Category Archives: GDPR

NIST Releases Privacy Risk Management Framework

Last week, NIST announced version 1.0 of its Privacy Framework, a tool designed to support organizations in managing their privacy risks.

In September 2019, NIST released a revised draft Privacy Policy when it called for public feedback. The organization had initially hoped to introduce version 1.0 by the end of 2019, but only on 16 January was it officially announced.

The NIST Privacy Framework has been designed to help organizations of all sizes manage privacy risks by focusing on three main aspects: privacy when developing a product or service, information on privacy practices and interinstitutional cooperation.

The architecture consists of three main components: the heart, the profiles and the implementation stages. The core provides a granular set of activities and results aimed at facilitating internal communication. Profiles represent the core functions, categories and sub-categories of an organisation. Finally, implementation levels help organizations optimize the resources needed for their target profile to be achieved.

NIST stated that the Privacy Framework is a collaborative mechanism not a statute or rule to mitigate threats and enforce compliance with existing legislation, like the GDPR and CCPA in California.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” said Naomi Lefkovitz

“If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

The system should also make it easier for companies to keep up with technological developments and new uses for results, according to Lefkovitz.

“A class of personal data that we consider to be of low value today may have a whole new use in a couple of years, or you might have two classes of data that are not sensitive on their own, but if you put them together they suddenly may become sensitive as a unit,” she explained. “That’s why you need a framework for privacy risk management, not just a checklist of tasks: You need an approach that allows you to continually reevaluate and adjust to new risks.”

NIST states that the NIST cyber security system is intended to be complementary and both will be revised over time.

NIST Privacy System: An Business Risk Management Security Compliance Guide is accessible in PDF format on the NIST website.

The post NIST Releases Privacy Risk Management Framework appeared first on .

GDPR Regulators Have Imposed $126M in Fines Thus Far, Finds Survey

A new survey found that regulators have thus far imposed imposed $126 million worth of fines for data breaches and other GDPR infringements. According to DLA Piper’s GDPR Data Breach Survey, data protection regulators imposed €114 million (about US$126 million / £97 million) in GDPR-related fines between May 25, 2018 and January 27, 2020. The […]… Read More

The post GDPR Regulators Have Imposed $126M in Fines Thus Far, Finds Survey appeared first on The State of Security.

NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance

Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy. To help organizations keep this balance, the National Institute of Standards and Technology (NIST) is offering a new tool for managing privacy risk. Version 1.0 of the NIST Privacy Framework The agency has just released Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. … More

The post NIST Privacy Framework 1.0: Manage privacy risk, demonstrate compliance appeared first on Help Net Security.

What Website Owners Should Know About Terms and Conditions

All website owners should consider terms and conditions (T&Cs) to be a form of legal protection as they establish the responsibility and rights of the involved parties. T&Cs provide full security should anything go amiss and they also help you settle any disputes quickly without having to resort to the courts.

Is it a legal requirement to include T&Cs?
No, but it’s always best to include terms and conditions on your website as they will enable you to reduce your potential liabilities. It is essential that you let your customers or visitors know about their rights; if you’re not clear about your policies, they may dispute matters such as cancellation options, item returns and other rights, putting your company at a disadvantage. Additionally, if areas are unclear in your terms and conditions or even not mentioned, it may mean that you are liable to give your customer additional rights than are given under statutory.
Do you have to include GDPR provisions?
Website owners, even those outside the European Union (EU), should also consider incorporating the General Data Protection Regulation. Inserting a data protection clause can reassure your customers that their data will not be used for inappropriate purposes. You can include the majority of the GDPR obligations in your site’s privacy policy.

What should you include in the T&Cs?
If you are an online seller, it is essential to explain to customers the various processes involved, such as:
  • How to make a purchase
  • How to make a payment
  • How they will receive their products
  • How they can cancel orders
T&Cs help you establish boundaries by outlining what specific rights customers have. In return, you also inform them about your obligations as a seller and the limits of your legal liability.

What kind of protection can you expect from the T&Cs? It may not be uncommon for disputes to arise between you and your online customers or visitors. Therefore, it is essential to ensure that the terms and conditions are accessible, preferably on your website.

You also need to protect your website from copyright infringements. You can avoid potential disputes and confusion by specifying which sections are copyrighted and which are your intellectual property. You should also stipulate what visitors can do with your data. If there is any breach of your copyright or intellectual property, the terms and conditions should clearly explain how the problem will be resolved.

Are there standard T&Cs which apply to all websites?
There are general formats or templates of T&Cs that you can obtain for free online. However, there is always the possibility that these documents will not cover specific aspects of your business or will not include the relevant terms. If you omit an essential term from your website, you may find yourself vulnerable if a dispute arises. Therefore, it is critical that you customise your terms and conditions so they are suitable for your website and business.
  • Product and service offerings – No two businesses are alike, even if you sell the same products and services. For example, your competitor may only accept PayPal but you may allow other modes of payment.
  • Industry or target audience – In every industry, there are specific provisions that need to be included in the T&Cs. For example, customers may have a legal right to cancel or return their purchases within a specified period.
Can website owners enforce their T&Cs?
Your T&Cs are like any other enforceable contract. Nevertheless, you must ensure that they don’t contravene existing consumer laws or government regulations. Remember, you should only incorporate clauses that you can legally apply.

Conclusion
Terms and conditions are necessary for all businesses, including e-commerce sites. It is essential that you create T&Cs that are suitable for your products and services, and that they are legally enforceable. You also need to periodically review your T&Cs, especially if there have been any significant changes to your business structure or the law. Moreover, they must be accessible to your online customers and visitors. If they are not aware of your T&Cs, you may find it difficult to enforce them if a problem arises.

Written by Kerry Gibbs, a legal expert at BEB Contract and Legal Services.

Apps are sharing more of your data with ad industry than you may think

Apps like Grindr, Tinder and Happn are (over-)sharing data about sexuality, religion, and location with a shadowy network of data brokers. And it's not just dating apps that are doing it...

For privacy, 2020 is not for hindsight

It has been an exciting few years for privacy. The passing and enforcement of new laws (such as CCPA and GDPR) and modifications made to others have caused a flurry of activity across organizations of all sizes. Decisions have been made about how meeting the laws’ requirements by changing procedures and policies. Now it is […]

The post For privacy, 2020 is not for hindsight appeared first on Privacy Ref.

Cyber Attacks are the Norm

By Babur Nawaz Khan, Product Marketing, A10 Networks

As we 2019, its time to have a look at the year 2020 and what it would have in store for enterprises.

Since we are in the business of securing our enterprise customers’ infrastructures, we keep a close eye on how the security and encryption landscape is changing so we can help our customers to stay one step ahead.

In 2019, ransomware made a comeback, worldwide mobile operators made aggressive strides in the transformation to 5G, and GDPR achieved its first full year of implementation and the industry saw some of the largest fines ever given for massive data breaches experienced by enterprises.

2020 will no doubt continue to bring a host of the not new, like the continued rash of DDoS attacks on government entities and cloud and gaming services, to the new and emerging. Below are just a few of the trends we see coming next year.

Ransomware will increase globally through 2020
Ransomware attacks are gaining widespread popularity because they can now be launched even against smaller players. Even a small amount of data can be used to hold an entire organisation, city or even country for ransom. The trend of attacks levied against North American cities and city governments will only continue to grow.

We will see at least three new strains of ransomware types introduced:

  • Modular or multi-leveled/layered ransomware and malware attacks will become the norm as this evasion technique becomes more prevalent. Modular attacks use multiple trojans and viruses to start the attack before the actual malware or ransomware is eventually downloaded and launched 
  • 70% of all malware attacks will use encryption to evade security measures (encrypted malware attacks)
To no surprise, the cyber security skills gap will keep on widening. As a result, security teams will struggle with creating fool-proof policies and leveraging the full potential of their security investments

Slow Adoption of new Encryption Standards
Although TLS 1.3 was ratified by the Internet Engineering Taskforce in August of 2018, we won’t see widespread or mainstream adoption: less than 10% of websites worldwide will start using TLS 1.3. TLS 1.2 will remain relevant, and therefore will remain the leading TLS version in use globally since it has not been compromised yet, it supports PFS, and the industry is generally slow when it comes to adopting new standards. Conversely, Elliptical-curve cryptology (ECC) ciphers will see more than 80% adoption as older ciphers, such as RSA ciphers, are disappearing.

Decryption: It’s not a Choice Any Longer
TLS decryption will become mainstream as more attacks leverage encryption for infection and data breaches. Since decryption remains a compute-intensive process, firewall performance degradation will remain higher than 50% and most enterprises will continue to overpay for SSL decryption due to lack of skills within the security teams. To mitigate firewall performance challenges and lack of skilled staff, enterprises will have to adopt dedicated decryption solutions as a more efficient option as next-generation firewalls (NGFWs) continue to polish their on-board decryption capabilities

Cyber attacks are indeed the new normal. Each year brings new security threats, data breaches and operational challenges, ensuing that businesses, governments and consumers have to always be on their toes. 2020 won’t be any different, particularly with the transformation to 5G mobile networks and the dramatic rise in IoT, by both consumers and businesses. The potential for massive and widespread cyber threats expands exponentially.

Let’s hope that organisations, as well as security vendors, focus on better understanding the security needs of the industry, and invest in solutions and policies that would give them a better chance at defending against the ever-evolving cyber threat landscape.

MoJ Reports Over 400% Increase in Lost Laptops in Three Years

Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, today announced new findings from Freedom of Information (FoI) requests submitted to five government departments into the security of devices held by public sector employees. The Ministry of Justice (MoJ) lost 354 mobile phones, PCs, laptops and tablet devices in FY 2018/19 compared with 229 between 2017/2018. The number of lost laptops alone, has risen from 45 in 2016/17 to 101 in 2017/18 and up to 201 in 2018/2019, an increase of more than 400% in three years.

FoI requests were submitted to the MoJ, Ministry of Education (MoE), Ministry of Defence (MoD), NHS Digital and NHS England during September-November 2019. Of the five government departments contacted, three out of five government departments responded. The MoE also reported 91 devices lost or stolen in 2019, whilst NHS Digital have lost 35 to date in 2019.

“Whilst devices are easily misplaced, it’s concerning to see such vast numbers being lost and stolen, particularly given the fact these are government departments ultimately responsible for volumes of sensitive public data. A lost device can pose a significant risk to the government if it is not properly protected” said Jon Fielding, Managing Director, EMEA, Apricorn.

When questioned about the use of USB and other storage devices in the workplace, or when working remotely, all three departments confirmed that employees use USB devices. The MoJ added that all USB ports on laptops and desktops are restricted and can only be used when individuals have requested that the ports be unlocked. Each of the responding departments noted that all USB and storage devices are encrypted.

“Modern-day mobile working is designed to support the flexibility and efficiency increasingly required in 21st-century roles, but this also means that sensitive data is often stored on mobile and laptop devices. If a device that is not secured is lost and ends up in the wrong hands, the repercussions can be hugely detrimental, even more so with GDPR now in full force”, noted Fielding.

In a survey by Apricorn earlier this year, roughly a third (32%) of respondents said that their organisation had already experienced a data loss or breach as a direct result of mobile working and to add to this, 30% of respondents from organisations where the General Data Protection Regulation (GDPR) applies were concerned that mobile working is an area that will most likely cause them to be non-compliant.

All responding sectors did confirm that they have security policies in place that cover all mobile, storage and laptop devices.

“Knowing that these government departments have policies in place to protect sensitive data is somewhat reassuring, however, they need to be doing a lot more to avoid the risk of a data breach resulting from these lost devices. Corporately approved, hardware encrypted storage devices should be provided as standard. These should be whitelisted on the IT infrastructure, blocking access to all non-approved media. Should a device then ‘go missing’ the data cannot be accessed or used inappropriately” Fielding added.

About the FoI Requests
The research was conducted through Freedom of Information requests submitted through Whatdotheyknow.com. The requests, submitted between September and November 2019, along with the successful responses can be found at: https://www.whatdotheyknow.com/list/successful.

Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020

Its December and the Christmas lights are going up, so it can't be too early for cyber predictions for 2020.   With this in mind, Richard Starnes, Chief Security Strategist at Capgemini, sets out what the priorities will be for businesses in 2020 and beyond.


Accelerated digital innovation is a double-edged sword that will continue to hang over the cybersecurity threat landscape in 2020.  As businesses rapidly chase digital transformation and pursue the latest advancements in 5G, cloud and IoT, they do so at the risk of exposing more of their operations to cyber-attacks. These technologies have caused an explosion in the number of end-user devices, user interfaces, networks and data; the sheer scale of which is a headache for any cybersecurity professional. 

In order to aggressively turn the tide next year, cyber analysts can no longer avoid AI adoption or ignore the impact of 5G. 

AI Adoption
Hackers are already using AI to launch sophisticated attacks – for example AI algorithms can send ‘spear phishing’ tweets six times faster than a human and with twice the success. In 2020, by deploying intelligent, predictive systems, cyber analysts will be better positioned to anticipate the exponentially growing number of threats.

The Convergence of IT and OT
At the core of the Industry 4.0 trend is the convergence of operations technology (OT) and information technology (IT) networks, i.e. the convergence of industrial and traditional corporate IT systems. While this union of these formerly disparate networks certainly facilitates data exchange and enables organisations to improve business efficiency, it also comes with a host of new security concerns.

5G and IoT
While 5G promises faster speed and bandwidth for connections, it also comes with a new generation of security threats. 5G is expected to make more IoT services possible and the framework will no longer neatly fit into the traditional security models optimised for 4G. Security experts warn of threats related to the 5G-led IoT growth anticipated in 2020, such as a heightened risk of Distributed Denial-of-Service (DDoS) attacks.

Death of the Password
2020 could see organisations adopt new and sophisticated technologies to combat risks associated with weak passwords.

More Power to Data Protection Regulations
In 2020, regulations like GDPR, The California Consumer Privacy Act and PSD2 are expected to get harsher. We might also see announcements of codes of conduct specific to different business sectors like hospitality, aviation etc. All this will put pressure on businesses to make data security a top consideration at the board level.

Cyber Security Businesses: Solving Challenges Through New Technologies

From everyday transactions to transport planning, as our world becomes more dependent on technology, cybersecurity risks are becoming more common, and more dangerous. 

Luckily, there’s a range of cybersecurity businesses and start-ups attempting to solve this issue through innovative new technologies.

We look at some recent projects and partnering opportunities tackling cybersecurity challenges. 

Antivirus Software From Japan
Established in 2007, a Japanese company has developed security software to detect unknown threats. They have developed a heuristic application consisting of five engines to detect malware and protect users.

These engines include;
  • Static analyses
  • Sandbox runs programs on a virtual environment
  • Dynamic analyses (monitors the behaviour of currently running programs)
  • Machine learnings
  • Vulnerability attack protection
The advantage of this technology is that it does not depend on pattern files. So far, the programs have detected several major threats and the engines are regularly updated with the latest research and information. In addition, the software requires no signature, a benefit for companies who do not wish to have their data drawn into the cloud.

The company has been very successful in Japan and are now looking to expand into European markets with the help of a partner. Their ideal partner would be an Original Equipment Manufacturer (OEM) company working in Internet Security.

Protecting Data, Assets and Brands Against Global Cyber Attacks
A German company has developed an automated platform to deal with global cybersecurity threats more efficiently.

The technology allows users to;
  • Benefit from ad-hoc assistance in emergencies
  • Simplify their security processes
  • Safely share threat information with a range of stakeholders and organisations
  • Contribute to a collaborative database
Some of the benefits of this platform include;
  • Automated incident response management
  • Real-time alerts
  • Data fusion on a large scale
  • Easy integration
  • Secure collaboration
  • Varied deployment models
  • Helps users understand and monitor threats worldwide
The company is now looking for help with the commercialisation of the business. They are seeking European or Asian partners to aid with sales, marketing and delivery.

Helping SMEs Improve Their Information Security
A British company has developed a bespoke service for SMEs, helping them to improve their security and technology solutions.

This service includes;
  • IT/cybersecurity
  • Privacy/ GDPR
  • Business continuity
  • Disaster recovery
  • Collaboration technologies
  • Blockchain/IoT/AI/Cloud computing
The company prides itself on strong face-to-face communication and their ability to tailor services to meet the needs of specific clients. They are currently looking to make commercial partnerships with businesses looking to improve their cybersecurity.

24/7 Security and Events Management
An Israeli company has developed a new solution to help organisations manage internal and external cyber threats. This real-time technology is available worldwide and offers a reliable, individualised service.

The service includes;
  • Risk assessments
  • Forensics
  • Compliance
  • A flexible pricing model
The advantage of a 24/7 security service is that users can speak to security specialists at any time, and alerts are handled in real-time.

The company is looking for commercial agents in the cybersecurity sector to expand their client base.

Enterprise Europe Network: Connecting Businesses and Partners Worldwide
Enterprise Europe Network (EEN) helps businesses, academia and research institutions connect, expand into new markets and transform ideas into marketable products.

Discover more cybersecurity businesses and partnership opportunities part of the EEN network for an insight into the future of online security.

These new rules were meant to protect our privacy. They don’t work | Stephanie Hare

The data protection laws introduced last year are failing us – and our children

Who owns your data? This is one of the toughest questions facing governments, companies and regulators today and no one has answered it to anyone’s satisfaction. Not what we were promised last year, when the European Union’s General Data Protection Regulation, commonly known as the GDPR, came into effect.

The GDPR was billed as the gold standard of data protection, offering the strongest data rights in the world. It has forced companies everywhere to modify their operating models, often at great cost. It inspired the state of California to pass a similar law and where California leads, the rest of the US often follows; there have been calls for a federal version of the GDPR.

Most websites nudge us into clicking 'I consent' by making it harder for us not to

Advances in computing processing power and AI will allow those who have our data to do much more with it, and so with us

Continue reading...