Security breaches always get a lot of press attention, but to date there haven't been that many large fines imposed by the Information Commissioner's Office (the "ICO") in the UK. However, last week saw a big one (although some have questioned whether it is big enough), with TalkTalk being given a record GBP400,000 penalty for a violation of the DPA's seventh principle on security. This comes on the back of the GBP1,000 fine a couple of weeks ago in respect of TalkTalk's failure to give notice to the regulator in due time, which we reported on here: http://datonomy.eu/2016/09/13/ico-wins-tiny-penalty-but-significant-principle-in-talktalk-security-breach-saga/ This case relates to cyber-attacks perpetrated against TalkTalk between 15 and 21 October 2015 exploiting vulnerabilities in certain webpages. Personal data of 156,959 customers, including financial information, was impacted, with the attacker accessing the personal data of all of those customers along with the bank account numbers and sort codes of 15,656 of them. When imposing …
As Datonomy reported recently, the UK Competition and Markets Authority has launched a call for information into the commercial use of data. In addition, it has now announced the appointment of researchers to look in more detail at how three specific sectors (games apps, clothing retail and motor insurance) use consumer data. With consumer data the new “currency of the Internet”, competition authorities at EU and UK level have been taking a keener interest in the issue for some time. Lucy Davies, an associate in Olswang’s Competition Team, explains what the CMA’s first formal steps in this area could mean in practice.

What’s new? The call for information and appointment of researchers

On 27 January 2015 the CMA launched a project to review the commercial use of consumer data by publishing its “Call for information: the commercial use of data”. As described in detail in our earlier blog …
The latest round-up of legal and regulatory developments and news relating to cybersecurity, brought to you by the Datonomy blogging team at Olswang LLP.

UK
- On 6 February 2015, the Investigatory Powers Tribunal (IPT) found that the UK government had breached Articles 8 and 10 of the European Convention on Human Rights (ECHR) when soliciting, receiving, storing and transmitting the private communications of individuals located in the UK that had been provided by the US's Prism and Upstream intelligence programmes. The Tribunal rebuked the government for not making its arrangements public, and the government was ordered to sufficiently sign-post such information to the public. Read the full judgment here.
- The Home Office began a consultation on 6 February 2015 on updating the interception code of practice and introducing a new equipment interference code of practice under the Regulation of Investigatory Powers Act 2000. The codes will regulate when law enforcement agencies …
Datonomy’s correspondents in Asia take an in-depth look at the new ISO 27018 and evaluate how it can help cloud customers meet the requirements of Singapore’s new Personal Data Protection Act. Back in September I blogged on the then newly-published ISO 27018, the first global security standard specifically applying to cloud services. In this recent post my colleague Daniel Jung and I take an in-depth look at how the new ISO measures up to Singapore’s new PDPA. The article will also be of wider interest to cloud customers and cloud providers as it considers the various ways a cloud provider can demonstrate compliance with the new standard. To read the post, please visit Datonomy’s sister blog Watching The Connectives at this link.
On August 19, 2014, more than one year after the first draft bill of an IT Security Act, the German Federal Ministry of the Interior published the new draft bill of the Act, aimed at boosting the security of information technology systems. The full title of the legislation is “Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme” (IT-Sicherheitsgesetz) (“IT Security Act”). The new rules are still subject to change but look likely to come into force in early 2015.

General overview

In fact, the IT Security Act will not be an individual law, but will amend the Act on the Federal Office for Information Security, the Telecommunication Act, the Telemedia Act and the Act on the Federal Criminal Police Office as well as the Act on the German Federal Office of Information Security. The IT Security Act contains five central topics and provides for:
- IT security in companies (see A. below)
- Protection …
CNIL’s recent ruling against Orange has wider lessons for all data controllers who rely on processors and sub-processors to process personal data. Datonomy’s correspondent in Paris analyses the issues.

Facts

In its deliberation dated 7 August 2014 (but only published on 25 August), the CNIL issued, for the first time, a public warning (i.e. no fine has been imposed on Orange, but the sanction consists of the publication of CNIL’s ruling on its website) against a telecoms operator on the basis of personal data breach requirements (pursuant to Article 34 bis of the French data protection act 1978). On 25 April 2014, Orange notified the CNIL of a technical failure at one of its marketing sub-processors, resulting in the leak of personal data (name, surname, birth date, email address and phone number) concerning 1.3 million subscribers. Following this notification, the CNIL investigated Orange’s and its processors’ premises and found …
Datonomy considers the German authorities’ reaction to the PRISM affair, and the wider practical consequences this could have for international transfers being made under the auspices of U.S. Safe Harbor and model contracts. After the reports about extensive surveillance activities by foreign and European intelligence services, especially by the American National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ), and possible transfers of personal data to them by American companies, European data protection authorities are raising their voices. In a letter dated 13 August 2013, the chairman of the Article 29 Working Party expressed his deep concern to the Vice-President of the European Commission, Viviane Reding, urging her to seek more clarification from the U.S., as well as announcing the intention of the European data protection authorities to conduct their own investigations regarding the compliance of foreign and European intelligence programs with EU data protection principles. Concrete actions have …