“Summary of the ICO’s report on data analytics in political campaigns” By Sandip Patel QC


The Information Commissioner’s Office (ICO) has published its report to Parliament bringing the ICO’s investigation into the use of data analytics in political campaigns up-to-date. It is the largest investigation of its type undertaken by any supervisory authority and the report covers areas investigated, findings and actions to date.

Particular concerns surrounding voters’ personal privacy include the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing and the use of third party analytics companies with insufficient checks around consent. The enforcement actions taken include:

• Fining Facebook the maximum penalty for serious breaches of the first and seventh principles of the Data Protection Act 1998.
• Instigating criminal proceedings against SCLE Elections Ltd (trading as Cambridge Analytica) for failing to properly deal with an enforcement notice dated 4 May 2018, in relation to a data subject access request. A trial is set for 9 January 2019 at Hendon Magistrates’ Court.
• Issuing a notice of intent to fine both Leave.EU and Eldon Insurance (trading as GoSkippy) £60,000 each for serious contraventions of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (SI 2003 2426) (PECR).
• Issuing a notice of intent to fine Leave.EU £15,000 for serious contraventions of regulation 22 of the PECR.
• Issuing formal warnings to 11 political parties requiring action, backed by an intention to issue assessment notices for audits, from January 2019.

The ICO has also made recommendations including asking the government to consider whether there are any regulatory gaps in the current data protection and electoral law landscape to ensure that the UK has a regime fit for purpose in the digital age. The ICO has recommended that a Code of Practice for the use of personal information in political campaigns be put on a statutory footing to help combat unlawful campaigning tactics and has launched a consultation.

The ICO started its investigation in May 2017, after allegations about “invisible processing” of people’s personal data and micro-targeting of political adverts during the EU Referendum.

“WannaCry?” By Sandip Patel QC


“2017 brought unrelenting growth in cybercrime including ransomware, phishing, hacking, social engineering and targeted campaigns, some state-sponsored. The World Economic Forum (WEF) has ranked cybercrime in the top three risks the world will face in 2018. According to its statistics, 357 million malware variants were released in 2016 alone and banking trojans (designed to steal account login details) were on sale for just $500. Ransomware, said to be worth $1bn globally, continues to dominate the malware landscape and has grown by 56% according to McAfee Lab’s 2018 Threats Prediction Report.”

Sandip Patel QC – Chairperson of the Cybercrime Practitioners Association and OSP Cyber Academy’s Chief Legal Adviser – is an industry-leading expert in cybercrime and cyber security. Involved as the prosecuting QC in the ‘Anonymous’ and ‘Facebook Hacker’ cases, Sandip has a wealth of knowledge of the Internet of Things and its potential threats.

In this article for Counsel Magazine, Sandip goes into detail about Internet crime, explaining the relationship between cyber attacks and internet infrastructure. He shows which countries and sectors are affected, examines the UK’s own cyber security strategy, and then explains risk mitigation and how to protect against viruses and other malware.

Full article can be found here – Counsel_Magazine_May_2018 (1)

“A Cyber Week in London” Part 2 By Jane Lo


“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.” – UK ICO’s Elizabeth Denham, 5th October 2016.

“The most significant risks to individuals’ personal info are now driven by the use of new technologies” – Elizabeth Denham at the Turing Institute, as part of the Turing GDPR event.

Day 3 – 2nd May – Breaches and Threats

TalkTalk Data Breach

The highest profile ICO case is undoubtedly the £400,000 fine against TalkTalk, close to the maximum fine of £500,000 that the ICO is empowered to apply, for contraventions of the Data Protection Act 1998.

TalkTalk’s failure to properly protect customer data from a cyber attack resulted in a breach of the personal data of 156,959 customers, including names, addresses, dates of birth and, in many cases, bank account details and sort codes.

The ICO found that the attack could have been prevented if TalkTalk had taken basic steps, such as infrastructure scanning (which could have uncovered the vulnerable web pages through which the attacker accessed a customer information database), patching out-of-date software (which could have fixed a bug that allowed the attacker to bypass access restrictions), and installing defences against SQL injection, the common hacking technique used to access the data.
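The SQL injection defence the ICO refers to, shown as an added example (not from the article, the ICO or TalkTalk) on a constructed in-memory customer table: the same lookup written with string concatenation and with a bound parameter, so the difference in what a malformed username can do is visible.

```python
"""Added example, not from the original article: a customer lookup with and
without the SQL injection defence the ICO describes. The customer table,
field names and sample rows are constructed for this example."""
import sqlite3

# Constructed sample data standing in for a customer information database.
CUSTOMERS = [
    ("alice", "Alice Smith", "12 High St", "1980-01-01", "12345678", "40-47-84"),
    ("bob", "Bob Jones", "3 Mill Lane", "1975-06-30", "87654321", "20-00-00"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, name TEXT, address TEXT, "
        "dob TEXT, account TEXT, sort_code TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The user-supplied value is pasted into the SQL text, so quote characters
    # in the input become part of the statement and change its meaning.
    sql = f"SELECT name, account, sort_code FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    # A bound parameter is only ever data: the driver keeps it out of the
    # statement's structure whatever characters it contains. This is the
    # defence that should have stood between the web page and the database.
    sql = "SELECT name, account, sort_code FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    # Row counts returned for a textbook tautology input versus a real username.
    conn = make_db()
    malformed = "x' OR '1'='1"  # constructed input; no such user exists
    return {
        "vulnerable": len(lookup_vulnerable(conn, malformed)),      # whole table
        "parameterised": len(lookup_parameterised(conn, malformed)),  # nothing
        "honest": len(lookup_parameterised(conn, "alice")),          # one row
    }


if __name__ == "__main__":
    print(demo())
```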

Cyber Security is a Board Room Issue

“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.” – UK ICO’s Elizabeth Denham, 5th October 2016, on issuing the largest fine, £400,000 to TalkTalk.

Tone from the top, where the Board is highly engaged and understands what comprises the organisation’s information “Crown Jewels”, is a foundational building block for effective cyber risk management.

Establishing clear authorities and responsibilities, demonstrating commitment to risk mitigation and fostering risk communication are some of the areas where industry best practice recommends Board oversight. TalkTalk’s data breach also emphasised that the Board’s oversight of regular independent assessments is essential to identifying vulnerabilities and forming appropriate risk mitigation and incident response plans.

Simply: if it matters to the board and senior management, then it will matter to everyone else across the organisation.

All threats, all hazards

The Queen’s Speech to Parliament on 21st June 2017 and the ICO’s enforcement actions highlight that privacy intrusions and data breaches can arise not only from cyber security lapses, but also from the exploitation of standard operating procedures.

Reflecting these emerging security themes, focused conferences are hosted as part of the International Security Expo 2018. To find out more, at the invitation of the International Security Expo organiser (Peter Jones, CEO of Nineteen Events), we spoke to Don Randall MBE, the Bank of England’s first ever CISO, about cyber security.

He emphasised that: ‘The key to successful prevention, detection and subsequent prosecution is to understand the motivation of the attacker. Primarily people commit crime for three reasons. One is they need to, they’re cash-strapped, poverty-ridden and in such a bad state that the only way to go forward is to cross the line and commit a crime. The others are greedy script kiddies who are in pursuit of peer recognition and want the power of a hacker, or those with an alternative motivation, the likes of terrorism.’

Addressing these motivations, such as countering terrorism in the digital age, increasingly forms part of the big data conversation, and of how data is collected and used.

Don Randall (right), the Bank of England’s first Chief Information Security Officer, presented with an Outstanding Security Performance Award (OSPA) on 1st March 2018 at the Royal Lancaster London. Left: Rick Mountfield of the SYInstitute, sponsor of the Lifetime Achievement Award, presenting the award to Don Randall.

Day 4 – 3rd May – Data Protection by Design, by Default

Previously known as ‘privacy by design,’ “Data Protection by design, by default” has always been part of data protection law. Under GDPR, it is now a legal requirement.

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” – GDPR Article 25, Para 1, Data protection by design and by default.

It covers data protection and privacy up-front, and proactively anticipates potential privacy invasion events – that is, practicing end-to-end security in the design and architecture of IT systems and business practices: Protect, Detect, Know, Response, and Recovery.

And, by default, the design and architecture of IT systems and business practices should also automatically protect personal data to meet the principles of personal data processing. Recognising that 100% protection is neither practical nor effective, a risk-based approach is central to “Data Protection by design, by default”.

This means building data protection in accordance with the risk profile of the operation. One example of how GDPR views this is its requirements for ‘high-risk’ activities, such as Data Protection Impact Assessments (DPIAs).
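The two technical measures Article 25(1) names, pseudonymisation and data minimisation, as an added example (not from the article, GDPR or the ICO): a constructed customer record is reduced to the fields each stated purpose needs, and the direct identifier is replaced with a keyed hash whose key is held apart from the data. The purposes, field lists and generalisation rules are assumptions for this example.

```python
"""Added example, not from the original article: pseudonymisation and data
minimisation applied to a constructed customer record, per purpose."""
import hashlib
import hmac

# Constructed sample record; field names are assumptions for this example.
RECORD = {
    "customer_id": "C-1001",
    "name": "Alice Smith",
    "email": "alice@example.com",
    "postcode": "SW1A 1AA",
    "birth_year": 1980,
    "plan": "fibre-100",
}

# Data minimisation: each processing purpose is allowed only the fields it
# needs. These purposes and lists are assumptions, not taken from the text.
PURPOSE_FIELDS = {
    "usage_analytics": ("plan", "birth_year", "postcode"),
    "billing": ("name", "email", "plan"),
}


def pseudonym(customer_id: str, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256): stable for one key, so records stay linkable
    # inside the dataset, but it cannot be reversed or recomputed without the
    # key, which is stored separately from the pseudonymised data.
    return hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def generalise(field: str, value):
    # Coarsen fields whose exact value is not needed for the analytics purpose.
    if field == "birth_year":
        return f"{value // 10 * 10}s"  # 1980 -> "1980s"
    if field == "postcode":
        return value.split(" ")[0]  # outward code only, e.g. "SW1A"
    return value


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    """Return a copy of `record` holding only what `purpose` needs, with the
    direct identifier replaced by a pseudonym. Unknown purposes are refused
    rather than defaulting to the full record."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no field list defined for purpose {purpose!r}")
    out = {"pseudonym": pseudonym(record["customer_id"], key)}
    for field in PURPOSE_FIELDS[purpose]:
        if field not in record:
            continue
        value = record[field]
        # Analytics never needs the precise values; billing does.
        out[field] = generalise(field, value) if purpose == "usage_analytics" else value
    return out


if __name__ == "__main__":
    # Constructed key for illustration; a real key lives in a separate store.
    print(minimise(RECORD, "usage_analytics", b"example-key-1"))
```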

From Left: Sandip Patel QC (OSP Cyber Academy Chief Legal Advisor), Ken McMillan (CEO Cap Badge Singapore), Peter Jones (CEO Nineteen Events International Security Expo 2018), Audrey Brown (M.D. Fuse Box), Admiral Lord West of Spithead GCB DSC PC (Chair and former UK Security Minister), Thomas McCarthy (Managing Director OSP Cyber Academy)

Day 5 – 4th May – What does it mean for Singapore?

Singapore’s Personal Data Protection Act 2012 (PDPA) came into force with the formation of the Personal Data Protection Commission.

As with the data protection acts in the UK and EU, Singapore’s PDPA governs the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

Enforcement actions have been taken against organisations as well as individuals for lax cyber security procedures, unauthorised access and failure to take reasonable security measures in document disposal. By regulating the flow of personal data among organisations, the PDPA ultimately also aims to strengthen Singapore’s competitiveness and position.

Development of Singapore’s PDPA

The development of Singapore’s PDPA takes into account international best practice on data protection, as well as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Privacy Framework.

Since the introduction of GDPR, three public consultations have been conducted to seek feedback. A recent proposed change relates to how companies handle individuals’ NRIC numbers and collect the physical NRIC or a copy of it.

The NRIC (National Registration Identity Card) has been widely used in Singapore by consumers for a range of activities. The PDPC acknowledged this: “The NRIC number is a permanent and irreplaceable identifier of information relating to the individual, the indiscriminate collection and use of the numbers is of special concern as it increased the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.”

The latest guidelines address this concern and propose that organisations should not collect, use or disclose an individual’s NRIC number, except when it is required under the law or when it is necessary to establish the identity of the individual.

GDPR-ready for Singapore organisations

An organisation that does not have an establishment in the EU can still fall within the GDPR’s scope. Specifically, GDPR not only considers the location of the processing, but also the location of the individual whose data is being processed.

A Singapore e-commerce trader whose website is available in English and ships products to customers in the EU is likely to be considered to be offering goods in the EU. A Singapore online behavioural advertising network or analytics company that processes the personal data of, say, a Singaporean living in the EU to offer tailored promotions is considered to be monitoring data subjects in the EU.

In short, the territorial scope of GDPR means that a Singapore organisation that shares data or sells products and services within the EU, or processes the data of data subjects in the EU, will be subject to GDPR. Moreover, as GDPR requires EU data controllers to appoint only GDPR-compliant processors, any Singapore organisation that provides data processing services to data controllers within the EU will need to ensure it is GDPR-ready.

Wrap-up – Privacy and Innovation

Sheer processing power and ‘big data’ are accelerating technological capabilities. With high communication speeds and falling costs of data storage and processing, innovations in the areas of mass data collection, automatic processing and algorithmic programming give rise to fraud detection, behavioural analytics, ubiquitous surveillance and so on.

Leveraging technology for the legitimate interests and benefit of customers and businesses promotes economic growth. Confidence and trust in the technology to securely capture, store and use information is essential to achieving this aim.

GDPR focuses organisations on achieving this aim. While there are certainly short- to medium-term costs for organisations to achieve compliance, data protection should also be seen as an enabler of technological progress.

Elizabeth Denham summed this up at her keynote speech at the National Association of Data Protection and Freedom of Information Officers (NADPO) Annual Conference on 21st November 2016, “I wanted to make the point that I do not believe data protection law stands in the way of technological progress. The theme of my speech was privacy and innovation, not privacy or innovation.”

“A Cyber Week in London” Part 1, By Jane Lo




Just weeks ahead of the new European Data Protection law coming into effect on 25th May 2018, Cambridge Analytica and its parent SCL Elections Ltd. filed applications to commence insolvency proceedings, following widespread media reports that it had harvested personal data about Facebook users as far back as 2014.

“The siege of media coverage has driven away virtually all of the Company’s customers and suppliers,” the firm said in the statement. “As a result, it has been determined that it is no longer viable to continue operating the business, which left Cambridge Analytica with no realistic alternative to placing the company into administration.”

Heavily embroiled in the scandal and determined to win back trust, Facebook said in full-page ads in European newspapers, “New EU legislation means more data protection for you.”

The new EU legislation is the General Data Protection Regulation, or GDPR in short. What is GDPR, why does Data Protection matter, and what are the implications for Singapore?

To answer these questions, we spent a week in London, speaking with Security Professionals with extensive experience in the European private and public sectors, and Cyber specialists from the OSP Cyber Academy.

 

Day 1 – 30th April – An Introduction to GDPR

What is Personal Data?

Protection of personal data refers to the ability of a person to control, edit, manage and delete this information, and to decide how and to what extent it is communicated to others. Common examples of personal data, such as race, age and gender, come immediately to mind.

How did EU and UK Data Privacy and Protection laws come about?

“When we speak about social media, apps and the digital economy, it’s easy to forget the world that the UK’s current Data Protection Act was forged in. No Google. No Facebook. Clunky desktop computers with less processing power than we all have now in our pockets and purses.” – UK ICO (Information Commissioner’s Office) Elizabeth Denham.

With the appearance of mainframe computers which facilitated data banks in the 1960s, the collection and processing of personal data became widespread.

Elizabeth Denham, Commissioner UK ICO

 

Data protection principles were devised.

The German state of Hesse passed the first such law in 1970; the US Fair Credit Reporting Act 1970 also contained some elements of data protection. In the UK, the Data Protection Act became law in 1984. Updated in 1998 to align with the EU 1995 Data Protection Directive, it came into force on 1st March 2000.

How have they evolved since?

GDPR brings a 21st century approach with mandatory data breach reporting, higher standards of consent, and significantly larger fines (up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher).

Proposed in 2012 and approved by the EU Parliament in April 2016, it affects almost all organisations doing business in the EU. Effective from 25th May 2018, GDPR puts new obligations on companies and public bodies that collect data, while giving consumers new rights over how their data is handled.

What does GDPR mean for UK businesses, after Brexit takes effect?

As the UK is not yet out of the EU on 25th May 2018, the legal reality, made explicitly clear by the UK Secretary of State, is that UK businesses, like businesses in any other EU Member State, will need to comply with GDPR.

The Queen’s Speech to parliament on 21st June 2017 confirmed the implementation of the EU GDPR into UK national law: “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

This latest law, enshrining the GDPR and built on the UK Data Protection Act of 1998, was the UK Data Protection Bill. The text of the Bill received Royal Assent on 23rd May 2018 and is now an Act of Parliament (law).

 

Day 2 – 1st May – Demonstrating GDPR Compliance

“If it is not written down, it did not happen”. – Richard Preece, OSP Cyber Academy Chief Training Officer

What are the Key Principles underpinning the GDPR?

The European Court of Justice has emphasised that even where there is a legitimate basis, processing must meet the principle of proportionality and be necessary to achieve the stated purpose.

These key principles of “legitimacy”, “proportionality” and “transparency” in the EU Data Protection Directive of 1995, are retained in the GDPR Article 5 – Principles relating to processing of personal data:

1. Lawfulness (data must be processed lawfully, fairly and in a transparent manner);
2. Purpose limitation (data must be collected for specified, explicit and legitimate purposes);
3. Data minimisation (data should be limited to what is necessary);
4. Accuracy (data should be accurate and up to date);
5. Storage limitation (data should be kept for no longer than is necessary).

What Rights do Data Subjects have?

The right of individuals to access their data is already an important part of existing EU data protection law. Other examples are the right to request rectification of inaccurate personal information and the right to restrict processing.

GDPR also introduces the Right to data portability, seen as an important tool to facilitate the exchange of information necessary in the digital era. This right to transfer personal data from one organisation to another, or to the data subject, in a structured, commonly used and machine-readable format also encourages healthy competition between EU data controllers.

Some other key changes?

Where individual EU members had the ability to set specific detailed regulations in the old regime, GDPR sets explicit rules. Old rules specified data requests to be handled “without excessive delay” – but GDPR sets a deadline of one month.

Another is where previous rules allowed countries to set maximum fees in responding to requests – but GDPR rules that information be provided free of charge unless requests are “manifestly unfounded or excessive”.

What are the financial penalties?

The headline-grabbing figure of €20 million, or 4% of worldwide annual revenue, for non-compliance has attracted much attention.

But the penalty to be handed down may be lower, depending on the nature of data breached, and “the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them”.

What does all this mean in practice?

GDPR is principle-based to cater for the varying processing and technological approaches. Flexible though explicit, the interpretation depends on social and cultural attitudes to privacy. For example, “fair” in Germany may not be regarded as “fair” in Spain.

Differences in the resources and attitudes of national supervisors are likely to result in variations in enforcement.

 


“Implications of the GDPR and Data Protection Post 25 May 2018”

Irene Coyle, a former Chief Inspector with Police Scotland, has retired after 30 years of service and now joined OSP Cyber Academy as Training Director; she also acts as the Data Protection Officer for OSP Group Ltd. Irene is a certified, GCHQ-accredited Data Protection and GDPR practitioner and a registered DPO with the ICO, and now supports a wide range of clients with their training and outsourced Data Protection needs.

Irene was recently invited to be a Keynote Speaker at the “City of London Crime Prevention Association” Update on GDPR in Carpenter’s Hall, London. She gave a fantastic presentation to over 100 industry leaders and experts on the Implications of the GDPR and Data Protection Post 25th May 2018. Her findings are summarised below.

Irene Coyle, Training Director

GDPR is certainly leaving its mark on the Data Protection field. The legislation aims to tackle dangers to data security and to ensure companies are accountable to their customers.
Since 25th May 2018, there have been 500 breach-related reports to the ICO every week. The effects can be seen in a variety of industries, from Education and Health to Transport and Criminal Justice.

Here are just a few examples of companies that have been caught out already:

• Oaklands Assist UK Ltd fined £150,000 – thousands of nuisance direct marketing phone calls
• Bupa Insurance Services Limited fined £175,000 – failing to have effective security measures in place
• Equifax Ltd fined £500,000 – failing to protect the personal information of up to 15 million UK citizens after a cyber attack
• Everything DM Ltd fined £60,000 – sending 1.42 million emails without consent
• Gloucestershire Police fined £80,000 – revealing identities of abuse victims in bulk email
• Bayswater Medical Centre in London fined £35,000 – left highly sensitive medical information in an empty building
• University of Greenwich fined £120,000 – microsite compromised 20,000 staff & students’ personal data.

Some of the common themes that are causing concern for companies and their data breaches include marketing, not dealing with SARs, stolen information, and selling data on the dark web. Over 600 companies across the UK were surveyed about their GDPR compliance. The following facts make for interesting reading:

• 20% of the companies believed themselves to be GDPR compliant
• 53% in the implementation phase
• 27% have not yet started
• GDPR implementation under way or completed increased from 37% to 73% in the UK
• 74% of respondents expect to be compliant by the end of 2018 and 93% by the end of 2019.

Looking at some statistics 100 days post GDPR, more than 56% of companies admitted they have not audited their compliance with GDPR. More than 51% of organisations have not documented their technical and organisational security measures on how they are processing personal data.

Looking forward, Data Protection should encourage innovation & continuous improvement – whilst Data Protection & Cyber Security should not be perceived as a cost overhead. It should be a driver to do things better and to do better things.
Privacy by design and by default is now a legal requirement and is about considering privacy issues up front in everything you do. Having the right mindset towards Data Protection helps future-proof a business. You should look to communicate this to your consumers, so that they know the company is building privacy by design into its products and services, third-party arrangements and future use of data.

As Irene says herself…

“Education, Awareness and Training of staff is key to the success of your business and in protecting the privacy and rights of individuals, including your staff. It is easy to forget that we are all human and just trying to do our job, but mitigate the risk of data breaches – which, as we can see here, are still occurring – by making your staff fully aware of Data Protection and GDPR.”