The latest round-up of legal, regulatory and other news from the Datonomy blogging team at Olswang LLP.
With thanks to: Christian Leuthner in Munich, Aisling O’Dwyer and Matt Hunter in Singapore, and Callum Monro-Morrison in London for their contributions to this week’s alert.
EU POLICY AND REGULATION
- Datonomy’s correspondent in Munich, Christian Leuthner, has tweeted that Germany’s IT Security Act came into force on 25 July. See his more detailed coverage of the new Act here.
- Network and Information Security Directive: a glimmer of progress on the EU’s draft NISD in the past week, with the appearance on the Council’s Consilium website of a Council document entitled “Drafting suggestions on operators providing essential services”. As Datonomy readers will be aware, one of the sticking points on the Directive has been the extent to which online services should be caught by the new rules. At the end of June, the Council announced that it had reached an “understanding” with the European Parliament on the “main principles” of the Directive. The release went on to state that “It was agreed that digital service platforms would be treated in a different manner from essential services. The details will be discussed at a technical level.” The appearance of this latest document could be an indication of further work on that issue, although until the document is actually made available in the public domain it is hard to tell. As Datonomy readers will also be aware, there is generally a time lag of days to weeks between the Consilium listing a document of this nature and actually making the text available. The Directive was on the agenda for discussion at the meeting of the Council’s Telecoms Working Party on 23 July. The last official meetings of Council bodies are scheduled to take place this week, so it remains to be seen whether there will be any more official news before the Brussels institutions start their summer break.
- General Data Protection Regulation – summer holiday reading? For Datonomy readers still wading through the leaked 682-page mark-up of the institutions’ respective negotiating positions on the draft Regulation (see our 13 July alert), help is at hand in the form of a new mobile app from none other than the EDPS (the European Data Protection Supervisor, Giovanni Buttarelli). Announced today, the tablet- and mobile-friendly app coincides with the publication of the EDPS’s own contribution to the trilogue negotiations: this press release, urging the institutions to ensure the changes result in a “better deal for the individual” and acknowledging that, while the “GDPR is not the reform of [his] dreams”, improvements to the text are still feasible; this 12-page opinion setting out his key recommendations to the negotiators; and a four-column mark-up, which weighs in at a mere 520 pages, adding the EDPS’s position on each provision alongside those of the Commission, Parliament and Council.
- US Safe Harbor: talks to reform the US Safe Harbor agreement continue, according to this official announcement from the European Commission on 23 July. Although the tone of the announcement is upbeat, there is no detail on what the outstanding sticking points are, and still no end date in sight for this long-running saga, as the release concludes: “Commissioner Jourová aims for a finalisation of discussions in the coming weeks.”
- European Union Agency for Network and Information Security: ENISA has reported back on the key conclusions from its recent Workshop on the Protection of Electronic Communications Infrastructure and Information Sharing.
UK POLICY AND REGULATION
- ICO follow-up actions on data breach undertakings: the ICO has recently published a number of follow-up actions on undertakings given by organisations in relation to a range of security breaches. Apart from prolonging the pain for those organisations (having suffered first the trauma of a hack or other security breach and then having to give a public undertaking to the ICO), the detail of the follow-up reports makes interesting reading in terms of the practical security measures the ICO expects, and therefore gives useful indications of the preventive steps other businesses should be taking to avoid falling short of the seventh DPA Principle. The follow-up reports, along with new undertakings and enforcement actions, are available on the ICO’s website here.
- A Cyber Demonstration Centre has been set up by UK Trade and Investment and the Department for Culture, Media and Sport on behalf of the Cyber Growth Partnership. The details can be viewed here. It was funded as part of the Cabinet Office’s National Cyber Security Programme. The Centre will: support the growth of the sector; showcase the depth, breadth and quality of the UK cyber security offer to delegations from across the world; and ensure that the UK continues to be one of the major players in the global market.
- Japan is proposing to invest 20 billion yen in cyber-security training in advance of the 2020 Olympics, according to this article by SC Magazine.
- According to this article on the IT news for Australian Business Security website, reforms proposed by the Australian government are causing consternation in the telco industry, with insiders saying the reforms are too broad, intrusive and onerous. In a joint submission, the Australian Industry Group (Ai Group), the Australian Information Industry Association (AIIA), the Australian Mobile Telecommunications Association (AMTA) and the Communications Alliance said the legislation would fail to achieve its objectives, as it would “divert resources from investing in addressing cyber security threats to compliance with onerous obligation”.
Attacks, reports and other news
A selection of cyber security news stories from the past week.
- Last week it was reported that security researchers Chris Valasek and Charlie Miller had shown Wired magazine that they could remotely take control of a Jeep Cherokee 4×4 by sending data to its internet-connected ‘Uconnect’ entertainment and navigation system over a mobile-phone network, with no physical access to the vehicle. In the wake of this news, Fiat Chrysler has recalled 1.4 million vehicles, as has been widely reported, including by the BBC here.
- CERT UK’s latest update was published on 23 July and is available here. It reports, amongst other things, that Google has released Chrome version 44.0.2403.89 for Windows, Mac and Linux to address multiple vulnerabilities.
- The BBC reports that customer data has been stolen from adulterous dating site Ashley Madison. The hackers obtained information including “all the customers’ secret sexual fantasies and matching credit card transactions.” Ashley Madison told the BBC that it would allow people to delete their profile from the site for free with immediate effect.
- The BBC reports that, according to US tech giant Hewlett-Packard, the best-selling smart watches on the market all have security problems. Testing 10 leading wearables for security features such as password protection and data encryption, the company found that every device had flaws in at least one area.
- The Evening Standard reports on an investigation by the consumer watchdog Which? this week, showing that consumers who use contactless debit and credit cards could be vulnerable to fraud. Cheap card readers were able to read card data that was meant to be hidden, and the researchers were able to use it to place orders successfully, including one for a £3,000 television set.
- SC Magazine UK reports that the National Fraud Intelligence Bureau is warning people to be wary of emails that appear to come from British Gas, the Ministry of Justice or the Home Office, as they may infect the recipient’s computer with the TorrentLocker ransomware.
- The Register reports that Kaspersky researcher Ido Naor found that LinkedIn users could be phished thanks to vulnerabilities in the site’s notification system. The flaws, which have since been patched, meant that malware could be sent to LinkedIn users via the email notification generated when someone commented on their posts.
M&A and corporate activity
SC Magazine UK reports that UK cyber-security company Darktrace has been valued at more than US$100 million (£64 million) after US venture capitalist Summit Capital invested US$22.5 million (£14.5 million) in the business. The money is expected to allow the British-American company to continue its expansion into the Asia-Pacific region.