Tag Archives: Data Protection

Google Hit with Biggest Ever GDPR Fine

France’s National Data Protection Commission (CNIL) recently announced that it has issued the biggest GDPR fine to date to Google for multiple GDPR violations. The fine? A whopping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way: “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” according to the CNIL.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with the privacy settings of large online companies such as Google and Facebook: while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand.

Employers Have a Legal Duty to Protect Employee Data

The cybersecurity standard of care is getting clearer: if you collect sensitive data, you must take reasonable measures to protect it.

Recently, in Dittman v. UPMC, the Pennsylvania Supreme Court ruled that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer. This decision paves the way for a much broader application because the case was decided based on the mere act of collecting and storing sensitive information (and not the employer/employee context).

The Facts

The case relates to a data breach of the University of Pittsburgh Medical Center’s (UPMC) network and the theft of sensitive personal information belonging to more than 60,000 employees (e.g., Social Security numbers, confidential tax information, and bank account information). The employees sued but lost in the trial court, which held that Pennsylvania law did not recognize a duty to secure employee data stored on internet-accessible computers.

How Will Brexit Affect Privacy Laws?



What kind of impact will Brexit have on your organization’s privacy practices?

The United Kingdom held a much-anticipated referendum on June 23, 2016 to decide whether or not to continue its membership in the European Union. In a close vote, the UK opted to withdraw its membership and leave the EU. Companies operating in the UK are now faced with the question of what needs to be done to make sure they’re still in line with data protection laws so there’s no disruption to business operations.

Withdrawal Process

Before getting too antsy over new or changing data protection laws, it’s important to keep in mind Britain will probably need a minimum of two years to complete its withdrawal from the EU.

After the vote, Britain’s next move is to follow the steps in Article 50 of the Treaty on European Union and provide formal notice, which will trigger a two-year transition period. With UK Prime Minister Cameron resigning, it’s expected that notice will be served once his replacement is in place.

By leaving the EU, Britain takes on the burden of rewriting many of its laws, including standards relating to privacy and data protection.

Data Protection Changes

In terms of data protection requirements, any changes to the standards won’t be felt immediately. With the EU’s General Data Protection Regulation (GDPR) scheduled to become law on May 25, 2018, chances are the UK will have some overlap under the GDPR.

Obviously, businesses will want to trade with the EU, so the UK will most likely look to implement a data protection framework similar to the GDPR. In order for data to continue to flow from the EU to the UK, the UK will need to be recognized by the EU as an “adequate” jurisdiction.

As stated by the UK Information Commissioner’s Office, “If the UK wants to trade with the Single Market on equal terms … UK data protection standards would have to be equivalent to the EU’s GDPR framework starting in 2018.”

Mass Surveillance

At first glance, it appears the key issue for the UK to address in their data protection standards will be mass surveillance. As previously noted, the Safe Harbor framework between the EU and US collapsed based on Snowden’s revelations about the NSA’s mass surveillance tactics.

In those same documents, Snowden shed light on the mass surveillance practices of the UK’s GCHQ intelligence agency. The UK government will have to prove that its current practices don’t infringe on the human rights of EU citizens and that they provide “essentially equivalent” safeguards for EU citizens’ information as EU member states. But as we’re seeing with the US-EU Privacy Shield, many privacy and surveillance changes will be needed to meet this standard.

Key Takeaways

In the end, data protection standards aren’t likely going to be affected… at least not right away. The two-year withdrawal process gives privacy professionals a good window to become familiar with and prepare for any changes.

It sounds like we’re going to see another Safe Harbor situation. The UK is going to have to work with the EU to develop a data protection framework that will allow free flow of data from the EU.

For the time being, organizations should continue preparing for the GDPR to take effect. The best approach is to make sure your organization has a data protection framework in place that’s aimed at meeting the standards set out in the GDPR.

Florida Data Protection Law: CADRA

Florida’s new data protection law, the Computer Abuse and Data Recovery Act (CADRA), becomes effective October 1, 2015.

The purpose of this new law is to provide a civil remedy to business owners who suffer harm or loss resulting from unauthorized access to computer systems and business data. The law was also created to offer a framework for other legislation to provide businesses the right to recover damages.

What is protected under CADRA?

To be protected under CADRA, certain ‘technological access barriers’ (TABs) must be in place to protect computers and data. Access control methods include passwords, security codes, tokens, or similar measures.

When is CADRA violated?

An individual violates CADRA when he or she, “knowingly and with intent to cause harm or loss”:

  • Obtains information from a TAB-protected computer without authorization and causes harm or loss;
  • Causes the transmission of a program, code, or command to a TAB-protected computer and causes harm or loss; or
  • Traffics in any TAB through which access to a protected computer might be gained without authorization.

Who is an authorized user?

Directors, officers, employees, and others are authorized users when they have express permission from the business owner to access TAB-protected computers. The authorization status is stripped when the relationship between the individual and business ends.

What remedies does CADRA allow?

CADRA allows business owners to recover certain damages including:

  • Lost profits
  • Economic damages
  • Profits gained by the violator
  • Reasonable attorneys’ fees
  • Injunctive relief to prevent further harm and recover the stolen information

Financial Services Firm Suffers Insider Attack

Morgan Stanley, one of the largest financial services firms in the world, recently reported a breach of customer information. The highlight of the breach was that an employee stole data from over 350,000 customer accounts. The company says information for about 900 of the accounts was posted online.

The stolen data reportedly does not include account passwords or Social Security numbers. Morgan Stanley is notifying all potentially affected clients and providing fraud monitoring.

This serves as a wake-up call to organizations about the dangers of insider attacks. Such attacks cost US companies $40 billion in 2013 alone.

Best Practices to Reduce Risk

Insider attacks are often difficult to identify or even notice for IT professionals. While no single measure will prevent such attacks, implementing the following best practices can help reduce risks.

  • Increase restrictions on highly sensitive data. Files with sensitive data should be locked behind passcodes and security systems, with access limited to trusted employees and business partners. Encrypting the contents of the files is also recommended.
  • Segment networks. Information that is not necessary on the company network should be segregated and located elsewhere.
  • Prevent files from being copied to USB media. This has been commonly done by blocking USB ports with liquid cement, as well as removing cameras from screens of laptops and desktop computers.
  • Perform background checks on employees. This is especially necessary for new employees who will have access to sensitive data.