The 4th Annual Privacy & Data Protection Ireland 2009 seminar is due to be held on the 18th and 19th of February 2009. I will be giving an interactive case study on identity theft at the seminar. As a speaker I am happy to be able to pass on a discounted rate to those of you who wish to register and attend the event. Up until the 1st of December you can register for one or both days of the seminar and make significant savings on the normal fees.
If you book early for one day the fee will be €400; after the 1st of December that will rise to €575. If you book for both days before the 1st of December the cost to you will be €750 instead of the normal €950. There are some excellent speakers addressing the event, and if you have an interest in data protection and/or privacy then you should attend. Booking forms and more information are available on the seminar’s website.
It has been an interesting week, to say the least, with regards to information security breaches in Ireland. First we heard the responses to Ruairi Quinn’s question as to how many portable devices belonging to government departments have gone missing this year: so far over 45 devices have been lost, and Damien Mulley has a breakdown of what was lost. Then on Friday the HSE reported that it had lost another laptop, which reports claim leaves the personal details of thousands of HSE staff at risk of identity theft.
To cap it all, the Irish Times reports that the Minister for Justice, Dermot Ahern, is now considering introducing mandatory breach disclosure laws. Having been an advocate for the introduction of such laws, I welcome this move. However, as Digital Rights Ireland points out, the proposed laws appear to have a number of shortcomings, such as being restricted to portable devices only. This means that breaches such as the exposure of people’s CVs on the Jobs.ie website earlier this year would not need to be reported. It also appears that the minister wants to concentrate on major breaches. It will be interesting to see how a major breach is defined: will that depend on the type of data exposed or on the number of records?
I attended the Irish ISACA Chapter’s conference on Friday and a number of people asked me for my reaction to the above. So let me take this post as an opportunity to share my thoughts on breach disclosure;
Digital Rights Ireland have reproduced an excellent article discussing the impact the Data Protection Act has on our rights to privacy. The article was published in the Irish Daily Mail and written by Fergal Crehan, a barrister specialising in Internet law. It is also interesting to note that the UK Information Commissioner, their equivalent of our Data Protection Commissioner, has called the UK implementation of data retention “a step too far“.
All of the above laws have been introduced to protect us from the threats posed by serious crime and terrorism but at the cost of the erosion of our rights to privacy and liberty. While we need to introduce measures to protect us from those threats we need to do so in a way that protects the rights of all citizens and we should use this as a turning point to ensure that the appropriate safeguards are put in place.
The Digital Ireland Supplement of Thursday’s Irish Independent ran an article on the increasing risk of identity theft posed by the way people treat, or rather mistreat, their privacy when online. SiliconRepublic.Com have published the article online.
I am quoted in the piece highlighting that most identity theft is committed by someone close to the victim, i.e. a relative or friend. However, with the explosion of online social networking sites, people willingly give away lots of personal details, just as we do to organisations and through the way we dispose of our data.
It is an interesting read and well done to Marie Boran and John Kennedy. They link to a very humorous BBC video on the subject of identity theft.
The video is excellent but does provide an interesting discussion point. Is identity theft the fault of the consumer or the bank? Who at the end of the day should pay for someone who is not you getting their hands on your money?
With regards to privacy on online social networks, Famous Pete Wood Security (hi Pete!!) steered me to this interesting insight into your privacy on Facebook.
The Data Protection Commissioner yesterday published his annual report for 2007. The report is yet another compelling read and shows how our privacy is being gradually eroded in the name of commerce and the fight against serious crime and terrorism. Indeed this is perhaps best reflected in the words of the commissioner himself “Have we not succumbed to terror and submitted to extremism when we lose the liberty to live our lives without constant intrusion by the State in the name of security?”
Since 2006 the number of new complaints registered has increased from 659 to 1,037; these are in addition to the 20,000 phone and 4,000 email enquiries received by his office. Within the report the commissioner highlights a number of case studies that make worthwhile reading for us all, to ensure we do not make the same mistakes;
The use made by Baxter Healthcare of two medical reports relating to a former employee;
The inappropriate use of CCTV footage by the West Wood Club in Sandymount and covert CCTV by the Gresham Hotel in Dublin;
Suspension of the operations of a cold-call marketing operation by Newtel communications;
Inappropriate disclosure of employee information by Aer Lingus;
A very serious case of inappropriate access to personal information held by the Revenue Commissioners;
The failure to supply a reasonable means for opting-out from email direct marketing by Ryanair.
Extensive engagement with Eircom following the receipt of a large number of complaints in relation to unwanted marketing telephone calls. This resulted in a €35,000 donation by Eircom to charity to resolve the complaints.
Excessive information on local residents retained by Croke Park;
Unsolicited email marketing by Tesco arising from technical difficulties.
In the report the Data Protection Commissioner also outlines what he sees as the top ten threats to privacy. The report also highlights a trend towards voluntary breach disclosure, which is a positive move. However, further reading shows that eleven, yes a grand total of eleven, organisations notified the Data Protection Commissioner’s office of a breach. That is less than one breach a month, which in my opinion is well below the number of actual breaches that are occurring and once again reinforces the need for mandatory breach disclosure laws in Ireland.
Having dealt with the DPC’s office on a number of occasions I have to say that each query has been dealt with in a professional and efficient manner. If your company processes personal data of staff or customers then do not hesitate to seek guidance from the Data Protection Commissioner’s office. Failing that, why not simply head over to the Data Protection Commissioner’s website and have a look at the video below;
Below is a round up of news stories relating to information security that we have collated from the past few days. For ease of use we have categorised the stories under the most appropriate headings. If there are other stories that may be of interest please let us know via the comments feature.
Reports are breaking this morning about the theft of a laptop in New York that contained the data of over 170,000 people who used the services of the Irish Blood Transfusion Service (IBTS) between July and October of 2007. The IBTS states that the data were sent to a US software development company based in New York as part of a software upgrade of the IBTS systems. The data were sent on disc, encrypted with 256-bit AES.
It is not clear whether the data were then copied from that disc onto the laptop or whether the data remained on the disc which in turn was in the laptop. Either way the data were lost when an employee of the US software firm was mugged outside their home and the laptop taken.
While data encrypted with 256-bit AES may be sufficient to protect the data from the average mugger, those with more technical ability may still be able to access the data. AES itself is not the weak point; what matters is how the data were encrypted, for example with the WinZip utility or with a commercial encryption package, and how strong the password used to derive the encryption key was. If the password is simple to guess then the data can be compromised regardless of the key length, because whoever holds the disc can try candidate passwords offline at their leisure.
Although this breach could have been made public by the US software company under data breach disclosure laws in the state of New York, we should give credit to the IBTS for how they have disclosed the breach to the Irish media and public, unlike other government bodies who only made the public aware of their breaches as a result of a parliamentary question.
There are still some questions that need to be addressed, and they should be considered by all companies looking to transfer data abroad for whatever purpose;
Why was live data used in a test environment? There are many tools available now that can anonymise data for testing purposes.
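To make the point about passwords concrete, here is an added example (not code from the original post, and not the IBTS’s or the software vendor’s tooling). It models, in simplified form, how password-based archive encryption generally works: a 256-bit key (the size AES-256 needs) is derived from the password with PBKDF2, and a short check value stored beside the ciphertext lets a decryptor reject a wrong password early. That same check value is an offline oracle for anyone holding the disc, so a guessable password falls to a wordlist however strong the cipher is. The salt, iteration count, passwords and wordlist are all constructed for the example; the ciphertext itself is omitted because it plays no part in the attack.

```python
"""A strong cipher with a weak password: dictionary attack on a password-derived key."""
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed: real tools use far more iterations; a low count keeps the
# example fast and does not change the lesson.
ITERATIONS = 1000
# Constructed, fixed salt so the example is reproducible.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a 256-bit key (what AES-256 would use) from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def check_value(key: bytes) -> bytes:
    """Short tag that lets a decryptor recognise the right password.

    Archive formats store something like this next to the ciphertext. It is
    also exactly what an attacker tests guesses against, offline and unthrottled.
    """
    return hmac.new(key, b"password-check", hashlib.sha256).digest()[:8]


def protect(password: str, salt: bytes = SALT) -> bytes:
    """The check value that would be written to disc alongside the encrypted data."""
    return check_value(derive_key(password, salt))


def dictionary_attack(stored_check: bytes, wordlist: Iterable[str],
                      salt: bytes = SALT) -> Optional[str]:
    """Try each candidate password against the stored check value.

    Returns the matching password, or None if the wordlist is exhausted.
    """
    for candidate in wordlist:
        if hmac.compare_digest(check_value(derive_key(candidate, salt)), stored_check):
            return candidate
    return None


# Constructed wordlist: a few generic favourites plus guesses built from
# context an attacker would know (the organisation's name and the data's year).
WORDLIST = [
    "123456", "password", "letmein", "qwerty", "welcome1",
    "ibts", "ibts2007", "IBTS2007", "bloodbank", "transfusion",
]


def demo() -> dict:
    """Run the attack against a weak, context-derived password and a strong passphrase."""
    weak = protect("ibts2007")                         # constructed weak password
    strong = protect("quartz-marigold-49-helm-tundra")  # constructed passphrase, not in any wordlist
    return {
        "weak_recovered": dictionary_attack(weak, WORDLIST),
        "strong_recovered": dictionary_attack(strong, WORDLIST),
        "guesses": len(WORDLIST),
    }


if __name__ == "__main__":
    result = demo()
    print(f"Weak password recovered within {result['guesses']} guesses: {result['weak_recovered']!r}")
    print(f"Strong passphrase recovered: {result['strong_recovered']!r}")
```

The cipher and key length never enter into it: the attacker only needs the stored check value, the salt and a wordlist, and the cost per guess is one PBKDF2 run, which is why a high iteration count and a long, unguessable passphrase are the controls that matter when encrypted data leaves your hands.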
Was this data transferred out of the Irish jurisdiction in accordance with the Data Protection Act?
What agreements were in place to ensure the security of the data while in the possession of the US company?
Could these arrangements be audited to ensure they were being adhered to?
Did this employee really need to have the data at home? Did they need to have all the data or would a subset have sufficed?
What controls were in place to ensure unencrypted copies of the data were not left unprotected, for example by someone importing the data into an Excel spreadsheet?
What arrangements were in place to securely delete the data once it was no longer required?
The next ISSA Ireland meeting is scheduled for this coming Friday, the 22nd February, at 12:00 p.m. in the Ballsbridge Court Hotel (formerly the Berkeley Court Hotel). The topic for this meeting is “Security Breach Reporting and Impact”. Those of you who are regular readers of our Blog and newsletter will know that this is a topic close to our hearts. This meeting is open to all.
Six years ago this month California Senate Bill 1386 was introduced, requiring businesses to inform California residents of security breaches involving their personal information. SB1386 became a model for mandatory reporting legislation across the US and today over three quarters of states have enacted breach reporting legislation. In Europe there have been calls for similar legislation and many organisations have chosen to disclose breaches involving customer or employee data, while other breaches have come to light due to reporting requirements in other jurisdictions. On Friday February 22nd ISSA will host a lunchtime seminar on this topic, looking at the impact of mandatory breach reporting in the United States, both positive and negative, and considering the potential for mandatory reporting in Europe.
Our featured speaker will be Phil Dunkelberger, CEO of PGP Corporation and long-time supporter of ISSA. Phil is a well-known Silicon Valley entrepreneur and headed the original “PGP Inc” start-up formed in 1996 to commercialise PGP encryption. Following the purchase and subsequent abandonment of the PGP technology by Network Associates, Phil led a buy-out in 2002 and formed PGP Corporation which has since launched a highly-successful suite of encryption products and grown to over 300 employees.
On February 22nd Phil will present the results of a PGP survey on the cost of security breaches in the UK. The research, conducted with the Ponemon Institute, examined the financial impact of breaches involving customer records, ranging in scale from 2,500 to over 125,000 customer records. This report is certain to spur further debate regarding data loss incidents and this event will provide a first look at this valuable data.
In addition to his role with PGP, Phil is a director of the Cyber Security Industry Alliance (CSIA), a lobbying group that aims to shape US and EU public policy around information security. Based on his knowledge of EU initiatives in this area we have asked Phil to provide a view on the potential for mandatory reporting within the EU, in particular looking at the proposed requirement for breach disclosure in the telecoms and ISP sectors and whether these could lead to wider reporting.
Following Phil’s presentation we will have an open discussion on the potential benefits and negative consequences of breach disclosure, an idea which we know has many strong proponents and opponents among our members.
This event will be held in the Grosvenor Suite of the Ballsbridge Court Hotel (formerly the Berkeley Court) and will begin at 12 noon, with lunch provided. To register please email info@issaireland.org.
I look forward to seeing some of you there and hopefully engaging in some lively and interesting debate.
MEETING UPDATE – ADDITIONAL SPEAKER ANNOUNCED;
ISSA IRELAND is pleased to announce a second speaker for our chapter meeting this Friday, Feb 22nd. Achim Klabunde is a policy officer with the European Commission in Brussels, where he is responsible for privacy and trust within the Directorate General for Information Society and Media. He is the EC’s key representative in discussions on breach reporting and has led the development of proposals for mandatory disclosure in the ISP and telecoms sectors.
We are very grateful to Achim for taking the time to travel to Dublin for this event and hope you can attend to hear his views on breach reporting in the EU, as well as an overview of the current proposals which directly affect ISPs and telecom providers.
This week sees the launch of Ireland’s third national security awareness campaign, makeITsecure. The makeITsecure website has been revamped with updated content to help people understand the threats they face and provides hints and tips on how to keep themselves secure online.
For the first time, this year’s campaign is also an all-Ireland event, with activities happening on both sides of the border and culminating in the national security day on February 15th.
I would urge you to encourage friends and family to visit the makeITsecure website so that they can be made aware of how to surf safely. While you are at it, why not make an announcement to your work colleagues to make them aware of this year’s campaign. If we can get people to behave more safely when browsing the Internet at home and to be more aware of identity theft, then those good practices should carry over into the workplace and make your job that bit easier. This could also be an opportunity for you to organise some security awareness events within your company, to help promote better security awareness and to benefit from the publicity the makeITsecure campaign will generate.