
Brian Pennington

A blog about Cyber Security & Compliance


ICO: Warning to SMEs as firm hit by cyber attack fined £60,000

Small and medium-sized businesses are being warned to take note as a company which suffered a cyber attack is fined £60,000 by the UK Information Commissioner’s Office.

An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.

Sally Anne Poole, ICO enforcement manager, said:

“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.

“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

She added:

“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”

The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.

The ICO’s investigation found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
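As an added illustration of the first finding above (the SQL injection that the ICO says regular testing should have caught), the following Python snippet is not code from the original page or from Boomerang Video’s website. It builds a small in-memory SQLite table with constructed rows, shows a lookup that concatenates user input into the query, and the parameterised form that removes the defect. The table, columns, rows and function names are assumptions for the example.

```python
import sqlite3

# Constructed sample rows standing in for a customer table.
# These are not Boomerang Video's data or schema.
CUSTOMERS = [
    ("alice@example.com", "Alice Smith", "1111222233334444"),
    ("bob@example.com", "Bob Jones", "5555666677778888"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT, name TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the SQL by string concatenation: the input becomes part of the query text."""
    query = (
        "SELECT email, name, card_number FROM customers WHERE email = '"
        + email
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, email):
    """Passes the value as a bound parameter: the driver never interprets it as SQL."""
    query = "SELECT email, name, card_number FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo():
    """Run the classic tautology payload against both lookups.

    Returns (rows leaked by the vulnerable lookup, rows returned by the safe one).
    """
    conn = make_db()
    payload = "' OR '1'='1"          # closes the quote, appends an always-true clause
    leaked = lookup_vulnerable(conn, payload)
    safe = lookup_parameterised(conn, payload)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable lookup returned {leaked} rows, parameterised returned {safe}")
```

With the payload the concatenated query becomes `WHERE email = '' OR '1'='1'`, which matches every row and returns the whole table (all card numbers included); the parameterised query compares the column against the literal string and returns nothing. A penetration test of the kind the ICO says was missing would send exactly this sort of input to every query parameter on the site. Binding parameters fixes the injection only; the other findings (weak WordPress password, unencrypted data, an exposed decryption key, cardholder data retained too long) each need their own control.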

Ms Poole said:

“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”


Is the North West a hub for nuisance calls?

In the last few months it appears that the North West of England has become a hub of nuisance calls, after three raids undertaken on behalf of the Information Commissioner’s Office.

The ICO executed two search warrants this week, one in Gatley, Greater Manchester, on Wednesday and the other in Wilmslow, Cheshire, on Thursday.

Computers and phones were seized during the searches as the ICO continues to investigate nuisance calls prompted by the theft of people’s details from car repair centres throughout the UK. The items will now be subject to forensic examination and investigation.

Mike Shaw, ICO Criminal Investigations Group Manager, said:

“This illegal trade has multiple negative effects – both on the car repair businesses targeted for their customer data and the subsequent nuisance calls made to customers. These can be extremely unsettling and distressing. 

“Our searches this week are the latest step in us tracking down the unscrupulous individuals involved in this industry. These people won’t get away with it – any person or business involved in the theft and illegal trade of personal data may find themselves subject to ICO action.”

ICO investigators are looking at how the data was stolen, who stole it and which companies have subsequently made calls to the public encouraging them to make compensation claims about accidents they may have been involved in.

The ongoing investigation, named Operation Pelham, started in May 2016 and has so far involved:

  • December 2016. A business and two homes in Macclesfield and Heald Green were searched by ICO officers. The business was linked to the making of telephone calls to numbers originating from some of the car repair centres. Computers, telephones and documents were among items seized from the residential properties.
  • April 2017. Homes in Macclesfield and Droylsden.

Will GDPR Change the World?

Rob Luke’s keynote speech ‘Will GDPR Change the World?’.

Introduction

Thank you.

Let me take a moment to thank TechUK for putting together this event and for offering me the platform to speak with you this morning.

Our Commissioner, Elizabeth Denham, has been clear that the ICO’s vision – of increasing data trust and confidence among the UK public – can only be achieved by working in partnership with the private, public and third sectors.

An important part of that is developing key relationships with representative or umbrella organisations as multipliers and amplifiers for our engagement with different constituencies. Helping us reach new or hard-to-reach audiences.

Our strong relationship with TechUK is a great example of that partnership approach.

We appreciate the role you play in bringing together representatives from across the sector and your ongoing constructive dialogue with us around issues of importance to your members and the sector as a whole.

I’m glad to have the opportunity to continue that dialogue this morning.

Will GDPR change the world?

Will the General Data Protection Regulation change the world?

Wow, what a question. On the face of it, even the most ardent data protection advocate would struggle to make a case that a blandly titled piece of European legislation deserves that billing.

So despite my professional obligation to emphasise the importance of data protection in the digital age, I am not going to make the argument for the world revolving around GDPR.

What I will try to do is highlight some of the opportunities and challenges GDPR brings for organisations.

Ultimately, of course, GDPR is an indicator of change as much as it is an instigator. And no sector is more relevant to that rapidly changing landscape than yours.

GDPR is part of the response to the challenge of upholding information rights in the digital age. Of protecting the rights and interests of the individual in the context of an explosion in the quantity and use of data and in an environment of extremely rapid technological change.

So I feel it is particularly relevant to mark One Year To Go in dialogue with the tech sector in particular.

I should be clear early on that this is not a speech about Brexit or an exploration of the UK’s possible post-Brexit data protection framework.

In a pre-election period, and with the need to adhere to the guidance on purdah, I hope you will understand that I am not in a position to speculate about the post-Brexit environment, nor indeed to comment on proposals in political party manifestos.

I apologise in advance if there are questions, or elements of the panel discussion, where I am limited by the caution that purdah requires.

What we can safely say however, is that one way or another, GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.

Fit for the digital age

The moment at which GDPR takes effect in the UK on 25 May 2018 will of course mark a change. In delivering legislation fit for the digital age GDPR confers new rights and responsibilities and organisations need to be working now to prepare for them.

I assume that this audience has a familiarity with the core features of GDPR and the key requirements it places on organisations. I hope you have already deployed our ’12 steps to take now’ guidance and our ‘Overview to GDPR’ and that you are drawing on our wider resources.

One consistent feature of our outreach with organisations is a high demand for granular guidance – often people will say to us: “tell us what we need to do”.

We are working at pace to produce detailed guidance, both at national level but also European level guidance produced by the Article 29 EU Working Party to which we are making a major contribution.

I will flag up some particular pieces of guidance in a minute, and the pipeline of guidance will continue to flow.

But I urge you not to wait, nor to take a reactive approach to your GDPR preparations, motivated solely by a mindset of compliance or risk management.

Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.

Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong.

Transparency and accountability

It can be boiled down to two words: “transparency” and “accountability”.

Being clear with individuals how their personal data is being used.

And placing the highest standards of data protection at the heart of how you do business.

An issue for the boardroom

That means this is an issue for board level, whatever the size of your business.

Not least because under GDPR the regulator wields a bigger stick. For the most serious violations of the law, the ICO will have the power to fine companies up to twenty million Euros or four per cent of a company’s total annual worldwide turnover for the preceding year.

And as we’ve seen in well-publicised examples the cost to business of poor practice in this area goes above and beyond any fine we can impose. Losing your consumers’ trust could be terminal for your reputation and for your organisation.

We would all prefer a win-win outcome. A model where organisations take an approach to data protection which earns the trust of consumers in a more systematic way. And where that trust translates into competitive advantage for those who lead the charge.

Nowhere does that feel more relevant than for your sector.

GDPR and the tech sector

The UK tech industry is at the forefront of our vibrant digital economy, changing how we live our lives and offering huge potential for positive change and wide social benefit.

Data is the fuel that powers that economy and tech companies are involved at every level.

GDPR is a response to this evolving landscape, building on previous legislation but bringing a 21st century approach and delivering stronger rights in response to the heightened risks.

The right of an individual to be informed about use of their data; their right to access their information and move that information around; the right of rectification and erasure of data where appropriate; the right to remove consent; and the right to enable automated decisions to be challenged.

Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and ensuring privacy by design – are now legally required in certain circumstances.

The ICO covers privacy impact assessments in its existing Privacy by Design guidance and the European Article 29 Working Party has also issued draft guidelines.

Being transparent and providing accessible information to individuals about how you will use their personal data is another key element of the new law and our privacy notices code of practice is GDPR-ready.

Increased responsibilities for data processors are another feature. Data processors, companies using personal data on behalf of others, will have specific legal obligations to maintain records of personal data and processing activities.

Data breach reporting will also change under the GDPR. You’ll be obliged to notify the ICO, within 72 hours, of a breach where it is likely to result in a risk to the rights and freedoms of individuals.

The widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics mean that profiling is becoming a much wider issue.

People have legitimate concerns about surveillance, discrimination and the use of their data without consent.

Data protection can be challenging in a big data context and some types of big data analytics, such as profiling, can be intrusive.

We explore many of these issues in detail in our recently updated paper on big data, artificial intelligence, machine learning and data protection.

We’ve also recently published a consultation paper on profiling under GDPR to which TechUK has responded. We’ll be using this to feed into the European Article 29 Working Party guidelines.

Harnessing the benefits of big data, AI and machine learning, as it relates to healthcare for example, will be sustained by upholding the key data protection principles and safeguards set out in GDPR.

Whilst the means by which personal data is processed are changing, the underlying issues remain the same. Are people being treated fairly? Are decisions accurate and free from bias? Is there a legal basis for the processing? These will remain key questions for us as a regulator under GDPR as they have been under the DPA.

The GDPR is a principles based law well equipped to take on the challenges of 21st century technology.

It aims to be flexible – protecting individuals from harm while enabling you to innovate and develop services that consumers and businesses want.

Data analytics

As data becomes the fuel powering the modern economy, so it becomes a key element of many of the debates in modern society.

Take the announcement last week by Elizabeth Denham of her opening of a formal investigation into the use of data analytics for political purposes.

Given the big data revolution I have mentioned it is understandable that political campaigns are exploring the potential of advanced data analysis tools to help win votes. The public have the right to expect that this takes place in accordance with the law as it relates to data protection and electronic marketing.

This is a complex and rapidly evolving area of activity and the level of awareness among the public about how data analytics works, and how their personal data is collected, shared and used through such tools, is low.

What is clear is that these tools have a significant potential impact on individuals’ privacy. It is important that there is greater and genuine transparency about the use of such techniques to ensure that people have control over their own data and the law is upheld.

We will provide an update on that investigation later in the year.

Rising to the challenge

I’ve talked about some of the challenges and opportunities GDPR brings for organisations. Likewise it is a moment for us at the ICO to reflect on how we do our work.

Clearly there are practical aspects such as preparing for a higher volume of activity given enhanced breach notification requirements.

But we are thinking more widely than that.

One example, again with particular relevance for the tech sector, is how we might be able to engage more deeply with companies as they seek to implement privacy by design.

How we can contribute to a “safe space” where companies can test their ideas. How we can better recognise the circular rather than linear nature of the design process.

Separate but related we need to become more comfortable about recognising good practice and drawing on exemplars.

We should be able to find ways to give credit where credit is due without that translating into a free pass for an individual organisation or practice. GDPR explicitly foresees wider use of tools such as codes of conduct and certification schemes, which potentially have an important role to play.

To deliver on the above and more broadly we also need to build our own tech know-how and capability. We are working on a new Technology Strategy which will outline our means of adapting to rapid technological change as it impacts information rights.

We are also committed to exploring innovative and technologically agile ways of protecting privacy.

And of course we need to exercise global reach and influence. Effective protection of the UK public’s personal information becomes increasingly complex as data flows across borders.

The ICO will continue to develop and deepen effective relationships with our international partners, reacting to changes in the global regulatory environment.

These goals among others feature in our new Information Rights Strategic Plan, being launched today by Elizabeth Denham, which sets out the ICO’s plan for the coming four years.

The tech sector will be a priority for our engagement as we look to seize these opportunities set out in the strategy.

Conclusion

With 12 months to go until GDPR takes effect in the UK, I hope I have offered a brief insight into some of the implications and impacts of GDPR on UK businesses.

I hope I have also signposted key actions you should be taking and key tools on which you can draw to rise to the challenge.

GDPR brings big changes, important changes. But GDPR is an evolution of the existing rules, not a revolution.

And as I said at the outset it is also a mirror of the changes in the practices and environment it seeks to regulate.

It is not GDPR which is pushing data protection up the public, political and media agenda. It is the changing nature of the world in which we live, and the ubiquity of data, which is causing society to reflect on the consequences for our personal information and for privacy itself.

You are at the heart of that change. Your response to the challenges and opportunities of GDPR will set a marker for other sectors.

You have a major stake in the enterprise of increasing data trust and confidence among the UK public. By putting the individual in genuine control of their own data you can help achieve that goal, delivering benefits for your consumers, your business and society as a whole.

Thank you.

ICO statement on recent cyber attacks on the NHS

The ICO has released the following statement concerning the recent cyber attacks on the NHS:

“All organisations are required under the Data Protection Act to keep people’s personal data safe and secure.

“Following the news on Friday afternoon that many organisations had been the subject of a cyber attack, the ICO made contact with both NHS Digital and the National Cyber Security Centre (NCSC).

“Our enquiries will continue this week and we note that NHS England have said they have no evidence that patient data has been accessed.

“Any appropriate next steps for the ICO will be decided once these initial enquiries are complete.

“The ICO has published a useful blog on how to prevent ransomware attacks.”

Elizabeth Denham’s speech at the Data Protection Practitioners’ Conference 2017

6th March 2017, Manchester, UK.

Good morning, and welcome to Manchester. It’s cold and it’s grey, but for those of us who live around here, we kind of like it, and we’re proud it’s where the biggest data protection conference of the year takes place.

We’ve got a busy schedule today. Lots on GDPR, of course. Trevor Hughes from IAPP talking about the role of the data protection officer internationally. Practical workshops on everything from breach notification to consent. And a very engaging information market – the speakers’ corner looks sure to be a conversation starter, and don’t miss our experts talking about the law enforcement directive too.

So lots to engage you. Let’s get started by getting your grey matter warmed up: a quick general knowledge quiz. One question:

What links the following:

  • the Labour Party;
  • international weightlifting;
  • the music you heard when I entered the room; and
  • the ICO?

The answer is right before your eyes: all have performed right here at this venue. I’m not sure which of the four had the rowdiest audience…!

Manchester Central has been the home of the Data Protection Practitioners Conference for the best part of a decade, and I’m sure you’ll agree it’s an excellent venue. It was converted from a railway station built more than 125 years ago by Sir John Fowler, the architect famed for his work on the Forth Railway Bridge.

Sir John once said: “Engineers are not mere technicians and should not approve or lend their name to any project that does not promise to be beneficent to man and the advancement of civilization.”

DPOs in the mainstream

I think there’s something in that comment for us here today. About not merely being technicians. About looking to see how the projects we contribute to can be beneficial to citizens. How we can put the customer first.

I don’t think that’s too grand an aim. This is an exciting time to be in data protection. Like many of you, I’ve worked in this sector a long time. I remember when we were a back office function. When we often were seen as “mere technicians”. That seems a very long time ago.

My colleague Rob Luke, who you’ll hear from shortly, is speaking before an advertising conference later this week. Fifteen years ago, which advertiser would have invited the data protection regulator to their annual event? Who thought data protection when they booked a slot in the ad break during Coronation Street? But today, data protection is central to their work. Making the most of customer data. Combining big data sets. Finding new ways to better understand what consumers want, to track how they act or predict what they will do next.

Last week, we opened an inquiry into privacy risks arising from the use of data analytics for political purposes following public reports about the role of private firms in the Brexit referendum. We often find ourselves at the heart of many debates of modern society.

It’s an exciting time to work in data protection, whatever your sector, with real opportunities. We’ll talk a lot today about the practical aspects, from how GDPR will change things at your organisations, to the steps you can take to use the coming change in the law as an opportunity to inform your practices.

But let’s not lose sight of what good data protection can achieve. We have an opportunity to set out a culture of data confidence in the UK. We just need to keep in mind that when we lend our name to projects, we should think about how they can be of benefit to citizens.

Review of last 12 months

I think it’s fair to say that a recap of the files we’ve been involved in over the past twelve months can be characterised by organisations failing to put customers first.

Our work with WhatsApp and Facebook springs to mind. We all rely on digital services for important parts of our lives. But my office felt these apps were not taking enough responsibility for data protection. Companies have legal responsibilities to treat people’s data with proper care and transparency – to give them persistent control and choice.

Similarly the record fine we issued to TalkTalk. You could write an essay discussing the technical detail of the cyber-attack itself, but fundamentally, not enough respect – not enough care – was being given to the type of protection consumers would have expected of their personal information.

And without rehearsing the conversations we’ve had with parts of the charity sector, there’s a similar theme: insufficient thought about the level of transparency donors would want, expect, or support.

They’re examples of organisations getting it wrong under the current Data Protection Act. GDPR is going to put even more of an onus on organisations to understand and respect the personal privacy rights of consumers.

GDPR

Because while the General Data Protection Regulation builds on the previous legislation, it provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data.

The GDPR gives specific new obligations for organisations, for example around reporting data breaches and transferring data across borders.

But the real change for organisations is understanding the new rights for consumers.

Consumers and citizens will have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent.

On that subject, do take a look at the guidance on consent that is now out for consultation, and will be discussed at our workshop later today.

Accountability and breadth

At the centre of the GDPR is the concept of broader and deeper accountability for an organisation’s handling of personal data. The GDPR brings into UK law a trend that we’ve seen in other parts of the world – a demand that organisations understand, and mitigate – the risks that they create for others in exchange for using a person’s data. It’s about a framework that should be used to build a culture of privacy that pervades an entire organisation. It goes back to that idea of doing more than being a technician, and seeing the broader responsibility and impact of your work in your organisation on society.

Making it matter to the boardroom

I’ve already spoken to some of you this morning, and I hear what you’re saying. You understand why having your organisation accept more accountability for data protection matters. You want to change the culture of your organisation. But in many cases, you need to convince your senior management first. So, what can I give you today to help you make that case when you go back to your offices tomorrow?

The fines are the obvious headline. The GDPR gives regulators greater enforcement powers. If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.

But there’s a carrot here as well as a stick, and as regulators we actually prefer the carrot. Get data protection right, and you can see a real business benefit.

Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice.

What the ICO is doing

Gandhi said the future depends on what we do in the present. So let me talk a little about what my office is doing now, to help you prepare for the future.

I’ve worked as a regulator in this field for more than twelve years and my focus has always been on making sure the regulator is relevant. On making sure we’re taking on that challenge of not being mere technicians but instead are making a difference to the organisations we regulate through education. Making a difference to the public, through giving them an avenue to file a complaint and by sanctioning the bad actors.

Each of us in the information rights field, on a daily basis, tries to make a difference to the public. Collectively, we do a good job: I think people have never been more aware of their rights, of what they can expect of the businesses and organisations they trust with their data. But consumer trust hasn’t followed that. An ICO survey last year showed only one in four UK adults trust businesses with their personal data. And I don’t believe the figure would be much higher for the public sector. As a regulator, it’s one of my jobs to give you the tools and the support to turn that around.

I want to see comprehensive data protection programs as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK. I think that’s achievable.

We’ll be shortly announcing work we’ll be doing to contribute to that. We want to support independent research that helps people better navigate the digital world. Our research and grants programme will dedicate funds over the next five years to engaging the research community in finding ways to help consumers. More details in due course.

Post Brexit

And of course we need to be looking to the horizon, to what might exist beyond GDPR.

Fourteen months ago I was writing a speech for a different audience, in a different role. My appearance was at the Canadian annual privacy and security conference, as information and privacy commissioner for British Columbia. I was talking about the challenges of a digital economy that required data to flow across borders, where different legal systems and cultural norms about privacy make this a complicated undertaking. More specifically, I spoke about how changes within the EU affect those outside of it, particularly around adequacy.

How familiar does that sound today? The UK EU referendum decision means we’re facing the same challenges. The UK’s digital economy needs data to flow across borders: how do we make sure that can happen? How can we foster economic growth while still respecting citizens’ rights?

When the government comes to answer those questions beyond the implementation of GDPR in 2018, we expect to be at the centre of many conversations, speaking up for continued protection and rights for consumers, and clear laws for organisations. And addressing the strong data protection laws we’d need if we want to keep the UK’s approach at an equivalent standard to the EU.

Conclusion

Which brings us back to today. The GDPR is a strong data protection law. It gives consumers more control over their data. And it includes new obligations for organisations.

Today is about learning more about those obligations, more about data protection best practice, more about how to get it right.

Today is about helping you make the best use of tomorrow.
