At the PrivSec London conference last week, we heard from Sheila Fitzpatrick, a global expert in privacy and compliance. Here’s our pick of what she had to say and her advice about GDPR, the culture shift it has already brought about, and data privacy and security.
Anonymising data doesn’t truly make data safe, because someone in the organisation still has access to the original data. You need to really think about why your company is getting and using data – achieving an ‘improved user experience’ is not a good enough excuse. Companies often think that security is the same thing as privacy, and point enquiries about privacy to security protocols – but this is an ‘instant fail’ in Fitzpatrick’s book.
Companies in many other countries don’t realise they’re still subject to other countries’ Data Protection laws such as GDPR – and many countries are also planning laws that will exceed its requirements. GDPR created an awareness of changing legal focus from data security to the lawful bases for processing data, which in turn became the impetus for new laws across the world – as well as adding new technologies which also created privacy issues.
GDPR became the biggest revenue generator since Y2K – and there are a lot of solutions in the market. Companies often like to believe that they can buy ‘compliance in a box’, which is impossible and shows a lack of understanding of privacy; they often throw technology at the problem and assume that innovation will provide a better user experience.
They think that privacy will become irrelevant as a result of this approach; that it can be addressed through a simple checkbox, or that they have a “legitimate interest” in processing personal data. However, this probably isn’t true if the basis can’t be explained on a page clearly. It also shouldn’t be forgotten that if consent is ambiguous, it’s invalid under GDPR.
Big Data is problematic for GDPR compliance on many fronts, and so are AI and Smart Cities: it’s difficult to meet consumer rights demands for example, and to maintain anonymity where necessary.
You need to always be honest about what you’re doing; if you can’t, you’ve got a problem. Be upfront about your use of third parties who receive data from you, and don’t let vendors dictate terms to you as their terms can put you in breach. Privacy improvements give a competitive advantage and failing to comply can damage reputations badly.
Our thanks to Sheila Fitzpatrick for these insights and for giving an engaging and thought-provoking talk.
From what we heard at the PrivSec London conference this week, it was clear that a culture shift is needed in many – maybe most – companies coming into the new decade. Our thanks go to the guest speakers who provided these insights – you can see a full list of those whose talks we attended at the end of this article.
Here are some culture shifts that companies need to be making in order to keep up with changing legislation and guidelines:
CULTURE SHIFT #1: Have a plan for privacy and cybersecurity, with people and budgets allocated to it.
CULTURE SHIFT #2: Don’t assume that privacy = cybersecurity, you’ll fail if you assume it’s a tech matter. Do a dummy run of a data breach at your organisation – it’ll probably throw up some significant issues.
CULTURE SHIFT #3: To get buy-in across the organisation, explain Privacy and Cybersecurity matters in the business terms of each department or stakeholder group’s business goals, such as making money, reputation protection, and so on.
CULTURE SHIFT #4: Getting your data into one place (e.g. the cloud) makes it more controllable in one place with a lot of access but is also where the biggest risk lies. Work out what you’ve got and what you are moving to the cloud – delete as much as you can of your data set defensively, use the infrastructure and systems there to look after every piece of information in one system and apply policies across everything.
CULTURE SHIFT #5: Get tighter on checking, stating and enabling opt-outs for all the cookies working on your website(s), such as trackers: many of these may be coming from your third-party hosting provider rather than your own web developers and plugins! ‘Continued browsing’ or browser settings aren’t adequate to demonstrate consents anymore under the latest government guidances.
CULTURE SHIFT #6: For businesses, ethics ARE sustainability. They’re about only using data for transparent, legitimate reasons that genuinely improve the user experience and give users control over the data held about them and how it is used. They’re about not ruining trust or making customers uneasy about using your business or website or platform.
Our thanks to the following guest speakers at PrivSec London 2020:
- Steve Wright, Partner, Privacy Culture Ltd, previously DPO for Bank of England, also John Lewis and Unilever previously
- Baroness Neville-Rolfe, EU Committee member
- Sheila Firtzpatrick, Fitzpatrick & Associates
- Dave Horton, Solutions Engineer at OneTrust
- Shaab Al-Baghdadi, OnlineDPO; Emily Johnson, Microsoft, Bill Karazsia, Fortive; Joao Torres Barreiro, Wills Towers Watson;
- Charlie Wijsman, Accenture Global Data Privacy Lead
- Damine Larrey, Microsoft; Dominic Johnston, Epiq Global; Damian Murphy, Lighthouse Global
- Alberto Quesada, Global Head of Group Data Management, BNP Paribas
- John Richardson, DMA, and formerly the Telephone Preference Service; Giorgia Vulcan, EU Privacy Counsel for the EU DPO Office, Coca-Cola; Or Lechner, Luminati Networks; Marie Bradley, Adam & Eve; Magali Fey, Anonos
Ben Hawes, Benchmark initiative
- Joan Keevil, Professional e-Learning Expert, SAI Global
- David Clarke, Founder, GDPR Technology Forum; Beth Brookner, Privacy Counsel and Data Protection Officer, GVC Ladbrokes Coral; Steve Windle, Incident Response Lead for Europe & Latin America, Accenture; Cosimo Monda, Director, Maastricht European Centre on Privacy and Cybersecurity; Simon Hall, Privacy Consultant & DPO Coach, AwarePrivacy
- Stuart Aston, National Security Officer, Microsoft
- Greg Van Der Gaast, Head of Information Security, University of Salford
- Meera Narendra, Journalist, Data Protection World Forum; Dr Shavana Musa, Legal Consultant and Academic, The University of Manchester; Victoria Guilloit, Partner, Privacy Culture; Ally Pinkerton, Group Head of Information Security Governance & Assurance, Group Information Security Office, Bupa
A Microsoft data breach left a customer database exposed online last month, with 250 million entries involved. Microsoft revealed that the database, which stored anonymised user analytics, was left without protection between 5th December and 31st December.
The information on the database included email addresses, IP addresses, and details of support cases. While Microsoft stated that the majority these records didn’t contain personal user information, these details could still be used maliciously.
According to a report from ZDNet.com:
The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.
The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.
Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year’s Eve.
“I have been in touch with the Microsoft team helping and supporting them to properly investigate it,” Diachenko told ZDNet.
You can read the full article from ZDNet by clicking here.
While this is a worrying security breach, the positive news is that Microsoft have responded it well – and reports that it “found no malicious use” of the data.
The company not only worked immediately to plug the breach on New Year’s Eve, but has also already begun notifying users who had been affected by it. This hopefully means that the impact should be minimal.
Unsure how your organisation ought to respond to a data breach? Our GDPR Consultants can help – get in touch with us today for our professional expertise!
Facebook has a poor record when it comes to data protection, and that trend continues. It’s usually user data that has been at risk, but this time it’s their employees’ data as payroll data is stolen.
The details were stolen last month when a thief stole unencrypted hard drives from a Facebook payroll staffer’s car. According to Bloomberg:
The hard drives, which were unencrypted, included payroll data like employee names, bank account numbers and the last four digits of employees’ social security numbers, according to an email Facebook shared with staff Friday morning. The drives also included compensation information, including salaries, bonus amounts, and some equity details.
In total, the drives contained personal data for about 29,000 U.S. employees who worked at Facebook in 2018, a spokeswoman confirmed.
The theft occurred on November 17th, but it was some time before employees were notified. It wasn’t confirmed that the hard drives contained Facebook payroll information until November 29th and those affected weren’t told until December 13th.
This is far too long a gap, especially given the sensitive nature of the information. Facebook have, however, started taking steps to limit the damage. Bloomberg’s report states:
The employee who was robbed is a member of Facebook’s payroll department, and wasn’t supposed to have taken the hard drives outside the office. “We have taken appropriate disciplinary action,” the spokeswoman said. “We won’t be discussing individual personnel details.”
Facebook is still working with law enforcement to recover the information, though none of the hard drives have been found. In an email, Facebook encouraged employees to notify their banks and offered them a two-year subscription to an identity theft monitoring service.
Click here to read the full article from Bloomberg.
This breach should be a stark reminder that basic mistakes can lead to serious data breaches. Simple lapses from staff members can have the direst consequences.
Facebook itself made several mistakes here. The member of staff should have been made more aware of their responsibilities, and further steps should have been taken to protect the data, such as encrypting the hard drives.
The company’s response should also have been much swifter, identifying exactly what data had been stolen and notifying those affected sooner.
If you’re concerned about these kind of lapses, make sure your staff are aware of their responsibilities with staff training from Activa Consulting, or get our expert advice on data protection with our consultancy services.
E3 (the Electronic Entertainment Expo) is one of the biggest events in the calendar for video gaming – but it’s recently been revealed that a data breach at this year’s event left data exposed for over 2000 people.
This E3 data breach came as a result of a spreadsheet that was published on the event’s website and made publicly available.
As reported by Kotaku:
The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicized. This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicized.
You can read Kotaku’s full report on the story here: https://kotaku.com/e3-expo-leaks-the-personal-information-of-over-2-000-jo-1836936908
While the ESA moved quickly to plug this breach and limit the danger to users, they made a crucial mistake. They deleted the page containing the link to the spreadsheet – but after the story broke in the news, it was found that the spreadsheet itself was still accessible.
This E3 data breach could potentially be very costly for ESA. With journalists attending the event from all over the world, they could find themselves subject to investigations and penalties under multiple different data protection laws, including GDPR.
Kotaku also updated their report to note that ESA provided the following statement:
In the course of our investigation, we learned that media contact lists from E3 2004 and 2006 were cached on a third-party internet archive site. These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files have either been taken down or are in the process of being removed from the third-party site.
We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.
But with the data already out there, the damage has likely already been done.
Contact us straight away if you’re concerned about the possibility of a data breach at your organisation. Under GDPR, the fines can be severe: up 20 20 million euros or 4% of annual turnover per breach!
A new investigation by Delphix has uncovered some worrying information about GDPR non-compliance in the UK, with many businesses unaware of their failings to meet their obligations under GDPR.
Despite the fines and penalties involved in GDPR non-compliance – as can be seen from the recent British Airways fine – many organisations seemed unaware of the need to be careful with personal data.
Employees revealed that they are often unaware of whether they are GDPR compliant or not, with some showing little concern about the matter. One chief information security officer (CISO) even admitted to lying to their CEO about the company’s compliance levels.
As reported by DataCentreNews:
“These confessions should come as a wake-up call to the C-suite,” says Delphix CTO Eric Shrock.
“It is clear that the vast majority of top-level execs are blissfully unaware of how easily accessible their highly sensitive data is,” he adds.
“Pair that with growing frustration amongst developers looking to acquire data quickly and we have the perfect recipe for disaster.”
You can read the full article from DataCentreNews here: https://datacentrenews.eu/story/ceos-falsely-led-to-believe-company-is-gdpr-compliant-delphix
That data protection awareness is not better at the very highest levels of business should be a major concern. It’s often at these levels that people have the most access to personal data.
Data protection and awareness of GDPR should always be incorporated into business processes by design and default. By implementing this philosophy, the kinds of lapses that Delphix uncovered are much less likely to occur.
It’s also important that data protection training be carried out across the entire organisation, from both the lowest level employee to the highest. Anybody within an organisation can be responsible for a data breach; improving awareness of a company’s GDPR non-compliance starts by educating the workforce.
Here at Activa Consulting, we offer a range of staff training options, both in-person and online, to help minimise the risk of data breaches and the resulting fines. If you’re concerned about your compliance levels, get in touch with us today!