InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Court documents related to a recent gun-trafficking case in New York and obtained by Forbes revealed that the FBI may have a tool to access private Signal messages.
The documents revealed that encrypted messages can be intercepted from iPhone devices when they are in “partial AFU (after first unlock)” mode.
“The clues came via Seamus Hughes at the Program on Extremism at the George Washington University in court documents containing screenshots of Signal messages between men accused, in 2020, of running a gun trafficking operation in New York,” states Forbes. “There’s also some metadata in the screenshots, which indicates not only that Signal had been decrypted on the phone, but that the extraction was done in ‘partial AFU.’ That latter acronym stands for ‘after first unlock’ and describes an iPhone in a certain state: an iPhone that is locked but that has been unlocked once and not turned off.”
Here are our five key data privacy trends for this year.
1. There will be more public awareness of privacy rights
This year, we will see growing public awareness of privacy rights. There is a proliferation of information about data breaches, including commentary in the press regarding data breaches and class action suits, such as the one filed against British Airways.
All of this information is helping consumers become more aware of their rights.
Likewise, the collection by major private and public-sector organisations, as well as employers, of location- and health-related data will also drive employee and consumer awareness of data privacy.
The fact that employers must have a lawful reason for processing personal data means that even on the simple interface of employee–employer relationships, there is a growing awareness of individuals’ rights concerning data.
There is also an increased focus on supervisory authority decisions surrounding DSARs (data subject access requests), and the role they play in taking forward an employment law case.
Over the next year or two, DSARs will likely become a standard preliminary step in any employment-related legal action.
2. Brexit will continue to cause headaches
Brexit, of course, is the biggest immediate issue for UK and EU organisations, and they need to understand the relevance of the UK GDPR (General Data Protection Regulation) – which is embedded in the DPA (Data Protection Act) 2018 as a localised version of the EU GDPR.
For example, references to the EU scope have been changed to the UK, and sections that relate to the actions of the EDPB (European Data Protection Board) have been removed, because its decisions are no longer applicable in the UK.
Organisations operating in the UK and the EU are subject to both regulations, and must keep an eye on the differences in the way they are interpreted and how that affects their compliance requirements.
3. We shouldn’t expect an adequacy decision imminently
Another big concern for organisations operating in the UK and the EU is how to transfer personal data between the UK and the EU.
For data to be transferred freely, there needs to be an adequacy decision made by the EU in respect of the UK data protection regime. On the face of it, that should be straightforward, because its rules mirror those of the EU GDPR.
But in practical terms, it’s not quite as straightforward – not least because there’s an intersection between the UK government’s bulk collection of personal data and the restrictions placed on that under the EU GDPR.
Currently, personal data can continue to flow between the EU and the UK for a minimum of four months – until 30 April. If both parties agree, that can be extended for another two months.
In that period, the EU must decide whether to grant an adequacy decision to the UK. If it does, the UK will be adequate in the same way that the Channel Islands are, and personal data will be able to be moved between the EU and the UK freely.
The UK has already granted an adequacy finding in respect of the EU – so that’s not an issue for moving data from the UK to the EU.
4. GDPR enforcement will be more consistent
In the EU, the approach to enforcing the GDPR is continuing to mature. In the 18 months after the Regulation took effect, there wasn’t much in the way of major decisions, but in the past year there has been a growing number of decisions on a wide range of issues.
In some cases, the fines were minuscule, but in others the penalties were large.
It’s clear that supervisory authorities are paying attention to the requirements of the GDPR – not just relating to data breaches but also violations of its data protection requirements.
We can expect to see supervisory authorities act with greater cohesion and make swifter decisions.
Although the UK’s ICO (Information Commissioner’s Office) has no obligation to follow through with decisions made in the EU, it will almost certainly pay attention to what is happening in the EU.
5. Cookie laws will come under greater scrutiny
From the perspective of most marketers and website users, cookies are a pain in the neck, but they are becoming an increasingly important part of data privacy.
So, cookies – and in particular the way organisations gain consent for their use – will become a significant issue in the EU and the UK.
Current regulations indicate that they apply whenever organisations provide a service into the EU, so we’ll see more websites, wherever they are based, displaying big banners asking visitors to accept and review their cookie collection practices.
Likewise, people will increasingly review these practices to see whether organisations are getting legitimate consent and therefore meeting their regulatory requirements.
Meet your data privacy requirements with IT Governance
One of our experts will guide you through the privacy and Agile roadmap, helping you understand how to incorporate privacy by design in your products and services.
One of the new features in iOS 14 is the ability to change the default email or browser app to a third-party alternative such as Chrome, Edge, or Outlook. A bug in the first public release of iOS 14, however, causes your default browser or mail app setting to reset to Mail or Safari when […]
In the version of iOS 14 released to the public this week, there is a massive caveat to the new default browser and settings. If you reboot your iPhone or iPad, the default app setting will reset to Apple’s first-party Mail and Safari applications.
What this means is that if you set Chrome as the default browser, but then your iPhone dies or you need to reboot it, Safari will once again become the default browser app until you go back into the Settings app and make the change again. The same applies to email apps such as Microsoft Outlook and Spark as well.
This is almost certainly some sort of bug on Apple’s side, because it is affecting email and browser apps from multiple companies including Google, Microsoft, and Readdle. On Twitter, a Google Chrome engineer has acknowledged the problem, though the ball is likely in Apple’s court to roll out some sort of fix — unless this is bizarrely the intended behavior.
Privacy by design is a voluntary approach to projects that promotes privacy and data protection compliance, and helps you comply with the Data Protection Act 1998 (DPA).
The Information Commissioner’s Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:
Building new IT systems to store or access personal data;
Needing to comply with regulatory or contractual requirements;
Developing internal policies or strategies with privacy implications;
Collaborating with an external party in a way that involves data sharing; or
Using existing data for new purposes.
Privacy by design and the GDPR
The upcoming EU General Data Protection Regulation (GDPR) will supersede the DPA. Article 25 of the GDPR, “[d]ata protection by design and default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project. As such, data protection must be considered at the design stage of any project, and you must process and store as little personal data as possible, for as short a time as possible.
Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisation’s data flows. This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.
Organisations need to be aware of the personal data that they are processing, and that this data is being processed in compliance with the law. Organisations can often process significantly more data than they realise, so it is vital that they perform mapping exercises to keep track of them all.
Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.
The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.
ISO 27001 has long been regarded as the information security standard to protect a company’s sensitive information, but more recently law firms have been viewing it as a key competitive differentiator in their field.
Key selling point
Shook, Hardy & Bacon achieved ISO 27001 certification last year and described the standard as a key selling point for their firm. “We wanted to make sure we had the processes in place so [clients] had confidence that we were doing the best we could,” says the firm’s chair, John Murphy.
Strengthened position in the legal market
Murphy continues that certifying to ISO 27001 has strengthened SHB’s position in the legal market and that prospective clients ask the firms they’re evaluating about their data security policies and procedures; some even specifically ask firms whether they have an ISO 27001 certification.
Certification to ISO 27001 has been achieved by at least 12 large law firms, half of which are based in the United Kingdom, and another 16 US firms were identified as “working toward or investigating certification” (International Legal Technology Association’s LegalSEC conference, June 2014).
The importance of data security in the legal sector
Having worked with some of the top law firms in the country – including Eversheds, Freshfields, and Slaughter and May – we know how important data security is to those in the legal sector.
In South Africa the Protection of Personal Information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, damage to, and unauthorised access to personal information. POPI was signed into law on 26 November 2013, but the commencement date is yet to be announced; companies have been given a year from that date to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.
Why is it so important for organizations to keep personal information safe?
Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies as well as the reputational damage and a loss of customer trust. The lack of robust Information Security Management Systems (ISMS) can leave organisations of any size and sector open to data breaches. POPI’s objective is to regulate the way personal information is collected and stored by organizations, which will in turn increase customer confidence in the organizations. The Act will apply to all organizations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens’ personal billing information on the Council’s website, including full names, account numbers, addresses, and contact details. Anything could have happened to that information, including targeted phishing attacks, and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.
POPI’s challenges
The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organizations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employees’ attitudes it will be a serious challenge to reach compliance in only a year.
PwC’s “journey of implementation” report found that the majority of organizations in South Africa believe it will take several years to achieve compliance with POPI.
One way for South African organizations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organization’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.
How to prepare for POPI
IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with weak information security management systems, and recommends that companies look at the useful information about ISO27001 available on the company’s website.
Peter Scheer @ SFChronicle.com on June 12, 2013 – Open Forum on NSA’s snooping
First came news accounts of the government’s use of armed drones in the targeted killing of terrorists abroad. Then came the revelations about government surveillance programs, breathtaking in their scale, tapping into data on phone calls, e-mails, Internet searches and more.
These activities are, in fact, linked.
The use of drones to target America’s enemies represents the fruition of technological evolution in weapon accuracy. Though America’s previous military conflicts have been characterized by military strategies that often maximized enemy casualties (think of the “body counts” during the Vietnam War), the technology of drones makes possible the highly discriminate targeting of selected individuals, with minimal civilian casualties.
U.S. intelligence gathering has evolved in the opposite direction. Before data mining, and especially before the end of the Cold War, intelligence gathering was focused narrowly on selected institutions or individuals. America knew who its enemies were; the objective of espionage operations, from wiretaps to infiltration by American spies, was to find out what they were doing: with whom they were communicating, their capacities and plans.
In recent years, by contrast, the focus has shifted to intercepting and analyzing mountains of data in order to discern patterns of activity that could lead to the identification of individual enemies. Intelligence gathering has evolved from the penetration of known groups or individuals to the sifting and mining of Big Data – potentially including information on all U.S. citizens, or all foreign customers of Google, Facebook, et al. – in order to identify individuals or groups that are plotting attacks against Americans.
The logic of warfare and intelligence has flipped. Warfare has shifted from the scaling of military operations to the selective targeting of individual enemies. Intelligence gathering has shifted from the targeting of known threats to wholesale data mining for the purpose of finding terrorists.
The resulting paradigms, in turn, go a long way to account for our collective discomfort with the government’s activities in these areas. Americans are understandably distressed over the targeted killing of suspected terrorists because the very individualized nature of the drone attacks converts acts of war into de facto executions – and that, in turn, gives rise to demands for high standards of proof and due process.
Similarly, intelligence activities that gather data widely, without fact-based suspicions about specific individuals to whom the data pertain, are seen as intrusive and subject to abuse. The needle-in-a-haystack approach to intelligence gathering is fundamentally at odds with Americans’ understanding of the Constitution’s promise to safeguard them against “unreasonable” government searches. There is nothing reasonable about giving government secret access to phone calls and e-mails of tens of millions of Americans.
Our fear of these changes is reinforced by the absence of transparency surrounding drone strikes – specifically, the protocols for selecting targets – and intelligence operations that cast a broad net in which U.S. citizens are caught. This is why Americans remain supportive of, and thankful for, an independent and free press.
Peter Scheer, a lawyer and writer, is executive director of the First Amendment Coalition. FAC has filed suit against the U.S. Justice Department for access to classified legal memos analyzing the use of drones to target suspected terrorists. The views expressed here are Scheer’s alone and do not necessarily reflect the opinions of the FAC board of directors.
At the beginning of September, there was an addition to the data breach notification laws of California. S.B. 24 was signed into law and will take effect on the first day of 2012. This law requires specific actions to be taken in the event of a data breach, including a standardised notification process and a notification sent to the Attorney General of California (if the breach affects 500 or more California residents).
Why is this relevant to you or your customers? If you encrypt your customers’ personal information, a breach of that data does not trigger the notification requirement, because you have safeguarded your customers’ data. This keeps you out of the press and out of lawsuits, and helps you handle your customers’ data responsibly.
The ruling in the Patco Construction vs. People’s United Bank case set a precedent, because the judge essentially ruled that the bank’s below-par security was sufficient for a small business customer – and Patco (the small business) was held liable for the fraud that resulted from the bank’s average security. For more details of the case, Brian Krebs has written a great post on it.
Based on these two cases, it is hard to know how the next online banking fraud case will be decided and on which precedent. I guess the courts are still trying to figure out how to decide these complex cases and where to set the due diligence bar for the banks.
Your personal information is manageable and controllable most of the time as far as privacy is concerned, until you have to use it for commercial purposes (to apply for a credit card, to open a bank account or to apply for a job). Then it depends on these commercial entities how they are going to use, share, manage or secure your personal information. Most privacy laws tell you how your privacy may be violated, but they leave it to us to make these commercial entities protect our personal information or stop them from selling it to the highest bidder.
Below are some of the consumer privacy protection laws you need to be aware of:
Privacy Act of 1974: this legislation prohibits the federal government from creating secret databases on individuals and limits how agencies can share information. It gives you the right to request your information and to sue the government for failing to follow the Act. This may be important to know for people who are on the no-fly list database. For more details check out http://www.epic.com/privacy/1974act/
Fair Credit Reporting Act: FCRA lets you access your credit bureau records and correct inaccuracies, and it also allows you to obtain a free credit report every year.
Telephone Consumer Protection Act: this law does not provide a great deal of protection against telemarketing calls, but the TCPA made it illegal to send unsolicited fax advertisements.
Family Educational Rights and Privacy Act: FERPA limits the sharing of student records and lets you opt out.
Gramm-Leach-Bliley Act: GLBA allows you to tell your bank to stop sharing your information with third parties.
Health Insurance Portability and Accountability Act: HIPAA gives you access to your medical records and limits the disclosure of medical information by a health care entity or provider.