The latest round-up of regulatory news from the Datonomy blogging team at Olswang LLP.
Reports and statistics
The Ponemon Institute has published its 10th annual benchmarking study into the Cost of Data Breach for the US. The study, which drew on a sample of 62 US companies in 16 sectors, reports the following headline statistics:
- $6.5m is the average total cost of data breach
- 11% increase in total cost compared to last year
- $217 is the average cost per lost or stolen record (up 8%)
- Malicious or criminal attacks continue to be the primary cause of breach, and these were also the most costly breaches.
Olswang will provide further coverage of the latest Ponemon findings in its Q2 Cyber Quarterly.
UK policy and regulatory developments
- CERT-UK: CERT’s latest weekly update is available here and highlights the risk from phishing attacks launched by means other than email (e.g. text and instant messaging apps) along with its latest vulnerabilities summary.
- Investigatory Powers Bill: while not strictly a cyber-specific measure, the revival by the new Government of proposals to update and extend the UK’s communications data regime has been attracting much press comment and speculation. The plans were unveiled, as expected, in the Queen’s Speech on 27 May. At the time of writing, the text of the draft Investigatory Powers Bill has yet to be published. See the Guardian’s coverage here for more background.
- Cyber priorities for the new Parliament: The House of Commons Library service has published a briefing paper for MPs “Key issues for the 2015 Parliament”. This includes a short section on cybercrime and cyber security issues which, while not “new news”, provides a useful overview.
- ICO action targets supply chain weakness: The ICO’s recent follow-up assessment of, and follow-up undertaking from, Oxford Health NHS Foundation Trust highlights some common data security weak spots. The Trust was required to give an undertaking in 2014 following two data breaches, one of which stemmed from errors by a data processor who posted a file of patient data online in the course of migrating a website. The undertaking required the Trust to address supply chain compliance in various ways, including better due diligence on processors, the use of Privacy Impact Assessments and appropriate processor clauses, and appropriate breach management plans. The ICO’s latest action does not set any new precedents, but it does serve as a reminder that a data controller’s compliance is only as good as that of its weakest link – often its supplier – and that the ICO will keep a close eye on data controllers who have previously been found to have breached the DPA.
- Financial Services sector: In a recent speech, Nausicaa Delfas, Director of Specialist Supervision at the FCA, stressed that cyber risk is high on the FCA’s agenda, operational risk being the “single largest risk class for most of our solo-regulated firms”.
EU policy and regulatory developments
- Last week saw the European Commission’s Second High-Level conference on the EU Cyber Security Strategy, more details here.
- NISD progress? Despite the fact that one of the aims of the above conference was to “explore the way forward regarding the proposal for a Network and Information Security Directive”, there is (as usual) a dearth of public-domain information about the latest procedural progress. An article on the Euractiv service reports the frustrations of the Latvian Presidency, which is trying to get the Directive agreed before the end of its term at the end of June. The article does not give a specific progress update, but indicates that certain Member States “are stalling talks by protesting the mandatory reporting clause”.
- The recent spate of cyber attacks against the media was the subject of discussion by the European Parliament on 27 May – more details here.
- GDPR progress: On 26 May EU Justice Commissioner Jourova made a speech in which she stated she was confident that the Council of the EU would reach its general approach (i.e. full negotiating stance) on the draft Regulation in mid-June, enabling the proposal to be negotiated with the other EU institutions and adopted by the end of 2015. It remains to be seen whether this, the latest of many targets to be set, will be achieved…
- Last week ENISA’s Executive Director participated in the Commission’s Cyber Security conference above.
- ENISA also published a report which analyses the opportunities and challenges of the first European public-private partnerships in the field of network and information security and resilience in Europe: the European Public-Private Partnership for Resilience (EP3R). For a summary see this link and for the full report see here.
- ENISA also reports that the Cloud Certification Scheme List (CCSL) has been updated with new schemes mapping all their security objectives against the 27 Security Objectives of the CCSM (Cloud Certification Schemes Metaframework, launched earlier this year). CCSL and CCSM tools “help the cloud user understand what certification against a specific scheme means, and helps providers to take informed decisions on cloud security implementations”.
More cyber news from the Datonomy team next week.