The Information Commissioner’s Office (ICO) announced its intent to fine Bounty (UK) Limited (Bounty) £400,000 for breaching the Data Protection Act 1998 (the Act). Because the conduct in question pre-dated the General Data Protection Regulation 2016/679 (GDPR), it was governed by the Act rather than by the GDPR. The maximum penalty permitted under the pre-GDPR regime in the United Kingdom was £500,000.

Background

Bounty was a pregnancy and parenting support club. It provided information packs and goody bags to mothers in exchange for personal data. It also provided a mobile app for users to track their pregnancies, as well as offering a new-born portrait service. Its portrait service was the largest in-hospital service of its kind in the United Kingdom.

Bounty had a data protection policy on its website. The policy stated that Bounty: (i) collected personal data for marketing purposes; and (ii) might share personal data with selected third parties. It also stated that users might receive communications from Bounty or from a third party. However, the policy did not identify the third parties, or even the types of third parties, with which personal data would be shared.

Bounty also collected personal data using hard copy cards completed in maternity wards. The cards stated that, by filling them in, recipients consented to Bounty processing their personal data. They also briefly noted that Bounty might share personal data but, again, gave no detail about third party recipients. Recipients had to provide their names and postal addresses to complete the cards; to use Bounty’s services at all, they had no choice but to hand over some personal data.
Full post: Sharing a Bounty of Personal Data? ICO issues £400,000 fine against UK pregnancy and parenting club for illegally sharing personal data

Security bugs follow wildly different paths to resolution. Some are quietly patched in routine code updates; others make the national news and trigger a company’s incident response plan. Is your company aware of the data security vulnerabilities it should be addressing? Is it prepared to respond to a researcher who notifies it of a serious bug, or who goes to the media without any prior notice?

Bugs in all shapes and sizes. Data security vulnerabilities arise for any number of reasons. Companies cause some of their own, for example by misconfiguring deployments or by poorly coding websites and mobile applications, leaving them open to common attacks. They may also be running flawed software supplied by a vendor, with little control over the vulnerabilities or their resolution beyond waiting for a vendor patch. Or the underlying platforms, operating systems, and transmission methods may themselves be vulnerable.

The bug hunt. Companies use various techniques to identify and resolve vulnerabilities, including code reviews and third-party scans of networks, websites, and mobile applications. They can also monitor the many online resources documenting known vulnerabilities, such as the website of the United States Computer Emergency Readiness Team (US-CERT). Using supported software and promptly applying security patches are key. Responsible use of open-source software is also strongly recommended: recent events have shown that an unpatched vulnerability in an open-source application framework can lead to a breach, and the infamous Heartbleed bug in the OpenSSL open-source cryptographic library left millions of websites at risk. Notably, for anything other than the simplest systems, assessing the criticality of a patch and the implications of applying it is not easy. Among other things, a given patch may have unintended effects on related system components, or the protections provided by other layers of defense may make it far less urgent than its headline severity suggests. And a company with complex systems can receive dozens, hundreds, or even thousands of patches every week.
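The triage problem described above, that is, matching a stream of advisories against what a company actually runs and ranking by exposure and compensating controls rather than by raw severity, can be made concrete. The following is an added example, not code from the original post or from any product it mentions. The advisory identifiers, products, versions, inventory entries and weighting factors are all constructed for illustration; a real deployment would parse a feed such as the NVD or a vendor bulletin into the same Advisory shape and calibrate the weights to its own environment.

```python
"""Risk-rank constructed vulnerability advisories against a software inventory.

Added example, not from the original post. Every identifier, product,
version, asset and weight below is constructed for illustration.
"""
from dataclasses import dataclass

# Multiplier applied for each compensating control in front of an asset
# (constructed weights; unknown control names are ignored, not trusted).
CONTROL_FACTOR = {
    "waf": 0.8,                   # web application firewall filters some exploit traffic
    "network_segmentation": 0.7,  # reachable only from a restricted network
    "virtual_patch": 0.5,         # IPS rule already blocking the known exploit
}
EXPLOITED_BONUS = 2.0                       # advisory reports active exploitation
EXPOSURE_FACTOR = {True: 1.5, False: 0.7}   # internet-facing vs internal only


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # constructed label, not a real CVE identifier
    product: str
    affected_versions: tuple    # exact version strings known to be vulnerable
    cvss: float                 # base score, 0.0 to 10.0
    exploited_in_wild: bool


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool
    controls: frozenset = frozenset()   # compensating controls in place


@dataclass(frozen=True)
class Finding:
    asset: str
    advisory_id: str
    score: float        # deployment-specific priority, higher first
    rationale: tuple    # human-readable steps that produced the score


def is_affected(adv: Advisory, asset: Asset) -> bool:
    """Match only when the product matches and the exact version is listed."""
    return adv.product == asset.product and asset.version in adv.affected_versions


def score_finding(adv: Advisory, asset: Asset) -> Finding:
    """Base CVSS -> bonus if exploited -> scaled by exposure -> discounted per control."""
    score = adv.cvss
    why = [f"cvss={adv.cvss}"]
    if adv.exploited_in_wild:
        score += EXPLOITED_BONUS
        why.append("exploited in the wild")
    score *= EXPOSURE_FACTOR[asset.internet_facing]
    why.append("internet-facing" if asset.internet_facing else "internal only")
    for control in sorted(asset.controls):
        factor = CONTROL_FACTOR.get(control)
        if factor is not None:
            score *= factor
            why.append(f"{control} x{factor}")
    return Finding(asset.name, adv.advisory_id, round(score, 2), tuple(why))


def triage(advisories, inventory):
    """Return a Finding for every (advisory, asset) match, highest priority first."""
    findings = [
        score_finding(adv, asset)
        for adv in advisories
        for asset in inventory
        if is_affected(adv, asset)
    ]
    return sorted(findings, key=lambda f: (-f.score, f.asset, f.advisory_id))


# Constructed sample feed and inventory (not real advisories or systems).
ADVISORIES = [
    Advisory("ADV-0001", "webframework", ("2.3.1", "2.3.2"), 9.8, True),
    Advisory("ADV-0002", "webframework", ("2.3.1",), 5.3, False),
    Advisory("ADV-0003", "pdflib", ("1.0",), 7.5, False),
    Advisory("ADV-0004", "mailer", ("0.9",), 9.0, True),   # product not deployed
]
INVENTORY = [
    Asset("www-prod", "webframework", "2.3.1", True, frozenset({"waf"})),
    Asset("intranet-portal", "webframework", "2.3.2", False, frozenset({"network_segmentation"})),
    Asset("report-gen", "pdflib", "1.0", False),
    Asset("legacy-box", "webframework", "2.2.0", False),   # version not affected
]

if __name__ == "__main__":
    for f in triage(ADVISORIES, INVENTORY):
        print(f"{f.score:6.2f}  {f.asset:16} {f.advisory_id}  ({', '.join(f.rationale)})")
```

With the constructed data, the critical, actively exploited bug on the internet-facing server comes out first, but the same bug on the segmented internal portal ranks below a medium-severity bug on the exposed server, which is the "other layers of defense" point in the text. Advisories for products that are not in the inventory produce no findings at all, which is why the inventory itself has to be accurate before any of this ranking is meaningful.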
Full post: Thinking about Bugs