
Tag Archives for "cybersecurity"

German schools ban Office 365 due to privacy concerns

The German state of Hesse has ruled it’s illegal for its schools to use Office 365 after years of debate over whether the country’s schools and institutions should use Microsoft tools at all.

The Hesse Office for Data Protection and Information Freedom says the standard configuration in Office 365 could potentially make students’ and teachers’ personal data available to US officials. In addition to the information that users provide when they’re working in Office 365, the platform sends telemetry data back to the US.

Source: German Schools Ban Office 365, Cite Privacy Concerns

ICO intends to fine Marriott International, Inc more than £99m for data breach

Marriott International has received a notification from the Information Commissioner’s Office (ICO) of its intention to fine the company £99,200,396.

In November 2018, Marriott had disclosed that their Starwood reservation database had been compromised between 2014 and 2018. The breach resulted in approximately 339 million guest records globally being exposed.

Source: ICO intends to fine Marriott International, Inc more than £99m for data breach

How Microsoft Plan to Empower Users to Own and Control Personal Data

Microsoft presented a vast blockchain-related plan: a decentralized identity (DID) network built atop the bitcoin network, which can potentially empower users all over the internet to take control over their personal data and content.

Titled the Identity Overlay Network (ION), the infrastructure lets users obtain control over their own data via the management of their Public Key Infrastructure (PKI).

DID allows users to control their own data and content — including login details and photos, which is not currently possible on most social media platforms that store such data on their private, centralized servers.

Full article: Decentralized Identity: How Microsoft (and Others) Plan to Empower Users to Own and Control Personal Data

The EU Cybersecurity Act Introduces Certifications and the New Cybersecurity Agency

On June 27, 2019, the EU Regulation on Information and Communication Technology (Cybersecurity Act or Act) became effective, introducing, for the first time, EU-wide rules for the cybersecurity certification of products and services (Certification).

The Certification may create a competitive advantage for companies that sell their products and services in the EU. Further, the Certification may act as a catalyst to the anticipated certifications for GDPR-compliance.

In addition, the Cybersecurity Act provides for a new permanent mandate for the EU Agency for Cybersecurity (ENISA) with new responsibilities.

Source: The EU Cybersecurity Act Introduces Certifications and the New Cybersecurity Agency

Apple is making corporate ‘BYOD’ programs less invasive to user privacy

When people bring their own devices to work or school, they don’t want IT administrators to manage the entire device.

But until now, Apple only offered two ways for IT to manage its iOS devices: either device enrollments, which offered device-wide management capabilities to admins, or those same device management capabilities combined with an automated setup process. At Apple’s Worldwide Developer Conference last week, the company announced plans to introduce a third method: user enrollments.

Source: Apple is making corporate ‘BYOD’ programs less invasive to user privacy | TechCrunch

Google rolled out secure data sharing tool

Google has rolled out an open-source tool to help organizations work together with confidential data sets while raising the bar for privacy. Private Join and Compute helps solve the problem of securely sharing sensitive data with other parties.

Using this cryptographic protocol, two parties can encrypt their identifiers and associated data, and then join them. They can then do certain types of calculations on the overlapping set of data to draw useful information from both datasets in aggregate.

Source: Google Online Security Blog: Helping organizations do more without collecting more data

Civil liberties group challenges ‘Bulk hacking’ by UK spy agencies

“Bulk hacking” powers exploited by the intelligence services to access electronic devices represent an illegal intrusion into the private lives of millions of people, the high court has been told.

In its latest challenge to the 2016 Investigatory Powers Act (IPA), the civil rights organisation Liberty has argued that government surveillance practices breach human rights law.

Source: ‘Bulk hacking’ by UK spy agencies is illegal, high court told

Lithuanian DPA launches investigation into D-Link

In response to publicly available information, the Lithuanian data protection authority – State Data Protection Inspectorate – launched a self-initiated inquiry into the allegedly inappropriate processing of personal data by D-Link.

It is feared that D-Link equipment user passwords, browsing history or other information can be accessed by third countries’ servers through D-Link’s devices, allowing profiling and identification of consumers.

State Data Protection Inspectorate also noted that D-Link’s processing activity potentially amounts to a violation of the General Data Protection Regulation’s (GDPR) transparency principle.

Source: State Data Protection Inspectorate Launches D-Link Research | State Data Protection Inspectorate

Cybersecurity certification gets an EU revamp

A new EU Regulation on cybersecurity promises a more coordinated approach across Europe. The new law will set up a framework for the establishment of European cybersecurity certification schemes.

The intention is to prevent “certification shopping” based on different levels of stringency among member states. Certification will be voluntary initially, but regular assessments will be carried out to determine whether certification of particular products or services should become compulsory.

Source: Cybersecurity certification gets an EU revamp