The EU Cybersecurity Act Introduces Certifications and the New Cybersecurity Agency

On June 27, 2019, the EU Regulation on Information and Communication Technology (Cybersecurity Act or Act) became effective, introducing for the first time EU-wide rules for the cybersecurity certification of products and services (Certification).

The Certification may create a competitive advantage for companies that sell their products and services in the EU. Further, the Certification may act as a catalyst for the anticipated certifications for GDPR compliance.

In addition, the Cybersecurity Act provides for a new permanent mandate for the EU Agency for Cybersecurity (ENISA) with new responsibilities.

Source: The EU Cybersecurity Act Introduces Certifications and the New Cybersecurity Agency

Apple is making corporate ‘BYOD’ programs less invasive to user privacy

When people bring their own devices to work or school, they don’t want IT administrators to manage the entire device.

But until now, Apple only offered two ways for IT to manage its iOS devices: either device enrollments, which gave admins device-wide management capabilities, or those same device management capabilities combined with an automated setup process. At Apple’s Worldwide Developer Conference last week, the company announced plans to introduce a third method: user enrollments.

Source: Apple is making corporate ‘BYOD’ programs less invasive to user privacy | TechCrunch

The importance of consent and privacy when deploying voice biometrics

Whilst the choice of voice biometrics may be the correct technological choice for many companies operating large call-centres, its implementation doesn’t appear to have taken into account the data protection requirements that accompany biometrics in the relevant jurisdictions.

The GDPR is very specific about the use of biometrics and refers to it as an especially sensitive category of personal data that warrants extra protection.

Source: The importance of consent and privacy when deploying voice biometrics

Deidentification versus anonymization

Anonymization is hard. Just like cryptography, most people are not qualified to build their own.

Unlike cryptography, the research is at a far earlier stage, and pre-built code is virtually unavailable. That hasn’t stopped people from claiming certain datasets (like this) are anonymized and (sadly) having them re-identified.

Full article: Deidentification versus anonymization

Google rolled out secure data sharing tool

Google has rolled out an open-source tool to help organizations work together on confidential data sets while raising the bar for privacy. Private Join and Compute helps solve the problem of securely sharing sensitive data with other parties.

Using this cryptographic protocol, two parties can encrypt their identifiers and associated data, and then join them. They can then do certain types of calculations on the overlapping set of data to draw useful information from both datasets in aggregate.
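As an added illustration (not Google’s code or the open-source Private Join and Compute library), a toy run of the exchange described above: each party blinds identifiers with a secret exponent so the join can be done on blinded values, and the associated data travels under Paillier encryption so only the aggregate over the overlap is ever decrypted. Function names, parameters and sample data are assumptions; key sizes are far too small to be secure.

```python
import hashlib, math, random, secrets
P = 2**127 - 1  # prime modulus for commutative blinding x -> x^k mod P (toy size, not secure)

def hash_to_group(identifier):  # map an identifier into Z_P^* via SHA-256
    return int.from_bytes(hashlib.sha256(identifier.encode()).digest(), "big") % (P - 1) + 1

def blind_key():  # exponent coprime to P-1, so blinding is a bijection and (x^a)^b == (x^b)^a
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def paillier_keygen(p=10007, q=10009):  # tiny primes: illustration only
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return (n, n + 1), (n, lam, mu)  # (public key, private key)

def paillier_enc(pk, m):
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def paillier_dec(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def private_join_and_compute(a_ids, b_records):
    """A holds identifiers, B holds {id: value}; returns what B learns: (overlap size, sum over overlap)."""
    a_key, b_key = blind_key(), blind_key()
    pk, sk = paillier_keygen()  # B's key pair; A only ever sees pk
    # Round 1 (A -> B): A's identifiers blinded with a, shuffled.
    round1 = [pow(hash_to_group(i), a_key, P) for i in a_ids]
    random.shuffle(round1)
    # Round 2 (B -> A): A's items re-blinded with b; B's items blinded with b, each with its encrypted value.
    double_blinded = {pow(x, b_key, P) for x in round1}
    round2 = [(pow(hash_to_group(i), b_key, P), paillier_enc(pk, v)) for i, v in b_records.items()]
    random.shuffle(round2)
    # Round 3 (A -> B): A blinds B's items with a; H(id)^ba == H(id)^ab marks the overlap. A multiplies the
    # matching ciphertexts (homomorphic add; A cannot decrypt) and returns only the count and encrypted sum.
    enc_sum, size = paillier_enc(pk, 0), 0
    for blinded, ct in round2:
        if pow(blinded, a_key, P) in double_blinded:
            enc_sum, size = enc_sum * ct % (pk[0] ** 2), size + 1
    return size, paillier_dec(sk, enc_sum)  # B decrypts the aggregate only
# Constructed sample data (not real users): two identifiers overlap, with values 30 + 12.
A_IDS = ["alice@example.test", "bob@example.test", "carol@example.test"]
B_RECORDS = {"bob@example.test": 30, "carol@example.test": 12, "dave@example.test": 99}
print(private_join_and_compute(A_IDS, B_RECORDS))  # -> (2, 42)
```

Neither party sees the other’s plaintext identifiers: A only ever handles blinded values, and B only decrypts the one aggregate ciphertext.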

Source: Google Online Security Blog: Helping organizations do more without collecting more data

Human error still the major cause of data breaches

More than half of all executives (53%) and nearly three in 10 Small Business Owners (28%) who suffered a breach revealed that human error or accidental loss by an external vendor/source was the cause of the data breach, according to a Shred-it survey conducted by Ipsos.

The report found that nearly half of all executives (47%) and one in three SBOs (31%) say human error or accidental loss by an employee/insider was the cause.

Source: Human error still the cause of many data breaches – Help Net Security

Users must receive specific and helpful information in case of a data breach

No generic information may be provided to users in case of a data breach, whilst specific guidance must be made available on how to prevent unlawful use of one’s personal data – in particular identity thefts.

This is the decision issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali) against one of Italy’s leading email service providers following the proceeding initiated after the company had notified the Garante of a data breach.

Source: Italian SA: Users must receive specific, helpful information in case of a data breach

Lithuanian DPA launches investigation into D-Link

In response to publicly available information, the Lithuanian data protection authority – State Data Protection Inspectorate – launched a self-initiated inquiry into the allegedly inappropriate processing of personal data by D-Link.

It is feared that D-Link equipment user passwords, browsing history or other information can be accessed by third countries’ servers through D-Link’s devices, allowing profiling and identification of consumers.

The State Data Protection Inspectorate also noted that D-Link’s processing activity potentially amounts to a violation of the General Data Protection Regulation’s (GDPR) transparency principle.

Source: State Data Protection Inspectorate Launches D-Link Research | State Data Protection Inspectorate

Cybersecurity certification gets an EU revamp

A new EU Regulation on cybersecurity promises a more coordinated approach across Europe. The new law will set up a framework for the establishment of European cybersecurity certification schemes.

The intention is to prevent “certification shopping” based on different levels of stringency among member states. Certification will be voluntary initially, but regular assessments will be carried out to determine whether certification of particular products or services should become compulsory.

Source: Cybersecurity certification gets an EU revamp

Hackers are stealing personal medical data to impersonate your doctor

While personally identifiable information — full names, social security numbers, home addresses, dates of birth, credit card numbers — can be exploited by criminals to commit identity fraud, the theft of medical information can have equally serious impact on victims.

How do hackers exploit medical data? Administrative paperwork — like medical licenses — used to forge a doctor’s identity sells on the dark web for around $500. Insurance providers’ login information can be used to steal a victim’s identity and make insurance claims. Health insurance cards, prescriptions, and drug labels are forged with the intention of carrying drugs through airports. Hacked personal health information is used against individuals who have health issues for extortion and other crimes.

Source: Hackers are stealing personal medical data to impersonate your doctor