NHS warns patients they could lose text alerts as GDPR deluge continues*:
- Health service joins UK firms in rushing to comply with new data protection rules.
- The National Health Service is texting patients to warn they could lose alerts about hospital and doctor appointments.
- The GDPR gives all EU citizens the right to know what data is stored on them and to have it deleted, and protects them from privacy and data breaches.
- If companies fail to comply, they can be hit with fines of up to €20m (£17.5m) or 4% of global turnover.
- Some small businesses are reporting that "reconfirmation" rates are averaging just 10%, meaning they are losing 90% of their marketing email lists.
- Data rules mean that the messages are sent by each individual NHS trust rather than centrally from the NHS.
- Companies are handling the new rules in different ways, as there is no prescribed format for GDPR approval.
- If a company has a "legitimate interest" in contacting a customer – such as their principal bank account – then it only needs to let the customer know that privacy details have been updated.
- But if the email address had been obtained in other ways – such as a pre-ticked box – then that is not regarded as legitimate, and the company has to contact the consumer and obtain approval for further communications.
- Some companies are insisting users go through the rigmarole of logging in, which might entail trying to remember a password or setting up a new account.
- Companies are resorting to ever more desperate ways to catch the eye of users in inboxes deluged with GDPR emails.
*Source: The Guardian, May 19, 2018
New rules on data protection for EU institutions agreed*:
- The new rules are aligned with the general data protection regulation (GDPR) which enters into force on 25 May 2018.
- The rules increase the protection of personal data and ensure a free flow of that data between the institutions and the different bodies, insofar as it is necessary.
- As in the GDPR, the new regulation provides for a number of principles to be followed in the processing of data and a number of rights guaranteed to individuals whose data are collected.
- These include, for example, the right of individuals to access, correct or delete their personal data.
- In line with the GDPR, institutions and other bodies must also ensure that they provide transparent and easily accessible information on how personal data is used, and foresee clear mechanisms for individuals to exercise their rights.
- The new legal instrument also reconfirms, clarifies and enhances the role of data protection officers within each EU institution and of the European data protection supervisor.
- The objective is also to try to simplify the procedures in this field.
- Processing of personal data by the Union agencies in the field of law enforcement and judicial cooperation (e.g. Eurojust) is covered by the regulation through a specific chapter.
- The rules in this chapter are aligned with the Law Enforcement Directive.
- More specific rules can also be laid down in the founding acts of these agencies to take into account their particular circumstances.
*Source: Consilium, May 24, 2018
UK calls for special EU deal on data-sharing laws after Brexit*:
- British negotiators warn of security dangers as they call for preferential treatment.
- The continued, uninterrupted and secure flow of personal data between the EU and UK is vital for all partners.
- An agreement on data protection will be crucial for the EU and the UK, and any disruption to cross-border data flows would be costly to all partners.
- An agreement will also ensure clarity on enforcing citizens' rights.
- Britain instead wants a more "stable" system that allows the Information Commissioner's Office (ICO), the largest data protection authority in the EU, to sit on the body that regulates and sets guidelines.
- The nationality of the body taking the lead would be determined by the location of the main establishment of the data controller involved.
- It will benefit EU businesses operating in the UK to avoid two parallel processes on data protection disputes – one in the UK led by the ICO and one in the 'one-stop shop' – and avoid unnecessary additional cost.
- It could include amendment, dispute resolution and termination provisions.
- This would provide EU and UK individuals and businesses with greater stability and certainty.
- It also pointed to its efforts to enforce the General Data Protection Regulation, which aims to make all organisations gain genuine consent to use personal information.
- We seek a new agreement on data protection that builds on a standard adequacy decision.
*Source: The Guardian, May 24, 2018
Another data breach for SA - passwords and IDs exposed*:
- A database containing sensitive personal data that came from a traffic fine platform has been leaked online.
- The information contained in this leak includes names, ID numbers, e-mail addresses, and passwords stored in plain text from South African citizens.
- The database had close to 1 million personal records and was "discovered on a public web server that belongs to a company that handles electronic traffic fine payments in South Africa".
- 934,000 personal records of South Africans have been leaked publicly online.
- African was able to view the publicly available database, and it may be a case of negligence and carelessness regarding the safety of the data.
- It appears that a backup of the sensitive data was saved in a directory which was publicly accessible.
- It's suspected that the data may have been uploaded around three years ago.
- The Home Affairs Department was only able to confirm that it was looking into the data breach, but is committed to providing a comprehensive response.
*Source: IOL, May 24, 2018
Believing your data is probably secure means it's not secure at all*:
- All too often organisations have been handling this issue of data privacy in an ad hoc way, saying 'the data is probably secure' and convincing themselves it's OK without necessarily having proof of that.
- But if you're saying it's 'probably' secure, it probably isn't. And we shouldn't be playing this game of probabilistically securing things.
- Warnings about the integrity of privacy protection are timely, given the conclusion of Privacy Awareness Week (PAW) 2018 ahead of next week's implementation of the European Union's general data protection regulation (GDPR).
- That regulation will require companies to have a much clearer view of their data holdings, imposing strict penalties for companies that fail to adequately secure their customers' personally identifiable information (PII).
- Companies can better evaluate the real risk of their data-exchange practices – and attest to their having managed data in an "approvable private way".
- Evaluating data protections using mathematics may offer a better degree of governance, but PAW 2018 offers a timely reminder about the importance of privacy as an operating construct – shared and practiced by all employees – as well.
- Having a customer identity and access management solution in place can play a critical role in ensuring customer confidence, as well as compliance with privacy regulations across all the jurisdictions in which a business operates.
*Source: CSO, May 21, 2018
More than Half of Users Reuse Passwords*:
- Passwords are a poor security mechanism. We're really bad at passwords.
- That's the conclusion of a study that looked at 28.8 million users and their 61.5 million passwords in 107 services over 8 years.
- Password reuse, regarded as a major "no-no" by security experts, is considered a major factor in easy-to-hack user authentication schemes.
- Don't let your fingers walk: Keyboard walking occurs when a user lets their fingers walk across a row of keys on the keyboard, e.g., 12345.
- The resulting string is an easily guessed password.
- That tendency limits the combinations and makes the passwords subject to relatively easy brute force cracking.
- The consequences of complex passwords: Remembering and typing unique strong passwords makes for a high-friction transaction, and in the context of purchases, high friction is not forgettable.
- Beyond bad passwords: Until biometric authentication becomes more widespread, best practice suggestions for consumers are still important; the study provides a list that contains no surprises for anyone in the security industry:
  - Use a unique password for every online account
  - Generate passwords that exceed the minimum of 8 characters
  - Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  - Avoid using passwords that contain common phrases, slang, places, or names
  - Use a password manager to help generate, store, and manage your passwords
  - Never use an unsecured Wi-Fi connection
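The checks in that list (length, character mix, keyboard walks such as 12345, common phrases, and reuse across accounts) can be enforced at registration time. The following is an added example, not code from Dark Reading or the study it reports; the keyboard rows, the tiny common-phrase list and the sample accounts are constructed stand-ins for a real breached-password list.

```python
"""Password policy checks for the best-practice list above (added example)."""
import re
from collections import Counter

# Constructed: US-QWERTY rows used to detect "keyboard walking" (e.g. 12345, qwerty).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Constructed: a tiny stand-in for a real common-phrase / breached-password list.
COMMON_PHRASES = {"password", "letmein", "iloveyou", "welcome", "admin"}
WALK_LEN = 4  # any 4 consecutive keys from one row, in either direction, is a walk


def has_keyboard_walk(pw, walk_len=WALK_LEN):
    """True if pw contains walk_len adjacent keys from a single keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - walk_len + 1):
            segment = row[i:i + walk_len]
            if segment in low or segment[::-1] in low:
                return True
    return False


def check_password(pw):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) <= 8:
        problems.append("length: must exceed 8 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(pattern, pw) for pattern in classes):
        problems.append("mix: needs lower, upper, digit and symbol")
    if has_keyboard_walk(pw):
        problems.append("keyboard walk: sequential keys such as 12345 or qwerty")
    if any(phrase in pw.lower() for phrase in COMMON_PHRASES):
        problems.append("common phrase: contains a well-known word")
    return problems


def reuse_rate(accounts):
    """Fraction of accounts whose password also protects at least one other account.

    accounts maps an account label to its password (what a password manager
    audit would see); this is the per-user view of the study's reuse figure.
    """
    if not accounts:
        return 0.0
    counts = Counter(accounts.values())
    reused = sum(1 for pw in accounts.values() if counts[pw] > 1)
    return reused / len(accounts)


if __name__ == "__main__":
    for sample in ("12345", "Password1!", "Tr0ub4dor&3x"):
        print(sample, "->", check_password(sample) or "ok")
    # Constructed sample vault: two of three accounts share one password.
    print("reuse rate:", reuse_rate({"bank": "hunter2", "mail": "hunter2", "shop": "unique!9"}))
```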
*Source: Dark Reading, May 25, 2018