Red October For EU After Safe Harbour Decision Collapses Pan Atlantic Agreement

Updating our blog of 9th October: the end of January 2016 will mark the point from which EU data protection regulators could start prosecutions for any erroneous transfer of EU individuals’ personal data from Europe to the US – unless a replacement for the Safe Harbour Agreement is rapidly agreed.

The heat is firmly on in Brussels to find a workable solution, and fast: up to 4,500 US companies (not just tech firms) transferring data across the Atlantic between Europe and the US could now face 20 or more different sets of national data-privacy regulations in place of the Safe Harbour Agreement, which had stood for 15 years.

The NSA’s mass data collection, originally highlighted by the Edward Snowden leaks and central to a case brought by law student Max Schrems against Facebook, prompted the European Court of Justice (CJEU) ruling of 6th October 2015. This now looks set to massively disrupt the international ecosystem for data transfer, legal compliance and assurances to users about the sovereignty of their data. The regulators emphasised that the question of mass and indiscriminate surveillance was central to the CJEU’s decision, and that a replacement data transfer agreement would have to provide “stronger guarantees to EU data subjects” accompanied by “clear and binding mechanisms” and “oversight of access by public authorities”.

The main points
•   Individual European countries can now set their own regulation for US companies’ handling of citizens’ data, vastly complicating the regulatory environment in Europe (Russia recently introduced a new data law demanding that data on Russian citizens be stored within Russia).

•   Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country.

•   The Irish data regulator (Ireland being the host nation for Facebook’s and Microsoft’s European data centres) has now agreed to examine whether Facebook offered European users adequate data protections – and it may order the suspension of Facebook’s transfer of data from Europe to the US if not.

Privacy lawyer Dr Susan Foster of Mintz Levin commented: “Consent has to be explicit and freely given” — which causes a headache for another key use of Safe Harbour, the transfer of employee data. “In many countries in Europe you can’t rely on consent from employees, because employees are understood not to have free choice.” An employee may feel pressured into consenting, so such a consent would not be a valid basis for the transfer. “A lot of multinational companies with employees in Europe rely on Safe Harbour because they don’t feel they can rely on consent, quite rightly.”

A new dawn awaits data controllers across Europe. The upshot is likely to be one filled with more model contract clauses and a greater emphasis on risk-based analysis surrounding data transfer. But whatever the outcome, from 1st February 2015, ‘ignorantia juris non excusat’ – roughly translated, ‘ignorance of the law is no defence’. Businesses beware!

This week’s technology news – 27th March 2015

Are you really YOU online?

Cifas has published Fraudscape, its annual survey of 277,000 fraud cases from 245 members spanning a range of UK sectors. With cyber security issues topping the chart of risks for business in 2014/15, ID fraud is becoming the largest emerging threat: as increased vigilance by business and consumers has begun to reduce the number of accounts being hacked or taken over, cyber criminals are turning their attention to using other people’s identities or creating new false identities. It is estimated that 758 frauds occur every day in the UK, a rate of 31 per hour (Cifas members alone), and the Department of Health estimates there were an eye-watering 30 million cases of prescription fraud in 2014.

The survey findings report:

• 41% of all frauds recorded in 2014 involved criminal abuse of personal data or ID details to impersonate someone or create fictitious ID to steal money.
• 113,839 cases of ID fraud were recorded in 2014, up by 5% on 2013.
• Average victim’s age was 46.
• Men are twice as likely as women to have their ID stolen.
• Emerging trend for young adults (21-30) being targeted (up 51% since 2011 to 14,850), reflecting this group’s increased use of financial products.
• The 55+ age group has witnessed a 15% rise in ID fraud victims from 2013 reaching 25,346 in 2014.

Read the full survey at:  https://www.cifas.org.uk/fraudscape_latest

Cifas CEO Simon Dukes described ID fraud as being on an industrial scale: “The frauds we are recording point to increasingly sophisticated, predatory and organised criminals”. Cifas acknowledges that the stats may be the tip of the iceberg, as this is only what has been reported by its members and is on public record.

The true extent is expected to be far greater, as the UK statistics that form the starting point for data gathering are understandably hard to assemble, and much goes unreported. Department for Business, Innovation and Skills figures record the following baselines:

• There were 5.2 million private sector businesses in the UK at the start of 2014.
• 180,000 charities (England and Wales)
• 560 central government bodies
• 400 local authorities
• 150 NHS Trusts

Then there are the individuals who have suffered fraud. Collating reports from across 5.4 million organisations and identifying how many out of 60 million people have suffered fraud therefore requires some degree of estimation (and the figures do not include SMEs in the private sector, which according to the Federation of Small Businesses account for over 99% of all private sector business in the UK and almost 50% of private sector employment).

But the warning bells are there for us all. The last recorded stats from the now disbanded National Fraud Authority (NFA) put the cost of fraud to the UK economy at £15.5 billion in 2013. The Cifas fraud cases are routed to the City of London Police. But few of Cifas’ members know the point at which an ID was compromised, knowledge which would help target prevention efforts.

WHAT TO DO? Any organisation which has not taken steps to increase resilience by improving its firewalls, beefing up ID authentication and encryption, and having sound antivirus and anti-malware software in place could be placing itself and its customers at unnecessary risk. Reporting ID fraud and data breaches as standard has the potential to strengthen national security learning if government and industry can work more closely together. Added to this, education and awareness training amongst employees and consumers is a must as we find ourselves in an ever more cynical world surrounded by criminal intent.

Threat to Safe Harbour Agreement in Euro court

Europe’s highest court, the European Court of Justice (ECJ), will shortly be reviewing how Europeans’ data is shared with US companies in a landmark case which questions the effectiveness of the US Safe Harbour Agreement.

Brought by activist Max Schrems off the back of Edward Snowden’s whistleblowing, the lawyer’s complaint is that companies such as Facebook (by being complicit in Prism, an NSA surveillance system) are ignoring privacy practices, and that the Safe Harbour Agreement should be scrapped in favour of local regulators acting to protect Europeans’ data.

The Safe Harbour agreement (in place since 2000) allows US firms to collect data on their European users and store it in US data centres as long as certain principles around storage and security are upheld (e.g. giving notice to users and advising them on how the data can be accessed and by whom).

UK data regulator Ofcom is reported to have said at the hearing that scrapping Safe Harbour would “risk disrupting trade that carries significant benefit for the EU and its citizens”.

If upheld, the decision would have severe repercussions for any US firm dealing with Europeans’ data, including giants such as Twitter, Google, Microsoft and Yahoo. Twitter commented that it would be forced to build data centres in Europe to hold separated information. Facebook has not responded formally, although the BBC has quoted that the social media behemoth would welcome an update of the Safe Harbour rules post-Snowden.

For UK organisations where the issue of sovereignty is important, let alone the level of data protection required, the issue is likely to drive them to preserve and protect their customers’ data by having it reside only in UK data centres, avoiding the risk of losing control of the data at any time and of having to deal with foreign regulators and data laws.

Microsoft’s future career as a carrier

Microsoft has been delivering text, voice and video services for many years to both consumers and businesses across phones, tablets and PCs. Its current offerings are Skype and Lync, with the latter soon to be rebranded Skype for Business. Over 100 million people now use Lync to communicate at work. This week Microsoft announced that Skype for Business would include an enterprise-grade PSTN connection to Office 365 Skype for Business.

Microsoft’s strategic partners (including AT&T, BT, Colt, Equinix, Level 3 Communications, Orange Business Services, Tata Communications, Telstra, Verizon and Vodafone) will be working together with Microsoft to deliver secure and direct connections to Office 365 Skype for Business customers through Azure ExpressRoute for Office 365. Azure ExpressRoute leverages partners’ networks to provide a private, dedicated, high-bandwidth connection that bypasses the internet – essentially making Office 365 an extension of your on-premises environment whether you’re on site or not.

Skype for Business can handle all of an organisation’s communications, and with Azure ExpressRoute and its partners providing a direct connection rivalling traditional communication companies, Microsoft is essentially placing itself in the carrier business.

This will offer businesses a one-stop shop for a secure communication package, which is where Microsoft is aiming this offering – for now. In principle this technology could be used on a commercial device: the user, instead of buying a phone, minutes and texts from a high-street carrier, could order a Windows 10 phone with a subscription to Office 365 that includes minutes and texts through Skype direct from Microsoft.

Whether or not Microsoft ties these devices and services together in such an offering, the potential does highlight the importance of Microsoft’s strategic partnerships, which benefit all – not just Microsoft – going forward.

Troublesome domains

When browsing the internet – or even securing your own website – you will likely only worry about a few TLDs (top-level domains), the most common being .com, .net and .org. In recent years there has been an explosion of new TLDs, with the number now available rising to over 650.

One of the most recent TLDs, “.sucks”, has been stirring up trouble. It’s easy to see how this new domain could be a serious nuisance: all it takes is for someone to take your company’s name and register the new “.sucks” domain, and they have the perfect virtual home in an ideal location to poke mischief and maliciousness at your brand, with the potential of you losing big business.

The initial answer for most will be simple: buy the domain before anyone else can and cause trouble. But this is where it gets ugly. The group which purchased the rights to sell “.sucks”, called Momentous, is charging astronomical fees of $2,500 for “.sucks” domains. To a major organisation this could be small change and amount to no more than regular IT admin housekeeping; however, for SMEs or professional individuals the cost is extortionate – and every business will need to weigh the risk of a third party taking over this domain against the potential cost of damage to its brand if that happens.

ICANN, the international body that supervises all things internet, including the creation and approval of new TLDs, clearly decided that “.sucks” was fit for purpose. Whether ICANN is fit for purpose itself, in thinking that such a domain name could be positive in any way for business, is risible.

Organisations are now left with a wholly unnecessary headache and unwanted financial outlay if they are to insure against potential negative outcomes. Hopefully a sharp backlash from disapproving businesses will make ICANN recognise its folly – and in future only permit the release of sensible domain names that add value to the internet.

This Week’s Technology News – 24th November 2014

3D Printing – refreshing the parts other printers cannot reach
The 3D printing sector has seen interesting advances over 2014, with this growing technology in use on earth and in space. The International Space Station (ISS) has installed its first 3D printer. Before the installation, start-up company Made in Space tested the printer in zero gravity on an aircraft. With the printer on board, astronauts will be able to print physical parts themselves without needing to commission them from earth and have them rocketed into space (both costly and time consuming). Printed parts in theory will be able to replace faulty parts or maintain certain equipment on the ISS.

In parallel, researchers from the University of Oslo have designed robots that can already adapt to unforeseen problems, 3D-print new parts for themselves (i.e. self-healing manufacture) and intelligently adapt to their environment. The scientists believe the options are limitless, based on a few simple instructions: what to do, how fast to go, its size and energy consumption. The ingenuity of an autonomous computer being able to consider thousands of options simultaneously and 3D-print parts to create a new model creates an intriguing possibility, perhaps, for ‘3D Printing as a Service’ for MSPs?

Is business ready to accept ‘Facebook at Work’?
Although not formally announced, ‘Facebook at Work’ is heavily rumoured to be in use internally at the company, with a worldwide launch for business imminent. Apparently it is distinct from the current consumer product in barring personal details, helping it overcome being blacklisted by organisations which disallow social media engagement at work. With the rise of social networking and collaboration, Facebook, with over one billion accounts, is cleverly poised through its dominant position to take on the likes of LinkedIn and other corporate-focused social networks like Microsoft’s Lync and Skype. The diversification opportunities deepen, as collaboration leads to online storage where users upload and collaborate on documents with other users of the service.

The real question is whether, despite all its canny commercial plans, and even accounting for proper security and governance procedures, the sheer name ‘Facebook’ will simply scare off a lot of companies. Ultimately, the scale and impact of social networking cannot be ignored, but overcoming assumptions about the brand and how it will advocate its handling of public and private information will be the largest hurdle facing Facebook as it stares out from this mirror of opportunity.

Diktat to go digital in healthcare – or warning NHS funding will be pulled
NHS England’s National Director for Patients & Information, Tim Kelsey, has announced the publication of its ‘Personalised Health and Care 2020’ strategy. This paper confirms NHS England’s intention for the NHS to go paperless by 2018-20, or face having its funding pulled.

At its heart, patient care records must be available across urgent care services by 2018 and throughout all NHS organisations by 2020, to create joined-up practice amongst professionals, speed and efficiency, and the avoidance of errors (e.g. in prescriptions). Only 4% of records are currently accessible online.

The technical challenge around IT remains that many of the NHS’s PCs are still running the soon-to-be-defunct Windows XP. If, as stated, financial resources will be made available to assist healthcare organisations, this will come as good news for IT teams and MSPs helping to support any such migration to make the NHS fit for digital. However, it must remain an integrated and secure approach. The BMA’s GP Committee Chair, Chaand Nagpaul, concluded that “...the most critical aspects to get right beforehand are the safeguards, confidence and trust of patients”. Added to this should be the strict management of patient data to prevent it being sold unknowingly to third-party commercial organisations for private profit.

Following the Care.data scheme debacle earlier in 2014, which failed to have appropriate data privacy safeguards in place, this is a very valid point, but it should not stop future rollout if armed with correct good practice and security and governance policies. Hopefully, with National Data Guardian Dame Fiona Caldicott now on board, this will no longer be an issue. The key obstacle instead will be how much money healthcare organisations can secure to cover the necessary ‘fit for future’ IT upgrade investments.

NHS kitemarks for apps
In a separate move, with the rapid increase in health-related apps for mobile phones and other personal devices available in the market, NHS chiefs are backing a “kitemark” for health-related smartphone apps to validate those deemed safe for patients to use in managing health conditions. The plan also includes an e-version of the red book recording a baby’s immunisations and development, to be online from 2016, to counter the loss of key information if the physical book goes missing and the child requires vaccination, review or emergency treatment.

Facebook utilises Blu-rays in new low-powered storage solution

Hi-definition movies often come to mind when thinking about Blu-rays, not so much data centre storage solutions. Facebook, however, has announced exactly that, prototyping a system capable of storing 10,000 discs, making up 1 petabyte of data per cabinet, with plans to increase this to 5 petabytes. Cost savings appear to be the driving factor, with 50% savings in costs and 80% in energy usage compared to hard-disk-based cold storage. The other factor is lifespan: traditional disks usually last about 5 years, but this Blu-ray solution is quoted at 50 years. There is a clear advantage here and the opportunity for a new revenue stream for the Blu-ray Disc Association (BRDA). If BRDA were to collaborate with a hardware manufacturer such as HP or Dell, this would be advantageous to both in delivering to the corporate market.

Amicus ITS – Our views on this week’s news

Apple’s profits – The Bigger Picture

Research firm Statista has announced that Apple’s profits amount to more than those of Google, Microsoft, Amazon, Facebook, eBay and Yahoo combined. Its $47.1 billion profits are primarily thanks to the popularity of its well-designed, fashionable mobile devices and their growing impact on the work environment. Whilst we love the iPad and the iPhone, can Apple maintain this lead by using its design and phenomenal budgets to drive consumers to the next big thing?

The end of XP

This week saw the start of the 500-day countdown to the end of XP support, giving Windows 8 a fighting chance of gaining significant sales figures. Although Windows 8 has so far seen a slow start, we think Microsoft’s big gamble will pay off. As mobility grows, organisations will look for the best solution to meet their OS needs, and we think Windows 8 will come up trumps.

Windows Phone anyone?

Microsoft is placing all its bets on the new Windows 8 ecosystem to push sales of its phone division. The new device comes with a similar look and feel to its desktops, tablets, Xbox and phones, in the hope that users will enjoy the experience on one device and try another. We think this is a smart move for Microsoft and predict that by the end of 2014 we may see the market share split between Apple, Microsoft and Google.

Security breaches enhance corporations’ awareness

In recent months, hacking has increased. Many big names are currently in the firing line, Google, Yahoo and Microsoft being the latest. As industry leaders succumb to security breaches, the rest of the world becomes increasingly concerned about how secure its own IT infrastructure really is. Organisations need to step up their game and will look to managed service providers for help.