Wondering where DPA and GDPR overlap? The Yahoo! ruling by ICO can provide some clarity
A recent investigation by the Information Commissioner’s Office (ICO) highlights an interesting aspect of the current system. Although the ruling against Yahoo! was announced on 12th June 2018, three weeks after the enactment of the General Data Protection Regulation (GDPR), the incident was considered under the Data Protection Act 1998. This is because the breach actually occurred in November 2014, although it was not publicly disclosed until September 2016, almost two years after the attack compromising 515,121 accounts had taken place. Investigated under the DPA, the fine was a modest £250,000. Naturally this would have been significantly larger had it been judged under GDPR.
However, this does not mean that today’s organisations can take their foot off the gas. Although the investigation itself was considered under the DPA, the ICO still expects to see adherence to GDPR going forward.
This isn’t ‘new’ news to the SRM team. We had anticipated the issue and had submitted this question to the ICO months ago:
If a breach occurred before 25th May but is not discovered until after GDPR becomes effective, will the breach be considered under the DPA 1998 (when it occurred) or under GDPR (when it was discovered)?
We received this reply from the ICO:
It is likely in this instance that the breach would be assessed under the DPA, the legislation in force at the time of the breach. However, we would expect the processing of information at the time the breach was discovered to be GDPR compliant. Therefore any lessons learned or actions taken as a result of the breach would need to be in line with the GDPR.
So what does this mean in simpler terms? It means that from 25th May 2018 every aspect of an organisation’s networks and infrastructure is required to be managed in line with the requirements of GDPR. This applies even if the actual breach is judged under the rules of the old Data Protection Act (1998).
The most important point is that a notifiable breach must be reported to the ICO without undue delay, but no later than 72 hours after becoming aware of it. So even if a breach actually occurred prior to 25th May, as soon as the breach is discovered, the new 3 day reporting timescale must be adhered to. The organisation’s systems will then be scrutinised through the prism of GDPR.
Should it not be possible to obtain all of the necessary information within 72 hours, the required information can be provided in phases, as long as the investigation is conducted as a priority. The breach still needs to be reported to the ICO as soon as the organisation becomes aware of it, and the organisation must submit any further information at the earliest opportunity.
Having a Retained Forensics engagement in place makes the whole process significantly more efficient. Not only will the retained forensics team have a detailed knowledge of an organisation’s systems and networks, they will have helped to set up breach notification protocols and mitigation strategies, all of which will already be in line with the requirements of GDPR.
For more information on GDPR see our website.
To find out more about Retained Forensics, register for SRM’s free webinar: Incident Response & Forensic Expertise: would your business survive a cyber-attack or security breach?
Or read our blog:
The GDPR compliance fallacy
The key to GDPR is common sense
The key to GDPR is common sense
by Tom Fairfax, Managing Director
It is not often that EU-wide legislation is likened to a children’s story. Consider, however, the story of Goldilocks and the three bears. When it comes to the General Data Protection Regulation there are three types of organisation. There are those who are running around in a state of panic, going completely over the top, deleting all their data and sending frenzied emails to their databases. There are others who are simply doing nothing. Then there is the third group which is following and communicating a measured plan and, in short, doing it just right. The key is common sense.
The fact is that most people probably need to be doing something. There is a clear obligation to act, and doing nothing is simply not an option. The policy of ‘let’s wait and see’ or corporate procrastination will only lead to tears at bedtime. GDPR builds on existing Data Protection legislation, protecting the rights of individuals and their data, and this means that every organisation, from a small voluntary group to a large multinational, must have an enacted plan or risk falling foul of the regulation.
Organisations and individuals alike should already have a clear idea of what they need to do. If they haven’t they should step back and think about what personal data they hold and why. Many of us may still be holding unnecessary levels of personal data; many of us will have failed to consider what data we actually need and many may have failed to get appropriate permissions. For the majority of organisations it may be necessary (and possibly desirable) to have a robust data weeding project. Some data, however, is likely to be held for legitimate operational purposes, and in some cases, its wanton destruction may disenfranchise stakeholders.
Common sense should prevail. Data collection, storage and processing should be driven by a business need and supported by appropriate permissions. It is also necessary to think hard about when information actually becomes redundant and to have a sensible process to pick this up and delete it. This is not new: we should really have been doing this anyway. The ‘just right’ group will have worked out what they need to do and will have made a plan.
The important thing to remember is that whilst GDPR does not actually have an explicit compliance programme, its key intent is to ensure the safety of personal data. For those wrestling with widespread compliance, organisations already following the compliance guidelines of regulatory bodies such as the Payment Card Industry or MiFID II (for the financial industry), or international standards such as ISO 27001, will have done much of the work already and will just need to understand the gaps that exist.
If a system is properly safeguarded with an inbuilt process of compliance, maintenance and development through these recognised compliance processes then many of the principles of GDPR will likely be adhered to. The job of the Data Protection Officer (DPO) or Chief Information Security Officer (CISO) is to complete due diligence to ensure this is the case. Professional expert guidance will provide these key individuals with the support they require in making these judgement calls.
It is not sufficient to simply draw up a policy, however, no matter how detailed, informed or expert it may be. Plans and policies simply demonstrate management intent. If the plan is not disseminated and implemented and if clear, understandable guidelines are not provided in a timely way, even those with a meticulous plan will simply be left with cold porridge.
How PCI compliance puts you on course for GDPR
For a long time the General Data Protection Regulation has been looming on the horizon, but in just a few short days it will arrive as a permanent aspect of the data protection landscape. From 25th May 2018 this European-wide data protection regulation will be a legal requirement for virtually every UK organisation. The task should not be overwhelming, particularly for those who are already PCI compliant or working towards it. This is because the PCI compliance process means they are already well on course for GDPR. All that remains is an identification of gaps to bring systems and policies in line with GDPR.
The important thing to bear in mind at this stage is that the GDPR, although aimed at the entirety of an organisation and largely enforceable, is less prescriptive than the existing PCI DSS. GDPR provides detail about what needs protecting but very little in the way of a solid action plan.
PCI DSS, on the other hand, offers a detailed framework upon which to build, specifying what needs to be done and how, and even giving regular updates and guidance on reviews. The two complement each other, and therefore the GDPR will be best enacted alongside the existing PCI DSS. A further aspect to note is that a PCI breach will also be a GDPR breach, since the information in your cardholder data environment is also subject to regulation under GDPR.
GDPR should not be seen in a negative way. It is a positive piece of legislation which will help to build trust. Similarly, PCI DSS compliance provides you and your customers with peace of mind that data is secure. This is the metaphorical carrot. There is also a stick: those who do not comply and suffer a breach will face loss of customer trust, enforced PFI investigations and fines.
For those that are already compliant with the PCI DSS, an annual review of the data being processed should form an integral part of the project. This ensures that any new technologies or processes are not excluded and ongoing compliance is maintained. Once you have identified the data that GDPR affects, applying the PCI approach to the implementation of the GDPR will assist greatly as the framework is already there. There will still be a few gaps to fully adhere to GDPR so professional advice will be of benefit.
And for those who aren’t PCI compliant? Seeking guidance from a qualified advisor and reviewing the gaps in their documentation, policies, training, IT systems and processes should be a pressing matter.
With one of the largest QSA teams in Europe, SRM provide unrivalled technical and compliance expertise within the PCI arena. Our GDPR team provide a business-focused service to organisations at all ends of the GDPR-readiness spectrum. For help and support, or to discuss any aspect of PCI DSS compliance or GDPR contact Mark Nordstrom at firstname.lastname@example.org or 03450 21 21 51.
To gauge your level of GDPR readiness, complete our free GDPR Self Assessment Questionnaire
For more information on our GDPR services, visit our GDPR page.
To view a recording of our webinar GDPR: the roles of manual and automated penetration testing, click here.
Read more on GDPR related blogs.
PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?
More than 40 organisations, including Macmillan Cancer Support, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments, its enthusiasm must be tempered by robust compliance with Payment Card Industry (PCI) standards, or it risks a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, sending this Brave New World of charitable giving crashing down around their ears.
The driver for this new approach is clear. The NSPCC ran a trial which showed that donations by card are higher than cash donations, and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash donations. Some have gone even further, with things like the Helping Heart jacket, developed so that collectors for a homeless charity can take digital donations through the clothing they are wearing, and the Blue Cross ‘tap dogs’, who wear a vest with a sewn-in pocket that holds a contactless device.
So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.
Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry (PCI) continues to be hyper-vigilant when it comes to the Data Security Standard (PCI DSS), and it has already proved that charities are not exempt from the full force of the law when it comes to administering fines for non-compliance.
If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust will reduce the potential of being breached.
SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government, as well as businesses and organisations of all shapes and sizes across various sectors. For many we provide a bespoke retained PCI Forensic Investigation (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted, cost-effective solutions.
Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.
For more information on SRM’s PCI services please visit our website.
Or visit our blog:
Network intrusions are on the increase: time to engage a Retained Forensic specialist
Penetration testing: man vs machine
We already know that the concept of thinking like a potential hacker is the basis of penetration testing. But merely thinking like a hacker is not enough. We must also act like a hacker. They do not simply rely on their own intuitive genius to breach the systems of target organisations. They use a combination of automated tools and human intelligence to deliver their devastating results. So we must emulate this approach to secure our own defences. It is not a question of man or machine; like the hackers we must use a synergy of both.
When the whole HBO Game of Thrones attack occurred last August, Mr Smith of the so-called White Hat Hackers issued a statement which made the point that his organisation invested $400,000 to $500,000 a year on purchasing automated exploit tools. They then used the information this provided to arm their human hackers with the information required to further develop and exploit the weaknesses they discovered.
So when we at SRM develop a penetration testing strategy we use both automated tools and manual testing to deliver the best results.
Automation has a vital role to play and lays the groundwork for the penetration test. No human can deliver the rapid results that an automated tool can. Imagine yourself in a virtual world. You are in a vast chamber with hundreds of thousands of doors. Malicious hackers can get into your system through just a handful of these doors, but which ones? To identify where the vulnerability lies you must test each and every door, a task which, if done manually, would be time-consuming and complex. This task can, however, be completed accurately and swiftly through an automated vulnerability scan. Developed by experienced penetration testers, it identifies where the potential vulnerabilities are, putting you in a position to accurately deploy the next level of attack tool: penetration testing.
To take the analogy a step further, the penetration test, conducted by highly-trained and experienced individuals, then opens the doors that have been identified and explores deep into the underlying infrastructure to examine what is lurking behind them. At the most sophisticated level of penetration testing (Red Team engagement) we then turn that thought process on its head and also test the procedural, social and physical components to replicate the wider view of an attack. Using an adversarial mindset, we think like a motivated hacker and help to develop strategy and policy making which anticipates as yet unconsidered vulnerabilities.
To find out more about the synergy of automated and manual penetration testing, see our pre-recorded webinar in conjunction with AppCheck, our automated tool partner. In this 30-minute webinar, which took place on 8th March, Andrew Linn of SRM and James Nelson of AppCheck explain how both man and machine have a role to play in a resilient defence strategy.
To log in to the webinar GDPR: the roles of manual and automated penetration testing, click here.
Or visit our blog:
What is Red Team engagement?
If prevention is to be an achievable goal we cannot rely on static defences
Or see our website Test and Exercise pages.