Amazon has become the latest corporation to suffer an embarrassing data breach. In attempting to comply with a data access request, it instead sent a German user around 1,700 audio recordings belonging to someone else. Rather than complying with the GDPR, Amazon ended up breaching it, and there are lessons to be learned from this data breach.
- According to Amazon, the breach happened because of an isolated human error. Even so, the company is still liable under the GDPR and could face a heavy fine. This demonstrates the importance of staff training in data protection: a breach can come from anyone.
- The user who was sent the audio files contacted Amazon to inform it but received no answer. A quick response is paramount: under the GDPR, a personal data breach must be reported to the relevant supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it. Instead of addressing the issue rapidly, Amazon may have made the situation worse.
- By listening to the audio files, it was possible to work out a great deal about the user whose data it was. c't magazine was able to piece together enough sensitive details about the victim to identify him, contact him and ask him about the leak. Even small pieces of data, put together, can provide a detailed picture of a user.
- The victim of this data breach was apparently not informed about it by Amazon. This is another major issue, as it left him vulnerable should anyone want to use his data maliciously; because he was unaware of the breach, he was unable to take any measures to protect himself.
- There are questions to be asked here about the reliability and safety of keeping virtual assistants in our homes. The audio files were captured by an Amazon Echo device; if these devices are recording what happens in our homes and breaches like this are possible, then we are exposed.
While the most disturbing element here is the potential risk to the user, there is no doubt that Amazon made a bad series of errors. Its response to the data breach was slow, and it did not take sufficient measures to inform either the victim or the data protection authority.
This event also demonstrates the importance of staff training. With a better awareness of data protection, the staff error that led to this breach might have never occurred in the first place.
If you’d like to ensure that your company or organisation is secure from breaches, take a look at Activa Consulting’s Staff Training services, which are designed to help employees meet their obligations for GDPR and potentially keep you from facing substantial fines and penalties.
Implementing the GDPR across multiple business processes, multiple applications and multiple privacy notices is no small job. A further part of that implementation, and a vital one, is staff training. EVERYBODY needs to be trained so they know how to recognise a data subject request when it arrives, whatever channel it comes through.
Staff will need to know how to apply privacy by design. Essentially, whenever the organisation starts a new project or product, the staff involved must work out whether it requires a Privacy Impact Assessment (PIA, known in the GDPR as a Data Protection Impact Assessment or DPIA). This ensures that privacy is built into the new product from the outset rather than bolted on afterwards.
We need to ask lawyers whether we need to apply a PIA retrospectively to existing data if the client hasn't done one before.
Staff Accountability – Staff members need to know who is responsible for which data and for data protection generally. Often, a Data Protection Officer (DPO) will be required. Earlier drafts of the GDPR included, then dropped, a threshold tied to having more than 250 employees; the final text bases the requirement on the nature of the processing instead, so even a small company that processes a lot of data would be prudent to appoint one. For a multinational organisation, regulators' guidance expects the DPO to be based in the EU, which raises issues over Brexit for UK companies with European offices. Individual local offices may, however, be covered by compliance functions that support the central governance function.
It is vital that the staff then actually do what they need to do. Easier said than done. Internal audits and compliance guides will help the staff in this respect; once those are in place and being followed, it becomes business as usual.
You may also want to invite the local regulator, known in the UK as the Information Commissioner's Office (ICO), to review your arrangements. Though this is not compulsory, it can give larger organisations peace of mind.
Once you’ve done all that, you’re all done.
Depending on how the company runs projects through its GPMO (Group Project Management Office), the project team might not conduct assurance itself. It may be enough to do a simple walk-through to confirm that all stakeholders have what they said they wanted, whereas in smaller organisations audits can be built into the project. The scope of work determines whether a given assurance activity is in or out.
Equally, third parties should be explicitly in or out of scope. This determines whether you need to conduct any compliance work with those third parties or bring in external auditors. You need to be comfortable that they are fulfilling what they have said they will do.