Olswang launches ADTEKR

Alasdair Lamb - February 26th, 2015

Olswang has launched ADTEKR, a weekly update on topical issues from the world of adtech, covering not only regulatory issues but key industry trends and a jargon-cruncher. Readers of Datonomy might be particularly interested to hear about the many privacy-related issues raised by this technology, including:

  • recent developments regarding user’s consent for device fingerprinting;
  • Verizon’s use of a unique identifier header tracking tool or “zombie cookies”, which it uses on its customers’ smartphones;
  • the increasing amount of fraudulently generated non-human traffic and the advertising industry’s response;

…and much much more.

To receive the short weekly alerts, please visit www.adtekr.com/ and enter your email details on the left-hand side of the screen, or follow @adtekr.

Posted in adtech, data protection, privacy, freedom of information
Tom Pritchard

Here is the latest round up of cybersecurity news from the Datonomy blogging team at Olswang.

EU developments

  • There does not appear to have been any official news on the progress of the Network and Information Security Directive during the past week. Further trilogue discussions between the three EU institutions were expected to take place at the end of February – see our latest report here.  According to the TechUK website, the UK government was due to give a briefing to TechUK members on the impact of the Directive on 17 February 2015.
  • Vice-President of the European Commission for the Digital Single Market, Andrus Ansip, recently spoke on the issue of “A safe and secure connected digital space for Europe” at a debate hosted by the European Internet Foundation. Read the complete speech here.
  • The Czech government has approved a new national cybersecurity strategy. Similar to strategies in the US and UK, the strategy focuses first on critical infrastructure and calls for greater collaboration between the public and private sectors as well as greater international cooperation.

US developments

  • Following last week’s update detailing the cybersecurity summit hosted by President Obama at Stanford University on 13 February, the President signed an Executive Order entitled “Promoting Private Sector Cybersecurity Information Sharing” which, as its name suggests, promotes disclosure of information between private companies and the government.  Following the summit, President Obama has been providing further commentary on cybersecurity issues via an interview with the independent technology news site, Re/code.  In the interview, the President has committed to his position that the government must be aggressive in this space, noting, “This isn’t a traditional setting where you can just set up a few standards or rules or regulations, and then just sit on our laurels. We have to constantly update all the time.”  Taking it one step further, when discussing international relations, the President stated, “This is more like basketball than football, in the sense that there’s no clear line between offense and defense. Things are going back and forth all the time.”  Read more here.
  • Moscow-based security firm Kaspersky Lab has, according to various reports, including this one on Sky News, published a report linking the US National Security Agency (NSA) with “the Equation Group” and its spyware, which has been found on computers in over 30 different countries. The report claims the spyware is connected to “Stuxnet”, a former US NSA computer worm, and that it has been implanted in the disk-drive source code of more than a dozen top manufacturers. Such a strategy raises concerns that the group could have access to most of the computers in the world. Read more coverage from The Independent here.
  • The tech press have begun to speculate on whether the potential government shut-down on 27 February 2015, threatened by Congressional leaders following the President’s Executive Order on immigration and a budget impasse, could affect the operations of the Department of Homeland Security (DHS). During the last government shut-down (1 to 16 October 2013), the DHS’s critical functions continued but employees had to work without pay for the period. Experts are suggesting that day-to-day efforts to protect the nation from attack would continue in such a scenario but that it could cause a serious setback in the development of new proposals and systems (such as the newly established Cyber Threat Intelligence Integration Centre – see last week’s post).

Australian developments

  • According to this report on The Register, the day after Australian Prime Minister, Tony Abbott, announced his intention to reform data protection laws, the government has taken the action of delaying a major review assessing Australian cyber risks and examining their public-private collaboration and network security.  It is being reported that the delay is being caused by political division, after opposition leader, Bill Shorten, accused the PM of politicising the issue.  The review is now unlikely to be concluded before November 2015.

Attacks, statistics and other news

  • CERT, the UK National Computer Emergency Response Team, which was established under the UK’s Cyber Security Strategy to coordinate management of cyber incidents and promote best practice in preventing them, produces a weekly update highlighting current threats. The latest update (19 February 2015) is here.
  • Following last week’s story regarding the suspected theft of up to $1 billion by hacker group Carbanak, experts are urging UK banks to prepare themselves for a “zero day attack”, according to The Guardian.  Zero day attacks involve the use of malicious software that can bypass traditional security measures.  Some banks, such as HSBC, are making it publicly known that they are now hiring former military intelligence officers to combat the attacks.  Read more coverage in The Evening Standard here.
  • The latest document allegedly provided by NSA whistleblower, Edward Snowden, reveals details of British and American spies hacking into the computer networks of the world’s largest SIM card manufacturer, Gemalto (based in the Netherlands).  Should the details be true, experts are suggesting that this would enable the NSA and GCHQ to secretly monitor the majority of the world’s mobile communications. Read further coverage by the BBC, here.
  • PWC’s latest Global Economic Crime Report concludes that having surveyed 5,128 companies from 99 different countries, one in four has experienced cyber crime and of those, 11% have suffered losses greater than $1 million.
  • London-based cybersecurity company, Sophos, is gearing up for a £1 billion London Stock Exchange flotation later this year. The investment firm, Apax, bought a 70% share in the business for £372 million in 2010. Consequently, if the valuation is met, the investment will represent an almost doubling of their money in five years.
  • And finally…Security researcher Jacob Torrey, of Assured Information Security, believes he has developed a method of encrypting software that prevents reverse engineering (a scheme he calls the Hardened Anti-Reverse Engineering System – HARES). Reverse engineering is the primary method used by hackers to exploit weaknesses in software code. Torrey claims that by instructing the computer to decrypt the code at the last possible moment before the code is executed, software can be made much more secure.


This week’s update was brought to you by Katharine Alexander (Trainee Solicitor), Tom Pritchard (Paralegal) and Claire Walker (Head of Commercial Know-How).

Posted in cyber crime, cyber-privacy, cybersecurity, data, data breach, encryption
Lucy Davies

As Datonomy reported recently, the UK Competition and Markets Authority has launched a call for information into the commercial use of data. In addition, it has now announced the appointment of researchers to look in more detail at how three specific sectors – games apps, clothing retail and motor insurance – use consumer data. With consumer data the new “currency of the Internet”, competition authorities at EU and UK level have been taking a keener interest in the issue for some time. Lucy Davies, an associate in Olswang’s Competition Team, explains what the CMA’s first formal steps in this area could mean in practice.

What’s new? The call for information and appointment of researchers

On 27 January 2015 the CMA launched a project to review the commercial use of consumer data by publishing its “Call for information: the commercial use of data”. As described in detail in our earlier blog post, the call for information is a fact-finding exercise to “understand the potential for the collection and use of consumer data to generate concerns, both in terms of competition and markets, as well as consumer protection”. Those wishing to respond have until 6 March to do so.

The call for information follows the publication of the CMA Strategic Assessment in November 2014 which identified a need for the CMA to acquire a better understanding of developments and practices relating to global online commerce.  In particular, the commercial use of personal data, peer to peer/collaborative markets, and online markets such as cloud computing and the Internet of Things were identified as specific areas which the CMA needed to focus on.  The commercial use of personal data is particularly important given the value of personal data – the Strategic Assessment estimates that “the value extracted from European consumers’ personal data was worth €315 billion in 2011 and has the potential to grow to nearly €1 trillion in 2020”.

The CMA is concerned that the data provided by consumers to online businesses could become a potential source of competitive advantage or market power.  In order to better understand the implications of the use of data, in addition to seeking stakeholders’ views, the CMA has now appointed researchers to establish why businesses collect data and how they use it.  The CMA has decided to focus the research on three sectors: motor insurance, clothing retailing and games applications.  The research on games applications is limited in scope to consumer data collected through games applications used by adults and will not review gambling applications.  The CMA hopes that the research (which will take account of all available evidence as well as information obtained from businesses and third parties) will better inform its understanding of how the commercial use of consumer data affects consumers, businesses and competition.

What’s the status of the CMA’s research?

Both the call for information and accompanying research fall outside the CMA’s formal process for the review of markets.  This has two immediate implications: (i) stakeholders cannot be compelled to submit the information requested in the call for information to the CMA or to respond to any data request they might receive from the researchers; and (ii) there is no statutory deadline by which the CMA must reach a conclusion with respect to the information collected.  Nonetheless, stakeholders should be wary of ignoring this CMA initiative; failure to comply now could result in the initiation of a formal market study.

If the CMA is conducting research within the parameters of a formal market study it has statutory powers to compel businesses to provide it with evidence and specific documents relating to the study; failure to comply attracts criminal liability as well as administrative penalties.  A formal market study in this field would see the CMA examining the regulatory and economic drivers of the consumer data market, as well as patterns of consumer and business behaviour in the market.

What might the next steps be?

On concluding a formal market study (which must be within 12 months from the publication of the market study notice, the document which formally signals the start of the market study), the CMA has the power to order certain remedies to address the concerns identified in its market study report.  These include:

  • creating a CMA-led, consumer-focused project aimed at raising consumer awareness with respect to a particular issue (for example, how businesses use consumer data);
  • encouraging self-regulation for businesses operating on the investigated market (for example, the creation of a code of conduct for businesses which collect and use consumer data);
  • making recommendations to Government with respect to changes in policy or regulation (for example, to address shortcomings in consumer protection in the collection of data online);
  • pursuing enforcement action against certain businesses operating on the investigated market which the CMA suspects have infringed competition law or consumer protection rules; and
  • making a market investigation reference in circumstances where the market study report gives the CMA reasonable grounds to suspect that features of the investigated market might restrict, distort or prevent competition. The market investigation entails a second, more detailed investigation conducted by a new team within the CMA.  The statutory deadline for the completion of a market investigation is 18 months from the date of the reference.

Alternatively, the CMA may conclude that there are no concerns on the market examined and close the investigation without any further consequence.

It is too early to tell whether this initial call for information will result in a formal market study – much will depend on the information the CMA receives from stakeholders at this early stage.  However, if after the conclusion of this initial round of information collection the CMA decides that it still needs more information to determine whether there are consumer protection and/or competition problems on the consumer data market it may well look to commence a formal market study in the future.

Datonomy will keep you updated as the CMA investigation continues.

Posted in anti-trust, competition, data, data security standards, Datonomy, internet, online data protection, UK
Ross McKean

Olswang supporting new technology and innovation:

I presented on drone law to the Security and Defence Interest Group of Cambridge Wireless yesterday, hosted jointly by Olswang and the Knowledge Transfer Network. Despite being half-term week we had a full house thanks to the great programme put together by Nicholas Hill of Cambridge Wireless’s Security & Defence SIG. Speakers included Nicholas Hill of Plextek Consulting; Professor Jim Scanlan of the University of Southampton’s Aerospace Division; Alan Brooke, Unmanned Aircraft Systems lead for the Centre for Applied Science & Technology of the Home Office; and myself.

Is 2015 the year of the commercial drone?

Drones – also known as small unmanned aircraft, remotely piloted aircraft systems and a growing number of similar acronyms – continue to make news. They have come a long way from their military origins and took centre stage at the annual Consumer Electronics Show in Las Vegas in January. Some commentators are predicting that whereas 2014 was the year of wearables, 2015 will be the year of mass adoption of drones.

What is a drone?

In the UK, for CAA regulatory purposes a “drone” is generally used to refer to a small unmanned aircraft below 7Kg in weight though the category extends to any unmanned aircraft. In the USA, the recently published FAA consultation on the liberalisation of commercial drone use defines drones as small unmanned aircraft up to 55lbs / 25Kg. It is this low weight category which has seen the greatest innovation and development recently.

Drones – good or evil?

The word “drone” comes laden with negative connotations of military drones, kill lists and human “collateral damage”. Yet despite attempts by manufacturers to rebrand drones as SUA or RPAS for consumer use, the term “drones” has stuck with consumers and commercial users.

As a technology enthusiast, I share the view that technology is rarely the problem per se; it is the use of technology that can be harmful. Drone enthusiasts argue that drones can improve safety and reduce risk of harm by taking over dangerous jobs that would otherwise be done by people – like surveying tall inaccessible structures; search and rescue exercises or delivery to remote locations in poor weather. They point to the early mass adoption use cases of drones such as precision spraying of pesticides on small Japanese farms which has reduced wastage, improved efficiency and avoided spraying pesticides over homes. As it is in largely rural areas, privacy is less of a concern.

On the other hand, as drones become cheaper, capable of carrying relatively heavy payloads and more readily available, it is easier for the criminal, the malicious and the negligent to do harmful, dangerous or just plain dumb things. A football match between Serbia and Albania in October 2014 had to be halted after a drone flying the Albanian flag over Serbian supporters caused a major brawl; France is on high alert after a spate of unexplained “visits” by drones to French nuclear power stations; another drone, believed to be a small helicopter, distracted a pilot landing at Heathrow when it came within 20 feet of an Airbus A320.

Drones – where to draw the regulatory perimeter?

So where should regulators draw the line? In the UK, the CAA regime is viewed as one of the most permissive regimes in the world which has resulted in many drone operators and manufacturers setting up shop in the UK. As a general rule, no CAA permission is required where drones are not used for commercial purposes (broadly – where no “valuable consideration” is earned) and, in the case of drones fitted with cameras, these are not flown within congested areas or within the minimum distances of people or properties (vehicles, vessels or structures) that are not under control of the pilot.

For commercial use of drones, or use of surveillance drones within congested areas or within the minimum distances prescribed, a CAA exemption or licence will be required. Again, though, the CAA is viewed as a progressive aviation regulator supportive of innovation in SUAs. A number of the speakers commented that in their experience, provided an appropriate safety case can be submitted, the CAA will generally grant permissions or licences quickly.

The reality is that the CAA does not have the resources to enforce against all users who breach these rules – though they have taken actions which they publicise to act as a deterrent to others. For example, the first reported drone prosecution was in April 2014 when an individual was convicted of flying a surveillance drone within 50 metres of a bridge with traffic. They were fined £800 plus £3500 costs. A photographer was recently cautioned for selling footage from a surveillance drone to the media, without having a CAA commercial use permission. The CAA has also published helpful guidance for hobbyists to promote responsible flying and compliance with safety rules.

Drones – big brother with wings?

I also touched on data protection and privacy concerns in my presentation, commenting that drones are viewed as a potentially far more invasive technology than CCTV by data regulators. The influential European Data Protection Supervisor succinctly put it that drones “give the most sophisticated cameras wings”, so careful planning needs to be undertaken to ensure compliance with data and privacy laws. Planning flight paths; not using high-res cameras when low-res will suffice; using appropriate signage, high-vis clothing and warnings; pixelating images of people inadvertently captured; transmitting and storing data securely and keeping it for no longer than necessary – all of these can help to minimise the risk of infringing data protection and privacy rights. The ICO has also published helpful guidance for the drone hobbyist emphasising the need to fly responsibly and pointing out that surveillance drones used for commercial work will be subject to the Data Protection Act. Hobbyists can’t rely on the “domestic purposes” exemption if they sell footage captured with a drone. For business, the recently updated ICO guidance on CCTV includes guidance on unmanned aerial system surveillance.

US drones – when will the FAA liberalise the rules?

The long-awaited US Federal Aviation Administration proposals to liberalise the commercial use of drones (up to 55lbs / 25Kg) in US national airspace were published on February 15th this year. Although widely reported as a step in the right direction by the US press, others argue it does not go far enough as it still requires visual line of sight operation and does not permit night flying (likely a response to a drone landing on the White House lawn at 3am). It is also at least a year if not two years away from coming into law, at a time when the UK and several other jurisdictions already enjoy considerably more permissive regimes for commercial use of drones, raising concerns that there will be a talent and investment drain from the nascent US drone economy. One US not-for-profit group has estimated that each year the FAA delays liberalising drone rules costs the US economy 10 billion dollars in lost opportunity.

Are drones a security threat? Can drones be weaponised?

Clearly this is a concern given the wide availability of drones and increasingly heavy payloads they can carry. As a result the European Commission has encouraged investment in security for command and control systems to protect against the risk of drones being commandeered in flight and footage being hacked.

Drones and liability – who is legally responsible if drones cause damage or injury?

The debate around liability for autonomous machines has largely focused on driverless cars to date. Supporters of the safety benefits driverless cars could potentially deliver by removing the main cause of accidents (human fallibility) argue that manufacturers should be incentivized to invest in the technology by granting them special protection from certain liability – which in the UK is most likely to arise under the tort of negligence or strict liability for defective products. Drones are different. Where they are flown remotely by a pilot, the pilot is ultimately responsible for unsafe flying, albeit that the manufacturer may also be at fault if the drone is defective and third parties may be contributorily negligent. Where they have a safe pre-programmed flight path and malfunction, the argument that drones are inherently safer than manned systems does not generally hold true – at least not with current technology. Lightweight drones do not enjoy the multiple redundancies required for large manned aircraft; on the contrary, they often have several single points of failure in order to keep flying weight to a minimum. The debate will continue but there is less of an obvious policy reason to grant special liability carve-out incentives to drone manufacturers. The “old” law of negligence and product liability will continue to apply in the meantime.

What are the likely mass adoption use cases for drones?

Not surprisingly, the conclusion in the room was that agriculture which has already been proven as a highly successful use case in Japan and has lower safety challenges is likely to be an early mass adoption use case. Transatlantic drone deliveries were also mooted.

Coolest drone news from the event? Easy – Southampton University was the first to design, build and fly a 3D printed drone and is now at the forefront of printable drone innovation. They are a great UK technology success story.


Ross McKean is a technology partner in the London office of Olswang LLP and heads the firm’s global data protection practice.

Posted in Uncategorized
Claire Walker

The latest round up of legal and regulatory developments and news relating to cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.

UK

  • On 6 February 2015, the Investigatory Powers Tribunal (IPT) found that the UK government had breached Articles 8 and 10 of the European Convention on Human Rights (ECHR) when soliciting, receiving, storing and transmitting the private communications of individuals located in the UK that had been provided by the US’s Prism and Upstream intelligence programmes. The Tribunal rebuked the government for not making public its arrangements, and the government was ordered to sufficiently sign-post such information to the public. Read the full judgment here.
  • The Home Office began a consultation on 6 February 2015 on updating the interception code of practice and introducing a new equipment interference code of practice under the Regulation of Investigatory Powers Act 2000. The codes will regulate when law enforcement agencies can legally hack and bug devices including computers, servers, routers, laptops, and mobile phones to either obtain information or conduct surveillance.  The consultation will close on 20 March 2015.

EU

  • Internet of Things: The European Network and Information Security Agency (ENISA) has published the “Threat Landscape and Good Practice Guide for Smart Home and Converged Media” report.  As smart technologies become increasingly prevalent in our homes, recording and transmitting more and more personal data, the study aims to address the security risks inherent in the collection of that data and the connection of our homes to the cyber world. Read the full report here.
  • ENISA has also published a report on its own cybersecurity campaign, “European Cyber Security Month” (ECSM) which took place in October.  ECSM’s popularity, reaching 40 million online users, reflects the increased importance and engagement around the topic.
  • ENISA has also announced Crete as the location for the next Conference on Cyber Security & Privacy Challenges for Law Enforcement.  The conference will be held on 18-19 May 2015 and will bring together experts to discuss emerging cyber technologies, cross-border cooperation and future policy initiatives.

US

  • On 10 February, the White House announced the creation of a new agency to coordinate the country’s cybersecurity efforts.  The agency, The Cyber Threat Intelligence Integration Centre (CTIIC), will be responsible for joining up the cybersecurity efforts of the National Security Agency, the Department of Homeland Security, the FBI and the CIA.  White House security advisor, Lisa Monaco, said that the agency will become the hub for public-private information sharing about cybersecurity threats, noting “we want this flow of information to go both ways.”  However, opponents have already questioned whether this is another unnecessary level of bureaucracy in the fight against cyber threats, and one that increases worries that the US government is spying on the private sector and its customers.
  • On 12 February, President Obama announced that he would sign an Executive Order that day promoting the sharing of cybersecurity information between private companies and the government.  The Order calls for the creation of, and participation in, ISAOs (information sharing and analysis organisations).  More specifically, “In encouraging the creation of ISAOs, the Executive Order expands information sharing by encouraging the formation of communities that share information across a region or in response to a specific emerging cyber threat.  An ISAO could be a not-for-profit community, a membership organization, or a single company facilitating sharing among its customers or partners.”  The Order also directs ISAOs to begin developing common sets of voluntary standards for information sharing, makes clear the Department of Homeland Security’s ability to enter into agreements with ISAOs, provides companies with the ability to access classified threat information held by the government when facing an appropriate risk, and also attempts to protect private sector civil liberties.  Read more here and here.
  • In line with the above Executive Order, President Obama hosted a cybersecurity summit on 13 February at Stanford University featuring Apple’s Tim Cook and senior executives from Microsoft, Facebook and Google. President Obama reiterated his point that “this is a challenge that we can only meet together” (referring to the public and private sectors). The venue of Stanford symbolised the enhanced collaboration between Washington D.C. and the Palo Alto tech centre. However, reports suggest that high-profile figures such as Mark Zuckerberg, Marissa Mayer and Larry Page all declined invitations and sent their CIOs instead.

Attacks, statistics and other news

  • Russian cybersecurity company, Kaspersky, has publicly stated that they believe a hacker group called Carbanak has stolen up to $1 billion from financial institutions around the world in the last two years. The conclusion is the result of Kaspersky’s collaboration with Interpol and Europol, in which it was found that the group used carefully crafted emails to trick particular employees into opening invasive software (a technique called “spear phishing”). Once the software had been opened, the hackers supposedly gained access to video surveillance and began mimicking the activity of bank tellers when transferring money between accounts and then ordering cash machines to dispense money at predetermined times. Read more here and here.
  • Following last week’s story that Anthem, the US’s second largest health insurer, was the subject of a data breach in which their databases containing nearly 80 million records were compromised, security experts are now warning that healthcare and insurance companies could become the next big targets of cyber crime. As healthcare and insurance companies tend to hold masses of personal (and often very private) data about large numbers of individuals, the tech press are picking up on expert predictions that hackers are moving away from financial organisations towards the less secure health sector. In the UK, the ICO has made similar predictions about the NHS. Furthermore, Connecticut Attorney General, George Jepsen, sent an open letter to Anthem admonishing their failure to provide adequate details to the individuals affected by the data breach regarding what renewed efforts Anthem will make and how customers can sign up.
  • And finally…Japan recently hosted a hacking competition, called the Security Contest or SECCON, in which over 4,000 young hackers competed to hack into six virtual servers to discover keywords.  Participants came from China, Japan, Poland, Russia, South Korea, Taiwan and the US.  Organisers stressed the importance of bringing people with these skill sets into the mainstream so that they are not pulled into the “underground world” of hackers.
Posted in cyber crime, cyber-privacy, cybersecurity, data, data breaches, data security standards, data sharing, EU, Europol
Katharine Alexander

The latest round up of legal and regulatory developments and news relating to cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.

UK developments

  • UK initiatives to develop the cyber insurance market, announced by the Government in November, have been the subject of a recent panel session hosted by industry group techUK. The website post considers: market drivers, the current state of the market, and potential solutions. The discussion featured contributions from Kroll, Hiscox, Dell and DBIS. Working groups in the Government’s initiative are due to report conclusions to the Cabinet Office by April 2015.
  • CESG (which is the information security arm of GCHQ) has published the latest document in its ongoing series, “Keeping the UK safe in cyber space”.  This new guidance is on “Technology and information risk management”.  The guide is aimed at public sector organisations and their supply chains, and outlines the factors to consider when selecting cybersecurity technologies within a business context.
  • MP Francis Maude spoke at the Entrepreneur Country Global Forum on 3 February 2015.  The MP outlined the importance of securing our online identities and what GOV.UK Verify is doing to set standards and encourage development of a market for identity services.  Read the full speech here.
  • The IT press is reporting City of London Police Commissioner Adrian Leppard’s comments at the recent NED Forum summit, where he claimed that it will take a major global company going under before the private sector really shake up their cybersecurity efforts.  Despite the pessimistic tone about the increased threat of cyber attacks, Leppard did comment that he believed the UK Government was doing all it could do to address the threat.
  • Northrop Grumman, one the world’s largest global security companies, is the latest expert firm to be contracted by the UK Government for delivery of cybersecurity solutions.  The seven year contract requires Northrop Grumman to provide engineering and development services in support of data security and information assurance.

EU developments

  • Today, the European Network and Information Security Agency (ENISA) published the Threat Landscape and Good Practice Guide for Smart Home and Converged Media. The guide identifies security risks and challenges for emerging technologies in smart homes, and is a step towards achieving the EU Cyber Security Strategy objectives.
  • ENISA renewed its focus on the importance of sharing information with telecoms and internet service providers at the 3rd annual Electronic Communications Reference Group meeting on 29-30 January 2015.  ENISA took the opportunity to demonstrate its new incident reporting tool, which will allow providers to share incident reports with one another in anonymised form.
  • Todd Ruback, the Chief Privacy Officer of Ghostery (a marketing technology company that provides online transparency and control software to individuals and businesses), spoke on Data Protection Day (28 January) to the EU Parliament about the potential for self-regulation to complement the EU’s General Data Protection Regulation (GDPR).  Ruback spoke of how the ‘internet of things’ will enhance the need for robust monitoring and meaningful enforcement of data protection regulation and how private companies can assist public bodies.
  • Alexander Klimburg, a senior research fellow at the Hague Centre for Strategic Studies, has claimed that, two years after the EU published its first Cybersecurity Strategy, the EU is making slow but steady progress towards its aims.  Klimburg details the progress of each of the three limbs of the strategy (cyber crime; common foreign and defence policy; and network and information security) and argues that each is pushing forward public policy and challenging the private sector.

US developments

  • President Obama has finalised his proposal for the 2016 fiscal budget and is seeking $14 billion to support cybersecurity efforts.  The money is intended to deploy further intrusion detection and prevention capabilities throughout the public sector and to enable greater sharing of information with the private sector.  The largest portion of the proposed budget is allocated to the Pentagon, which has requested $5.5 billion in funding for cybersecurity.  The budget is now to be considered by the Republican-controlled Congress.  Read more here.

Attacks, statistics and other news

  • US health insurance company, Anthem, has reported that hackers have stolen personal information from a database containing information relating to up to 80 million people. The hackers have obtained names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data.  Anthem have alerted the FBI and hired cybersecurity firm FireEye to help investigate.  Read more here.
  • Software giant Adobe has issued its third security advisory of the year after discovering further vulnerabilities in its flagship Flash Player that can be exploited by malware.  Adobe warns that successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  An update to Flash Player is now available. Read more here.
  • James Lewis, a cybersecurity expert at the Washington-based Center for Strategic and International Studies, has argued that businesses should worry less about keeping attackers out of their networks and more about limiting the damage they can do once inside.  Mr Lewis advocates “air gapping”: physically isolating the most important parts of the computer infrastructure from the rest of the network, so that an attacker who has compromised the general network cannot reach them.  Opponents argue that this is an unnecessarily expensive practice for most businesses.
  • The tech press is reporting that the US, rather than Asia as commonly assumed, is the leading producer of malicious and privacy-intruding apps.  The research, conducted by Marble Security, found that 42% of dangerous apps came from US companies.
  • And finally…prominent hacker group Lizard Squad appears to have hijacked pop star Taylor Swift’s Twitter account, after a message was posted from it stating “go on follow my boy @lizzard”.  Twitter responded ‘swiftly’ by taking down the message and securing the account.  Safe to say that Ms Swift has managed to ‘Shake It Off’, posting “hackers gonna hack hack hack hack hack”.

This week’s update was brought to you by Katharine Alexander (Trainee Solicitor), Tom Pritchard (Paralegal) and Claire Walker (Head of Commercial Know-How).

Posted in cyber crime, cyber-privacy, cybersecurity, data, data breach, ENISA | 1 Comment
Tom Pritchard

Another weekly round-up of legal and regulatory developments and news in the field of cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.

UK developments

  • Andrew Gracie, the Bank of England’s Executive Director for Resolution, has called on companies to put their competitive objectives to one side and work together to combat cyber threats.  Gracie was speaking at the Cyber Defence and Network Security conference in London on 23 January 2015.  Read the speech in full here.
  • London is launching a cybersecurity technology business incubator in April 2015.  The incubator, named CyberLondon (or CyLon), will grant £5,000 each to ten teams, which will then be housed within the incubator for 13 weeks.  The incubator was founded by Alex van Someren of Amadeus Capital Partners; it is not-for-profit, however, and will not take equity stakes in any of the businesses.
  • The tech press is reporting that as part of the Cybersecurity Challenge UK, the defence firm QinetiQ has simulated cyber attacks in order to test 20 of the UK’s top amateur code breakers.  The amateurs were asked to intercept and prevent a real-time attack on a fictitious international publishing house.
  • Ofcom has published a document entitled “Promoting investment and innovation in the Internet of Things. Summary of responses and next steps” which summarises responses to a call for evidence. Priority areas include data privacy and network security and resilience. The focus is on ensuring that data is stored and processed securely. See paragraph 1.30 for proposed next steps, including amending guidance to relate specifically to the Internet of Things. Section 4 of the document goes into more detail.
  • Further to our update last week, controversial proposals by a group of Lords to introduce the 2012 Communications Data Bill by means of amendments to the Counter Terrorism and Security Bill have been withdrawn.  See BBC coverage here.  The BBC report suggests that a further attempt to reintroduce the provisions could be made unless the Home Office agrees to publish its latest draft of the Comms Data Bill – so Datonomy readers should watch this space.  For updates on the latest stages of the CTS Bill see this page of the Parliament website, and for a very useful potted history of the Communications Data Bill see this 15-page Parliamentary briefing paper published on 30 January 2015.

 

EU developments

  • Progress on GDPR: As Datonomy readers will be well aware, 28 January was Data Protection Day, and the third anniversary of the official publication of the Commission’s draft of the General Data Protection Regulation.  The EU Commissioners responsible for data protection (the Justice Commissioner Věra Jourová and Vice-President Andrus Ansip) marked the occasion with this detailed blog post taking stock of the procedural state of play on the Regulation. In line with recent statements from the Commission and Council Presidency, the post states: “The European Commission is pushing for a complete agreement between Council and European Parliament on the data protection reform before the end of this year.” This is the latest in a series of Commission-imposed deadlines; with a number of issues still to be agreed both within the Council, and then between the three institutions, it remains to be seen whether this will be achieved – we will continue to monitor progress.
  • Progress on the draft NISD: After a quiet patch on the draft Network and Information Security Directive (NISD), this document leaked to the Statewatch website sheds some more light on the state of play in trilogue negotiations between the three EU institutions.  In short, there remain significant differences between the Council and the European Parliament over – among other things – which critical infrastructure providers should be made subject to the new obligations to report cyber attacks.  The Council is due to hold further meetings to agree its own negotiating stance on 3 and 10 February, with a view to further trilogue meetings towards the end of February.  For Datonomy readers with an appetite for more detail, the leaked Council paper, which is 145 pages long, contains a detailed four-column table showing the current stances of the Commission, EP and Council respectively, and possible areas for compromise, on the entire draft Directive.
  • The trade press is reporting that business leaders and IT decision makers are generally ill-prepared for the changes that will be brought about by the NISD and GDPR, according to research conducted by IDG Connect on behalf of FireEye.  Confusion remains as to whether preparations can be put in place while the legislative wording is yet to be finalised. Read further coverage here and here, as well as the full report here.
  • The European Network and Information Security Agency (ENISA) has published its “Cloud Certification Schemes Metaframework” (CCSM).  The CCSM is an online tool to help customers assess the security of cloud services when procuring them: it sets out 27 security objectives against which existing cloud certification schemes are mapped, so that buyers can see what each scheme actually covers.  Udo Helmbrecht, the Executive Director of ENISA, hopes that this will greatly simplify the procurement of cloud services.
  • ENISA has also published its third annual “Threat Landscape” document.  The report analyses the top cyber threats currently facing the world.  Among the major changes noted in 2014: increased complexity of attacks, successful attacks on vital security functions of the internet, and successful international coordination of operations involving law enforcement and security vendors.

US developments

  • The American Chamber of Commerce in China (and 17 other US business lobbies) has asked the Chinese government to delay the implementation of new regulations requiring technology vendors to Chinese banks to undergo security testing.  Vendors face increased pressure to use Chinese encryption algorithms if they wish to continue working with China’s state-run financial institutions; opponents argue that this may lead to the disclosure of sensitive intellectual property.  Read more here.
  • The CEO of Marble Security, David Jevans writing for Forbes, has opined that cybersecurity threats will not only be addressed by government agencies and corporate America, but that not-for-profit businesses have a large and important role to play. Not-for-profit organisations such as the ShadowServer Foundation, Anti-Phishing Working Group (for whom Jevans is the chairman), Team Cymru and the Internet Systems Consortium, operate systems that detect attacks all over the internet and provide data services that are shared with banks, companies, and government agencies to help protect them against cyber attacks.

Attacks, statistics and other news

  • The Wall Street Journal is reporting that the increased threat of cyber attacks is driving the development of a new insurance market.  Demand for insurance policies that cover the fallout from hacking is rising, and while the policies have been available in the US for some time, the WSJ’s tech blog is now reporting that the European market is gathering momentum.
  • Singapore is set to bolster its public sector cybersecurity by appointing a minister and launching a dedicated government agency to deal with the threat.  The Cyber Security Agency of Singapore will commence operations on 1 April 2015.  Read more here.
  • Malaysia Airlines was hacked last week by the hacking group Lizard Squad.  The airline’s website was down for almost a full day, displaying Lizard Squad’s message “404 – Plane Not Found” (a reference to MH370, the missing aircraft).  Worryingly, the message also claimed that the site had been hacked by the “Cyber Caliphate”, raising suspicions that Lizard Squad, which had previously targeted only gaming services, may now be allied with the Islamic State.
  • The global hotel chain Marriott was warned about the vulnerability of its customers’ data by software developer Randy Westergren, who found problems with the company’s Android app.  Westergren discovered a security issue that exposed customers’ full names, postal and email addresses and credit card information.  Westergren and Marriott’s security team have since moved swiftly to address the issue.

 

This week’s Cyber update is brought to you by Datonomy bloggers: Katharine Alexander (Trainee Solicitor), Tom Pritchard (Paralegal) and Claire Walker (Head of Commercial Know-How).

Posted in cyber crime, cyber-privacy, cybersecurity, data, data breach, data protection regulation, Datonomy, ENISA | 1 Comment
Ross McKean

The UK Competition regulator, the Competition and Markets Authority, has just launched a call for information into the commercial use of consumer data. Given the exponential rise of data as a business asset in the digital age, competition regulators and commentators have been talking about personal data as a potential anti-trust issue for some time; this inquiry is a first step in the direction of potential competition intervention in an area hitherto the preserve of privacy regulators. Businesses wishing to share information with the CMA (and the wider world) about how they collect and monetise data have until 6 March to respond.

The CMA published its “Call for information: the commercial use of consumer data” on 27 January. The purpose of the fact-finding exercise is to “understand the potential for the collection and use of consumer data to generate concerns, both in terms of competition and markets, as well as consumer protection”. The document seeks responses from (among others) organisations collecting consumer data and infomediaries who process and analyse such information. There are 12 specific questions relating to the following 4 broad areas:

  • The consumer data collected and sold, and its value
  • Uses to which the data is put and any restrictions in gaining access to it
  • The benefits to, and risks to, both consumers and businesses of using this data
  • The policy implications and future developments

Competition regulators’ interest in personal data is not new: for example, in 2012 the then EU Competition Commissioner Joaquin Almunia gave this speech in which he highlighted the need for competition policy to be “vigilant” to the commercial use (and potential abuse) of data. His successor, Margrethe Vestager, in her hearing before the EP acknowledged the role of data as the “new currency of the Internet”. As she considers the next steps in the probe into Google’s dominance in search advertising markets, it will be interesting to see what stance EU policy will take on data. Last but not least, the new European Data Protection Supervisor, Giovanni Buttarelli, has recently called for a more joined-up approach between competition and data regulators, following on from his predecessor’s opinion on “privacy and competitiveness in the age of big data”, published in March 2014.

With regulators (both competition and privacy) taking an ever keener interest in businesses’ use and abuse of personal data, organisations should be mindful that any information they elect to share with the CMA potentially becomes disclosable (to regulators, to rivals, to the press) under the Freedom of Information Act, as explained by the CMA in this note. Some of the questions – for example on how firms use data and share it with other organisations, and on how it is collected (and in particular how well consumers understand and consent to these uses) have the potential for self-incrimination.

As Datonomy readers may already be aware, today is Data Protection Day, an annual event initiated in 2007 to raise awareness of data protection. Although the CMA was one day early, the timing of the Call For Information is fitting in this sense, in that it shows that data is now officially on the radar of anti-trust as well as privacy regulators – and if that doesn’t serve to raise personal data up the business agenda, nothing can.

Datonomy wishes all its readers a happy, and competitive, Data Protection Day 2015!

Posted in EDPS Opinions, FoI, freedom of information | Leave a comment
Katharine Alexander

A weekly round-up of legal and regulatory developments and news in the field of cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.

UK developments

  • Further to our coverage last week of UK/US collaboration on cybersecurity, the issue continues to receive much coverage in both the mainstream media and the trade press. The tech press gave positive coverage to David Cameron’s recent trip to the US, on which he took a delegation of UK cybersecurity companies to meet the Obama administration about responses to cyber threats.  Mr Cameron has appointed Andy Williams of techUK’s Cyber Connect project as the UK cyber envoy, to be based in the British Embassy in Washington, DC.
  • The first initiative in this UK/US collaboration will be the planned “war games” to test each other’s preparedness for a cyber attack.  The drill will simulate attacks on the City of London and Wall Street in order to test the resilience of financial institutions.  In order to plan further joint war games, Cameron and Obama have spoken of setting up cyber cells either side of the Atlantic in which GCHQ and the NSA can share information and review strategies. In a second initiative, MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) will compete against the University of Cambridge in a ‘hackathon’ as part of an attempt to share expertise.
  • British high street shoe retailer Office has given an undertaking to the Information Commissioner’s Office after a recent data breach exposed more than one million customers’ details.  ICO officials have said that the hack highlights two important issues: the unnecessary retention of older personal data and the lack of security in hosting infrastructure. In response, Office has given undertakings with regard to penetration testing, implementing new policies (including data retention and disposal) and staff training (read the full undertaking here).
  • Last week, a cross-party group of peers tabled amendments to the Counter Terrorism and Security Bill; these changes seek to introduce the extended law enforcement powers, originally proposed by the 2012 Communications Data Bill, to access internet data. The Lords are due to debate the proposals this afternoon (Monday 26 January). Full information about the stages of the current Bill can be found on the parliament website here.

EU developments

  • The European Network and Information Security Agency (ENISA) has published a guide detailing the current information-sharing landscape in the context of cybersecurity information that requires reporting.  The report then outlines a series of existing tools and standards, best practices and recommendations for improvement.
  • ENISA’s Executive Director, Udo Helmbrecht, participated in the discussion panel regarding “Secure identities – An effective tool to increase information security?” at the Omnicard event in Berlin on 21 January 2015. The panel discussed the challenges to electronic identification procedures being made secure for both businesses and individual consumers using everyday online services.
  • The European Commission has announced that the Cybersecurity & Privacy Innovation Forum will be held on 28-29 April 2015 in Brussels.  The forum aims to bring policy-makers and researchers together in order to discuss future challenges and research priorities.
  • GDPR – latest predictions on adoption: In the long-running saga of negotiations to agree the draft GDPR, which includes revised rules on data security and data breach notification, the latest prediction comes from Commission Vice President for the Digital Single Market, Andrus Ansip. According to this interview reported by the Euractiv service, Mr Ansip stated “The Data Protection regulation discussions can and should be finalised in 2015. This is one of the Commission’s top priorities” and that he believes the next hurdle – general agreement by the Council on the draft – can be achieved by the end of June 2015.  However, this is just the latest in a series of target dates which have come and gone.  On 22 January, Jan Albrecht (the EP’s Rapporteur for the proposal) was quoted as saying he was optimistic that the Council would reach its negotiating position by the summer, and that he was “optimistic we can reach a solution in 2015”.  Even if the Council reaches its common position by the summer, the three institutions still need to hammer out a compromise text before the measure can be adopted.  Some commentators are sceptical that the measure will be adopted before 2016 – and then there will be a two-year lead-in period before the Regulation takes effect.
  • In related news, viEUws, the EU policy broadcaster, hosted an online debate regarding the European Commission’s General Data Protection Regulation (GDPR) this week.  Discussion focused on public confidence in the GDPR given the legislative hold-up and harmonisation with any potential ePrivacy directive.

US developments

  • President Obama used his State of the Union speech to reinforce his recent legislative push for greater cybersecurity.  The speech mirrored his recent legislative language, focussing on three specific issues: cybersecurity information sharing, modernisation of law enforcement agencies against cyber crime and national data breach reporting.

Attacks, statistics and other news

  • Coinciding with last week’s World Economic Forum in Davos, the newly published 2015 edition of the WEF’s Global Risks report lists cyber attacks among the most likely high-impact threats in the modern world (behind only water crises, interstate conflict and failure of climate-change adaptation).  The WEF report highlights the serious dangers associated with cyber threats, including interstate conflict, terrorism and the proliferation of WMDs.  In addition, the report stresses how interconnectivity has broadened the potential effects of cyber threats, noting “Assessments must go beyond cybersecurity, as the risks are not just about external threats but also about the fundamentally unstable dynamics of digital infrastructures and the complex, chaotic and unpredictable ways they can interact with civic, social and economic systems.”
  • Cisco’s 2015 Annual Security Report suggests that government agencies, in general, appear to be better able to cope with data breaches/have stronger cybersecurity than the private sector.  About 43% of the public sector fell into the “highly sophisticated” category while financial services and pharmaceutical companies registered 39% and 32% respectively.
  • The tech press are reporting that this year’s ESG IT spending intentions survey has revealed that “security/IT risk management initiatives” is the most popular initiative driving IT spending at large organisations this year.  This marks the first year that security has topped the list.
  • According to the IT Governance blog, one of Australia’s largest travel insurance companies, Aussie Travel Cover, has attracted criticism for failing to notify customers following a recent cyber attack.  Having become aware of the attack on 18 December 2014, it notified third-party agents on the 23rd but never notified customers, despite 870,000 records (including names, phone numbers, email addresses, travel dates and policy details) being affected.  Guidance from the Office of the Australian Information Commissioner strongly recommends notifying affected individuals.

More cyber news from the Datonomy team at Olswang next week.

 

Posted in cyber crime, cyber-privacy, cybersecurity, data breach, privacy, identity, sensitive personal data | Leave a comment
Katharine Alexander

With cyber attacks now routinely in the headlines, the global cost of cybercrime estimated at $400 billion for this year and governments responding with a host of counter-measures, the Datonomy team is launching a weekly round-up to help you stay up to date with the latest legal, regulatory and news developments from around the world. Given the inextricable link between data privacy and cybersecurity, we hope that Datonomy’s growing readership will find this update useful. We look forward to hearing your comments, and welcome news and updates from Datonomy readers around the globe.

UK developments

  • Cyber security was again front page news last week with the announcement by the UK and US that they will stage cyber attack war games, initially in the financial services sector, and improve the exchange of cyber intelligence between the two powers – read the BBC’s coverage here. In related news, twelve UK cyber defence firms, including Darktrace, Cambridge Intelligence and Digital Shadows, have joined David Cameron on his trip to the US to discuss cybersecurity with the Obama administration.  The effort hopes to reinforce the international perception of the UK as a leading player in terms of the skills, knowledge and intellectual property in cyber defence.
  • The UK government has published updated cybersecurity guidance for businesses (originally published in 2012).  In a joint report by CESG, the Cabinet Office, the Centre for the Protection of National Infrastructure and DBIS, a 10 step approach to strengthening information risk management regimes is presented as the most cost-effective way to protect businesses against cyber threats. Although the 10 steps themselves are unchanged, the updated guidance includes a new paper entitled “Common Cyber Attacks: Reducing The Impact”.

EU developments 

  • Progress on the draft EU Network and Information Security Directive: This update will keep a keen eye on the progress of the EU’s proposed Network and Information Security Directive, also known as the Cyber Security Directive. As Datonomy readers will be aware, it is almost two years since the European Commission published its proposals, which include the mandatory reporting of cyber attacks by providers of key infrastructure – see our original summary here and our status update as at the end of October 2014 here. A revised draft (with significantly narrowed scope) was passed by the European Parliament in March 2014, and trilogue negotiations between the Commission, Parliament and Council to finalise the Directive began in October and were predicted (by the Council) to conclude in early December. However, there have been no official progress reports since November. The scope of the “market operator” definition – and in particular whether ecommerce and social networks should be caught (as per the Commission’s original proposal) or not (as per the Parliament’s text) – is one key area of debate. It remains to be seen when the Directive will be adopted; the incoming Latvian Presidency of the Council has included it among its policy priorities for the six months ahead. Once adopted, Member States are likely to be given an 18 month transposition deadline – although some Member States, such as France and Germany, are already pre-empting it with new cyber legislation.  Watch this space for future updates.
  • The European Network and Information Security Agency (ENISA) has published a report aimed at internet infrastructure owners and operators highlighting the threat landscape and best practice with regard to cybersecurity.  The report details specific threats that can disrupt connectivity, including: routing threats, DNS threats and denial of service threats.
  • ENISA has also published its findings in relation to the draft Network and Information Security Directive (NISD) specific to the EU’s finance sector.  Despite varying approaches in the 28 member states, the study largely demonstrates a good understanding of the risk landscape and appropriate response strategies within the sector.
  • To cap off a busy week, ENISA has published another new report, “Privacy and Data Protection by Design – from policy to engineering”, detailing leading privacy design strategies.  The report lays out a plan to marry the EU’s existing legal framework with expected technological implementation measures in the field.  Targeted towards data protection authorities, policy makers, regulators, engineers and researchers, the report suggests producing further incentives for adopting privacy by design measures and new standards for electronic communication.
  • A recent survey of French, German and British companies found that only 39% of organisations have met the requirements proposed under the draft NISD, and even fewer (20%) those of the draft General Data Protection Regulation (GDPR).  The survey details the strain placed on in-house IT departments to pay for and implement the additional hardware, software and security policies needed.

US developments 

  • Following recent reports of the resurfacing of a Cybersecurity Bill in Washington, President Obama is pushing forward in attempting to implement the findings of his Cyberspace Policy review with a host of new legislative proposals focused on the following issues: enabling cybersecurity information sharing between the private sector and the government, modernising law enforcement authorities to combat cyber crime and harmonising national data breach reporting protocols.  Within the legislative proposal is a specific bill, the Student Digital Privacy Act, preventing companies from selling student data to third parties, and another, the Personal Data Notification & Protection Act, mandating that companies alert consumers within 30 days of discovering a security breach involving customer information.  President Obama does however face an uphill challenge to get the legislation approved with a Republican-led Congress, which he has already threatened with three vetoes within the first week of sitting.  Read more here and here.
  • Vice President Joe Biden has announced an additional $25 million in funding for cybersecurity education efforts across the US.  The investment, which will mainly go to 13 historically black colleges and universities, aims to respond to the finding that demand for cybersecurity workers is growing 12 times faster than the US job market as a whole.

Attacks, statistics and other news

  • In the biggest cyber news story of the past seven days, the Obama administration was given a stark reminder of the threat posed by hackers after the US military’s Central Command Twitter account was allegedly hacked by ISIS this week. The terrorist group posted the message, “American soldiers, we are coming, watch your back. ISIS” on the account and provided a link to a statement claiming that the terror cell was already inside all of the military’s computers.
  • Cybercrime has even made it onto the agenda for this week’s annual World Economic Forum in Davos, Switzerland.  The over 40 heads of state attending want to advance discussion of cybersecurity after an estimate that cyber crime will cost the world around $400 billion this year. See the 2015 edition of the WEF’s Global Risks Report, available here.
  • The Australian government are concerned about the rising threat of cyber espionage after reports that Chinese spies have stolen the designs of its new F-35 Joint Strike Fighter jet.
  • The threat of cyber attacks from criminal gangs in Russia and China is not abating, according to a top-secret US cybersecurity report.  The report points to the failure of public and private entities to implement sophisticated encryption technologies fast enough.
  • Venture capital funding in new cybersecurity companies increased by more than a third in 2014, according to research company Privco, as reported by the FT.  Over $2.3 billion was invested last year as high-profile hacks fuelled early-stage investment in online security companies.
  • Games developer Money Horse has been forced to abandon the development of its game “Glorious Leader!”  The game allowed players to assume the role of the North Korean leader as he bids to take on the US Army.  Hackers recently penetrated the game’s data files and shut down production completely.

More cyber news from the Datonomy team next week.

