January 23, 2019

Data Privacy and Protection Roundup: January 2019 Edition


Last year was the year of data scandals, GDPR, data vulnerabilities, and companies coming out to announce their data breaches. From a look into EU organizations complying with GDPR to tactics for preventing data breaches, here is a roundup of recently trending data privacy and protection articles.

Popular Tactics to Avoid a Data Breach

It is generally accepted that encrypting sensitive data protects the organization, but many people in the security business don’t realize that not all encryption is equal. Data is still at risk, even when using NIST-approved algorithms with the largest key sizes available. With all other things being equal in the cryptographic sense, the two major design decisions that matter when encrypting data are:

  1. Where is the data being cryptographically processed?
  2. How are the cryptographic keys being managed?

Though the details and complexity of cryptography may seem taxing, it is vital to recognize that an encryption solution provides a stronghold of defense against determined attackers. It is crucial for companies to give both application-level encryption and key management the proper attention.

Encryption is a best practice to follow, and so is strong authentication, which should be the first line of defense. Robust authentication is the ability to use different cryptographic keys combined with secure hardware (in the possession of the user) to prove that the user is who they claim to be.

With strong authentication as the first line of defense and application-level encryption backing it up, an attacker who manages to slip past network defenses would have very little opportunity to compromise the sensitive data.

No security technology is absolutely unassailable, but if implemented correctly, strong security technologies raise the bar high enough that a majority of attackers move on to comparatively easier targets.

InfoSecurity Magazine

Strengthening Your GDPR Compliance

A lot of organizations have some wrong notions about how to comply with the new data protection and privacy regulation, GDPR, and what non-compliance would cost them. Companies are making some major oversights that can have serious implications. Many companies believe that GDPR applies mainly to customer data. It is not limited to that; its protections also apply to their own employee data as well as to data about their customers’ customers. Here are the top suggestions on how organizations can improve their GDPR program.

  • Always authenticate customers’ identities
  • Stay on top of third parties
  • Similar regulations all over the world
  • Develop a plan to help customers after an incident
  • All companies need to comply
  • Rethink your concept of a data breach

Dark Reading

Singapore Government Partners with HackerOne to Launch Bug Bounty Program

The Government Technology Agency of Singapore (GovTech) and the Cyber Security Agency of Singapore (CSA) recently announced that they’re partnering with the hacker-powered security platform HackerOne to work with hackers on a government bug bounty initiative. The new bug bounty program is part of the Singapore government’s ongoing commitment to protect its citizens and secure government network systems. This hacking challenge will offer a financial reward to hackers for discovering and reporting potential vulnerabilities.

“Singapore is again setting an example for the rest of the world to follow by taking decisive steps towards securing their vital digital assets,” said Marten Mickos, CEO of HackerOne. “Only governments that take cybersecurity seriously can reduce their risk of breach and interruption of digital systems. Singapore’s continued commitment to collaboration in cybersecurity is something that will help propel the industry’s progress just as much as it will contribute to protecting Singapore citizen and resident data.”

HackerOne is known for helping organizations find and fix potential vulnerabilities before they can be exploited by cybercriminals. The hacking platform provider says it has a wide client base, including the US Department of Defense, General Motors, Google, and over 1,200 other organizations.


Survey Findings: Merely 29% of EU Organizations Are Complying with GDPR

Six months after the deadline, only 29 percent of EU-based organizations have fully implemented the EU’s General Data Protection Regulation (GDPR), which leaves them susceptible to major penalties, according to a report from IT Governance.

Almost 60 percent of the 210 firms that were surveyed across EU industries said they were aware of the changes to data subject access requests (DSARs), but only 29 percent said they had any plans to adapt their processes for addressing those changes.

“It is discouraging to see so many organizations understanding the GDPR and its applicability to their businesses but failing to comply,” Alan Calder, founder and executive chairman of IT Governance, said in a press release. “May 25 should have been the wakeup call, but it’s not too late to begin your compliance journey. The time is now.”

In terms of security, only 61 percent of organizations said they have implemented basic rules to address data security and breach management. Although merely 29 percent of respondents said they considered themselves compliant with GDPR, about 50 percent said they had procedures in place to notify their supervisory authority in addition to individuals should a breach occur, according to the report.

Tech Republic

Privacy and Security a Priority in NIST Risk Management Framework Update

The National Institute of Standards and Technology released the final version of its Risk Management Framework (RMF), which addresses both privacy and security concerns around IT risk management. All federal agencies are required to follow the framework, according to a notice from the Office of Management and Budget. The framework outlines the need for collaboration on privacy and security assessments and plans, as crucial to authorization decisions.

Officials said that the update’s main objectives are to help organizations “simplify RMF execution, employ innovative approaches for managing risk, and increase the level of automation when carrying out specific tasks.”

The EU’s GDPR and the Facebook scandal about how data is used have shifted the security conversation into a more privacy-centered focus. NIST officials said the RMF is “the first NIST publication to address security and privacy risk management in an integrated, robust, and flexible methodology.”

The revised RMF reflects the increasing trend, at NIST and more broadly in both the public and private sectors, toward approaching risk management and risk assessment as an inclusive, enterprise-wide responsibility rather than as a series of distinct activities divided into subject-matter silos.

Tech Republic

More Than 150 European Companies Participate in New FPF Study

FPF conducted a study of the companies enrolled in the US-EU Privacy Shield program and determined that about 152 European-headquartered companies are active Privacy Shield participants, up from the 114 EU companies that were active participants last year. These European companies depend on the program to transfer data to their US subsidiaries or to the essential vendors who support their business needs.

The European Commission recently published its second annual review of the EU-US Privacy Shield, finding that “the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the US.” The decision advocates a key data transfer agreement to support transatlantic trade and ensure meaningful privacy safeguards for the consumers. It is also good news for EU employees as well as for the companies, many of whom rely on the agreement to retain and pay staff. The Commission’s evaluation illustrated a key next step to support the Privacy Shield arrangement, i.e., urging the US government to appoint a permanent ombudsperson by the end of February 2019.

Moreover, FPF research determined that more than 1,150 companies, almost a third of the total number analyzed, use Privacy Shield to process their own human resources data. Obstructing the flow of HR data between the US and EU would mean delays in EU citizens receiving their paychecks, or a decline in global hiring by US companies. Consequently, employees win when the Privacy Shield is maintained and grows.

Future of Privacy Forum

Google Designates Ireland as Data Service Location in Europe

Google recently announced some changes to its terms of service and privacy policy, which now designates Ireland as the location of its data services in Europe.

The update is scheduled to take effect on January 22, 2019, and the company says the change won’t affect any features or operation of its services in Europe. For the users living in the European Economic Area and Switzerland, the company’s subsidiary in Dublin, “Google Ireland Limited,” will simply become the official “service provider.”

“We’re making the data controller change to facilitate engagement with EU data protection authorities via the GDPR’s ‘One Stop Shop’ mechanism, which was created to ensure consistency of regulatory decisions for companies and EU citizens,” wrote Anne Rooney, public policy manager for Google Ireland. “It’s important to note these changes do not in any way alter how our products work or how we collect or process user data within our services.”

Venture Beat

In 2019, How Stringent Will the Impact of GDPR Be?

GDPR imposes many responsibilities on companies regarding how they handle people’s data. These include not using people’s personal data in any manner without proper authorization or a legitimate reason. That can, for example, be a court order, explicit consent, or processing that is necessary to execute or prepare a contract with the person, such as a background check before leasing them an apartment.

Companies are also required to have transparent data processing and appropriate data security, and to notify affected data subjects within 72 hours of a breach or face penalties. This last obligation is great, but it hasn’t had much impact in 2018: there were many big data breaches, and in most of them affected users were not notified within the 72-hour period.

GDPR’s impact in 2018 can be summed up as greater awareness of the handling of personal data, which encourages companies to change their approach. To go further, better enforcement is required, and it will be coming soon. GDPR’s impact will therefore keep growing in 2019, when the legislation’s full capabilities will be realized.

The Next Web
