Thursday Thoughts - 7 October 2021
What a week it’s been! On Wednesday I was fortunate enough to go to my first Children’s Adventure Farm Trust Ladies Event. It was super to be able to support such an amazing charity and to have a thoroughly lovely afternoon. If you haven’t heard of them before, CAFT provide holidays and fun day trips for terminally ill, disabled and socially disadvantaged children, giving them a much-needed break from their circumstances (https://caft.co.uk/). Thursday was an unexpected speaking gig about data protection for the Altrincham and Sale Chamber of Commerce’s Breakfast Matters. Hence Thursday Thoughts on a Friday (I promise I started writing on Thursday).
So, other than the six-hour outage of Facebook, Instagram and WhatsApp, what else has happened this week? There’s a new data sharing code of practice from the UK ICO, and you still have the opportunity to comment on “Data: a new direction”, the planned changes to the UK GDPR. There is also news of fines for smaller organisations across Europe, which we should all take heed of to make sure we don’t fall foul of the regulators for the same things. On the hacking front there has been a cyber-attack on the start-up Fantasy Football Hub. Finally, an interesting ruling on whether or not it is a data controller’s fault if a customer enters the wrong email address and the controller therefore sends emails to a third party.
Facebook, WhatsApp and Insta – What Happened
Facebook, Instagram and WhatsApp were down for around six hours this week. Media outlets report that this was because the company suffered a “faulty configuration change”. A change to the routers on Facebook’s backbone network disconnected its data centres from each other and from the internet. Facebook’s DNS servers, finding they could no longer reach the data centres, withdrew the Border Gateway Protocol (BGP) route announcements that tell the rest of the internet where Facebook’s networks are, so facebook.com, instagram.com and whatsapp.com could no longer be resolved at all. Usually engineers could have reverted the change remotely over the company network, but the internal tools and the login behind them run on that same infrastructure, so they were unreachable too, and the fix needed people physically present at the data centres. To compound issues further, there were reports that staff were unable to get into buildings because their security passes weren't working. One would hope systems will be put in place to ensure this doesn’t happen again. It is certainly something we can all learn from: your recovery path must not depend on the system it is meant to recover. A physical key so you can get into the building, an out-of-band way to reach critical equipment, and hard copies of key systems and processes (like the fire evacuation plan) would feature high on the risk register.
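The lesson above, that the tools you plan to recover with must not sit behind the thing that is down, can be checked on paper before an incident. Here is an added example (not from the original post, and not Facebook’s actual architecture; the service names, dependencies and recovery options are constructed for illustration) that models a dependency graph, works out what stops working when one component fails, and flags any recovery path that depends on the failed component:

```python
"""Break-glass dependency check.

Added example, not from the original post. Models the circular dependency
described above: the tooling and building access needed to fix an outage
depend on the very network that is down. All service names and edges are
constructed for illustration; they are not Facebook's real architecture.
"""
from collections import deque

# Constructed dependency graph: each key depends on every entry in its list.
DEPENDENCIES = {
    "backbone_network": [],
    "dns": ["backbone_network"],          # DNS withdraws its routes when the backbone is gone
    "sso_login": ["dns"],                 # staff login resolves through company DNS
    "config_tool": ["sso_login", "backbone_network"],
    "badge_system": ["sso_login"],        # door access is checked against the same login
    "oob_console": ["cellular_link"],     # serial console reached over an independent link
    "cellular_link": [],
    "physical_key": [],
}


def transitive_deps(service, graph=DEPENDENCIES):
    """Return every service that `service` depends on, directly or indirectly."""
    seen, queue = set(), deque([service])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def unavailable_after(failed, graph=DEPENDENCIES):
    """Return the set of services that stop working when `failed` goes down."""
    return {s for s in graph if s == failed or failed in transitive_deps(s, graph)}


def recovery_paths_surviving(failed, recovery, graph=DEPENDENCIES):
    """Map each recovery option to True if it still works with `failed` down.

    An option is only usable if none of its steps depend on the failed
    component. "Fix it remotely through the normal tooling" fails this
    test in the scenario above; a physical key plus an out-of-band console
    passes it.
    """
    down = unavailable_after(failed, graph)
    return {name: not (set(steps) & down) for name, steps in recovery.items()}


# Constructed recovery options for the tabletop exercise.
RECOVERY_OPTIONS = {
    "remote_fix_via_config_tool": ["sso_login", "config_tool"],
    "walk_in_with_badge": ["badge_system"],
    "walk_in_with_physical_key_and_oob_console": ["physical_key", "oob_console"],
}

if __name__ == "__main__":
    print("down:", sorted(unavailable_after("backbone_network")))
    for option, ok in recovery_paths_surviving("backbone_network", RECOVERY_OPTIONS).items():
        print(f"{option}: {'usable' if ok else 'BLOCKED'}")
```

Run it against your own service inventory and the question to ask of every recovery option is the same one Facebook’s engineers faced: does this still work when the thing I am trying to fix is the thing that is broken?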
UK GDPR Changes
There is still time to comment on the proposed changes to the UK GDPR. The consultation on the planned changes, “Data: a new direction”, is open until 11:45pm on 19 November: https://www.gov.uk/government/consultations/data-a-new-direction
New data sharing code of practice came into force this week
A new UK code came into force this week that helps organisations understand how to share personal data responsibly. The code and its associated resources guide individuals, organisations and businesses through the steps they should take to protect individuals’ privacy while sharing data. It includes a simple small business guide and a myth buster, as well as FAQs and case studies. You will find the code at https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/data-sharing-a-code-of-practice/
Fantasy Football Hub suffers a data breach
The start-up Fantasy Football Hub suffered a cyber-attack after a criminal gained access to its WordPress administrator dashboard and downloaded usernames, email addresses, site financial reports and affiliate payment records. The company is working with Action Fraud, the police, the ICO, its hosting company and security firms on the issue. It is warning users to assume that any non-payment information they provided as part of the sign-up process has been compromised; in practice that means if you reused your Fantasy Football Hub password anywhere else, change it there. No bank details have been compromised, as payments are handled by PayPal and Stripe.
EU Cyber Defence Capabilities
This week the European Parliament in Strasbourg debated the EU’s cybersecurity defence policy. As a result, MEPs have called for “connected products, associated services and supply chains, to be made secure-by-design, resilient to cyber incidents, and quickly patched if vulnerabilities are discovered”. They have also called for national laws to be “harmonised” and for legislation mandating cybersecurity requirements for apps, software and operating systems to be brought forward by 2023.
Is it a Data Breach If The Customer Enters the Wrong Email Address
The Norwegian Data Protection Authority has issued a ruling on data breaches that ecommerce organisations will be interested in. The question answered is: “if a customer enters the wrong email address and the company sends the invoice to that address, where it is received by a third party, is it a data breach?” The answer is no. According to the Authority, “the fault for registering the wrong email address lies with the complainant.” The ruling turns on who made the error, so it is still worth confirming an address (a verification email, for example) before sending anything sensitive to it.
Consequences of Ransomware attacks against hospitals
Research has revealed that patients are directly affected by ransomware attacks against hospitals: they end up staying longer, and delays to tests and procedures can lead to an increase in patient deaths. According to the NCSC weekly threat report, over a third of hospitals that had suffered such an attack reported an increase in patient complications following medical procedures, seven in ten saw delays in procedures and tests, and a similar number reported patients staying longer in hospital.
New guidance for securing VPNs
The US National Security Agency, jointly with CISA, has published new guidance to help organisations select and secure their virtual private networks (VPNs). The headline points are to prefer standards-based IKEv2/IPsec over proprietary SSL/TLS VPNs, to use only strong, approved cryptography, to reduce the attack surface of the VPN device and to patch it promptly. The NCSC recommends that “organisations familiarise themselves with its VPN guidance, which offers practical advice on how to choose, deploy and configure devices securely”.
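As an added example, not from the NSA/CISA document or the original post: a small checker for IKE/IPsec proposal strings in the format strongSwan uses (for example aes256gcm16-prfsha384-ecp384). It flags legacy algorithms (DES, 3DES, MD5, SHA-1, small modp groups), anything outside an approved list, missing integrity or Diffie-Hellman settings, and IKEv1. The approved list is my reading of the guidance’s recommendation to use CNSSP 15 algorithms (AES-256, SHA-384, DH group 15/16 or ECDH P-384) with IKEv2 only, not a quotation from it, and the two sample connections are constructed.

```python
"""IKE/IPsec proposal linter.

Added example; not code from the NSA/CISA guidance or the original post.
Token names follow strongSwan's proposal syntax. APPROVED and WEAK are my
summary of the algorithm choices the guidance points at (via CNSSP 15),
not a list taken from it.
"""
import re

# Assumption: algorithm families the guidance recommends (CNSSP 15).
APPROVED = {
    "encryption": {"aes256", "aes256gcm16", "aes256gcm12"},
    "integrity": {"sha384", "sha512", "prfsha384", "prfsha512"},
    "dh": {"modp3072", "modp4096", "ecp384", "ecp521"},
}
# Legacy algorithms that should be flagged outright wherever they appear.
WEAK = {"des", "3des", "null", "md5", "sha1", "aes128", "modp768", "modp1024", "modp1536"}

# Map a proposal token to the role it plays.
TOKEN_CLASS = [
    (re.compile(r"^(aes\d+(?:gcm\d+|ccm\d+)?|chacha20poly1305|3des|des|null)$"), "encryption"),
    (re.compile(r"^(prf)?(sha\d+|md5)(_\d+)?$"), "integrity"),
    (re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$"), "dh"),
]
AEAD = re.compile(r"gcm|ccm|chacha20poly1305")


def classify(token):
    """Return 'encryption', 'integrity', 'dh' or 'unknown' for one token."""
    for pattern, kind in TOKEN_CLASS:
        if pattern.match(token):
            return kind
    return "unknown"


def lint_proposal(proposal):
    """Return a list of findings for one proposal string; [] means acceptable."""
    proposal = proposal.strip().lower()
    if not proposal:
        return ["empty proposal"]
    findings, present = [], set()
    for token in proposal.split("-"):
        kind = classify(token)
        present.add(kind)
        base = token.split("_")[0]  # e.g. sha256_96 -> sha256
        if kind == "unknown":
            findings.append(f"unrecognised token '{token}'")
        elif base in WEAK:
            findings.append(f"weak {kind} algorithm '{token}'")
        elif base not in APPROVED[kind]:
            findings.append(f"{kind} algorithm '{token}' is not on the approved list")
    # AEAD ciphers authenticate on their own; anything else needs an integrity algorithm.
    if "integrity" not in present and not AEAD.search(proposal):
        findings.append("no integrity algorithm specified")
    if "dh" not in present:
        findings.append("no Diffie-Hellman group specified (no forward secrecy)")
    return findings


def lint_connection(conn):
    """Lint one connection: {'version': 1|2, 'ike': proposal, 'esp': proposal}."""
    findings = []
    if conn.get("version") != 2:
        findings.append("IKEv1 or unspecified IKE version; require IKEv2")
    for key in ("ike", "esp"):
        findings += [f"{key}: {f}" for f in lint_proposal(conn.get(key, ""))]
    return findings


# Constructed sample connections: a legacy configuration beside a hardened one.
LEGACY = {"version": 1, "ike": "aes128-sha1-modp1024", "esp": "aes128-sha1"}
HARDENED = {"version": 2, "ike": "aes256gcm16-prfsha384-ecp384", "esp": "aes256gcm16-ecp384"}

if __name__ == "__main__":
    for name, conn in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, lint_connection(conn) or ["ok"])
```

The ESP proposal in LEGACY has no DH group, which means no perfect forward secrecy on rekey; the linter reports that separately from the weak algorithms so the two problems are not conflated. Point it at your own proposals before assuming the appliance’s defaults are acceptable.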
Cloud Services are Vulnerable To Attack Through The Software Supply Chain
A warning this week that cloud services have supply chain flaws of their own. Researchers highlighted weaknesses in the software development pipeline of a cloud provider that left customers exposed to a SolarWinds-style attack: starting from a low-privileged position they were able to escalate all the way to administrator access. It underlines the importance of least-privilege, role-based access policies in the build and deployment pipeline, not just in production.
Fines Around Europe
Many small business owners I speak to struggle to relate to the larger data protection and PECR fines, such as the one last week from the Luxembourg authority. Here is a selection of fines from around Europe, most of them for infringements by smaller businesses, which provide some relatable examples of the sorts of things businesses need to get a grip of to avoid similar action being taken against them.
The ICO issued an enforcement notice and a fine of £20,000 to Your Home Improvements Ltd after the company made 1,718 unsolicited direct marketing calls to individuals who were registered with the Telephone Preference Service.
Spanish (AEPD) fines
The Spanish authority (AEPD) has been busy in the last month, issuing seven fines for a range of infringements: processing without telling the data subject, CCTV infringements, failure to appoint a DPO, and sharing personal information with another organisation without permission to do so. Here is the list of fines:
A boiler-making and welding business: €5,000 for processing a person’s information that had been passed to it by another organisation without the individual’s consent. The company that disclosed the information was also fined €5,000.
A store owner: €1,000 for failing to display signage warning that video surveillance was taking place.
A store owner: €2,000 because his video surveillance covered the street and other areas even though this was not necessary.
An online poker company: €10,000 for failure to appoint a DPO.
A bar owner: €3,000 for publishing images of an accident in the bar, taken from security cameras, via WhatsApp and a digital newspaper (this was not the purpose for which the footage was collected).
An unnamed organisation: €3,000 for failing to inform data subjects why their data was being processed.
The Danish DPA fined the Danish Cancer Society €107,000 for failing to have appropriate security measures in place. The personal data of at least 1,448 individuals (including sensitive health data) was compromised following computer thefts and two phishing attacks. A breach had previously occurred in August 2018, after which the organisation had promised to roll out multi-factor authentication but had failed to do so.
The Norwegian DPA fined a toll company €496,000 for processing personal data, including photographs of cars’ number plates, via a processor in China. The processor was used to read manually the images that the optical character recognition system could not identify. The company had failed to carry out a risk assessment before the processor in China started work, there was no processor contract covering the transfer of the personal data to China, and a large amount of personal data was affected.
The Hamburg Data Protection Authority fined Vattenfall Europe Sales €900,000 for failing to tell approximately 500,000 customers that it would be screening inquiries about special contracts against its list of previous clients in order to prevent 'bonus shopping'. The DPA judged that this was a violation of the company's transparency and information obligations.