Once More Into The Breach

It has been an interesting week, to say the least, with regards to information security breaches in Ireland.  First we heard the responses to Ruairi Quinn’s question as to how many portable devices belonging to government departments have gone missing this year.  So far over 45 devices have been lost.  Damien Mulley has a breakdown of what was lost.  Then on Friday the HSE reported that it had lost another laptop, which reports claim leaves the personal details of thousands of HSE staff at risk of identity theft.

To cap it all, the Irish Times reports that the Minister for Justice, Dermot Ahern, is now considering introducing mandatory breach disclosure laws.  Having been an advocate for the introduction of such laws, I welcome these moves.  However, as Digital Rights Ireland points out, the proposed laws appear to have a number of shortcomings, such as being restricted to only portable devices.  This means that breaches such as the exposure of people’s CVs on the Jobs.ie website earlier this year would not need to be reported.  It also appears the minister wants to concentrate on major breaches.  It will be interesting to see how a major breach is defined.  Will that depend on the type of data exposed or on the number of records?

I attended the Irish ISACA Chapter’s conference on Friday and a number of people asked me for my reaction to the above.  So let me take this post as an opportunity to share my thoughts on breach disclosure:


Irish Times Adds Her Voice to Calls for Data Breach Disclosure Laws

Thanks to Digital Rights Ireland for pointing me in the direction of today’s Irish Times editorial calling for the introduction of Data Breach Disclosure laws.  It is good to see this issue get such a public platform and raise awareness of why I and Digital Rights Ireland have been calling for such laws to be introduced.

The editorial was written by Karlin Lillington.  If you have not visited her blog I recommend you do; Karlin provides some excellent coverage of technical issues and their implications for society.

Irish Ways and Irish Laws

I am regularly asked by clients, training course attendees and contacts in non-Irish companies looking to expand into Ireland what the most relevant legislation relating to information security is for organisations in Ireland.  So here is my top list of legislation that you should be concerned about regarding information security and your business in Ireland.  I hasten to point out that I am no legal expert and that the information below is purely for guidance and should be verified with your own legal team.  If there are any items I have forgotten then please let me know.

The ones of concern to most companies would be the Data Protection Act, 1988 and the Data Protection (Amendment) Act 2003.  Under these an organisation is obliged to ensure the confidentiality of the personal information of customers and staff.  This means ensuring that information is available only to those who need it and only for the purposes for which it was gathered.

So for example, if you buy something from a shop and they ask for your mobile number to facilitate delivery, this is all they are allowed to use that data for.  If you then get an SMS message from them advertising new services, they are in breach of the Data Protection Act and could face fines of up to €3,000 per message.

Similarly, if your organisation were to misuse personal information in a similar manner you could face the same fines.  You can also face fines for not securing the information properly.  The Data Protection Commissioner has a good video on their site outlining the obligations.

You also need to be aware of the European Convention on Human Rights.

Under the above everyone has the right to privacy in all their communications.  This means that a company cannot read employees’ emails or monitor their phone calls or their Internet usage.  In order to do so you need to make staff aware of this in an Acceptable Usage Policy, so that they in effect waive this right.

The Employment Equality Act 1998 obliges you to provide a safe working environment for all, without fear of discrimination.  An area that could be an issue is if a member of staff feels they are being sexually harassed due to the content other members of staff view on their computers.  It is important that all staff are aware of what they are and are not allowed to do when using organisational resources such as computers, and what type of behaviour is acceptable.  This would be outlined in an Acceptable Usage Policy.  Ideally this should then be managed and monitored to ensure people are not breaching the policy, with disciplinary action taken where appropriate.

The Copyright and Related Rights Act 2000.

Under this act any copyrighted material found on your systems could result in a prosecution against the directors of the company and NOT the individual who violated the agreement.  So if a member of staff copies the latest Spiderman movie onto their PC, it is the board of directors that could face prosecution and not the individual.

Finally, you are also obliged to protect credit card data in accordance with the PCI DSS credit card standard.  This is a standard produced by the credit card companies to ensure retailers secure credit card information belonging to customers.  If you are found to be in violation of this standard and that violation resulted in credit card information being compromised, the organisation will face increased credit card charges, possible fines, and will have sanctions such as annual third-party audits enforced on the organisation.

UPDATE – 22/05/08
For those of you based in the United States the following post on “10 ways you might be breaking the law with your computer” may be of interest.

Latest Information Security News Roundup

Below is a round-up of news stories relating to information security that we have collated from the past few days.  For ease of use we have categorised the stories under the most appropriate headings.  If there are other stories that may be of interest please let us know via the comments feature.


Irish Data Retention to Include Emails and Internet Browsing

Last night’s RTE news coverage had a piece highlighting the Irish Government’s decision to extend the current data retention legislation to include details of emails, internet chat messages and internet access.  While the content of emails and chat messages will not be stored, the proposed legislation will force ISPs to record who sent/received an email and the date and time it was sent.  Yesterday’s Irish Times also had an article on this issue, written by Karlin Lillington.

Karlin’s piece in yesterday’s Irish Times provides an excellent overview of the impact this proposed legislation could have.  In particular her riposte to the “if you have nothing to hide you have nothing to fear” argument posted in one of the comments is well worth reading.

Data retention can be an important tool in fighting crime and terrorism.  Keeping the details of who talked/wrote to whom at particular times can be very useful in traffic analysis to build a profile of command and control structures.  But equally important is maintaining the privacy of the individuals that we are trying to protect.  The recent rash of data losses by government departments in the UK, most notably the loss of 25 million records of child benefit recipients, and the misuse of information held in the Irish Department of Family and Social Affairs, highlight how fragile this protection can be.

Mistakes can also be made, as highlighted by the wrongful arrest of a man in India who ended up spending 50 days in jail after police traced the wrong internet address.

In our struggle to maintain a free and democratic society we need to ensure that the laws we introduce and the steps we take to protect those freedoms don’t in themselves become tools to be used against us.  We need assurances that appropriate safeguards, controls, accountability and transparency are maintained at all times and that any misuse of the information will be dealt with swiftly and severely.  Unfortunately the proposed legislation is not clear on what these measures, if any, are.

For those who believe “I’ve got nothing to hide, so therefore I need not worry about government plans to increase surveillance”, the 25-page paper titled “I’ve Got Nothing To Hide And Other Misunderstandings of Privacy” by Professor Daniel Solove of the George Washington University Law School, which explores this argument and highlights its flaws, is well worth a read.

According to Privacy International’s latest report there is already a “systemic failure to uphold safeguards” relating to privacy within Ireland.  We need to ensure that in our fight to combat crime and terrorism we do not further undermine those safeguards.

Update 21/1/08

SiliconRepublic.com covers Digital Rights Ireland’s response to this issue.  Meanwhile I came across this example of misuse of large Government databases by trusted staff: “Corrupt US Customs agent sentenced for data deals”.

Call for Breach Disclosure Laws in Ireland

The Friday edition of the Irish Times dated the 31st of August 2007 contains an article in which Brian Honan, Senior Consultant for BH Consulting, states that at the forthcoming “Privacy in the 21st Century” seminar, which is part of Global Security Week, he will be calling on the Irish Government to look at implementing breach disclosure laws similar to those in place in certain states within the United States.  In the article Brian highlights that while we have very effective data protection laws in Ireland, there are no laws compelling organisations to inform clients if their data has been accessed as a result of a security breach.  The full article is available online on the Irish Times website (paid subscription required) and on TMCnet, and a summary is available on ElectricNews.Net (ENN).

Global Security Week Seminar to be Held In Dublin

Global Security Week, in conjunction with VigiTrust and BH Consulting, is pleased to announce a seminar on the theme of “Privacy in the 21st Century”, to be held on 5th September 2007.  The theme this year is intended to highlight how businesses and individuals can better protect personal information however it might be stored (on paper or in any type of electronic format, such as mobile computing devices, portable storage devices and multiple types of servers).

To discuss this topic, we are delighted to confirm the following keynote speakers:

Office of the Data Protection Commissioner – Tony Delaney, Assistant Commissioner

Microsoft EMEA – Caspar Bowden, Chief Privacy Advisor EMEA

A panel discussion will follow, in which the speakers will answer questions from the audience.

The seminar will be hosted at Jurys Croke Park on Wednesday the 5th of September from 2:00 p.m.  Registration is open to anyone concerned with privacy issues, and places can be booked by contacting either Brian Honan on 01-4404065, [email protected], or Mathieu Gorge on 01-4100864, [email protected].

AGENDA

Time          | Topic                                                                                                   | Speaker
14:00 - 14:15 | Introduction                                                                                            | Brian Honan, BH Consulting
14:15 - 15:15 | Data Protection – Businesses' rights and responsibilities                                               | Tony Delaney, Assistant Commissioner, Office of the Data Protection Commissioner
15:15 - 15:30 | Coffee                                                                                                  |
15:30 - 16:00 | Privacy and User-Centric Identity Management: The Laws of Identity and the Identity Metasystem          | Caspar Bowden, Chief Privacy Advisor EMEA, Microsoft
16:00 - 16:20 | How do security standards help increase privacy of personal and business information: PCI DSS          | Mathieu Gorge, VigiTrust
16:20 - 16:40 | How do security standards help increase privacy of personal and business information: ISO 27001        | Brian Honan, BH Consulting
16:40 - 17:00 | Privacy and Data Protection – How can businesses comply and follow best practice?                       | Panel discussion with all speakers, chaired by Mathieu Gorge, VigiTrust
17:00 - 17:10 | Close                                                                                                   | Mathieu Gorge, VigiTrust

ISO 27001 As a Tool for Compliance

Knowledge Ireland recently published an article I wrote discussing how the ISO 27001 standard can be used as a foundation to help companies ensure they meet their compliance requirements, be that SOX, Basel II, PCI or the Data Protection Act.  The premise I put forward is that having a certified Information Security Management System in place provides a strong basis on which to meet your compliance requirements.

UPDATE: The article is available for download from our Whitepapers page.

I would be interested in hearing your thoughts on the matter and whether or not you agree with my observations.