The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- Latest UK stats on breach notification: The Information Commissioner’s Office published its annual report for 2014/2015 on 1 July 2015. It includes statistics on data breach and data loss incidents reported voluntarily to the ICO (1,677 self-reported incidents, resulting in 1,707 investigations, £692,500 of fines, 3 enforcement notices and 26 undertakings). There were 285 data breach reports by communications service providers under the compulsory PECR regime, and one CSP was fined for late notification. It also includes statistics and trends on sources of complaints to the ICO – with security related complaints rising from 6 to 8% of all complaints reported to the ICO compared to the previous year – and on the type of enforcement action taken by the ICO in response. Read the full report here.
- According to SC Magazine, cybersecurity will be included in all UK computing degrees starting this September (with a two-year grace period for certain universities). As part of the government’s Cyber Security Strategy, guidelines have been drafted to ensure that graduates are equipped with defensive programming skills – “designing systems from the outset which are secure from vulnerabilities, threats and attacks.”
EU policy and regulatory developments
- Network and Information Security Directive (NISD): Since the “breakthrough” announcement by the outgoing Latvian Presidency of the Council which Datonomy reported on last week, there does not appear to be any further progress news or significant documentation in the public domain. To recap, late on 29 June the Latvian Presidency announced that agreement had been reached on the main principles of the Directive. However, the most controversial aspect of the proposal – namely the extent to which online platforms should be subject to the new requirements on breach reporting – does not appear to have been fully resolved. The press release states that: “It was agreed that digital service platforms would be treated in a different manner from essential services. The details will be discussed at a technical level.” It is unclear at this stage just how differently, and what this might mean in practice. Luxembourg took over the Council Presidency from Latvia on 1 July and will be under pressure to finish the job, after EU Member States called for “rapid adoption” of the Directive in the Council meeting held on 25 and 26 June. Luxembourg’s priorities for EU policy during its term are set out in this document. It does not make any specific mention of the NISD, although it highlights as a major priority the implementation of the renewed European Union Internal Security Strategy for 2015-2020, driven by factors including the rise in cyber crime.
- General Data Protection Regulation (GDPR): The Luxembourg Presidency’s Priorities document reiterates statements made recently by the outgoing Presidency and by the Commission that the aim is to conclude negotiations on the GDPR by the end of 2015. It also flags the need for revised rules on data retention following last year’s annulment of the 2006 Data Retention Directive.
- Information-age.com has written a guide to what CISOs need to do before January 2016 in order to comply with the anticipated GDPR, following agreement of the general approach on 15 June. The five key pieces of advice are: locate the data, define access, understand the legalities, know the security risks and assess the future.
- Forum Europe has announced that it will be hosting its Cyber Security Conference in Brussels on 1 October 2015. Speakers from the European Commission, European Parliament, NATO and ENISA will lead sessions at the event exploring:
- Cyber Security in Europe: are we on the right track? What are the next steps?
- Technical innovation, people and processes: strengthening preparedness against cyber incidents;
- Developing cyber defence capabilities and norms: defending Europe from external threats.
- A full agenda can be found here.
- The EPP conducted a hearing on data-driven security on 1 July 2015. The hearing included discussion on the topics of “new trends in digital technology and cyber threats to security” and “cybersecurity: ensuring security and safety on state and individual levels”. Udo Helmbrecht, the Executive Director of ENISA, participated in the sessions, where it was noted that the line separating national security from commercial security is becoming increasingly blurred.
US policy and regulatory developments
- The Wall Street Journal is reporting that the joint U.S. and UK Cyberwar Games conducted in June in Suffolk, Virginia have now concluded. The Pentagon, Department of Homeland Security and National Security Agency invited unnamed energy and banking companies to sit in on the exercise. Though little is being made public about what was learnt during the exercise, it is known that “the scenario in the war game began with a major earthquake hitting southern California, followed by a series of coordinated cyberattacks, including oil and gas pipeline disruption, interference at a major commercial port in the U.K., attacks on Pentagon networks, a freeze on access to cash at banks and long lines for food at stores.”
Asia policy and regulatory developments
- The National People’s Congress of China has passed a new “National Security Law” asserting territorial sovereignty over its internet space and imposing stricter cybersecurity requirements. The legislation calls for strengthened management of the web by creating “secure and controllable” information technology and critical infrastructure. SC Magazine is reporting that “The move is seen in part as response to Snowden revelations that US agencies planted code in American tech exports to spy on overseas targets.” Companies may now worry that this will undermine their ability to send encrypted emails or operate private networks within the country.
- Reuters is reporting on an interesting trend in Chinese cybersecurity: amateur hackers are trading in their bedrooms for offices. As China takes the issue of cybersecurity increasingly seriously, hackers are being convinced to join the burgeoning industry and even start their own businesses. “Dozens of cyber security companies are now cropping up across China according to industry observers, populated by young techies with bona fide security skills and work experience at firms like Alibaba, Tencent Holdings Ltd and Baidu Inc. China is hoping that eventually domestic cyber security groups will provide most of its companies with defenses against hacking, rather than them relying on foreign firms like Symantec, Kaspersky and EMC Corp’s RSA.”
Attacks, reports and other news
- Canadian news site CTV News is reporting that the Canadian Security Intelligence Service’s (CSIS) website was recently taken down temporarily by hackers. A denial of service attack was allegedly perpetrated by a single individual aggrieved by the controversial Bill C-51 (an anti-terrorism law that could potentially be used against protestors). The individual tweeted, “I’m deciding if I should let CSIS back online and hit another government website, or if I should keep it offline for a while.” This follows a similar report noted on Datonomy two weeks ago, in which the hacker group Anonymous took down the Canadian government’s website in opposition to the same bill.
- CERT-UK’s weekly update focuses on the cybersecurity threat to small businesses. It showcases a small trading company from Northern Ireland, employing no more than 20 individuals, to demonstrate the potentially crippling effect a ransomware attack can have on a business. The update also features a report on new vulnerabilities found in Adobe’s and Apple’s software. Read the full report here.
- Nasdaq is reporting that Cisco Systems is acquiring OpenDNS, a private cloud-based security firm, for $635 million. The San Francisco-based target harnesses predictive intelligence to block malware agents, botnets and phishing threats. The acquisition continues Cisco’s strategy of becoming a major player in the cybersecurity industry, following its previous acquisitions of the cybersecurity companies Neohapsis, ThreatGRID and Sourcefire.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Client Knowledge.