ICO brings criminal prosecution for data misuse

The Information Commissioner’s Office (ICO) has prosecuted an individual under the Computer Misuse Act 1990 (CMA 1990), resulting in a six-month prison sentence. This prosecution is the first of its kind by the ICO.

The facts

The defendant was a man named Mustafa Kasim. Mr Kasim was employed in the motor repair industry and had used a colleague’s log-in details to access a software system. This allowed Mr Kasim to access the personal data of customers, such as their names, phone numbers, and vehicle and accident information, without permission. Mr Kasim continued to access the software after moving to a different organisation. Continue Reading

ICC updates marketing and advertising code to account for the digital world

The International Chamber of Commerce (ICC) has revised its code of conduct for advertising and marketing (the ICC code) to keep up with the “rapid evolution of technology and technologically-enhanced marketing communications and techniques”.

The revised ICC code considers emerging digital marketing and advertising practices, in order to set a “gold standard for modern rule-making in our digital world”.

The ICC code

The ICC code is a framework for self-regulation, which applies across the global advertising and marketing industry.

The basic principle of the ICC code is that all marketing communication should be “legal, honest, decent and truthful”. Other key principles include respect for human dignity, transparency, fair competition, social responsibility, making the marketer’s identity apparent, and taking special care where communications are directed at children and teenagers under 18.

What’s new?

Continue Reading

Guiding principles for AI development

A meeting of data protection authorities from around the world has highlighted the development of artificial intelligence and machine learning technologies (AI) as a global phenomenon with the potential to affect all of humanity. A coordinated international effort was called for to develop common governance principles on the development and use of AI in accordance with ethics, human values and respect for human dignity.

The 40th International Conference of Data Protection and Privacy Commissioners (conference) released a declaration on ethics and data protection in artificial intelligence (declaration). While recognising that AI systems may bring significant benefits for users and society, the conference noted that AI systems often rely on the processing of large quantities of personal data for their development. In addition, it noted that some data sets used to train AI systems have been found to contain inherent biases, resulting in decisions which unfairly discriminate against certain individuals or groups.

To counter this, the declaration endorses six guiding principles as its core values to preserve human rights in the development of AI. In summary, the guiding principles state: Continue Reading

Get your update on IT & Data Protection Law in our Newsletter (Fall 2018 edition)

The Fall 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.

We provide updates on Facebook fan pages, the right to be forgotten, cease and desists by competitors under GDPR, spamming and customer satisfaction surveys, the German Network Enforcement Act, and more. The newsletter also includes multiple recommended reads on the GDPR.

We hope you enjoy reading it.

EU and U.S. second annual review of Privacy Shield

The European Union and the United States have now conducted the second annual review of Privacy Shield, a framework which regulates and facilitates the exchange of personal data across the Atlantic. The European Commission will publish its conclusions in a report at the end of this month.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. Privacy Shield imposes stronger obligations on U.S. companies to protect the personal data of individuals in the EU and to monitor, enforce and cooperate with the European data protection authorities to ensure adequacy.

On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce, publicly stating that they will comply with Privacy Shield requirements. A list of the certified organisations can be found here. Nearly 4,000 companies have now made legally enforceable commitments to comply with the framework since Privacy Shield went into effect in 2016.

Continue Reading

Highlighting the “SEC” in cybersecurity: Continued regulatory focus on preparedness and response

In recent months, the U.S. Securities and Exchange Commission (“SEC”) has emphasized cybersecurity as both an enforcement priority and corporate responsibility, demonstrating its continued focus on the need for issuers to have sufficient measures in place, including up-to-date compliance and incident response programs in order to maintain the integrity of the capital market system.

The SEC recently issued a Report of Investigation pursuant to Section 21(a) of the Securities Exchange Act (the “Report”) that advised public companies to develop and implement internal accounting controls that include an approach to cyber threats.[1] The Report stemmed from an investigation of nine unidentified public companies that had fallen victim to cyber fraud in the form of “business email compromises.” The nine issuers lost almost $100 million by wiring funds in response to compromised or spoofed emails purporting to come from legitimate sources such as company executives. The Report sharply criticized the victim companies for failing to identify red flags and train personnel, and serves as a stern warning that the SEC will not hesitate to turn a victim company into the target of an enforcement action.[2]

Indeed, the SEC has started bringing enforcement actions in the cybersecurity space in egregious cases. In September it issued a Consent Order against a registered investment adviser for a cyber-intrusion that resulted in the compromise of customer personal information.

The SEC determined that the company knew about the weaknesses in its cybersecurity procedures as a result of a prior attack.[3] Earlier this year the SEC also settled charges that stemmed from inadequate breach reporting.[4]

The SEC appears to be focused on the importance of well-designed policies and procedures and training. Two elements of compliance that the Report emphasizes are the importance of procedures to authorize wire transfers (including the requirement for multiple levels of approval and verifying changes in counterparties) and the need for continued training of employees to familiarize them with common cyberattack strategies. These focal points serve as useful action items for companies to evaluate their own risk profiles. Although the SEC refrained from suing the companies mentioned in the Report, the attention paid to internal controls and cybersecurity in particular is a shot across the bow that the SEC will not be as generous in the future.

All of this activity comes on the heels of the creation of the SEC’s Cyber Unit[5] as well as the SEC’s own data breach of its EDGAR system, which made the SEC acutely aware of the challenges issuers face with respect to cybersecurity.[6] Coupled with the SEC’s guidance from earlier this year on cybersecurity disclosures as crucial to enterprise risk-management,[7] the recent Report and enforcement activity serve as reminders for public companies to evaluate their policies and procedures and adequately train personnel to minimize falling victim to a cyberattack.


Footnotes:

  1. “Report of Investigation Pursuant to 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements,” SEC Release No. 34-84429 (Oct. 16, 2018).
  2. Controls to reasonably safeguard company funds are required under Section 13(b)(2)(B) of the Exchange Act. See id.
  3. “SEC Charges Firm with Deficient Cybersecurity Procedures.” SEC Press Release No. 2018-213 (Sept. 26, 2018).
  4. See our April 24, 2018 Post, “Being first isn’t always best: SEC settles for $35 million fine for failure to disclose data breach to investors.” https://www.technologylawdispatch.com/2018/04/data-cyber-security/being-first-isnt-always-best-sec-settles-for-35-million-fine-for-failure-to-disclose-data-breach-to-investors/
  5. “SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors,” SEC Press Release No. 2017-176 (Sept. 25, 2017).
  6. “SEC Chairman Clayton Issues Statement on Cybersecurity.” SEC Press Release No. 2017-170 (Sept. 20, 2017).
  7. See our February 27, 2018 Post, “Guiding Light: SEC adopts updated cybersecurity guidance.” https://www.technologylawdispatch.com/2018/02/privacy-data-protection/guiding-light-sec-adopts-updated-cybersecurity-guidance/


High Court blocks data privacy claim against Google

An attempt to bring legal action against Google for its alleged tracking of an estimated 4.4 million iPhone users in 2011 and 2012 has been blocked by the UK High Court (the court).

Campaign group “Google You Owe Us” brought the claim as a representative action on behalf of the affected individuals (the class) in 2017. It is thought to be the UK’s first mass legal action of its kind.

The case

Google You Owe Us argued that Google breached its duty under the Data Protection Act 1998 by circumventing the default settings in Apple Safari, placing cookies on the browser to track users’ movements, and using the collected data to sell advertisements. The decision is still relevant to the Data Protection Act 2018.

In an application for permission to serve the claim on Google in the United States, the High Court was required to determine, amongst other things, whether the claim had a reasonable prospect of success.

Justice Warby acknowledged that Google may have breached its duty. He said: “There is no dispute that it is arguable that Google’s alleged role in the collection, collation and use of data obtained via the Safari Workaround was wrongful, and a breach of duty.”

Continue Reading

European Parliament favours innovation-friendly blockchain regulation

The European Parliament has published a non-binding resolution on distributed ledger technologies and blockchains (blockchain technologies).

What is distributed ledger technology?

Best known as the technology behind bitcoin and other crypto-currencies, distributed ledger technology is, in its simplest form, a ledger of digital information maintained in decentralised form across a large network of computers. The information making up the ledger is secured using cryptography and can be accessed using keys and cryptographic signatures. Cyber-attacks are considered to have less impact on such technologies because an attacker would need to successfully target many decentralised copies of the ledger.

Positive applications of blockchain technologies

The resolution highlights the potentially positive applications of blockchain technologies across numerous industries and sectors including:

  • Transforming the energy markets by allowing households to produce environmentally friendly energy and exchange it on a peer-to-peer basis;
  • Improving the efficiency of the healthcare sector through electronic health data interoperability;
  • Improving supply chains by facilitating the forwarding and monitoring of the origin of goods and their ingredients or components, and improving transparency, visibility and compliance checking;
  • Enabling the tracking and management of intellectual property and facilitating copyright and patent protection;
  • Improving transparency and reducing transaction costs and hidden costs in the financial sector by better managing and streamlining processes; and
  • The potential of initial coin offerings as an alternative investment instrument in funding SMEs and innovative start-ups.

Continue Reading

Singapore to adopt new legislation on unsolicited commercial messages, and enhanced practical guidance framework for data protection

On 8 November, 2018, Singapore’s Personal Data Protection Commission (PDPC) issued its response to feedback received on a public consultation paper. In that consultation paper, the PDPC had proposed to:

  1. merge the Do Not Call provisions in the Personal Data Protection Act 2012 of Singapore (PDPA) and the Spam Control Act into a single piece of legislation to govern all unsolicited commercial messages; and
  2. assess requests for the PDPC to make determinations on complex or novel compliance issues under the PDPA.

1. Unsolicited commercial messages

Scope

The new legislation will apply to messages sent to a user’s instant messaging identifier, where the sender first has to be added by the user. It will also apply to messages sent via MMS and to audio and video files sent using instant messaging identifiers. However, it will not apply to in-app notifications or a mobile phone’s notifications.

Time period for effecting withdrawal requests

This will eventually be streamlined to a reduced period of 10 business days, via two distinct phases:

In the first phase, the withdrawal period for the Do Not Call provisions under the PDPA will be reduced from 30 to 21 calendar days. The pricing mechanism for Do Not Call registry checks will also be reviewed. However, for any spam unsubscribe requests, this will remain unchanged at 10 business days.

In the second phase, any withdrawal whether under the Do Not Call or spam control provisions will need to be effected within 10 business days.

Continue Reading

ICO publishes security guidance on encryption and passwords

Earlier this month, the Information Commissioner’s Office (ICO) published security guidance in its guide to the General Data Protection Regulation (GDPR).

The guidance focuses specifically on encryption and passwords. It suggests points to be considered during implementation and offers some helpful “dos and don’ts”.

Encryption

Article 32 of the GDPR specifies encryption as an example of an appropriate technical and organisational measure. The guidance states four things that should be considered when implementing encryption:

  1. The algorithm. This should be appropriate for its use and should be assessed regularly to ensure that it remains appropriate;
  2. The key size. This should be large enough to protect against an attack, and its appropriateness should be assessed regularly;
  3. The software. The ICO states that this should meet current standards such as FIPS 140-2 and FIPS 197; and
  4. The security of the key. The ICO provides that keys must be kept securely and businesses should have processes in place to generate new keys when necessary.

The ICO makes clear that, depending on the context of the incident, regulatory action may be pursued where unencrypted data is lost or destroyed.

Continue Reading
