Before Datonomy readers head off for their well-earned summer holidays, here’s a quick round-up of “end of term” UK and EU regulatory activity. The weekly cyber update will also be taking a break during the rest of August, but will return - with batteries recharged - in the Autumn to continue monitoring regulatory developments in the fields of data and cyber security.
EU POLICY AND REGULATION
- Network and Information Security Directive: Another glimmer of progress in the long-running saga of the NISD, and in particular the still unresolved question of the extent to which online platforms will be caught by the new breach reporting requirements. Following the recent sighting of a Council document on the scope of “essential services” (reported last week), on 31 July another potentially very significant new document was listed on the Consilium website. Entitled “Proposed approach to digital service platforms”, this promising-sounding document is, at the time … Continue Reading ››
The latest round up of legal, regulatory and other news from the Datonomy blogging team at Olswang LLP.
With thanks to: Christian Leuthner in Munich, Aisling O’Dwyer and Matt Hunter in Singapore, and Callum Monro-Morrison in London for their contributions to this week’s alert.
EU POLICY AND REGULATION
- Datonomy’s correspondent in Munich, Christian Leuthner, has tweeted that Germany’s IT Security Act came into force on 25 July. See his more detailed coverage of the new Act here.
- Network and Information Security Directive: A glimmer of progress on the EU’s draft NISD in the past week, with the mention on the Council’s Consilium website of a Council document “Drafting suggestions on operators providing essential services”. As Datonomy readers will be aware, one of the sticking points on the Directive has been the extent to which online services should be caught by the new rules. At the end of … Continue Reading ››
The latest round up of legal and regulatory developments and news on cyber security from the Datonomy blogging team at Olswang LLP.
With thanks to Datonomy’s correspondents Tom Pritchard in London and Sylvie Rousseau (Paris and Brussels) for their contributions to this week’s update.
EU policy and regulatory developments
- General Data Protection Regulation: ITProPortal and the Register are reporting that the trilogue negotiations on 14 July made “good progress” and culminated in agreement on Chapter 5 (territorial scope) and Article 3 (international transfers). The Council’s Consilium website has posted a document detailing the debrief that the Council received on 15 July; however, this document is not yet publicly accessible, so we cannot report on the substance of the agreed compromise. The Register’s article states that “there has been a notable push to get the GDPR onto the law books as soon as possible. Negotiators have set themselves an ambitious deadline … Continue Reading ››
The latest round up of regulatory news from the Datonomy blogging team at Olswang LLP.
Reports and statistics
The Ponemon Institute has published its 10th annual benchmarking study into the Cost of Data Breach for the US. Headline statistics, which drew on a sample of 62 US companies in 16 sectors, include the following:
- $6.5m is the average total cost of data breach
- 11% increase in total cost compared to last year
- $217 is the average cost per lost or stolen record (up 8%)
- Malicious or criminal attacks continue to be the primary cause of breach, and these were also the most costly breaches.
Olswang will provide further coverage of the latest Ponemon findings in its Q2 Cyber Quarterly.
UK policy and regulatory developments
- CERT-UK: CERT’s latest weekly update is available here and highlights the risk from phishing attacks launched by means other than email (e.g. text and instant messaging apps) along with … Continue Reading ››
Olswang has just published the latest edition of the Cyber Alert, a regular round up of regulation, best practice and news from our international cyber breach and crisis management team. There is a great deal to report since our last update in October 2014. In February, the Olswang team visited our friends in the US, co-hosting a cyber workshop in Silicon Valley and presenting to the Los Angeles chapter of the IAPP on the latest status of the General Data Protection Regulation. You can read our December 2014 status update on the draft Regulation, which includes an analysis of data breach notification, here.
In this edition:
Draft Network and Information Security Directive: entering final negotiation phase?
When we published our last Cyber Alert in late October 2014, the first trilogue negotiation between the three EU institutions had just taken place; a second took place in November and the third and final meeting was scheduled for 9 December. The outgoing Italian Council Presidency published a statement that it was “confident the EP and the Council…will reach a deal before the end of the year”. However, progress updates then went quiet. It was not until 11 March that the (now Latvian) Council Presidency announced that the Council’s negotiating mandate had been agreed at the Permanent Representatives Committee. This means that negotiations with the Commission and Parliament can resume, and this third trilogue is scheduled for late April.
It appears that one of the main sticking points within the Council has been the scope of the “market operators” who will be … Continue Reading ››
The latest round up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
UK policy and regulatory developments
- Given that passwords are often a weak point in user security, CERT UK have focused on Windows 10 and Yahoo’s new approach to the topic. Windows 10 is developing a series of biometric tools (such as fingerprint, facial and iris recognition), whereas Yahoo is developing a system to provide one-time passwords every time a user tries to log in. See CERT UK’s weekly update for 19 March 2015 here.
- CERT’s latest weekly update also contains a plug for its recently published 12-page guidance “Cyber Security risks in the supply chain”. This illustrates recent examples of supply chain compromise, including those arising from third-party software providers, website builders, third-party data stores and watering hole attacks.
- The Department for Business, Innovation & Skills has updated … Continue Reading ››