Datonomy will be taking a short break over the upcoming UK bank holiday, so here is this week’s round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP, a little sooner than usual.
UK policy and regulatory developments
- CERT-UK has published its first annual report detailing the major pieces of malware that have operated in the UK over the last year (spread by criminal groups and nation states), a sector breakdown, a review of the Cyber Europe 2014 programme and the Cyber Security Information Sharing Partnership (CiSP), in addition to six predictions for 2015/2016, that include:
- The supply chain will be hit hard (following the supply-chain weaknesses exploited in the attacks on the US companies JP Morgan, Target and Home Depot, the threat is expected to cross the Atlantic this year);
- Mobile devices will be a single point of failure for business and consumers (due to BYOD culture and the sharing of operational code with desktop computers);
- We will see another Shellshock or Heartbleed (i.e. another widely exploited vulnerability in a ubiquitous software component; Shellshock was in the Bash shell and Heartbleed in the OpenSSL library rather than in an operating system as such, which is why both were so widespread);
- We will see the largest data breach ever;
- The Cyber Criminal Marketplace will become more accessible, and
- Consumers will expect better security.
- OCR (Oxford Cambridge and RSA) has drafted a new Computer Science GCSE which is to include several cybersecurity elements. If the GCSE is approved (it is due to be submitted to Ofqual next week), then secondary schools will begin to teach the basics of cybersecurity such as identifying and addressing phishing, malware, issues relating to firewalls and human error in security systems.
- The Department for Business, Innovation and Skills has announced the addition of another participating company to the Cyber Security Suppliers to Government scheme. Capgemini UK can now advertise itself as a company supplying cybersecurity products and services to the UK government and use the government’s logo in marketing materials, the aim of the scheme being to increase the UK’s cybersecurity exports.
EU policy and regulatory developments
- Network and Information Security Directive (NISD): the draft Directive was due to be discussed yesterday by the Council of the European Union’s Working Party on Telecommunications and Information Society, according to this agenda, but there do not appear to be any public domain progress reports. The Council’s Consilium website has noted the existence of two further Presidency discussion documents dated 18 and 21 May respectively, but as is normal practice these have not yet been uploaded to the site, and the documents do not appear to have entered the public domain as yet.
- General Data Protection Regulation (GDPR) – the latest on fines: The latest position of the Council regarding fines and other remedies under the GDPR has been leaked on Statewatch.org. It indicates that the Member States favour fines of 0.5%-2%, as per the Commission’s original proposal, rather than the fines of up to 5% favoured by the Parliament’s 2014 text. Even so, as these percentages are linked to global turnover, they are still potentially enormous. Under the leaked document, national data protection agencies would have discretion as to how to apply such fines.
- Progress on the GDPR in general: As Datonomy readers will be aware, the Council has reached partial agreement on various aspects of the Regulation, but note that “nothing is agreed until all is agreed” – i.e. it cannot enter into trilogue negotiations with the other two institutions until it has concluded its own negotiating stance on the Regulation as a whole. The IAPP, on its website PrivacyAssociation.org, is reporting that the Council’s Data Protection and Information Exchange (DAPIX) working group, responsible for examining the Commission’s GDPR proposal in detail, has held its last meeting under the current Latvian Presidency, whose term ends at the end of June. According to the IAPP blog post, the intention is to agree the Council’s general approach (i.e. its negotiating stance on all 11 Chapters of the Regulation) during what remains of the Latvian Presidency, at the meeting of the Justice and Home Affairs Council on 15-16 June 2015 – even if it means a marathon lock-in, as reported here by the IAPP in March.
- The European Union Agency for Network and Information Security (ENISA) is reporting that the first pan-European Cyber Security and Privacy Challenges for Law Enforcement conference went well on 18-19 May 2015. The conference, co-organised with the Heraklion (Crete) Chamber of Commerce and Industry, focused on the interplay between cybersecurity, privacy and law enforcement, with speakers from the Hellenic Cyber Crime Unit, Europol, Microsoft, Symantec and PwC, amongst others. The conference publicly concluded that more needs to be done to harmonise policy across the EU and to protect the sensitive sectors of finance, healthcare and infrastructure.
- EurActiv is reporting that European Commission Vice-President Andrus Ansip has had to publicly defend the Commission’s Digital Single Market plans against accusations that it was planning to create backdoors in encryption technology to enable third parties to access secure digital communications. Ansip has commented, “Trust is a must and we don’t want to destroy the people’s trust by creating backdoors in identification systems”.
- The German banking regulator (BaFin) has issued a draft paper requiring greater safety when processing internet payments. The paper aims at combating fraud in online payment transactions by implementing certain measures, e.g. strong customer authentication, the protection of sensitive payment data and the improvement of customer protection. Read Olswang’s analysis of the German IT and Data Protection landscape here.
US policy and regulatory developments
- The Securities and Exchange Commission (SEC) recently published cybersecurity guidance for investment companies and investment advisers. Given that investment firms and advisers hold a wealth of very private and valuable data, and that the financial industry as a whole has been regularly targeted by hackers, the guidance may serve as a tacit indication that the SEC believes insufficient resources are currently being devoted to the issue. Accordingly, the guidance sets out a series of best-practice measures to address the legal, compliance and business risks posed by cyber threats.
Asia policy and regulatory developments
- Channel News Asia is reporting that the Cyber Security Agency of Singapore (CSA) has signed a memorandum of understanding with the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI, the French national cybersecurity authority). The agreement reportedly aims to strengthen collaboration between the two nations within the cyber sphere.
Attacks, reports and other news
- SC Magazine is reporting that the personal data of over one million CareFirst customers was exposed by a data breach in June 2014, yet the details are only just becoming public. The US-based company, a subsidiary of BlueCross BlueShield, apparently discovered the breach having hired Mandiant to perform a routine assessment of its IT systems. Reportedly, the names, dates of birth, and ID numbers of 1.1 million customers were compromised.
- BBC News is reporting that mSpy, a company selling software that allows users to track others’ online behaviour (primarily used by parents, employers and spouses to monitor their children, employees and partners), has itself been hacked. The company is reporting that 80,000 customers’ personal data has been compromised and is now available on the dark web (Tor hidden services where data can be bought and sold anonymously).
- In another story of digital comeuppance, Channel 4 News is reporting that the adult dating site AdultFriendFinder.com has suffered an attack, causing the (very) personal data of 3.9 million of its 64 million members to be compromised. Users’ sexual preferences and their availability for an extramarital affair, in addition to their email addresses, dates of birth and post codes, are being sold on the dark web. The company is currently working with digital forensic experts and law enforcement agencies to identify those responsible and to have the data taken down, although once data has been copied and sold in this way there is no practical means of recovering it.
- The tech-focussed research firm, Technavio, has concluded a report on the future of the cybersecurity market in Europe through 2019 (read a précis here or purchase the full report for $3,000). The report predicts yearly growth of almost 13%, primarily driven by the enhanced threats of “bring your own device” (BYOD) mobile work solutions, in addition to cloud-based vulnerabilities.
- TechSci Research’s report “Global Cyber Security Market Forecast & Opportunities, 2020” is predicting that the global cybersecurity market will reach $123 billion by 2020. As with the above report, TechSci are predicting that cloud computing vulnerabilities will provide great opportunities for the industry, but they also list state sponsored attacks as another major driver.
- The International Business Times is reporting that hackers recently managed to infiltrate a video billboard in downtown Atlanta, Georgia and replace the advertisement with an image of a naked man. The hacker group Assange Shuffle Collective has taken credit for the hack, which was apparently possible because the billboard’s internet-connected remote administration system used an easy-to-guess password. There was little the billboard owner, Yesco, could do except pull the plug. The lesson is a familiar one: a management interface should not be reachable from the open internet at all, and where it must be, it needs a strong, unique credential rather than a default or guessable one.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Client Knowledge.