In a move that is likely to shock corporations in Europe and beyond, the Information Commissioner’s Office (ICO) has fined British Airways (BA) just over £183 million, due to a 2018 data breach in which personal data belonging to 500,000 of its’ customers was compromised. The move marks the first large fine handed down to a company since the General Data Protection Regulation (GDPR) took effect in May of last year and, shockingly, was less than 50% of the maximum fine that the ICO could have set for BA.Read more
The flow of data between the United States and the EU may be at risk as tensions are rising around Privacy Shield. If you haven’t been living under a rock for the last two years, you will likely have heard of the GDPR – the EU data protection regulation that now fiercely protects EU citizen data, whether in the hands of a non-EU or EU-based organisation. You may have wondered, then, how companies in places like the US are still able to legally hold and process EU data without falling foul of the GDPR, and the answer is Privacy Shield. Privacy Shield is a framework that allows companies on both sides of the Atlantic to transfer data while complying with the GDPR. However, this may all soon change, with Members of the European Parliament calling for Privacy Shield to be brought up to scratch or invalidated.
Privacy Shield’s predecessor, Safe Harbour, was already invalidated in 2016 after it was ruled to be inadequate by the EU
It seems that everyone in the cyber security sphere is talking about ransomware these days. Last year, attacks such as WannaCry, NotPetya and BadRabbit took the business world by storm, costing billions in damages. Ransomware is by no means a new threat (it has been around since at least 2005), but it is one of the fastest growing and most costly. Cyber crime is constantly changing, and criminals keep creating news ways to steal money. Ransomware has gotten increasingly sophisticated since 2005, but the people using and deploying it haven’t necessarily – now some cyber criminals are making more money selling high-tech ransomware strains to non-technical criminals than if they were to conduct the attacks themselves. The result is that more and more ‘hackers’ have access to ransomware and need very little technical know-how to operate it, leading to more and more ransomware attacks each year. It may come as a surprise, then, to hear that the FBI received less reports of ransomware attacks in 2017 than in 2016 and 2015, despite the increase in attacks.
The FBI reported just 1,783 reports of ransomware attacks in 2017, compared to 2,673 in 2016 and 2,453 in 2015.
Data transfer between the EU and US had come under fire in the Irish courts, due to a dispute in the clause Facebook Ireland uses to send data back to its international parent, Facebook US. EU data protection and privacy laws are among the strongest in the world, and as such, any data pertaining to EU citizens cannot be transferred outside Europe without strong assurances in place that the data will be processed under EU-compliant terms. While the US data protection laws are considered inadequate for European data, many international tech companies circumvent this using a model known as “standard contractual clauses”, whereby the parent company (Facebook US, in this example) enters into a contract with their EU subsidiary (Facebook Ireland) which pledges to meet the EU’s strict rules. Ireland is home to the European headquarters of 9 out of 10 of the of the world’s largest social media companies, and standard contractual clauses have been considered legally acceptable by the EU since 2001.
Ireland is home to 9/10 of the world’s largest social media companies (including Facebook), making it a crucial link between EU and US regulations.
With the EU General Data Protection Regulation (GDPR) only 8 months away from coming into force, surveys are showing that many businesses across the UK and Ireland are still confused about exactly what the regulation means for them, and may be unprepared for GDPR. A survey conducted of over 1000 IT decision makers revealed that 64% were unaware that customers’ birth dates are considered personally identifiable information (PII), which is especially worrying as any mishandling of such data could constitute a breach of the GDPR and result in fines of up to €20 million. 42% did not realise that email marketing databases contained PII, 32% did not consider physical addresses to be and 21% did not even consider customer email addresses to be PII. In contrast, 85% of these survey respondents reported that they have reviewed the GDPR requirement thoroughly and 79% believe they have done everything they need to do to secure their data. This disparity marks a worrying trend for businesses, big or small.