Disaster for Three Mobile as huge data hack is disclosed

three-logo

News has emerged today that one of Britain’s biggest mobile phone companies has suffered a huge breach of its systems, exposing an estimated six million user account details to  compromise.  This represents two thirds of the company’s customer base.

Believed to have been a hack through an authorised employee login, the hackers were able to access the customer upgrade database.

A spokesman for Three said, “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.  We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity”.

Three added that the data accessed included names, phone numbers, addresses and dates of birth, but added that it did not include financial information. Customers whose data has been affected have not yet been informed at this time. However the speed of intercept is indicated by the revelation by the National Crime Agency that they are investigating the breach and that three people have already been arrested, two for computer misuse and one for perverting the course of justice.

With the Chancellor, Philip Hammond’s speech at the beginning of November calling on companies to do more to protect their customers against cyber crime after the series of high-profile breaches in the last few years, the commercial imperative for businesses to create stronger security measures with GDPR on the horizon shows that the need for diligence in compliance is greater than ever.

As part of its ongoing efforts to keep its customers and regional businesses best informed, Amicus ITS has been conducting a series of cyber security roadshow events to help inform and educate businesses in the region.  The next one is on Thursday 24th November 2016 at its headquarters in Totton.  For details click here

UK will be implementing the EU General Data Protection Regulations in May 2018

_90944246_elizabethdenham

Elizabeth Denham the UK Information Commissioner confirmed on 31st October 2016 that the UK would be implementing the EU General Data Protection Regulations.

She reported that The Secretary of State Karen Bradley MP announced the decision at the Culture, Media & Sport Committee meeting on 24th October 2016, confirming the following:   “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Elizabeth Denham confirmed, “I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years.  The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.
 
Citizens want the benefits of these digital services but they want privacy rights and strong protections too.  Having sound, well-formulated and properly enforced data protection safeguards help mitigate risks and inspire public trust and confidence in how their information is handled by business, third sector organisations, the state and public service.
 
The major shift with the implementation of the GDPR will be in giving people greater control over their data. This has to be a good thing. Today’s consumers understand that they need to share some of their personal data with organisations to get the best service. But they’re right to expect organisations to then keep that information safe, be transparent about its use and for organisations to demonstrate their accountability for their compliance”.

As Amicus ITS reported in our blog on 14th October 2016, the Information Commissioner’s Office is committed to helping UK businesses and public bodies to prepare to the meet the requirements for GPDR ahead of May 2018 and beyond.  It’s 12 point plan for business is published and all organisations are urged to review it against their current data protection measures.

Elizabeth Denham added:  “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.  We’ll be working with government to stay at the centre of these conversations about the long term future of UK data protection law and to provide our advice and counsel where appropriate”.

The ICO advise they will be publishing guidance on different areas over the next six months.  Amicus ITS will ensure that we share these with you as they arise so you can best prepare your organisation for the tighter regulations, responsibilities and accountability.

Wake up call on cost estimate to UK business from EU GDPR

eulaw

The EU General Data Protection Regulations (GDPR) which are already in force, become law formally from 25th May 2018.  Many businesses have not started to take countermeasures to review their data protection.

Recent analysis published by the Payment Cards Industry Security Standards Council (PCI SSC), using survey figures from the Office of National Statistics, suggested that there were 2.46 million ‘cyber incidents’ in 2015.  If the Information Commissioner’s Office (ICO) were notified of every breach and imposed the maximum penalty, this would result in large organisations facing fines totalling £533m and SMEs having to pay £908m under the existing data protection laws.

Under the new GDPR law this would result in a truly massive hike in financial penalties for the same offences – triggering fines of £70bn for major organisations and £52bn on SMEs.

These estimates are based on a maximum fine being levied on day one of the breach under the rules and each national information commissioner is likely to be more lenient in the early stages of EU GDPR implementation.  Added to this, following Brexit, the UK data protection legal landscape and penalties have yet to be defined. However, businesses operating internationally nonetheless have to work within the GDPR framework and many are now starting to appoint data protection officers.

The message is clear – businesses cannot afford to dally.  Whatever the size, all organisations need to start their preparations now.  Companies should conduct reviews to understand and map their data and put in place robust standards and procedures around the management of data to counter any cyber security threat.  Only by taking these steps can organisations seek to avoid the increasingly overwhelming size of fines that could legitimately be imposed.

Blog – Safe Harbour 2.0 Gets The Greenlight

Privacy_Shield_Datenschutz-595x440   ansip-b-001

The next major raft of data legislation kicked into effect on 12th July 2016, with the European Commission’s official adoption of the EU US Privacy Shield framework.  These measures will ensure the protection of EU citizen data in its transfer to the United States.

“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, the EC’s Digital Single Market VP.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Known as Safe Harbour 2.0, this agreement will help firms to move personal data either side of the Pond without breaking strict EU data transfer rules.  After many re-drafts, the EC believes the new framework is now robust enough to protect the data of European citizens.

Obligations and compliance overseer
The US Department of Commerce will be the body responsible for checking that those companies participating who have signed up to the framework, are duly following the rules.  Failure to do so will result in them facing sanctions and being struck off the list.  Additionally, the same levels of protection will apply to any personal data that is forwarded by third parties.

Safeguards and transparency around US government access
The EU has been assured that public authorities access for law enforcement and national security remains subject to clear limitations, safeguards and oversight mechanisms.  The US will not be allowed to undertake indiscriminate mass surveillance of personal data of EU citizens and every EU citizen will forthwith benefit from redress mechanisms.

Individual rights redress
Under the Safe Harbour 2.0, any citizen who considers that their data has been misused will be able to refer to a number of accessible and affordable dispute resolution schemes. Ideally, the complaint will be resolved by the company directly in the first instance, or free of charge Alternative Dispute resolution (ADR) solutions will be offered.

EU US annual joint review
The Privacy Shield scheme will be jointly reviewed each year annually by the European Commission and the US Department of Commerce. Their respective national intelligence experts from the US and European Data Protection Authorities will collaborate to assess all sources of information available and issue a public report to the European Parliament and the Council.

So where does this leave the rights of UK citizens post Brexit?
We need to remember that until Article 50 is signed UK citizens are still EU citizens and therefore we all benefit from these changes. In point of fact the General Data Protection Regulation (GDPR), which comes into effect in May 2018, will become law in the UK as we will still be part of the EU. Additionally, the Information Commissioners Office (ICO), has already stated that any re-draft of the UK Data Protection Act would have to take into account both the GDPR and Safe Harbour 2.0

The changes we have seen so far and the adoption of a single European Data Protection Law leads me to consider the question “Would a Global Data Protection or Global Data Transfer Regulation?” much like the International Standards help safe guard every citizen?

The EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation introduces crucial data protection requirements for companies with data subjects in the European Union. This page offers a breakdown of the key provisions that will come into force May 2018.

Final text
The final text of the EU General Data Protection Regulation (GDPR) is now available and has been approved by the European Parliament.

Penalties
The Regulation will enforce tough penalties: breached organisations can expect fines of up to 4% of annual global revenue or €20 million, whichever is greater. Fines will be imposed within two years of the Regulation being ratified.

Below is a breakdown of the key changes introduced by the Regulation:

1. If your business is not in the EU, you will still have to comply with the Regulation
Non-EU organisations that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.

2. The definition of personal data is broader, bringing more data into the regulated perimeter
Data privacy encompasses other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

3. Consent for Children’s Data Processing.
Parental consent will be required for the processing of personal data of children under age 16. EU Member States may lower the age requiring parental consent to 13.

4. Changes to the rules for obtaining valid consent
The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.

5. The appointment of a data protection officer (DPO) will be mandatory for certain companies
Article 35 of the GDPR states that data protection officers must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. Firms whose core business activities are not data processing are exempt from this obligation. The GDPR does not specify credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.”

6. The introduction of mandatory privacy risk impact assessments
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.

7. New data breach notification requirements
Data controllers will be required to report data breaches to their data protection authority unless it is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of data controllers becoming aware of it, unless there are exceptional circumstances, which will have to be justified. Where the risk to individuals is high, then the data subjects must be notified, although a specific timescale is not specified by the Regulation. Regular supply chain reviews and audits will be required to ensure they are fit for purpose under the new security regime.

8. The right to be forgotten
Data subjects have the “right to be forgotten”. The Regulation provides clear guidelines about the circumstances under which the right can be exercised.

9. The international transfer of data
Since the Regulation is also applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.

10. Data processor responsibilities
Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.

11. Data portability
Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.

12. Privacy by design
The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, to protect data subject rights.

13. One-stop shop
A new one-stop shop for businesses means that firms will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU. This will also have a positive impact on Internet service providers with offices in several EU countries.

Organisations should take action NOW to implement appropriate measures for improved data security.

teaserbox_53378034