News Archives

Thursday, April 30, 2015

Single Biggest IT Security Threat Remains Employees

Two recent surveys confirm long-standing claims that malicious or negligent employees are the major cause of data breaches.  In one survey, CompTIA found that human error accounts for 52% of the root causes of security breaches, even as only a third of survey respondents viewed it as a serious concern.  The other survey, by the SANS Institute, found that negligent employees accounted for the majority of the concerns that companies have about insider threats, more than malicious employees, and all contractors, clients, partners and other affiliates combined.  A similar drum beat emerged at the annual RSA security conference in April, where the single biggest IT security threat was identified as employees tricked by social engineering tactics, such as phishing emails and fraudulent phone calls, into revealing personal and corporate information. Verizon's 2015 Data Breach Investigations Report also found that malicious email attachments and links were one of the most common attack vectors used by cyber spies.

Vulnerabilities posed by employees are scarcely news.  A search of my own archives show that back in 2004, Gartner predicted that social engineering would be the greatest security threat over the next decade, ahead of electronic hacking.   Nevertheless, amidst the continual barrage of reports of data breaches, how many organizations can affirm with any confidence that they have trained their employees to deal effectively with social engineering tactics?  That they have tested their employees through actual phishing attempts and found them up to the challenge?  Is there any defensible excuse or explanation for not training and testing?

German DPA Orders Changes in Google's Policies and Practices

In April, the Hamburg Commissioner for Data Protection and Freedom of Information, Johannes Caspar, became the latest European DPA to take enforcement action against Google stemming from its March 2012 introduction of a consolidated privacy policy.  Under the order, Google has until the end of 2015 to be more transparent about how it combines and uses personal information gathered by all the different company services that an individual uses, to obtain consent for such merging of personal data and to limit the combining and processing of the data if consent is not given.  After being fined in France and Spain over the same issue, and facing threatened fines in the Netherlands, Google has already agreed to modify its policy and practices in the UK and Italy.  The company is reported to have presented its plans for substantial changes to European DPAs late in March; the acceptability of these changes is yet to be determined.   One week after Caspar issued his order in Hamburg, the European Commission officially accused Google of antitrust violations that could lead to a fine exceeding €6 billion.

Manitoba Poised for Private Sector Privacy Law

Manitoba's recently enacted Personal Information Protection and Identity Theft Prevention Act (PIPITPA) will come into effect as soon as it receives royal proclamation, which would make Manitoba the fourth Canadian province with a comprehensive privacy law applicable to the private sector. Unlike Alberta's Personal Information Protection Act (PIPA), PIPITPA includes data breach notification requirements and a private right of action against organizations that fail to protect personal information under their control.  As with the laws in Alberta and British Columbia, PIPITPA does not require consent for the collection of employee personal information, unless such information is unrelated to establishing, managing or terminating the employment relationship.  Given the extent of differences between the Manitoba legislation and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), PIPITPA may not be declared "substantially similar" to PIPEDA, in which case both PIPITPA and PIPEDA would apply to the private sector in Manitoba.  The text and status of the Act may be found here.

Monday, April 6, 2015

UN Again Elevates Privacy as a Human Rights Issue

On March 28, the United Nations Human Rights Council voted to establish a special rapporteur on the right to privacy. Special rapporteurs are expert individuals appointed with specific mandates to investigate, monitor, and report on particular human rights concerns that can range from access to water to extrajudicial killings.  Rapporteurs serve three-year terms and report annually to the Council and to the General Assembly.  Brazil, Germany, Austria, Switzerland, Norway, Liechtenstein and Mexico sponsored the resolution to establish the special rapporteur, which was adopted unanimously by the 47 members of the Council

U.S. support for the resolution was certainly ironic, given that it was mass surveillance by the NSA that elevated the profile of privacy within the United Nations.  Following the outrage that erupted over Snowden's revelations, the 193 members of the General Assembly unanimously approved, in November 2013, a Brazilian-German declaration entitled The Right to Privacy in the Digital Age.  This latest resolution, which re-affirmed the right to privacy articulated in Article 12 of the seminal 1948 Universal Declaration of Human Rights, added the principle that "the same rights that people have offline must also be protected online, including the right to privacy" and calls upon states to reign in their security operations.  It will be interesting to see how the U.S., a country that still does not regard or protect privacy as a basic human right and shows little appetite for reigning in its surveillance apparatus, fares in the first report of the new special rapporteur, which is expected in September. 

Sunday, April 5, 2015

Russian Ombudsman Challenges Data Localization Law

As the clock ticks down towards the September 1 implementation of Russia's data localization law, the country's Internet Ombudsman, Dmitry Marinichev, sent a letter to President Putin proposing that foreign online companies be allowed to store Russians' personal data in a third country if consent from the user is obtained.  Marinichev suggested allowing these companies to store the data in one of the 46 countries that, like Russia, have signed the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 107).   While the Russian DPA, Roskomnadzor, has yet to issue formal guidance on the new law, it has been meeting with various industry groups to explain its approach.  Key take-aways from these meetings include the assertions that the new law will apply to all data operators, including foreign businesses, collecting personal data directly from Russian citizens; that the primary databases involved must be located in Russia; that cross-border transfers may continue to occur if compliant with previous requirements (such as obtaining the consent of data subjects); that any structured set of personal data is subject to the law irrespective of the format and means of processing (including data found in spreadsheets and card files).

CNIL Eases Trans-Border Notification Requirements

The French data protection authority, the CNIL, streamlined international data transfers for companies with Binding Corporate Rules (BCRs), replacing the practice of requiring notification of each type of data transfer with a new procedure under which only one authorization will be needed by the group, with affiliates then submitting a simplified registration indicating that their data transfers outside the EU fall under that authorization.  As a sign of their support for BCRs, the CNIL will be directly contacting each of the 60 or so multi-nationals with BCRs to explain the new procedure.  Separately, the CNIL issued guidelines on March 4 for companies regarding Bring Your Own Device (BYOD) policies, appropriate safeguards for protecting the privacy of employees and notification of BYOD activities.

Major Data Protection Rulings in the UK and France

Court rulings in March in two EU member states affirmed the jurisdiction of European courts over foreign companies accused of violating national data protection laws.  In the UK, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors, in a case brought by three users of Apple’s Safari web browser who claimed that Google ignored their privacy settings to profile them and deliver personalized ads.  The EWCA, besides finding found foreign companies to be subject to UK data protection law, recognized a new tort of misuse of private information and found that the UK Data Protection Act 1998 failed to correctly implement several sections of the EU Data Protection Directive (95/46/EC) into UK law.  In France, the Paris Court of First Instance found that jurisdictional provisions in Facebook's Terms & Conditions notwithstanding, French courts have jurisdiction against foreign companies that collect, process and transfer personal information in France. Both cases underscore how defenses based upon jurisdiction clauses are unraveling.

ECJ Hears Arguments in Challenge to Safe Harbor

On March 24, the European Court of Justice heard arguments in the case brought by Austrian privacy activist Max Schrems challenging the position of Ireland's DPA that it was bound by the European Commission’s adequacy decision in 2000 with respect to the EU-US Safe Harbor framework, and therefore could not consider his claim that NSA surveillance made Safe Harbor invalid.  The impact of the case could be wide-ranging, with some 4,000 US-based organizations currently relying upon Safe Harbor as their legal basis for importing personal data from the EU. Notably, the Commission admitted during the hearing that it cannot guarantee EU citizens’ fundamental right to privacy when their data is transferred to the US under Safe Harbor.  Arguments supporting Schrems were advanced by Austria, Belgium, Poland, Slovenia, the European Parliament, the European Data Protection Supervisor and Digital Rights Ireland. Former French public prosecutor Yves Bot will render the Advocate-General opinion for the case, likely by June 24, with the final opinion of the full 15-member bench of the ECJ to follow.