Category : News

The Unwitting Enemy Within

Meet David. David works in sales and is out on the road at coffee shops and customer sites a lot. He receives an email from his IT team telling him his account is about to expire and to click on the link to ensure his access continues.

The information in the email looks bona fide and all seems above board. David clicks on the link, enters his credentials and thinks no more of it. Little did David know that a hacker was behind the email and had he taken a little more care with looking at the email, and thinking back to the education and emails his company provides

Unbeknownst to David, as soon as he entered his credentials, a malicious script was activated in the background, which hijacked his session.

Ian doesn’t mean any harm. He’s trying his best. But his best isn’t good enough, because this year Ian singlehandedly caused a data breach that cost his company more than £20,000.

Back in February, Ian fell foul of a phishing attack when a seemingly innocuous email from that well-loved search engine ‘Gloogle’ landed in his inbox.

Ian knew to avoid malicious emails – after all, he’d yawned through his organisation’s mandatory staff awareness training when he joined two years ago.

But this email was from Trish in HR (via Gloogle), and Ian could trust Trish. Or so he thought. So, no alarm bells rang when, upon clicking to view the ‘project management folder’, he was prompted to re-enter his login details.

Unbeknown to Ian, this email wasn’t from Trish. This email was from a hacker, and as Ian entered his user credentials into ‘Gloogle Docs’, a malicious script activated in the background – hijacking his user session cookie, resulting in a reflected XSS attack.

In one fell swoop, the hacker gained access to all of Ian’s user data, including login credentials and company credit card numbers.

Unfortunately for Ian’s employer, the breach wasn’t immediately detected, and it took six weeks before the finance department noticed the influx of fraudulent transactions.

The GDPR and Data Retention

The GDPR is coming soon and it's a game changer. One of the areas it looks at is how you store your data, and that will be under scrutiny. It's important that your business knows and fully understands the regulations in their entirety.

Data Retention, in terms of a business, by definition is:

The continued storage of an organisation's data for compliance or business reasons. In most cases, a business is retaining an individual's personal data.

“Personal Data means any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

The retention of data has the following concerns:

  • Legal and privacy
  • Economics and need-to-know
  • Permissible means of storage, access and encryption

If you are a business that handles personal data, you need to be able to answer the following questions:

  • Do you know and understand the GDPR?
  • Who has the responsibility for dealing with the data?
  • What categories does the data store come under with regards to data protection?
  • Other than data protection laws, what other rules, codes or practices should be considered?
  • When should data be retained and when should it be deleted?
  • When would certain data be made exempt from the general deletion principles?

Are you GDPR compliant?

Article 5 of the GDPR states:

  1. Personal data shall be:
    1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
    2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
    3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
    4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
    5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
    6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

In conclusion, the above does not make entirely clear how long you may retain data, but you need to have a Data Retention Policy, ensure the relevant people in your business know about it, and also have the relevant processes and documentation in place to show destruction of data.

You will also need to consider the purpose of the information that you hold. Securely delete information that is no longer needed and update, archive or securely delete information that goes out of date.

Find out more information about data retention from the ICO:

The ICO, GDPR & Data Protection in Numbers

Some interesting facts and statistics on the ICO for the last couple of years. Leading up to the GDPR implementation in the next few months' time, the fines are going to increase and every business should be aware of what's upcoming.

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

During 2016/2017 the ICO issued fines topping £3.5 million under the Data Protection Act and the Privacy and Electronic Communications Regulations. (1)


The ICO dealt with a record 20,919 data-protection complaints and self-reported incidents across all sectors in that time span to 31st March, a rise of 14% on the previous 12 months. (2)

Data published by the ICO in May 2017 for 2016/17 revealed:

  • In 2016/17 the ICO was alerted to 2,565 breaches of data-protection law by the organisations involved, an increase of 31.5% on the year before
  • Of those breaches, 4% – approximately 103 cases – involved charities, making charities the sector with the joint fifth-highest proportion of self-reported incidents, alongside solicitors and policing
  • Charities were responsible for 4% of the self-reported data-protection incidents that were handled by the ICO in 2016/17
  • The health sector accounted for 41% of self-reported incidents, local government accounted for 11%, general business for 9% and education for 6%
  • The ICO finished dealing with 2,445 self-reported incidents in 2016/17 and handed out monetary penalties in 17% of cases
  • In 1,680 cases no action was required, in 638 cases the data controller was required to act and in 68 cases an improvement plan was agreed between the ICO and the data controller
  • In a statement, the ICO said it had become easier for organisations and the public to alert the regulator to concerns because of its new live chat services and online reporting tool for the public and new self-assessment tools for organisations


The ICO also published statistics about the number of issues it had dealt with in relation to marketing and nuisance calls across all sectors. It received 167,018 complaints about marketing that broke the Privacy and Electronic Communications Regulations 2003 and handed out a record 23 fines, totalling more than £1.92m, for what it called “a range of unlawful marketing activities”. (3)

Since January 2017 the ICO have kept us informed of the developments leading up to the new General Data Protection Regulation (GDPR) enforcement which is due on 25th May 2018.

Find out the full details on the ICO's ‘What's new?’ page.


ICO fee and registration changes for 2018

As the countdown continues to the implementation of the GDPR taking effect in May this year, the ICO are notifying businesses about the change in fees. Under the current Data Protection Act (DPA), organisations that process personal information are required to notify the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. They are also required to pay a notification fee, based on their size, of either £35 or £500.

Find out more about the new ICO fee changes here.