ICO reports security failures across all sectors as fines continue to ramp up in 2019

Since May 2018, when GDPR kicked in, the ICO has been progressively investigating data breaches reported to it, and no one has been spared in its enforcement action: from local Government officials illegally accessing personal data, to public bodies (including HMRC, for data harvesting), to the Metropolitan Police (over responding to Subject Access Requests), the NHS (for illegally accessing medical records), and regulated industries and small businesses carrying out unsolicited communications by email or telephone (affecting up to 4.5 million unsuspecting contacts). In one extraordinary case, a Council employee shared unredacted data about alleged gang members profiled on a police intelligence ‘Gang Matrix’ database with other Council staff and external organisations. This ended up on social media and was then used by the gang members themselves. Unbelievable, but sadly true.

Amicus ITS Director of Technology, Security & Governance, JP Norman commented: “The ICO are striking a balance between the severity of a breach individually, the volume of data affected and the harm and distress caused by the breach of security and lack of protocol. We can see from the enforcement notices published across 2018-19, the huge variety of cases that the ICO have dealt with in the last 18 months and ultimately this illustrates data responsibility is in the hands of every individual, with fallout picked up by the organisation/company directors”.

The big headline fines this summer were the £183.4m fine announced against British Airways following the 2018 cyber incident, in which users logging in to BA’s website were diverted to a fraudulent site where their personal details, payment information and travel plans were harvested (this represented 1.5% of global turnover, against a maximum possible fine of 4%), and the £99.2m fine to Marriott International hotels group for a data breach in which 339 million guest records globally were exposed over several years following a merger, with a lack of due diligence and of security measures being adopted. Both organisations are seeking to defend their position. Other big names included Equifax (£500,000), Uber (£385,000) and Yahoo! (£250,000), all for cyber security failures.

Against this backdrop, the ICO Annual Report for March 2018-19, published in July 2019, recorded that 82% of personal data breaches investigated had been closed with no further action, because corrective measures to avoid a repeat had been taken or were being acted upon. We should take this as positive news, as organisations learn to manage their data more responsibly.

JP Norman adds: “All organisations face the same responsibilities around data management and data security. At the heart of good practice is education and staff training. This can identify what is appropriate when sharing data and that if approved, it is done lawfully and safely. Organisations, institutions and businesses of any size must have a Data Protection Officer (DPO), who may also be the Data Controller if appropriate. These representatives need ready access to policies and guidance around data security and measures to be taken in the event of any breach, which can be evidenced and practised as part of a smart Business Continuity Plan. This can be intimidating for businesses of even medium size to get to grips with and act confidently so we often see the DPO function outsourced”.

Amicus ITS recognises the challenges organisations face and earlier this year published its new Virtual Data Protection Officer service on G-Cloud 11 for public sector customers. Notably, this service is equally available to SMEs. Any organisation that is unsure whether it has the right security policies and security measures in place can contact Amicus ITS in confidence. If the service is taken up, this security consultancy could not only save you £000s but also help protect against reputational damage, which can be priceless. Call our Sales team today for a free initial discussion on +44 2380 429429.


French regulators throw the first big GDPR punch at Google with £44m fine

Google has fallen foul of the French data regulator, with the announcement yesterday of an impressive £44m fine against the global search engine giant. In a move that has set the tech industry chattering, this marks the first major European penalty since the rollout of GDPR on 27th May 2018. It was going to happen sooner or later; it was just a matter of who would be first.

Google’s blunder was its covert process of gathering data to personalise ads without ‘sufficiently’ informing users, burying the detail in terms and conditions and using pre-ticked boxes (contrary to the new legislation).

CNIL, the French equivalent of the UK’s Information Commissioner’s Office, filed two complaints as soon as GDPR came into effect.

Commenting on the severity of the fine, CNIL advised that the action was “justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”.

The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation, which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data.

The fine announced on Monday is far lower than the maximum penalty under the European privacy law, which is 4% of global revenue. For Google, that would be more than $4 billion!

The response has been largely welcomed in the wider MSP community as a prompt to improve marketing processes, a view echoed by Amicus ITS. Like many others today, Amicus ITS uses Account Based Marketing, so the lawful consent required is obtained directly from the customer.

The news is a salutary reminder for firms to remain vigilant in ensuring they comply with GDPR, while offering flexibility in providing services through different marketing channels that create the variety of correct routes for data capture through websites and other means (which these days translates into the increase in companies offering AI chatbots when communicating services or sharing information with third parties).

Are you surprised by the fine? Who do you think is going to be next up for punishment? Give us your thoughts.

How trusting are local authorities today with the cloud?

Cloud computing is a necessary direction for everyone in the public sector, as directed by central Government. In 2017, the leading industry body TechUK issued a peer paper called ‘Building Local Government Trust in the Security of Cloud’. In this, the widely held concern around the security of cloud services was addressed, providing information, advice and specific messaging for local authorities.

The drivers of the shiny digital future underpinned by cloud computing were identified as:

• Internet of Things (IoT)
• Mobile applications
• Big data analytics
• Artificial Intelligence (AI)

The opportunity of cloud adoption is to enable ready access to computing platforms, ‘on demand’, creating efficiency and cost savings, with flexibility to allow for greater innovation, productivity and operational effectiveness.

A GovNewsDirect survey in 2016 reported a growing concern over the security of data in the cloud. The counter was for organisations to use cyber security tools, solutions and educational initiatives to introduce secure cloud computing and inform the user.

General Data Protection Regulations (GDPR)
Added to this, GDPR in May 2018 made all organisations sit up and take notice around effective management and processing of data for EU citizens. With penalties of 4% of global turnover or €20 million for any breach, a more thorough and diligent approach has added to the configuration considerations for cloud architecture and storage.

Accepting a half-way house to cloud?
For many public sector organisations, a full-blown cloud migration is not feasible, often because of complexity around their legacy apps or workload types and the cost implications, as the ROI for cloud is poor. In this scenario, we are seeing and hearing greater noise around the hybrid cloud format, specifically Hyper-Converged Infrastructure (HCI) solutions. This on-premise hybrid solution has garnered advocates in the public sector as a viable and desirable way forward as part of their digital journey, better suited to workloads with higher GB volumes where performance is needed.

Digital vision, a budget to transform – mixed with a healthy dose of reality
For even the most progressive Councils in England, the drive to digital transformation comes with various challenges. Glyn Peach, Director of Digital Services & Corporate Programmes at Swindon Borough Council, commented to us: “As part of our Transformation Programme, Swindon has evolved a highly effective Software Defined Data Centre and we’ve made solid progress on front end citizen services, moving many services online and providing self-service capability. But true end-to-end user integration is still a little way off. We are seeing great opportunity in data analytics and assistive tech. This is starting to have an impact through our ‘Community Navigators’ programme supporting Adult Social Care and using preventative technology which can identify the risk of isolation and spot abnormal behaviour that may indicate a problem for the elderly in our care homes in Swindon. If we can more broadly implement interoperability opportunities and open systems, this will ultimately pave the way for common standards that in the long term will bring down the costs of new tech and save money for the taxpayer”.

Helpful tools

Cloud journey checklist
• Ensure your cloud service meets your organisation’s needs, aims and objectives securely.
• Understand what type of data is involved and what levels of assurance are required.
• Work with cloud providers who have their own independently audited compliance framework standards (e.g. ISO 27001, Cyber Essentials Plus, etc.).
• Use the latest cloud security technology to solve issues or business problems (i.e. around remote working or revenues and benefits).

Is it safe?  What information do you want to share with the cloud?
The levels of data privacy and security offered by different providers will differ depending on the type of information you are sharing when using a cloud service. Amicus ITS has a Cloud Services Framework to help organisations determine their own path. Take a look at our Cloud Assessment.

Glyn Peach added: “While the IT department may not handle the physical infrastructure or management of Shadow IT applications and services, IT does carry the burden of ensuring security and compliance for the corporate data that employees create and transmit through Shadow IT sources. This creates mixed feelings toward Shadow IT, as some enterprises are willing to embrace the innovation and increased productivity it can deliver, while others aren’t as willing to look past the increased risk of security and compliance complications of Shadow IT”.


Councils moving their infrastructure to cloud is a positive first phase. Embarking on the path of true digital transformation is a second, far larger project, which requires input from everyone and a re-examination of the entire way of doing business. It is exciting, though, and both parts of the journey rely on careful planning, a strong strategic vision, good leadership, buy-in from the board, plus trusted partnerships: first in fostering and directing the talent of in-house IT teams, and then in identifying the areas where further support or specialist technological solutions are needed to drive higher performance, enablement and ROI, adding new frontiers of value that come with our brave world of tech.

Q: What has been your experience of cloud migration? Has your organisation been able to make the leap to digital transformation, or is this part of a longer strategy which has either started or is being planned?


You have been told…. GDPR is not Y2K

The Information Commissioner made an interesting observation about GDPR in her end of year summation on 22nd December 2017.

Elizabeth Denham commented that some businesses held the false perception that GDPR was on a par with the Y2K Millennium Bug worry that all systems would fail, which festered amongst businesses in the run up to New Year’s Eve 1999.

In a view which Amicus ITS shares, she commented that organisations that had taken steps to prepare for GDPR should not be concerned. This follows a notable increase in scaremongering stories, and also profiteering activity, during 2017 around ‘GDPR solutions’.

Ultimately, companies have had two years to prepare for GDPR, all the details are known (unlike with Y2K), and 25th May 2018 is simply the date the legislation takes effect.

However, the identification of risks, understanding and good data management (accompanied by transparency to explain and communicate individuals’ rights) will, the ICO believes, create a sea change of positivity over time, as organisations catch up and apply the appropriate security to keep data safe.

Being committed to good process measures and demonstrating accountability for data management will, for Amicus ITS’ Director of Technology & Governance JP Norman, create a clear sign of assurance, competence and insight, especially valuable for IT Managed Service Providers. “For an MSP, the word ‘solution’ is a dangerous thing in relation to GDPR. There is no panacea. GDPR is essentially about a collection of measures diligently applied to fully understand and map how data comes into an organisation, where it is held, where it goes to – and then ensure it is safely protected and managed appropriately at all times in an open and transparent manner for stakeholders”.

See JP Norman’s interview and thoughts on GDPR for CRN, as part of their expert European panel, and download the e-book for more information: http://view.ceros.com/incisive-media/solarwinds-gdpr-1/p/3

GDPR (EU data protection) from an HR perspective

The GDPR will replace the mixed blend of 28 different EU Member States’ laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonisation throughout the EU. Its main objectives are threefold:

1. The GDPR increases the rights for individuals.
2. It strengthens the obligations for companies.
3. The GDPR dramatically increases fines in case of non-compliance, up to €20m (£17m) – or up to 4% of total worldwide annual turnover.

What important changes should be on your HR team’s radar?

1. Consent – Under GDPR an employee’s consent remains a legitimate basis for processing his or her personal data. However, such consent must be “freely given, specific, informed and unambiguous” and clearly “distinguishable”. Further, it is important that the employee is able to withdraw their consent as easily as they gave it in the first place. In light of the clear stipulations around the form that the employee’s consent must take, it is highly unlikely that blanket data protection consent clauses in contracts of employment and policies will suffice.

2. Subject Access Requests – The right of employees to request information about the personal data processed by the employer remains broadly the same. However, under GDPR the starting position will be that the employer must respond to a request without undue delay. The current 40 days will be replaced by 30 days. The £10 fee some companies levy for making the request will be abolished.

3. New (and enhanced) Rights – GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will be armed with a suite of so-called “delete it, freeze it, correct it” rights which are aimed at giving them more control (in certain circumstances) over how their personal data is processed.

4. Data Breach Notification – In the UK employers must notify personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. The term ‘personal data breach’ covers a plethora of common workplace mistakes such as a laptop or file left on a train or an e-mail sent to an incorrect address. It is important to remind employees that even apparently minor incidents must be reported internally if data has been lost or compromised.

5. Routine CRB Checks – Enhanced DBS checks will still be permitted; however, if employers adopt a routine policy of conducting DBS checks on all employees regardless of role and whether or not there is an English legal requirement to that effect, this may be unlawful under the GDPR. Although standard and enhanced DBS (Disclosure and Barring Service) checks will still be permitted under GDPR, employers (as it currently stands) will not be able to conduct routine basic DBS checks on all employees (unless their role requires them to be security cleared).

GDPR has already started to appear in the CJEU’s (Court of Justice of the European Union) soft case law (AG Opinion in Manni)
The recent judgment of the CJEU in Case C-398/15 Manni (9 March 2017) brings a couple of significant points to the EU data protection case law:

• The court clarifies that an individual seeking to limit the access to his/her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his/her company ceased to exist;
• The court clarifies that the individual has the right to object to the processing of that data, based on his/her particular circumstances and on justified grounds.

Organisations should be checking that all their HR staff are fully engaged on GDPR to ensure there is a comprehensive grasp of the responsibilities and actions required ahead of implementation. How ready is your HR department? Let us know.


ICO starts to bare its teeth ahead of GDPR as fines start ramping up

New research from PwC reveals that the Information Commissioner’s Office (ICO) levied 35 fines in 2016 for breaches of the Data Protection Act (DPA). This is almost double the 18 fines from the year before.

Those fines totalled £3.2 million, which makes the UK the most active country in Europe in terms of regulatory enforcement of data protection laws. The next most penalised country was Italy (£2.86 million). However, figures across Europe pale in comparison to the US, which sees far more incidents and whose regulators can issue much larger fines. PwC reports that US organisations were fined a total of approximately $250 million (about £193 million) in 2016.

Preparing for the GDPR
The gap between US and EU regulatory powers is set to shrink when the EU’s General Data Protection Regulation (GDPR) comes into effect next year. From 25 May 2018, all organisations that process EU residents’ personal data must comply with the Regulation, or they’ll face fines of up to €20 million (about £17.4 million) or 4% of their annual global turnover – whichever is greater.

This is much higher than the current limit for EU regulators. For example, the maximum fine that the ICO can currently issue for a breach of the DPA is £500,000 – although it is yet to do so. The largest fine a UK organisation has received for a breach of data protection laws has been £400,000, which was levied against Keurboom Communications in May 2017 and TalkTalk last year.

PwC addressed the arrival of the GDPR in its study. The company’s global cyber security and data protection legal services lead, Stewart Room, advised UK organisations to use the next year to prepare for the GDPR, adding: “We’ve performed more than 150 GDPR readiness assessments with our clients around the world. Many struggle to know where to start with their preparations, but also how to move programmes beyond just risk reviews and data analysis to delivering real operational change”.

It’s impossible to ignore the impact of legal and regulatory change in this area in recent years. The GDPR has already been a force for good by bringing the issue to much wider attention. After all, who can argue against what is essentially a code for good business, where privacy by design becomes part of everyday operations?

Disaster for Three Mobile as huge data hack is disclosed


News has emerged today that one of Britain’s biggest mobile phone companies has suffered a huge breach of its systems, exposing an estimated six million user account details to compromise. This represents two thirds of the company’s customer base.

The intrusion is believed to have been carried out using an authorised employee login, through which the hackers were able to access the customer upgrade database.

A spokesman for Three said, “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices. We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity”.

Three added that the data accessed included names, phone numbers, addresses and dates of birth, but did not include financial information. Customers whose data has been affected have not yet been informed at this time. However, the speed of the response is indicated by the revelation by the National Crime Agency that it is investigating the breach and that three people have already been arrested, two for computer misuse and one for perverting the course of justice.

With the Chancellor, Philip Hammond’s, speech at the beginning of November calling on companies to do more to protect their customers against cyber crime after the series of high-profile breaches in the last few years, and with GDPR on the horizon, the commercial imperative for businesses to put stronger security measures in place shows that the need for diligence in compliance is greater than ever.

As part of its ongoing efforts to keep its customers and regional businesses best informed, Amicus ITS has been conducting a series of cyber security roadshow events to help inform and educate businesses in the region. The next one is on Thursday 24th November 2016 at its headquarters in Totton.