A weekly round-up of legal and regulatory developments and news in the field of cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.
- Further to our coverage last week of the UK/US collaboration on cybersecurity, the issue continues to receive much coverage in both the mainstream media and the trade press. The tech press gave positive coverage of David Cameron’s recent trip to the US, on which he took a delegation of UK cybersecurity companies to meet the Obama administration about responses to cyber threats. Mr Cameron has appointed Andy Williams of Tech UK’s Cyber Connect project as the UK cyber envoy, to be based in the British Embassy in Washington, DC.
- The first initiative in this UK/US collaboration will be the planned “war games” to test each other’s preparedness for a cyber attack. The drill will simulate attacks on the City of London and Wall Street in order to test the resilience of financial institutions. In order to plan further joint war games, Cameron and Obama have spoken of setting up cyber cells on either side of the Atlantic in which GCHQ and the NSA can share information and review strategies. In a second initiative, MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) will compete against the University of Cambridge in a ‘hackathon’ as part of an attempt to share expertise.
- British high street shoe retailer Office has given an undertaking to the Information Commissioner’s Office after a recent data breach exposed more than one million customers’ details. ICO officials have stated that the hack highlights two important issues: the unnecessary storage of older personal data and the lack of security in hosting infrastructure. In response, Office has given undertakings with regard to penetration testing, implementing new policies (to include data retention and disposal) and staff training (read the full undertaking here).
- Last week, a cross-party group of peers tabled amendments to the Counter Terrorism and Security Bill; these changes seek to introduce the extended law enforcement powers, originally proposed by the 2012 Communications Data Bill, to access internet data. The Lords are due to debate the proposals this afternoon (Monday 26 January). Full information about the stages of the current Bill can be found on the parliament website here.
- The European Network and Information Security Agency (ENISA) has published a guide detailing the current information-sharing landscape in the context of cybersecurity information that requires reporting. The report then outlines a series of existing tools and standards, best practices and recommendations for improvement.
- ENISA’s Executive Director, Udo Helmbrecht, participated in the discussion panel regarding “Secure identities – An effective tool to increase information security?” at the Omnicard event in Berlin on 21 January 2015. The panel discussed the challenges to electronic identification procedures being made secure for both businesses and individual consumers using everyday online services.
- The European Commission has announced that the Cybersecurity & Privacy Innovation Forum will be held on 28-29 April 2015 in Brussels. The forum aims to bring policy-makers and researchers together in order to discuss future challenges and research priorities.
- GDPR – latest predictions on adoption: In the long-running saga of negotiations to agree the draft GDPR, which includes revised rules on data security and data breach notification, the latest prediction comes from Commission Vice President for the Digital Single Market, Andrus Ansip. According to this interview reported by the Euractiv service, Mr Ansip stated “The Data Protection regulation discussions can and should be finalised in 2015. This is one of the Commission’s top priorities” and that he believes the next hurdle – general agreement by the Council on the draft – can be achieved by the end of June 2015. However, this is just the latest in a series of target dates which have come and gone. On 22 January, Jan Albrecht (the EP’s Rapporteur for the proposal) was quoted as saying he was optimistic that the Council would reach its negotiating position by the summer, and that he was “optimistic we can reach a solution in 2015”. Even if the Council reaches its common position by the summer, the three institutions still need to hammer out a compromise text before the measure can be adopted. Some commentators are sceptical that the measure will be adopted before 2016 – and then there will be a two-year lead-in period before the Regulation takes effect.
- In related news, viEUws, the EU policy broadcaster, hosted an online debate regarding the European Commission’s General Data Protection Regulation (GDPR) this week. Discussion focused on public confidence in the GDPR given the legislative hold-up and harmonisation with any potential ePrivacy directive.
- President Obama used his State of the Union speech to reinforce his recent legislative push for greater cybersecurity. The speech mirrored his recent legislative language, focussing on three specific issues: cybersecurity information sharing, modernisation of law enforcement agencies against cyber crime and national data breach reporting.
Attacks, statistics and other news
- Coinciding with last week’s World Economic Forum in Davos, the newly published World Economic Forum 2015 report into global risks lists cyber attacks among the most likely high-impact threats in the modern world (behind only water crises, interstate conflict and failure of climate-change adaptation). The WEF report highlights the serious dangers associated with cyber threats, including interstate conflict, terrorism and the proliferation of WMDs. In addition, the report stresses how the power of interconnectivity has broadened the potential effects of cyber threats, noting “Assessments must go beyond cybersecurity, as the risks are not just about external threats but also about the fundamentally unstable dynamics of digital infrastructures and the complex, chaotic and unpredictable ways they can interact with civic, social and economic systems.”
- Cisco’s 2015 Annual Security Report suggests that government agencies, in general, appear to be better able to cope with data breaches and to have stronger cybersecurity than the private sector. About 43% of the public sector fell into the “highly sophisticated” category, while financial services and pharmaceutical companies registered 39% and 32% respectively.
- The tech press are reporting that this year’s ESG IT spending intentions survey has revealed that “security/IT risk management initiatives” is the most popular initiative driving IT spending at large organisations this year. This marks the first year that security has topped the list.
- According to the IT Governance blog, one of Australia’s largest travel insurance companies, Aussie Travel Cover, attracted criticism for failing to notify customers following a recent cyber attack. Having become aware of the attack on 18 December 2014, the company notified third-party agents on the 23rd but never notified customers, despite 870,000 records (which included names, phone numbers, email addresses, travel dates and policy details) being affected. The Australian Information Commissioner’s Office guidance strongly recommends notifying individuals.
More cyber news from the Datonomy team at Olswang next week.