The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- Given that passwords are often a weak point in user security, CERT UK have focused on Windows 10 and Yahoo’s new approach to the topic. Windows 10 is developing a series of biometric tools (such as fingerprint, facial and iris recognition), whereas Yahoo is developing a system to provide one-time passwords every time a user tries to log in. See CERT UK’s weekly update for 19 March 2015 here.
- CERT’s latest weekly update also contains a plug for its recently published 12-page guidance “Cyber Security risks in the supply chain”. This illustrates recent examples of supply chain compromise, including those arising from third party software providers, website builders, third party data stores and watering hole attacks.
- The Department for Business, Innovation & Skills has updated its “Cyber security supplier to government scheme”. The scheme, which allows cybersecurity firms contracted by the UK government to refer to this fact publicly (usually for the purpose of increasing legitimacy and pursuing overseas business), has now added the cybersecurity training and advisory firm, Templar Executives.
EU policy and regulatory developments
- The European Union Network and Information Security Agency (ENISA) Executive Director, Udo Helmbrecht, spoke to the EU Security and Defence subcommittee on Monday, 16 March 2015. Helmbrecht stressed the importance of the EU’s Computer Emergency Response Teams (CERTs) in developing ‘baseline capabilities’ for pan-European cybersecurity. The speech summarises ENISA’s progress in the following areas: pan-European cyber exercises, national cybersecurity strategies, critical information infrastructure, incident reporting, cryptography research and tools and ‘security by design’ and digital sovereignty (i.e. making the EU the single market of choice for governments and industry). On the topic of incident reporting, the speech notes that ENISA has issued four annual incident reports on telecoms operators, and that it has worked with National Regulatory Authorities and national DPAs to develop a common approach to incident reporting in Europe. Read the full speech here.
- NISD: there is no further news since the Council’s announcement on 11 March that it is ready to start trilogue negotiations with the EP and Commission in April. On 16 March this new page was posted on the European Commission’s website providing a general overview of the proposed Directive. No further official documents have been published on the Consilium website this week.
- GDPR: The Regulation is inching forward. Although there are no new developments in relation to the data security and breach notification provisions, on 13 March the Council announced it had reached a partial general approach on two further (and important) aspects of the draft Regulation. These are the provisions on the One Stop Shop approach to enforcement set out in Chapters 6 and 7; and the principles for processing personal data in Chapter 2. The Statewatch site published a revised version (dated 13 March) of Professor Steve Peers’ analysis document “The Proposed Data Protection Regulation: What Has The Council Agreed So Far?” There has been much press coverage of the Council’s proposal on the One Stop Shop, and in particular its impact on US tech companies with an EU base in Ireland, including this critique on The Register and this coverage in The Irish Times. In terms of overall timetable, the latest targets are for the Council to reach a common position (i.e. agree its negotiating stance) on all aspects of the Regulation by June and for trilogue negotiations between the three institutions to be completed by the end of 2015.
US policy and regulatory developments
- Following the approval of the revised Cybersecurity Information Sharing Act by the Senate Intelligence Committee on 13 March 2015, the amendments to the Bill have now been made public. The new wording addresses serious privacy concerns shared by many businesses and consumers. In an attempt to allay those concerns, the new wording emphasises that all information sharing is completely voluntary, companies must take proactive steps to remove irrelevant information before sharing, companies must obtain consent from customers before monitoring their networks and the use of narrower definitions has helped to limit the amount of information that can be shared. The Senate is scheduled to vote on the Bill on Monday, 23 March 2015. Read further commentary by The National Journal here.
- Reuters is reporting that the EU and Japan have now joined the US in opposing Chinese cybersecurity rules. As previously reported on Datonomy, China’s proposed cybersecurity rules would require foreign technology companies to hand over encryption keys and passcodes protecting data to Chinese authorities. US criticisms are now being echoed by European and Japanese representatives. China is yet to provide any flexibility on the issue; consequently, it appears likely that the issue will be raised at the World Trade Organisation’s next meeting on the grounds that it is a potential technical trade barrier.
Attacks, reports and other news
The threat landscape
- US retailer Target has reached a provisional settlement with the Minnesota state court to pay $10 million to those affected by the high-profile hack Target suffered in 2013. The settlement still needs to be approved by the federal court, but the terms indicate that affected individuals will be able to claim up to $10,000 each via a specific online claims portal. The settlement also requires Target to employ a Chief Information Security Officer and to update its information security policy. However, the final hearing regarding the terms of the settlement will not take place until 10 November 2015. For more regarding the original attack read Olswang’s analysis here.
- US health insurance company, Premera Blue Cross, has recently made public the fact that a cyber attack on the company occurred in January 2015. The hackers responsible for the attack may have gained access to approximately 11 million customers’ names, dates of birth, Social Security numbers, addresses, bank account information and claim information. The FBI has now been brought in to investigate, but Washington state Insurance Commissioner Mike Kreidler has expressed concern regarding the delay between the attack and the public announcement. A series of other smaller US health insurers have also been attacked, as detailed here by IT Governance.
- South Korea’s Korea Hydro and Nuclear Power Company suffered a cyber attack by an unidentified hacker back in January 2015. South Korean investigators have now accused North Korea of perpetrating the attack after it was discovered that the code used in the attack was similar to that which North Korean hackers normally employ.
- The Guardian will be gathering a panel of information security and tech experts together to conduct a live Q&A session regarding “managing a cyber attack”. The panel will feature experts from The Guardian, Symantec, Olswang and Context Information Security. The Q&A session will begin at 1pm (GMT) on Wednesday, 25 March 2015 (finishing at 2:30 pm).
- Reuters is reporting that a spate of cybersecurity firms plan to go public in 2015 in order to capitalise on investor interest in the wake of cybersecurity’s recent rise up the corporate agenda. US based firms such as Rapid7, LogRhythm and Mimecast are all seeking valuations in excess of $1 billion.
- US defence and security firm, Raytheon, is reportedly set to continue bolstering its cybersecurity capabilities. Following the recent acquisition of cybersecurity company, Blackbird, for $420 million, the company is now looking at spending $1 billion on cyber software company, Websense.
- The cybersecurity firm, Darktrace, has recently announced that it will be investing $18 million in hiring new recruits. CEO, Nicole Eagan, is particularly keen to narrow the gender gap within the industry by looking for more female recruits. While technology companies have historically been dominated by a male workforce (75%), the information security sector is even more imbalanced, with only 11% of the workforce being female according to Eagan’s recent interview with Upstart Business Journal.
- And finally… This article on co.uk reports on some recent research commissioned by Fujitsu which found that 61% of IT Directors welcomed the proposed introduction of higher fines for data breaches under the GDPR, in order to focus minds on IT security. 80% of those 150 UK companies (of various sizes) also expressed the view that tighter data protection rules are needed.
Contributors to this week’s update: Tom Pritchard, Paralegal, Katharine Alexander, Trainee Solicitor and Claire Walker, Head of Commercial Know How.