DOJ issues updated best practices on cyber incidents; incorporates CISA

On September 27, 2018, as part of the Department of Justice’s (DOJ) cybersecurity roundtable discussion, the DOJ’s Cybersecurity Unit issued Best Practices for Victim Response and Reporting of Cyber Incidents (the Best Practices), including a Cyber Incident Preparedness Checklist. As noted by the DOJ, the Best Practices do not have the force of law, and they are “not intended to have any regulatory effect.” Regardless, the Best Practices provide insight into the DOJ’s concerns with respect to cybersecurity and its expectations regarding organizations’ levels of effort on cybersecurity.

The newly published Best Practices are an update to the Best Practices issued in April 2015. Notable items in the updated Best Practices are:

  • Integration of CISA to the Best Practices: The Best Practices incorporate the Cybersecurity Information Sharing Act of 2015 (CISA), which “provides private entities with broad authority to conduct cybersecurity monitoring of their own networks, or a third party’s networks with appropriate consent.” CISA provides an exception to other potentially conflicting laws, such as the Wiretap Act and the Pen Register/Trap and Trace Act, as long as the CISA requirements are met. Under CISA, private entities are permitted to monitor information or an information system for a “cybersecurity purpose,” which means a “purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” CISA is also meant to promote sharing information about cybersecurity threats by affording protections to private entities against certain liabilities (as long as CISA requirements are met).
  • Descriptions of basic cybersecurity procedures: The Best Practices describe several protocols as basic cybersecurity procedures. Specifically, they recommend: (i) a reasonable patch management program to address software vulnerabilities; (ii) access controls and network segmentation to limit the data at risk; and (iii) maintenance of copies of server logs

Spotlight shone on online advertising as complaints are filed with EU supervisory authorities

On 12 September 2018, complaints were filed with the UK Information Commissioner’s Office and the Irish Data Protection Commissioner regarding the “wide scale and systemic breaches of the data protection regime” by Google and others in the online advertising industry (the Complaints).

The Complaints

The Complaints were submitted by Brave, an ad blocking web browser, together with the Open Rights Group and Michael Veale, a researcher at University College London. They focus on the real time bidding (RTB) systems used by Google and the wider online advertising industry, which operate to provide personalised advertising on websites.

It is claimed that there are ongoing breaches of applicable data protection laws across the industry. As an example, a wide range of personal data is gathered by the RTB system, far more than is necessary to provide targeted advertisements to individuals browsing the web. It is suggested that the information collected is then provided to a host of third parties for a range of uses that go far beyond those purposes which a data subject can understand, consent to, or object to. According to Brave, “every time a person loads a page on a website that uses programmatic advertising, personal data about them are broadcast to tens – or hundreds – of companies”.

Singapore data protection commission fines carpooling service and LAN gaming centre

Two businesses have been fined a total of S$13,000 for breaching Singapore’s data protection law.

GrabCar

Facts

The first decision involved a carpooling service operated by GrabCar through an app.

Twenty drivers had their accounts suspended for flouting the platform’s usage rules. They were allowed to submit an appeal by filling in a Google form with their name, national registration identification card number, mobile number, vehicle licence number and appeal statement.

A GrabCar employee uploaded the completed Google form incorrectly, which allowed all of the drivers to view each other’s personal data on the form.

Decision

The commission’s findings were as follows:

  • GrabCar failed to protect the personal data of its drivers, as it ought to have trained its employees on how to use Google forms properly.
  • Regardless of whether it knew about or approved an employee’s act, an employer is automatically responsible for any contravention of Singapore’s data protection law, so long as that conduct was carried out in the course of employment.
  • While business contact information is exempt, the exemption covered only the names and mobile numbers of the GrabCar drivers, not their vehicle licence numbers and national registration identification numbers, since the latter were not means of contacting these drivers.
  • The business contact information exemption did not apply at all to GrabHitch drivers, who were non-commercial private car owners who carpooled with people commuting along the same route.
  • A penalty of S$6,000 was imposed.

Key takeaways

The commission found that GrabCar did not have any policies or procedures to guide its employees on the use of Google forms nor did it provide any training. Given that the law imputes liability on employers for their employees’ contravening conduct, businesses should put in place robust data protection training and operational processes to ensure compliance.

ICO publishes Technology Strategy for 2018–2021

The Information Commissioner’s Office (ICO) has published its Technology Strategy for 2018 to 2021. The Strategy, part of the ICO’s focus on adapting to rapidly developing technologies, outlines eight “technology goals” and the measures that will be implemented to achieve them.

Technology goals

Broadly, these goals include increased technology training for the ICO’s staff and appointment of staff with technology expertise, greater public and industry engagement in terms of the data protection risks posed by technology, and engagement with other regulators internationally. It is apparent from the Strategy that the ICO is placing greater emphasis on adapting to the ever-changing technological environment, through increased engagement and enhancement of its technical expertise and technical solutions.

The ICO also commits to publishing further guidance and reports on the use of data protection design by default. This guidance will be “technically feasible and proportionate” and will likely include analysis of the data protection implications of emerging technologies, such as artificial intelligence (AI) and machine learning.

Singapore’s Personal Data Protection Act provides guidelines for handling national identification

Beginning on September 1, 2019, all Singapore private sector organizations will be banned from collecting, using or releasing national identity cards, copies of them or their numbers, unless required under law or deemed necessary to verify an individual’s identity. Organizations that violate the rules under the Singapore Personal Data Protection Act 2012 (PDPA) could face a financial penalty of up to $1 million.

For more information, see our FAQ guide.

Monetary Authority of Singapore panel urges financial institutions to adopt cybersecurity measures

An international cybersecurity advisory panel formed by the Monetary Authority of Singapore (MAS) has recommended that all financial institutions in Singapore ensure that data stored on the public cloud is kept secure, and that they perform cybersecurity risk assessments on their third-party providers.

These proposals were raised at the panel’s second annual meeting, after its members had met with representatives from the Standing Committee on Cyber Security from the Association of Banks in Singapore, Life Insurance Association Singapore and General Insurance Association of Singapore.

The panel also noted that financial institutions had increased their use of application programming interfaces (APIs) to build software and applications. As use of such APIs could expose institutions to a greater risk of cyber threats, the panel suggested specific ways in which they should address that risk; for instance:

  • conducting “red-teaming” cyberattack simulations
  • securing network connections with any third party providers
  • monitoring for any suspicious cyber activity.

FTC continues aggressive enforcement of Privacy Shield

On Thursday, September 27, the Federal Trade Commission (FTC) announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc., following allegations that the companies falsely claimed to be certified under the EU-U.S. Privacy Shield.

Specifically, the FTC alleged that IDmission, LLC misrepresented participation in the program by claiming certification on its website despite never completing the steps necessary to participate following the company’s October 2017 application. On the other hand, mResource LLC, SmartStart Employment Screening, Inc., and VenPath, Inc. each successfully obtained Privacy Shield certification in 2016 but failed to properly renew expired certifications. Therefore, the FTC alleged the three companies misrepresented that they were current participants in the program.

Further, the FTC alleged that SmartStart Employment Screening, Inc. and VenPath, Inc. additionally misrepresented that they adhere to the Privacy Shield Principles by failing to withdraw or affirm the commitment to protect personal information acquired during participation in the program. The Privacy Shield Principles require that if a company ceases to participate, the company must affirm to the U.S. Department of Commerce that it will continue to apply the Privacy Shield Principles to such personal information.

ICO takes enforcement action against Brexit campaigners

On 6 July 2018, the Information Commissioner’s Office (ICO) issued an enforcement notice against AggregateIQ for failing to comply with the General Data Protection Regulation 2016/679 (GDPR). The enforcement notice was issued as part of the ICO’s investigation into whether personal data was misused by both sides during the Brexit referendum.

AggregateIQ

The terms of the enforcement notice require AggregateIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”, within 30 days of the date of the notice.

AggregateIQ contracted with UK political organisations to receive personal data of UK individuals during the Brexit campaign. In particular, AggregateIQ contracted with a number of pro-Brexit groups, including Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave campaign. AggregateIQ processed this personal data to target individuals with political advertising messages on social media.

An interview with North Carolina AG Josh Stein

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with North Carolina Attorney General (AG) Josh Stein. Throughout his tenure as AG, Stein has shown a clear commitment to data privacy and security through his advocacy for strong protection of individuals’ personal information, both in North Carolina and on the national stage. In the interview, he shares his vision for smart data use and protection in North Carolina.

The article is available on the IAPP website.

The impact of a no-deal Brexit on data protection

The government has published guidance for UK organisations on transfers of personal data in the event of a so-called no-deal Brexit. In particular, the guidance sets out actions for UK organisations to take to enable the continued flow of personal data between the UK and the European Union (EU) in such an event.

While emphasising the fact that a no-deal Brexit is “unlikely”, the guidance notes that it is important to prepare for all eventualities.

The guidance forms part of the government’s series of notices on a no-deal Brexit, aimed at businesses and citizens.

The current position

The UK has a comprehensive data protection framework, consisting of the Data Protection Act 2018, which is a UK-specific law, and the General Data Protection Regulation (GDPR), which applies across the EU Member States.

The GDPR does not restrict transfers of personal data within the EU. Transfers can also be made outside of the EU if there is an appropriate legal basis for doing so.