Two recent surveys confirm long-standing claims that malicious or negligent employees are the major cause of data breaches. In one survey, CompTIA found that human error accounts for 52% of the root causes of security breaches, even as only a third of survey respondents viewed it as a serious concern. The other survey, by the SANS Institute, found that negligent employees accounted for the majority of the concerns that companies have about insider threats, more than malicious employees, and all contractors, clients, partners and other affiliates combined. A similar drum beat emerged at the annual RSA security conference in April, where the single biggest IT security threat was identified as employees tricked by social engineering tactics, such as phishing emails and fraudulent phone calls, into revealing personal and corporate information. Verizon's 2015 Data Breach Investigations Report also found that malicious email attachments and links were one of the most common attack vectors used by cyber spies.
Vulnerabilities posed by employees are scarcely news. A search of my own archives show that back in 2004, Gartner predicted that social engineering would be the greatest security threat over the next decade, ahead of electronic hacking. Nevertheless, amidst the continual barrage of reports of data breaches, how many organizations can affirm with any confidence that they have trained their employees to deal effectively with social engineering tactics? That they have tested their employees through actual phishing attempts and found them up to the challenge? Is there any defensible excuse or explanation for not training and testing?
Thursday, April 30, 2015
Manitoba's recently enacted Personal Information Protection and Identity Theft Prevention Act (PIPITPA) will come into effect as soon as it receives royal proclamation, which would make Manitoba the fourth Canadian province with a comprehensive privacy law applicable to the private sector. Unlike Alberta's Personal Information Protection Act (PIPA), PIPITPA includes data breach notification requirements and a private right of action against organizations that fail to protect personal information under their control. As with the laws in Alberta and British Columbia, PIPITPA does not require consent for the collection of employee personal information, unless such information is unrelated to establishing, managing or terminating the employment relationship. Given the extent of differences between the Manitoba legislation and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), PIPITPA may not be declared "substantially similar" to PIPEDA, in which case both PIPITPA and PIPEDA would apply to the private sector in Manitoba. The text and status of the Act may be found here.
Monday, April 6, 2015
U.S. support for the resolution was certainly ironic, given that it was mass surveillance by the NSA that elevated the profile of privacy within the United Nations. Following the outrage that erupted over Snowden's revelations, the 193 members of the General Assembly unanimously approved, in November 2013, a Brazilian-German declaration entitled The Right to Privacy in the Digital Age. This latest resolution, which re-affirmed the right to privacy articulated in Article 12 of the seminal 1948 Universal Declaration of Human Rights, added the principle that "the same rights that people have offline must also be protected online, including the right to privacy" and calls upon states to reign in their security operations. It will be interesting to see how the U.S., a country that still does not regard or protect privacy as a basic human right and shows little appetite for reigning in its surveillance apparatus, fares in the first report of the new special rapporteur, which is expected in September.
Sunday, April 5, 2015
The French data protection authority, the CNIL, streamlined international data transfers for companies with Binding Corporate Rules (BCRs), replacing the practice of requiring notification of each type of data transfer with a new procedure under which only one authorization will be needed by the group, with affiliates then submitting a simplified registration indicating that their data transfers outside the EU fall under that authorization. As a sign of their support for BCRs, the CNIL will be directly contacting each of the 60 or so multi-nationals with BCRs to explain the new procedure. Separately, the CNIL issued guidelines on March 4 for companies regarding Bring Your Own Device (BYOD) policies, appropriate safeguards for protecting the privacy of employees and notification of BYOD activities.
Court rulings in March in two EU member states affirmed the jurisdiction of European courts over foreign companies accused of violating national data protection laws. In the UK, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors, in a case brought by three users of Apple’s Safari web browser who claimed that Google ignored their privacy settings to profile them and deliver personalized ads. The EWCA, besides finding found foreign companies to be subject to UK data protection law, recognized a new tort of misuse of private information and found that the UK Data Protection Act 1998 failed to correctly implement several sections of the EU Data Protection Directive (95/46/EC) into UK law. In France, the Paris Court of First Instance found that jurisdictional provisions in Facebook's Terms & Conditions notwithstanding, French courts have jurisdiction against foreign companies that collect, process and transfer personal information in France. Both cases underscore how defenses based upon jurisdiction clauses are unraveling.
On March 24, the European Court of Justice heard arguments in the case brought by Austrian privacy activist Max Schrems challenging the position of Ireland's DPA that it was bound by the European Commission’s adequacy decision in 2000 with respect to the EU-US Safe Harbor framework, and therefore could not consider his claim that NSA surveillance made Safe Harbor invalid. The impact of the case could be wide-ranging, with some 4,000 US-based organizations currently relying upon Safe Harbor as their legal basis for importing personal data from the EU. Notably, the Commission admitted during the hearing that it cannot guarantee EU citizens’ fundamental right to privacy when their data is transferred to the US under Safe Harbor. Arguments supporting Schrems were advanced by Austria, Belgium, Poland, Slovenia, the European Parliament, the European Data Protection Supervisor and Digital Rights Ireland. Former French public prosecutor Yves Bot will render the Advocate-General opinion for the case, likely by June 24, with the final opinion of the full 15-member bench of the ECJ to follow.