Brian Pennington

A blog about Cyber Security & Compliance

Tag: European Union

Reaching the Cloud Era in the European Union

The EU28 Cloud Security Conference “Reaching the Cloud Era in the European Union” brought the current cloud landscape to the foreground. The aim of the conference was to bring together practitioners, academics and policy makers to discuss the level of cloud computing security in the context of current and future policy activities. The conference included presentations and panel debates on legal and compliance issues, technical advancements, privacy and personal data protection, critical information infrastructures and cloud certification.

During the conference the important role of cloud computing was acknowledged for the development of the digital economy in Europe. Cloud computing is becoming essential for users, including individual consumers, businesses and public sector organisations. However, recent figures indicate that users’ concerns on cloud security are still the main barrier to the adoption of cloud services in Europe.

Key conclusions highlight that:

  • There is a need to raise awareness and educate users and SMEs on cloud security, to encourage safe and responsible use of cloud services. “Informed customers” should be able to ask the right questions of providers and understand where their responsibilities lie, and SMEs should understand that they are co-responsible for the security of the cloud services provided. A risk assessment culture applicable to all should be nourished. Transparency of cloud services must be improved by implementing continuous monitoring mechanisms, increasing accountability through evidence-based assurance solutions, and certification, keeping in mind that one size does not fit all. Rapid, context-based sharing of incident information within industry sectors will also enable collaborative information security able to respond quickly to the changing cybersecurity landscape.
  • There is a need for flexible policy approaches towards cloud security to allow further technological advancements. Within this framework co-regulatory and self-regulatory initiatives should be supported, and technology-neutral legal guidelines and obligations based on principles should be created, to allow for flexible solutions. Europe-wide solutions should be encouraged.
  • Data protection is an important element to be considered. Implementation of existing rules and techniques should be encouraged and this information should be shared.
  • Governmental clouds bring benefits to cloud security. There is space to strengthen cooperation and define clear procurement guidelines built on cooperation between industry and public sector. Furthermore, customised solutions based on the needs of each country and sharing of best practices can be encouraged.
  • Cloud benefits from an open market. Meanwhile discussions are required on security in relation to data location requirements, foreign jurisdiction and access to European data.
  • As cloud usage for critical sectors is increasing there is a need for elaborated security measures and specific risk assessment techniques addressing each critical sector’s needs.

Furthermore, cloud security was discussed in relation to the recent regulatory and policy initiatives, such as the ongoing data protection reform, the proposal for a Network and Information Security directive, cloud computing communication and the Digital Single Market strategy. There was consensus that further policy actions on cloud security could support trust and confidence in cloud services by addressing the key findings and issues deriving from the conference.

An update on the progress of the European Data Protection Act

At last week’s Information Commissioners Data Protection Officers Conference in Manchester I had the privilege of being updated on the progress, or lack of progress, of the revised European Data Protection Act.

With the existing directive dating back over 17 years an upgrade is well overdue, but there is significant pressure from businesses to water down any revisions to the directive.

A watered-down directive does not serve anyone, neither the privacy campaigners nor those with commerce in mind, because breaches are happening far too often and breaches affect consumer confidence.

This means the larger retailers should be supporting stronger Data Protection controls so the smaller, less funded or less skilled businesses have the detailed controls and the incentives to put privacy and security first.

In the main hall and in the breakout room there was constant reference to thinking about the issues before systems and processes are put in place. The two terms used were:-

  1. Privacy by Design
  2. Security by Design

Both Privacy by Design and Security by Design are essential for consumer confidence because they are demonstrable actions organisations can refer to when dealing with the users of their data.

Françoise Le Bail of the EU Commission stated that “23% of users feel they do not have complete control of their data when shopping online”. In other words almost a quarter of those who buy online are suspicious of the people who want to take money from them. If those statistics were applied to bricks-and-mortar retailers the high street would look a lot worse than it does now, and it already looks pretty bad.

Françoise Le Bail also stated that the EC’s priorities for the Act are:-

  • The architecture of the framework
  • Key provisions to include all personal data and consent
  • A more risk based approach – proportionality
  • Data Protection Offices are needed
  • A consistent European wide level of governance
  • Support for authorities by providing training and not just fines

David Smith the UK Deputy Information Commissioner stated the UK was not 100% in favour of the current draft proposals but the UK was largely supportive.

David Smith had a list of items that were favoured including:-

  • Improved consistency across Europe
  • Enhanced Individual rights
  • Code of conduct and certification

However, the UK is looking for additional items to be added and a clarification on others, for example:-

  • The UK wants a more “risk” based approach to personal data
  • Individual compensation should not be restricted to monetary loss. It should also take into account aggravation and heartache.
  • Data Protection training needs to be added to the school curriculum
  • There are two proposals in place by the EU and the UK doesn’t want any more than that. The two proposals are Law Enforcement and everyone else.

Other items of note

  • The date for the Act to be passed is likely to be June 2014 with enforcement two years later in 2016
  • The 24 hour mandatory breach notification is likely to slip to 72 hours
  • The maximum 2% of global turnover is likely to be approved but some members of the commission are pushing for it to be 10%
  • Right to be forgotten is a big problem due to the nature of what can be forgotten and what should never be forgotten
  • Data Portability is both a target for Europe and a problem and negotiations are on-going with the US and other nations on cross border data sharing.
  • MiData now has 26 signed up companies and the drive for more is growing

Other blog posts on the subject are below:-

EU Commission proposes a comprehensive reform of the Data Protection rules

This week the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and to boost Europe’s digital economy.

The press release states:

Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said EU Justice Commissioner Viviane Reding, the Commission’s Vice-President. “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights in the future. They include a policy Communication setting out the Commission’s objectives and two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Key changes in the reform include:

  • A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year, the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.

The official press release was a short summary of what will be debated by the politicians. For a more detailed summary, based upon the January 2012 release and other research, read my May 2012 post “Proposed European wide Data Protection Act – a review”.

As for the politicians debating the Act before passing it into law, it is worthwhile reading the post “The Information Commissioner provides an update on the European Data Protection Act”.

It is disappointing that the delays will see the revised Act and the improvements in Data Protection and Privacy not being enforced until 2015.


The Information Commissioner provides an update on the European Data Protection Act

David Smith, the UK’s Deputy Commissioner of the Information Commissioner’s Office, has commented on the progress of the revised European Data Protection Act.

Put simply, the proposals could prove to be one of the biggest changes to data protection this country has ever seen. Against that backdrop it is no surprise that we’ve been monitoring events in Europe closely, looking at how the initial reform proposals, published by the European Commission in January 2012, might be brought into law.

The process by which this proposal might become UK law is not a simple one, as our overview of the whole process shows. The crucial next step is for the European Parliament and the Council of the European Union to look at this separately before coming together to approve a final text.

The European Parliament is where the MEPs sit, some 736 of them from across Europe. Much like our own Parliament, the MEPs will sit on several committees. There are five committees directly involved in looking at the data protection reforms: JURI (legal), ITRE (industry), IMCO (internal market and consumer protection), EMPL (employment) and LIBE (civil liberties). LIBE is the ‘lead’ committee. All committees will submit their own amendments before negotiating a consolidated Parliament view which is expected in late April.

While that is happening, the council are also looking at the reforms. The council is made up of relevant ministers of each member state with responsibility for the issue at hand, although for practical purposes much of the work is done by government officials. For the data protection reform, the UK’s Ministry of Justice takes charge of the regulation, but works closely with the Home Office on the issue of the directive that will apply to law enforcement agencies. The subgroup of the council dealing with this issue is called DAPIX (Data Protection and Information Exchange) and is chaired by the Presidency of the Council – currently Ireland. The ICO has a key role in advising the Ministry of Justice throughout these discussions.

At the time of writing, the parliamentary committees are well advanced in considering their compromise amendments on both parts of the package. The council, however, has not finished its first round of amendments. Nevertheless, with a timetable to adopt the new rules by the end of June – the end of the Irish Government’s presidency – this is one of the top priorities. The presidency is scheduling in more meetings to ensure that the negotiations can be completed as quickly as possible, to try to keep everything on track.

Once both the parliament and the council have their consolidated views in what is known as the ‘First Reading’, they will need to negotiate, possibly over the summer if things go well, to get an agreement on the text. Failing this, they will move to the ‘Second Reading’ and further negotiations.

Some of that negotiation will be around whether the reforms are in the form of a regulation, which will apply directly in every EU Member State, or a directive, which will need to be transposed in a more flexible way into national law. The proposal is for a general regulation with a directive specifically for the criminal justice sector. However there is speculation that this directive will be put on the back burner. This coupled with a move, which we and other data protection authorities are resisting, to confine the regulation to the private sector and develop a new directive to cover the public sector leave the outcome uncertain. Currently both the proposed regulation and the proposed directive allow two years for implementation following their coming into force. However experience suggests that because of its direct effect, implementation of any regulation will, in practice, come more quickly than implementation of any directive.

In total, this means that the reform process will have taken around six years since the European Commission started its reflections on the matter. While this sounds like a long time we must remember that there are 27 Member States around the negotiating table; that’s at least 12 more than those negotiating our current framework which resulted in the Data Protection Act 1998! Even then the timescale is ambitious. Not many people expect agreement in June this year, but there is an imperative to get a package adopted by 2014 when the European Parliament and the commission are due for re-appointment.

Crucially, the ICO has been involved throughout, and from several angles. It is extremely important that we, as the responsible regulator, pay attention at this crucial point in negotiations to what the proposals say, understand how they might affect the UK and use what influence we have to achieve a sensible outcome for individuals and businesses alike.

We recently published some of our thoughts on the latest developments which we passed to MEPs and other stakeholders. This builds on our initial analysis which we published last year to provide a core reference point explaining our views on the reforms.

In summary the Act is coming in 2013, but it is imperative that the Act comes because at the moment there are so many essential things missing, for example mandatory disclosure of breaches and compulsory data officers for all companies over 250 employees.

Let’s hope they resolve it soon.

Europol reveals €1.5 Billion in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals

Europol’s Situation Report for Credit Card Fraud 2012, which summarises fraudulent activity for credit cards across Europe, is a very interesting read. It explains how the criminals act, what types of techniques they use and why the Law Enforcement Agencies struggle to catch them.

A summary of the Europol report is below.

  • The criminal market of payment card fraud within the European Union (EU) is dominated by well-structured and globally active organised crime groups (OCGs). Criminal networks have managed to affect non-cash payments in the EU to the extent that protection measures are very expensive and need to be implemented on a global level. Consequently, the use of payment cards can be inconvenient and no longer fully secure for EU cardholders.
  • Payment card fraud is a low risk and highly profitable criminal activity which brings organised crime groups originating from the EU a yearly income of around €1.5 billion. These criminal assets can be invested in further developing criminal techniques or can be used to finance other criminal activities or start legal businesses.
  • The EU is increasingly exposed to the threat of illegal transactions undertaken overseas and should develop more efficient solutions to help law enforcement authorities (LEAs) combat the fraud. Europol, gathering intelligence on fraudulent overseas transactions affecting the EU, as requested by competent authorities of Member States (MS), is not entitled to cooperate with non-EU police forces or request specific measures to help combat and prevent fraud against the EU.
  • The majority of illegal face-to-face card transactions affecting the European Union take place overseas, mainly in the United States. The EU should take urgent measures to promote the EMV standard as a global solution against the counterfeiting of payment cards. As full EMV implementation will take time, a temporary solution could be applied, namely the implementation of GeoBlocking, blocking overseas transactions using EU-issued cards unless they have been activated in advance.
  • Common European legal solutions for the security of on-line retail payments (internet, mobile), as well as the mandatory reporting of financial data breaches, should be considered to prevent fraud affecting EU citizens. Prevention and combating card-not-present (CNP) fraud requires specific regulations on the customer’s identification (3D secure protocol) and security of the on-line payment environment. The role of the European Central Bank and Europol is crucial to present the problems and propose specific solutions.

Security of non-cash means of payment is a key factor in the economic stability of the European Union

According to statistics, the total number of payment cards issued in the EU in 2011 reached 726,906,710.

The value of legitimate non-cash transactions with EU cards exceeded 3000 billion euros. From a security perspective, EU industry has taken an important step forward by fully implementing the EMV (chip-embedded cards) standard for card-present (CP) transactions, and is advanced with the protection of on-line transactions through the strong identification of customers (3D secure).

Banking institutions are profit-making businesses, so reducing the illegal income of criminals is not always a priority for them when introducing new banking products or services.

Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards. With the current global nature in which the banking sector and non-cash transactions operate, security measures in place on a regional (EU) level are not sufficient and have been exploited by criminal networks.

The illicit activities and fraudulent transactions of OCGs performed outside the EU have affected the security and convenience of non-cash payments in Europe and have consequently caused substantial losses to the EU economy.

This report is based mainly on data provided by law enforcement agencies from EU Member States and some cooperating non-EU States. The figures and latest trends were identified based on information from:

  • The European Central Bank
  • European Payments Council
  • European ATM Security Team (EAST)
  • Card schemes
  • Fuel Industry Card Fraud Investigation Bureau (FICFIB)
  • “Some” card issuers (note: why not all?)

Since criminals affect both physical transactions with payment cards (shops, ATMs), and the internet environment, for the purpose of this report payment card fraud is divided into card-present (CP) fraud and card-not-present (CNP) fraud.

The implementation of EMV (Chip and PIN) technology in the European Union is seen as the key driver to reducing domestic payment card fraud. It should be stressed that cardholders’ confidential data is more secure on a chip-embedded payment card than on a magnetic strip card. Chip-embedded cards support dynamic authentication, requiring dynamic values for each transaction, and cannot be easily copied. The EMV card is considered to be well protected against skimming.

As the EU banking industry migrates to the EMV environment, losses caused by illegal domestic transactions in the EU have gradually decreased since 2008. However, at the same time, the level of illegal transactions overseas has seen a sharp increase. In 2011, almost all fraudulent face-to-face transactions with EU cards took place overseas. This phenomenon is determined by the level of technical protection of EU payment card terminals: ATM and Point-of-Sale (POS) terminals are fully EMV compliant. In response, criminal networks have targeted the weak points of the system and have undertaken criminal activities using non-EMV compliant terminals overseas. Due to this phenomenon, and the lack of specific agreements on reimbursement of losses caused by less protected terminals, the majority of the loss burden caused by this fraud falls on the EU card issuers, which are specific banks in the EU.

Europol note that “there has been no specific solution to this problem proposed by the card industry”.

There are several countries operating as a substantial market for illegal transactions with counterfeit EU cards. The problem of illegal transactions in the US has been reported to Europol by all 27 EU Member States. There are also other locations where criminal groups with EU origins are cashing counterfeit cards.

The top six locations are:

  1. United States
  2. Dominican Republic
  3. Colombia
  4. Russian Federation
  5. Brazil
  6. Mexico

This trend has led to a situation in which, even after huge investments by the EU banking industry to install hardware and software to accept EMV cards, the problem has become even bigger, as it is extremely difficult to prevent and investigate crimes committed outside of EU borders.

The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant.

As a short term solution, in October 2010 Europol and the European Central Bank recommended that all SEPA (European-issued) cards should be EMV (chip-embedded) only. The first Member State to follow this recommendation is Belgium, where debit cards have chips embedded and the magnetic strip is no longer active. This solution, called GeoBlocking, in practical terms limits the possibility to misuse debit cards in regions without Chip and PIN verification. The implementation of GeoBlocking has been extremely positive from a security point of view with significant falls in skimming incidents and skimming-related losses (a decrease to almost zero in Belgium).

It should be stressed that there are some constraints to such solutions. The baseline for branded cards is that the cards are accepted globally. From this perspective the chip-only cards are not in line with this policy. The use of GeoBlocked cards is also less convenient for card holders as the card must be activated every time before travelling to non-EMV compliant countries. According to a research poll carried out by EAST, 60% of customers would be in favour of the GeoBlocking solution, including 28% of respondents who would be happy to contact their banks to activate the magnetic strip on their cards, and 12% who would like to hold a chip-only card.
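As an added illustration of the issuer-side rule the report describes (this is example code, not from Europol or from the original post), the following Python sketch declines magnetic-stripe card-present transactions outside EMV-compliant countries unless the cardholder has activated the stripe in advance for that destination and period. The country set, the card and transaction fields and the sample data are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption for illustration: countries whose terminals are treated as fully
# EMV (Chip and PIN) compliant. Not an official SEPA list.
EMV_COMPLIANT_COUNTRIES = frozenset({"BE", "DE", "FR", "NL", "IE", "GB", "ES", "IT"})


@dataclass
class TravelActivation:
    """Window in which the cardholder has asked the issuer to allow
    magnetic-stripe use in the named non-EMV countries (hypothetical record)."""
    countries: frozenset
    valid_from: datetime
    valid_to: datetime

    def covers(self, country, when):
        return country in self.countries and self.valid_from <= when <= self.valid_to


@dataclass
class Card:
    pan_token: str                      # tokenised reference, never the real PAN
    chip_only: bool = True              # GeoBlocked card: stripe inactive by default
    activations: list = field(default_factory=list)


@dataclass
class Transaction:
    card: Card
    terminal_country: str               # ISO 3166 alpha-2 of the acquiring terminal
    entry_mode: str                     # "chip", "magstripe" or "keyed"
    card_present: bool
    amount_eur: float
    timestamp: datetime


def geoblock_decision(txn):
    """Return (approved, reason) for a single authorisation request."""
    if not txn.card_present:
        # CNP traffic is outside GeoBlocking scope; 3D Secure is the control there.
        return True, "card-not-present: not subject to GeoBlocking"
    if txn.entry_mode == "chip":
        return True, "chip transaction: dynamic authentication"
    if txn.entry_mode != "magstripe":
        return False, "unsupported entry mode for card-present"
    if not txn.card.chip_only:
        return True, "magstripe allowed: card is not GeoBlocked"
    if txn.terminal_country in EMV_COMPLIANT_COUNTRIES:
        # Assumption: a stripe fallback inside an EMV region is treated as a
        # skimming indicator and declined rather than allowed.
        return False, "magstripe fallback inside EMV region: declined"
    for act in txn.card.activations:
        if act.covers(txn.terminal_country, txn.timestamp):
            return True, "magstripe allowed: travel activation covers " + txn.terminal_country
    return False, "GeoBlocked: no activation for " + txn.terminal_country


def sample_transactions():
    """Constructed sample cards and authorisations (not data from the report)."""
    now = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
    traveller = Card("tok-1111", activations=[
        TravelActivation(frozenset({"US"}), now - timedelta(days=1), now + timedelta(days=14))])
    stay_home = Card("tok-2222")
    legacy = Card("tok-3333", chip_only=False)
    return {
        "chip_in_be": Transaction(stay_home, "BE", "chip", True, 40.0, now),
        "stripe_in_us_activated": Transaction(traveller, "US", "magstripe", True, 120.0, now),
        "stripe_in_us_no_activation": Transaction(stay_home, "US", "magstripe", True, 120.0, now),
        "stripe_in_mx_wrong_country": Transaction(traveller, "MX", "magstripe", True, 80.0, now),
        "stripe_after_window": Transaction(traveller, "US", "magstripe", True, 80.0,
                                           now + timedelta(days=30)),
        "fallback_in_de": Transaction(stay_home, "DE", "magstripe", True, 20.0, now),
        "legacy_card_us": Transaction(legacy, "US", "magstripe", True, 60.0, now),
        "online_purchase": Transaction(stay_home, "US", "keyed", False, 200.0, now),
    }


def evaluate_samples():
    """Map each sample name to its approve/decline outcome."""
    return {name: geoblock_decision(txn)[0] for name, txn in sample_transactions().items()}


if __name__ == "__main__":
    for name, txn in sample_transactions().items():
        approved, reason = geoblock_decision(txn)
        print(f"{name:28} {'APPROVE' if approved else 'DECLINE':8} {reason}")
```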

This compromise is the price that card issuers and card holders pay as a result of the criminal activities of organised networks. It can be concluded that organised criminal groups have already managed to affect the EU payment card market to the extent that the use of cards is not cheap for card issuers and is less convenient for cardholders.

Investigations into card-present (CP) fraud
Industry reported an increasing number of incidents against ATMs in the EU: 20,244 in 2011 compared to 12,383 in 2010.

The statistics include all types of attacks against ATMs, including:

  • skimming
  • using stolen cards
  • physical traps to obtain cash

According to reports provided by EU law enforcement authorities, organised crime groups adjust their profiles and criminal techniques relatively quickly and smoothly. Not only can they produce skimming devices to bypass the latest anti-skimming technology but they also explore new possibilities, including cash traps, prepaid cards or malware, as a source of cash and card data.

Most criminal structures operate internationally so cross-border cooperation is a key to final success. Taking into account that suspects use specific countermeasures, corrupt police officers and hire the best lawyers, investigative measures in such cases are very difficult. The criminals’ use of sophisticated technical equipment forces investigative teams to cooperate closely with forensic experts, who can decode information and analyse seized electronic storage devices. Unfortunately, in most of these cases, investigative measures focus on the criminal activities taking place in the European Union. Law enforcement agencies and judicial authorities, being limited by legal provisions, time frames and financial restrictions, can rarely investigate fraudulent transactions performed overseas.

In practical terms, investigative measures rarely lead to dismantling the whole criminal structure. Judicial authorities press charges mainly for the part of the criminal activities that are performed in the EU, which is usually considered as the preparatory stage and not always associated with any financial losses. Consequently, in the majority of such cases the sentences are relatively lenient and suspects can leave jail on bail. Even if some criminals from an OCG are arrested for a period of time they can be easily replaced by others so that the criminal group is still active.

In June 2011 a global operation, ‘Night Clone’, was brought to a successful conclusion with almost 70 suspects arrested in the EU and overseas. The operation had a very big impact and for several months the illegal activities of many other OCGs ceased.

Card-not-present (CNP) fraud
Payment card data is the ideal illicit internet commodity as it is internationally transferable. Europol, in its report on Internet Facilitated Organised Crime concluded that organised crime groups clearly benefit from globalisation, using foreign payment card data to purchase goods and services on-line. Credit card information and bank account credentials are the most advertised goods on the underground economy’s servers.

According to Europol’s intelligence, in 2011 around 60% of payment card fraud losses, totalling 900 million euros, were caused by card-not-present (CNP) fraud.

Within the major card-not-present fraud investigations supported by Europol, the main sources of illegal data were data breaches, often facilitated by insiders and malicious software. In most of these cases the quantity of compromised card details is substantial, reaching hundreds of thousands or millions, enabling criminals to sell the bulk data on the internet.

So far most of the credit card numbers misused in the EU have come from data breaches in the US. However, since 2010, Europol have observed a growing number of financial data breaches against EU-based merchants and card processing centres. Most of the investigations into these breaches are based on information on illegal transactions carried out using compromised cards, as the reporting of such attacks by the affected companies is still a weak point.

A major problem in the EU is the lack of proper regulations for reporting data breaches to police authorities. Law enforcement agencies, even if aware of a breach, have difficulties finding information on, and links to, the point of compromise, stolen data and illegal transactions. The lack of legal provisions on reporting data breaches is not the only problem. One of the key factors making industry reluctant to report incidents to law enforcement authorities is the lack of trust in investigative possibilities as well as the need to maintain the reputations of the respective private entities. On the other hand, the lack of reporting leads to a small number of international investigations and a low level of prioritisation of such cases within LEAs. The problem ends up with the situation where, despite a dynamic increase in CNP fraud, it is not reflected in the statistics of cases reported and investigated by EU police forces. Consequently, since the problem is not reflected in police statistics, this phenomenon is not prioritised and it is difficult to initiate international cooperation in such cases.

From the security perspective, as with the security of face-to-face transactions, there is a lack of common global standards on the protection of card-not-present transactions. Major investments by EU industry have been made in the 3D secure protocol (MasterCard secure code; verified by VISA). However, despite this strong 3D secure verification, it is not a worldwide solution and, even on the EU level, not all on-line transactions are protected with it.

Investigations into CNP fraud, and into the data breach that is its initial stage, are typically very demanding. As identified by Verizon, such cases are usually quite large and complex, often involving numerous parties, inter-related incidents, multiple countries and many affected assets. In addition, as stated earlier, the majority of such cases are not reported to LEAs, as industry mainly focuses on preventive measures rather than relying on the outcome of investigations. The results of internal inquiries are used to improve security measures and rarely focus on identifying the individuals responsible for the breaches.

Investigations into illegal on-line card transactions affecting the EU are mainly concerned with:

  • illegal ordering of high value goods on the internet
  • combating networks of mules set up to receive and transfer goods ordered on the internet
  • illegal transactions – purchases of services from travel companies/airlines
  • physical transactions with counterfeit credit cards – with data sourced from the internet
  • investigations into OCGs from the Baltic states and South East of Europe
  • the proper coordination of information – where possible, data breaches should be linked to illegal transactions
  • asset seizure – the network of mules must be mapped in order to locate the entry/exit points of goods

EU Member States reported many constraints and challenges faced during such investigations. The lack of legal provisions for reporting on-line incidents and data breaches, which are usually of an international nature, creates problems in individual cases under the responsibility of the respective MS, including the ability to connect illegal transactions reported by other countries and decisions on the place of final prosecution. The global dimension of the problem, and the protection of financial and personal data, is a major obstacle as far as the efficiency and time-frames of investigations are concerned. From a practical perspective, the involvement of Russian-speaking, well organised and hermetic structures causes huge problems with regard to infiltrating individuals and collecting evidence on their criminal activities. Since the majority of criminal activities are on-line, the best solution is to task specialised cybercrime teams with such cases.

As there is still little experience of card-not-present fraud cases in which data breaches and illegal transactions make EU companies and consumers the key targets, the role of Europol is crucial: to analyse information and disseminate strategic and operational intelligence, ultimately ensuring the efficiency of investigative measures.

Europol Summary of Credit Card Fraud in 2012
The financial crisis has had a big impact on the approach of private financial services companies and LEAs. Currently, all decisions are thoroughly scrutinised and assessed from an economic and ‘priority’ perspective.

Private industry focuses in the first instance on products and services which bring profit. Such companies can accept a certain level of fraud without making any effort to identify the individuals responsible for it. From the law enforcement perspective it is increasingly suggested that, since losses caused by payment card fraud can easily be covered by private industry, there is no point in investing resources in investigations. The problem is even bigger because investigations must be performed at an international level, so the investment must be higher and comes with no guarantee of final success or seizure of assets.

All that leads to the dangerous situation in which the illegal income of members of organised crime groups, reaching 1.5 billion euros a year, is not identified and recovered. It seems that the EU response to the payment card fraud problem is not harmonised or fully supported by all actors: card schemes, card issuers, processing centres, law enforcement agencies and judicial authorities.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, they have not yet been well analysed, but there are doubts about whether their implementation will be properly coordinated and standardised so as to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should not only lead to the security of non-cash payments but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined on the basis of such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take the necessary steps to increase knowledge and awareness of the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important in coordinating investigations and ensuring the efficiency of prosecution and asset seizure in such cases.

Proper coordination of information processing and reporting to the involved countries is critical for efficient investigations. A centralised database is very important to link members of criminal networks, fraudulent incidents and investigations. Europol, having a specialised team with an existing operational database and a newly-created technical platform, can play an important role in such cases.

The missing links that remain are the legal solutions on cooperation with non-EU States, and on the communication of data with non-EU States and with private industry.


Proposed European wide Data Protection Act – a review

Over the last few months I have attended several conferences and read a lot of research on the proposed upgrade of the European Commission’s 1995 Data Protection Act and have found it fascinating: the rumours, the speeches, the headlines and, of course, the lack of clarity on how the major issues will be dealt with in the real world.

EU Justice Commissioner Viviane Reding, the Commission’s Vice-President, said:

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,”

“The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

Do not get me wrong, I am 100% in favour of a consolidated European Data Protection Act, because ambiguity in one country leads to breaches in another, and that is not good for business or for the privacy of individual citizens.

After all the consultations and feedback the big development was the leaking of a draft EU Data Protection Act document at the end of 2011. The draft provided concrete evidence to substantiate the rumours and speculation about the requirements and likely fines and provided confirmation about the direction the Act was heading.

The Act is heading in the right direction, but some of the points were always likely to be contentious, for example the “Right to be forgotten” and “all businesses with 250+ employees needing a Data Protection Officer”. There are others, but I will cover them later in the post.

One thing is obvious: a consolidated European Data Protection Act has polarised people into one of four camps:

  1. Those concerned with the privacy of the citizen who want more restrictions and tougher sanctions.
  2. Those concerned about the impact and cost to businesses who want less restrictions and lower sanctions.
  3. Those who have to translate and ultimately enforce the Act, and try to stop it becoming another Human Rights Act…! They want a simple and coherent Act that is easy to enforce without a constant stream of lawyers muddying the waters.
  4. Those citizens who, in the main, do not have a clue what is being done in their name, and there are 500 million of them.

Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, believes the proposed EU-wide Data Protection Act will save European businesses €2.3 billion annually whilst protecting the privacy of European citizens.

Great, everyone wins. Or do they?

The majority of the savings will probably benefit businesses that currently have to cope with the 27 differing Data Protection Acts operated across the EU member states. However, if you are a small business operating in only one or two countries, you may struggle to benefit financially from the consolidation.

The impact on the local Data Protection Authority (DPA), which in the UK is the Information Commissioner, is likely to be massive, which means they will need more staff to accommodate and enforce the new requirements, which in turn means the individual states will have to spend more money.

Why will there be a massive impact? There are several reasons, but one in particular stands out as an administrative nightmare: if Personally Identifiable Information (PII) relating to a European citizen is transferred outside the boundaries of the EU, the local DPA has to be informed. How many times this will need to be done is hard to calculate, but how much data goes to the call centres in the Philippines? With 600,000 Filipinos employed in call centres it is going to be a lot. Then there is the data processing in India, data translation in America, disaster recovery contingencies across the globe, cloud computing (where is the cloud?); the list of possibilities is endless.

The EU Commission is mindful of these implications and is discussing how some specific actions can be taken into account when defining the final draft. Three specific areas they are looking at are:

  1. Binding corporate rules on what, where and how.
  2. Sectoral adequacies, and the continuation of the Safe Harbour Agreements.
  3. Existing mechanisms such as contractual clauses that are broadly used on both sides of the Atlantic.

Using the UK as an example, last year the UK Information Commissioner’s Office (ICO) handled 30,000 complaints, and with the proposed requirements on businesses that number could easily quadruple. You could say “some of the 30,000 complaints lead to convictions and fines, and that could pay for the increased costs of operating the new Data Protection Act”; on the face of it you are correct, except that the fines are collected by the UK Treasury and are not handed to the ICO. If the fines were passed over then the process could be self-funding.

On the 3rd May 2012 Viviane Reding announced the intention to conduct a funding review of all DPAs and then to lobby Governments for the correct funding in each country; she believes that if the levied fines were pointed in the right direction they could become a revenue generator for the country:

“the national data protection authority can even be a good investment as it can bring additional revenue for the Member State due to the fact that the main establishment is located in its territory. Such extra revenue and wider benefits can come from tax income, newly created jobs, and the collection of administrative fines on infringements. Let’s also not forget that according to the reform proposals, the administrative fines a national data protection authority can impose can be up to 2% of the annual worldwide turnover of an enterprise. This can lead to quite substantial revenues”

This review will not impact individual DPAs until the summer of 2013, which is likely to be 12 months before the Act is enforceable but 12 months after hundreds of thousands of businesses have asked for assistance on what they need to do, who they need to register with, etc.

A significant improvement within the Act will be a requirement on businesses to be pro-active. Prevention is better than cure, or in this case better than a data breach.

Businesses will be required to:

  • Have “Privacy/Data Protection by Design”, which means that, at the point of building a process or system, security has to be on the list of desired outcomes.
  • Have Data Protection by default, which means all systems have to be secure.
  • Undertake a Privacy/Data Protection Impact Assessment, which means they must have a documented process for assessing the risk to their PII data and be able to demonstrate that they have undertaken, “at least” annually, an assessment of the risk and taken steps to mitigate it. This is not a penetration test; it is a thorough assessment of the people, processes and technologies surrounding and impacting on the PII data. A good guide is contained in the book Privacy Impact Assessment by David Wright and Paul de Hert, ISBN-10: 9400725426.

Another huge improvement is the requirement on businesses to formally notify the local DPA of any breaches. Breach notification has existed for several years, for example in California and in Germany. The new requirements will mean businesses can no longer delay notifying those affected in the hope that the breach will never surface.

It is proposed that the organisation’s Data Controllers notify the DPA within 24 hours.

Mandatory breach notification is a difficult area because some breaches can run for months or years before they are discovered. As far as the Act is concerned it is the point of discovery that matters, but if a business did try to cover up a breach there is a good chance it will be found out, and the details of who did what will be clear for the world to see.

In 2007, when the UK’s HMRC lost a CD containing the child benefit details of 25 million people, everyone expected an avalanche of identity thefts but, fingers crossed, nothing has happened in the last 5 years. They notified the authorities and the press within days. It could be argued, however, that as a result 25 million people were alerted and put under stress for no reason. Further details of the loss can be found here.

A similar situation to HMRC’s arose in 2008, when Heartland Payment Systems lost millions of credit card records. In this case they did not know the breach had occurred for approximately 8 months, but when they did find out they undertook forensics and notified the authorities within 8 days. The issue in this case was that the data was used for criminal purposes. The criminal Albert Gonzalez, AKA “segvec,” “soupnazi” and “j4guar17”, has since been convicted and is currently serving 20 years for various crimes involving the data of up to 130 million stolen credit cards. Details of Gonzalez can be found here.

Once the DPA has been informed, the organisation then has to inform the individuals affected. This is the first direct cost of a breach; see my post The huge and unexpected administrative costs of a data breach. There is always the risk that recipients may not understand the notification; for example, a report indicated that “39% of those who received them (or properly noticed them) initially thought it was marketing material of some form”.

If adequate protection is in place, for example tokenization, it is unlikely the organisation will have to inform the individuals. This makes putting security in place, and being able to prove it was running at the time, essential.

Another impact, which affects many countries, especially the UK, concerns the Freedom of Information Act (FOIA). Currently the FOIA does not allow access to information relating to voluntary breach notifications, which means that if a cover-up has been attempted and failed, an organisation can still avoid having all the information go public by admitting the breach voluntarily and thereby suppressing the details. The new Act will mean nearly all of the information about a breach will be in the public domain, including an organisation’s failure to protect PII and possibly its attempts to cover it up.

Across Europe the enforcement of the Act will be handled by the individual DPAs, around 1,500 seasoned data protection professionals, but many sceptics have speculated that larger businesses can flex their political muscle and lobby for leniency or to keep their breach out of the public eye.

The Commission has recently taken a strong line on the need for independence and in April 2012 took action against Hungary for its DPA’s lack of independence. For any country to be hauled in front of the European Court of Justice is embarrassing, especially if it has to amend its own legislation. Full details of the Hungarian action can be found here.

Summary of key changes in the proposed Act:

The Right to be forgotten is a contentious area for many organisations, for example:

  • Can someone with a bad credit history invoke the right to avoid their past?
  • If someone invokes the right with their insurance company they will lose their car insurance no-claims bonus; could this then create a right to be remembered? And who pays the administration costs for the reinstatement of the data?
  • In the case of employees past and present, what information can be retained and what information has to be retained?

Privacy by Design. There is a debate as to whether the actual wording will be Privacy or Data Protection, which will be finalised when the final draft is passed into law. Organisations need to understand and account for:

  • why they need the data
  • what they are going to do with the data
  • how they intend to process the data
  • what protections are required
  • who will manage the processes

All organisations employing 250+ employees must have a Data Protection Officer.

All companies storing PII must undertake “regular” Privacy Impact Assessments. The wording may change to Data Protection Impact Assessment but that will not change the requirement to undertake, log and act upon the results of the Assessment.

All international data transfers need to be logged and the Data Protection Authority informed.

Explicit consent must be obtained to include PII in databases, and individuals must have the ability to easily have their information removed.

Compulsory Breach Notifications within 24 hours of the breach.

Personally Identifiable Information is likely to include:

  • Bank Account details
  • Credit Card data
  • IP addresses

Data Portability. Businesses must address the portability of data:

  • What is going to be done with it
  • How is it secured
  • How will fraud and Identity Theft be avoided

Significant fines can be levied. Actions that are likely to involve a fine from the DPA include:

  • Failure to appoint a Data Protection Officer
  • Unauthorised International Data Transfer
  • Failure to undertake a Privacy/Data Protection Impact Assessment

Fines will be levied on a sliding scale:

  • 0.5% of global turnover or €250,000
  • 1.0% of global turnover or €500,000
  • 2.0% of global turnover or €1 million
  • So far no minimum figure is known.

The new EU Data Protection Act will be compulsory for all organisations except law enforcement, which will operate under a European Commission “directive”. The Directive is designed to allow for faster and easier transfer of data and joined-up policing across the member states.

This post was meant to be a short summary (compared to my notes, it is), but the far-reaching impact of this Act is largely unknown to most organisations, and it has a high probability of being passed into law during 2012, giving a requirement to be compliant by 2014. Whatever the date is, organisations of any size need to be aware of what is coming and to start developing plans to put Privacy and Data Protection at the forefront of their business plans NOW.


Cloud Computing Risk Assessment from ENISA


In November 2009 the European Network and Information Security Agency (ENISA) published a document titled “Cloud Computing Risk Assessment”, subtitled “Benefits, risks and recommendations for information security”.

The document may be 15 months old, but it is an excellent starting point for any organisation looking to invest in the cloud.

The official ENISA wording is below.

ENISA, supported by a group of subject matter experts comprising representatives from Industry, Academia and Governmental Organizations, has conducted, in the context of the Emerging and Future Risk Framework project, a risk assessment of the cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report also provides a set of practical recommendations.

Download the document from the ENISA site here.
