Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
EU Court dismantles Privacy Shield: what’s next for EU-US data sharing?
No doubting the summer's big data protection news: the Court of Justice of the European Union (CJEU, often referred to as the ECJ) has invalidated Privacy Shield, the EU-US data sharing mechanism. In the case dubbed 'Schrems II' after the Austrian privacy campaigner Max Schrems, the court struck down the agreement, ruling that it did not sufficiently protect European citizens' data because US intelligence services could access that data. But with an estimated 5,300 companies potentially affected, many of them SMEs, what will a new data sharing regime look like? The European Data Protection Board (EDPB) followed up with a six-page FAQ. Although alternative transfer mechanisms to Privacy Shield exist, such as standard contractual clauses and binding corporate rules, the EDPB said organisations relying on them must take into account the CJEU's assessment of US law.
The CJEU's decision looks likely to have far-reaching consequences. Brian Honan wrote that it would have implications for many cloud-based companies and for US companies operating in the EU that need to transfer personal data back to the US. The BBC and the Washington Post noted how Privacy Shield had underpinned transatlantic digital trade. TechCrunch's report noted that the decision concerns bulk transfers and does not affect 'necessary' data transfers, such as sending an email to book a hotel room. BH Consulting COO Valerie Lyons wrote an analysis of the ruling along with key questions.
The people problem: security’s evergreen challenge
Good security is a mix of people, process and technology, and the 'people' element can cause significant challenges. Some of this undoubtedly stems from the longstanding industry cliché that 'humans are the weakest link'. In his paper 'In Defence of the Human Factor', psychologist Dr Ciaran McMahon unpicks this line of thinking, arguing that it is a negative stereotype that stops professionals from engaging with the problem in a meaningful way. The paper is free to download from Frontiers in Psychology, and the author hopes it will be useful to the security community.
Twitter takeover offers lessons for security professionals
Last month, hackers took over dozens of high-profile Twitter accounts to promote a bitcoin scam that netted them $120,000. After the scam was discovered and stopped, Twitter said the attackers had targeted some of its employees in a "coordinated social engineering attack" to take control of the accounts. Initial commentary from security experts said this showed the importance of multi-factor authentication to guard against such a takeover. However, Twitter subsequently said the attackers were able to get around two-factor controls: the account holders' own MFA offers no protection when an attacker compromises the employees who have access to those accounts. Authorities later arrested three suspects in connection with the attacks; the alleged ringleader is a 17-year-old male.