, notably the UN Resolution 17/4 on human rights and transnational corporations". The declaration goes on to note that ICANN should strike an appropriate balance between "...economic interests and those of pluralism, culture and linguistic diversity, alongside the needs of vulnerable groups and communities".

ICANN is required to undergo an independent review of WHOIS every three years. In the last review, in 2012, the chairwoman Emily Taylor noted that ICANN staff were obstructive about its compliance function. With further reports noting poor levels of data accuracy in WHOIS records, the organisation was found wanting on its compliance and safeguards policy.

What then to make of last week's news that ICANN Chairman Steve Crocker lost the plot during a webinar with a working party from the 2015 review group, as they were assessing how ICANN should handle its database? When challenged, Crocker was heard to shout: "That is completely unacceptable ... I understand you didn't really want to think hard about it, but this is a destructive and inappropriate thing to do." The outburst resulted in silence, followed by a "wow!" from one of the review group members. Not a response one would expect from the head of the management board.

The organisation appears resolute in not acting on any of the previous independent recommendations. This is alarming, as ICANN is about to be handed control of the all-powerful 'IANA contract' by the National Telecommunications and Information Administration (NTIA), the arm of the US Department of Commerce responsible for this move. This would grant ICANN 100% control of the world's DNS and IP address allocations. It all sounds messy and unsettling, as the transition plan to the new IANA contract is reportedly riddled with flaws. In addition, ICANN was recently found to have broken its own bylaws when it gave preferential treatment to one or two bidders for the ".africa" top-level domain. Accusations have allegedly been made of cover-ups by staff in misleading stakeholders and the public over its actions. It would appear that the organisation is out of control and in denial.

The NTIA meanwhile has opened two review periods for people to make comments on the proposals before it approves the transition, based on four principles:

1.  Support and enhance the multi-stakeholder model.
2.  Maintain the security, stability, and resiliency of the Internet DNS.
3.  Meet the needs and expectations of the global customers and partners of the IANA services.
4.  Maintain the openness of the Internet.

ICANN has chosen to stay silent over the accusations by its critics. Surely this period of public review is the cue for technology organisations and the internet community on the other side of the Pond to rise up and challenge ICANN to provide evidence that it is fit for purpose to carry out this important role and handle data correctly. Either that, or perhaps it should relinquish the reins in favour of an organisation that can inspire trust?