Category: Data Loss Prevention
The AI in cybersecurity market to generate $101.8 billion in 2030
The AI in cybersecurity market is projected to generate a revenue of $101.8 billion in 2030, increasing from $8.6 billion in 2019, progressing at a 25.7% CAGR during 2020-2030, ResearchAndMarkets reveals.
The market is categorized into threat intelligence, fraud detection/anti-fraud, security and vulnerability management, data loss prevention (DLP), identity and access management, intrusion detection/prevention system, antivirus/antimalware, unified threat management, and risk & compliance management, on the basis of application. The DLP category is expected to advance at the fastest pace during the forecast period.
Malicious attacks and cyber frauds growing rapidly
The number of malicious attacks and cyber frauds have risen considerably across the globe, which can be attributed to the surging penetration on internet and increasing utilization of cloud solutions.
Cyber fraud, including payment and identity card theft, account for more than 55% of all cybercrime and lead to major losses for organizations, if they are not mitigated. Owing to this, businesses these days are adopting advanced solutions for dealing with cybercrime in an efficient way.
This is further resulting in the growth of the global AI in cybersecurity market. AI-based solutions are capable of combating cyber frauds by reducing response time, identifying threats, refining techniques for distinguishing attacks that need immediate attention.
The number of cyber-attacks has also been growing because of the surging adoption of the BYOD policy all over the world. It has been observed that the policy aids in increasing productivity and further enhances employee satisfaction.
That being said, it also makes important company information and data vulnerable to cyber-attacks. Devices of employees have wide-ranging capabilities and IT departments are often not able to fully quality, evaluate, and approve each and every devices, which can pose high security threat to confidential data.
DLP systems utilized for enforcing data security policies
AI provides advanced protection via the machine learning technology, and hence offers complete endpoint security. The utilization of AI can efficiently aid in mitigating security threats and preventing attacks.
DLP plays a significant role in monitoring, identifying, and protecting the data in storage and in motion over the network. Certain specific data security policies are formulated in each organization and it is mandatory for the IT personnel to strictly follow them.
DLP systems are majorly utilized for enforcing data security policies in order to prevent unauthorized usage or access to confidential data. The fraud detection/anti-fraud category accounted for the major share of the market in 2019 and is predicted to dominate the market during the forecast period as well.
The AI in cybersecurity market by region
Geographically, the AI in cybersecurity market was led by North America in 2019, as stated by a the publisher report. A large number of companies are deploying cybersecurity solutions in the region, owing to the surging number of cyber-attacks.
Moreover, the presence of established players and high digitization rate are also leading to the growth of regional domain. The Asia-Pacific region is expected to progress at the fastest pace during the forecast period.
In conclusion, the market is growing due to increasing cybercrime across the globe and rising adoption of the BYOD policy.
Employees increasingly masking online activities
This year’s shift to a near 100% WFH workforce by the Global 5000 has significantly changed the behaviors of trusted insiders, a DTEX Systems report reveals.
Key findings include a 450% increase in employees circumventing security controls to intentionally mask online activities and 230% increase in behaviors that indicate intent to steal data.
The data was collected during interviews with hundreds of customers and Global 5000 organizations representing a diverse sample set of businesses that varied by size, industry, and geography.
“Our findings indicate that in 2020 the equilibrium of employee security and trust has been broadly disrupted and is currently in chaos,” said Mohan Koo, CTO at DTEX Systems.
“Trusted insiders once thought to be reliable and responsible are changing their behaviors and increasing the risk of data loss, external attack and regulatory compliance violations for their employers.”
Key findings
56% of companies reported remote workers actively bypassed security controls to intentionally obfuscate online activity. This is more than 4.5 times higher than 2019 which represents a 450% increase in the first eight months of 2020.
- More than 70% of the escalated incidents visible to the security and HR teams included at least one attempt to circumvent a second security control to exfiltrate data without detection.
- Companies reported remote workers most commonly attempted to intentionally bypass the corporate VPN to mask their online activities.
72% of companies surveyed saw data theft attempts by a departing employee wanting to take protected IP with them or a new employee looking to inject IP from a previous employer. This represents an increase of 2.3 times, or 230%, over similar behaviors seen in 2019.
Over 40% of incidents proactively detected flight risk behavior as well as abnormal reconnaissance or data aggregation activities.
The growth in premeditated data theft attempts and intentional activity masking behaviors by employees strongly suggests that companies are facing a heightened risk of data loss as virtual employment models become the norm, furloughs are extended and reduction-in-force actions continue.
The findings in this report highlight the lack of adoption and ineffectiveness of network and endpoint cybersecurity, employee monitoring and data loss prevention tools and suggest that organizations need to prioritize the human-element and workforce behavior in relation to data, process and machines as a pillar of their next-generation security and IT technology strategies.
Microsoft releases new encryption, data security enterprise tools
Microsoft has released (in public preview) several new enterprise security offerings to help companies meet the challenges of remote work.
Double Key Encryption for Microsoft 365
Secure information sharing is always a challenge, and Microsoft thinks it has the right solution for organizations in highly regulated industries (e.g., financial services, healthcare).
“Double Key Encryption (…) uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security,” the company explained.
“You can host the Double Key Encryption service used to request your key, in a location of your choice (on-premises key management server or in the cloud) and maintain it as you would any other application.”
This Microsoft enterprise security solution allows organizations to migrate sensitive data to the cloud or share it via a cloud platform without relying solely on the provider’s encryption. Also, it makes sure that the cloud provider or collaborating third parties can’t have access to the sensitive data.
Microsoft Endpoint Data Loss Prevention
“Data Loss Prevention solutions help prevent data leaks and provide context-based policy enforcement for data at rest, in use, and in motion on-premises and in the cloud,” Alym Rayani, Senior Director, Microsoft 365, noted.
“Built into Windows 10, Microsoft Edge, and the Office apps, Endpoint DLP provides data-centric protection for sensitive information without the need for an additional agent, enabling you to prevent risky or inappropriate sharing, transfer, or use of sensitive data in accordance with your organization’s policies.”
Organizations can use it to prevent copying sensitive content to USB drives, printing of sensitive documents, uploading a sensitive file to a cloud service, an unallowed app accessing a sensitive file, etc.
When users attempt to do a risky action, they are alerted to the dangers and provided with a helpful explanation and guidance.
Insider Risk Management and Communication Compliance
Insider Risk Management is not a new offering from Microsoft, but has been augmented by new features that deliver new, quality insights related to the obfuscation, exfiltration, or infiltration of sensitive information.
“For those using Microsoft Defender Advanced Threat Protection (MDATP), we can now provide insights into whether someone is trying to evade security controls by disabling multi-factor authentication or installing unwanted software, which may indicate potentially malicious behavior,” explained Talhar Mir, Principal PM at Microsoft.
“Finally, one of the key early indicators as to whether someone may choose to participate in malicious activities is disgruntlement. In this release, we are further enhancing our native HR connector to allow organizations to choose whether they want to use additional HR insights that might indicate disgruntlement to initiate a policy.”
Communication Compliance has also been introduced earlier this year, but now offers enhanced insights and improved actions to help foster a culture of inclusion and safety within the organization.
Most companies suffered a cloud data breach in the past 18 months
Nearly 80% of the companies had experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new Ermetic survey reveals.
According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.
Meanwhile, 80% reported they are unable to identify excessive access to sensitive data in IaaS/PaaS environments. Only hacking ranked higher than misconfiguration errors as a source of data breaches.
“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Shai Morag, CEO of Ermetic.
“In fact, two thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”
Excessive access permissions may go unnoticed
Driven by the dynamic and on-demand nature of public cloud infrastructure deployments, users and applications often accumulate access permissions beyond what is necessary for their legitimate needs.
Excessive permissions may go unnoticed as they are often granted by default when a new resource or service is added to the cloud environment. These are a primary target for attackers as they can be used for malicious activities such as stealing sensitive data, delivering malware or causing damage such as disrupting critical processes and business operations.
Survey highlights
As part of the study, IDC surveyed 300 senior IT decision makers in the US across the Banking (12%), Insurance (10%), Healthcare (11%), Government (8%), Utilities (9%), Manufacturing (10%), Retail (9%), Media (11%), Software (10%) and Pharmaceutical (10%) sectors. Organizations ranged in size from 1,500 to more than 20,000 employees.
Some of the report’s key findings include:
- 79% of companies experienced at least one cloud data breach in the past 18 months, and 43% said they had 10 or more
- Top three cloud security threats are security misconfiguration of production environments (67%), lack of visibility into access in production environments (64%) and improper IAM and permission configurations (61%)
- Top three cloud security priorities are compliance monitoring (78%), authorization and permission management (75%), and security configuration management (73%)
- Top cloud access security priorities are maintaining confidentiality of sensitive data (67%), regulatory compliance (61%) and providing the right level of access (53%)
- Top cloud access security challenges are insufficient personal/expertise (66%), integrating disparate security solutions (52%) and lack of solutions that can meet their needs (39%)
Solving the security challenges of remote working
Unprecedented times call for unprecedented actions and the ongoing COVID-19 pandemic has caused what is likely to be the biggest shift towards remote working that the world has ever seen. But, while the technology has been around for quite some time, recent events demonstrate just how few businesses are capable of switching from an office-based setup to a remote one in a fast, secure, and non-disruptive manner.
There’s a significant number of reasons why it is prudent to have a remote working infrastructure in place. Truth be told, “in the event of a global pandemic” probably wasn’t very high up most people’s list before 2020. In normal circumstances, common occurrences like adverse weather, transportation issues, and power outages can also severely affect the productivity of business if employees can’t access what they need outside the office.
That being said, proper implementation of any remote working program is key. In particular, the right security tools must be in place, otherwise businesses risk exposing themselves to a wide range of cyber threats.
This article examines some of the major considerations for any business looking to tackle the security challenges of remote working and implement a program that will enable employees to work both effectively and securely from anywhere.
Security challenges of remote working: Finding the right approach
Historically, office-based businesses have managed off-site workers through the use of virtual private networks (VPNs) and managed devices with installed software agents – also known as the mobile device management (MDM) approach. While still a relatively popular strategy today, it raises an increasing number of privacy concerns, mainly because it gives businesses the ability to monitor everything employees do on their device. VPN technology is also widely considered to be outdated and its complexity means skilled IT professionals are required to manage/maintain it properly.
For businesses without legacy technology to consider, a bring your own device (BYOD) approach is often preferable. Not only does it significantly reduce IT costs, but employees will always be able to work on their device in the event of unforeseen circumstances that prevent them from traveling to the office.
Unlike a managed device approach, employees using their own personal devices have more freedom over what and where they can view or download sensitive data, making robust security even more critical. Below are three security technologies that can be used to complement the flexibility a BYOD program provides:
1. Data loss prevention technology keeps businesses in control
One of the biggest issues with a BYOD approach is how to prevent sensitive data loss or theft from unmanaged devices. The use of data loss prevention (DLP) technology can significantly mitigate this, giving businesses much more control over their data than they would otherwise have. With DLP in place, any unauthorized attempts to access, copy or share sensitive information – whether intentional or not – will be prevented, keeping it out of the wrong hands and helping to prevent security breaches.
2. Behavioral analytics quickly detects suspicious user activity
Implementation of user and entity behavior analytics (UEBA) is a great way to quickly detect anomalous behavior that might indicate a potential security breach amongst your remote workforce. UEBA works by learning and establishing benchmarks for normal user behavior and then alerting security teams to any activity that deviates from that established norm. For instance, if a remote worker typically logs in from London but is suddenly seen to be logging in from Paris, particularly under the current circumstances, this would raise an immediate alert that something is amiss.
3. Agentless technology delivers robust security without breaching privacy
Employees using personal devices as part of a BYOD program can often be resistant to agent-based security tools being installed on them. Not only are some – like MDM – considered an invasion of privacy, but they can also impact device performance and functionality. Conversely, agentless security tools utilize cloud technology, meaning they require no installation but still give security teams the control they need to monitor, track and even wipe sensitive data if/when necessary.
Furthermore, because agentless security tools only monitor company data on the device, employees can be confident that their personal data and activity remain completely private. Leading agentless security solutions even include cloud based DLP as part of their offering, meaning businesses can cover multiple bases in one go.
Over the last few months, the pandemic has forced many businesses to fundamentally change the way they operate. For some, this switch to remote working has been quick and painless, but for many others, a lack of foresight or advanced planning has made it a significant challenge.
Of course, hindsight is a wonderful thing, but even in the midst of this pandemic, it’s not too late to change tack. By combining BYOD with powerful cloud security and analytics technology, businesses of all shapes and sizes can quickly establish an effective, secure remote working program, keeping the wheels of business turning when even the most unexpected things happen.
46% of SMBs have been targeted by ransomware, 73% have paid the ransom
Ransomware attacks are not at all unusual in the SMB community, as 46% of these businesses have been victims. And 73% of those SMBs that have been the targets of ransomware attacks actually have paid a ransom, Infrascale reveals.
Yet, more than a quarter of the total SMB survey group said they lack a plan to mitigate a ransomware attack. And nearly a fifth of the total group said they feel their organization is unprepared for a ransomware attack.
The research is based on a survey of more than 500 C-level executives. CEOs represented 87% of the group. Almost all of the remainder was split between CIOs and CTOs.
“Ransomware is not a new phenomenon,” said Russell P. Reeder, CEO of Infrascale. “However, it is surprising how many businesses are unprepared for a ransomware attack. It is shocking that during a time in which the world should be coming together in the fight against COVID-19, criminals are preying on unsuspecting people and organizations for personal – usually financial – gain. And, in many cases, these bad actors are actually benefiting.
“With appropriate strategies using preventative measures like internet security and education, and protection measures like data backup and disaster recovery, you should never have to worry about paying ransomware.”
B2B orgs were more likely to be ransomware targets than B2Cs
Business-to-business (B2B) organizations were more likely to have experienced a ransomware attack than business-to-consumer (B2C) entities, according to the Infrascale survey results. Representatives from more than half (55%) of the B2Bs said they had been hit by ransomware.
But B2C organizations clearly are not immune to the ransomware risk. The research showed that more than a third (36%) of this group said they have been victims of ransomware attacks.
Time and resources often stand in the way of ransomware prevention
The majority of SMBs (83%) said they do feel prepared for a ransomware attack, with 10% more B2Bs (87%) expressing that sentiment than the B2C group (77%). However, 17% of the SMBs participating in the survey said they do not feel that their business is prepared for a ransomware attack.
Those SMBs that said they feel unprepared to contend with ransomware attackers indicated that time and resources are their next biggest enemies in this battle.
Almost a third (32%) of the SMBs said they simply have limited time to research ransomware mitigation solutions. The same share said their IT teams are so stretched that they feel their organizations don’t have the adequate resources to address the ransomware threat.
“There’s no question that the time and talent of IT professionals are at a premium today,” said Reeder. “But there are many solutions, with varying levels of protection, available to help businesses address ransomware.
“Many qualified third parties can do much of the heavy lifting in terms of implementation and setup. That makes it easier than ever for businesses to protect themselves from ransomware and avoid rewarding criminals by paying out costly ransoms.”
Paying a ransom offers no guarantees
A lack of ransomware protections is likely to cost these SMBs later. And, in some cases, SMBs may already have experienced the hassles and financial losses that ransomware creates.
The research shows that 78% of SMBs in the B2B category already have paid a ransom in a ransomware attack. The majority of B2C SMBs (63%) said they have done the same.
More than a quarter (26%) of the SMBs that said they have never paid a ransom said they would consider doing so. Of that group, 60% said they would pay ransom to get their files back quickly. And 53% said they would pay ransom to protect their company’s public image around data protection and recovery efforts.
SMBs that are open to paying a ransom might want to start saving now, as this is not an inexpensive proposition. Forty-three percent of SMBs said they have paid between $10,000 to $50,000 to ransomware attackers. Thirteen percent said they were forced to pay more than $100,000.
Paying a ransom does not guarantee that an organization will recover any or all of its data. Seventeen percent of the survey participants who said they paid ransoms to their ransomware attackers indicated they recovered only some of their organization’s data.
Those still unprepared should take steps toward prevention, education
The good news is that 72% of the SMB survey group said their organization currently has a plan in place to mitigate a ransomware attack. And the research suggests B2Bs (80%) are better prepared on this front than B2C organizations (62%).
However, 28% of SMBs said they do not have a plan to mitigate a ransomware attack. That puts these organizations – and their customers and other stakeholders – at significant risk. But these organizations can get started now to protect themselves from costly ransomware attacks.
“The best protection, of course, is prevention. And education is the key to its success,” said Reeder. “If something looks nefarious, it usually is. However, criminals are becoming increasingly sophisticated at making their attacks look legitimate. And again, at a time where people are in search of information and answers, the public’s fake-filters are at an all-time low.
“Next, of course, are protection strategies,” Reeder added. “Picking up on a potential attack in advance is ideal to prevent it from happening. However, if an organization is compromised, near-immediate remediation is top priority – and it shouldn’t be in the form of paying a ransom.
Google introduces new G Suite security options
Google has introduced new security options for G Suite customers, including Advanced Protection for enterprise users and access control for apps accessing G Suite data. Advanced Protection for high-risk users The Advanced Protection option was in beta since August 2019, and is now generally available to all G Suite editions and on by default. It allows admins to enforce a specific set of high-security policies for employees in their organization that are most at risk … More
The post Google introduces new G Suite security options appeared first on Help Net Security.
It Is Time To Think About Data Leakages.
Do You Know Data Leakages Are?
Do you know all the possible ways to take information out of company so that no one would know? I’m sure that there are means and methods for data leakage despite security controls.
Let’s think about how can we control this process better.
First, it’s necessary to understand that there no absolute controls around security. Even if a USB port is blocked, it’s still possible to write some data to USB, if there is system that controls outgoing mails, then it’s still possible to use some trick that intruder might use to send out important data out of the company.
So how to manage information security policies to prevent possible data leakages? Let’s list all possible ways to prevent leakage. There are two general categories – active and proactive security. These terms are sometime hard to understand in real word, so let’s discuss another approach. There are means that will help to prevent the fact of information leakage, and there are means that will help to find out, if information was leaked. Both methods should be considered when building information security at your company.
How to prevent information leakage. First, it’s necessary to apply a security policy which will guaranty the access to the certain data only for trusted persons, in this way you will always know who has access to the data, so it is easier to find possible intruder and to control your employees.
Second, consider all possible ways for information to be stolen, such as sent out by email, copies by some employee, stolen by some spyware software, copies to the external drive, etc. Think about all possible ways and think about risks applied. Try to minimize the risk for the most important data.
Let’s list some possible security issues and the ways how we can get rid of them.
Keyloggers and other spyware software. Keylogger is a program that works in background, records all keystrokes and send out information to third-party. The good idea is to start with firewall, which will allow access to the internet only for a certain programs.
Intruder insider your company. Statistics shows that there are some in most companies. The bad news is that these people might produce more damage that all other attackers. Make sure you know about what employee do, what he or she keeps on his hard disk and all you do comply with privacy policy of your company.
Hardware that might be dangerous. There are software that allows to lock USB ports, there are software that allows to block access to any other writeable media, consider installing these tools on computers and user accounts which doesn’t need to use this functions during their work.
Finally, the key principle about fighting information leakage is to be proactive. You don’t need to wait until some information will be stolen, being a little paranoid will help to save your business. It’s easy to install and integrate into the security policy some audit measures, that will regularly check your company for possible security holes, it’s simple, but it will work.
The Do’s and Don’ts To Avoid Data Breach
No matter what size of data you have, it is always on the target of cyber crooks to be attacked. There is always the risk of Data Breach. Some months back in the current year, Yahoo Japan informed the users that they been hit by a hack attack in which they have compromised the information of about 22 million people. Earlier that incident LivingSocial an online daily dealing website revealed that unfortunately hackers have stolen the personal information of almost half a billion of the customers. These two attacks show how big the concern of online crime has become. There is no country, city, area or even an individual in the world that can claim that he or she has no threat to his or data for getting breached.
Continue reading “The Do’s and Don’ts To Avoid Data Breach”
Data Loss Prevention (DLP) demand is growing
Read Why Data Loss Prevention (DLP) Demand Is Growing
With the importance in data security escalating, there has been an increased demand for the earliest approaches to securing data, namely data loss prevention, say experts.
Data loss prevention (DLP) is a term used to describe software products and strategies that help a network administrator control what data end users can transfer.
According to Trevor Coetzee, regional director, SA and Sub-Saharan Africa at Intel Security, there has been a revival of the DLP market locally and growth globally – in both data loss and data leakage prevention requirements – due to new privacy laws being implemented by countries across the world.
Many SA organisations are investigating solutions in preparation for the privacy laws like POPI within the country, says Coetzee.
Moreover, the demand is also being driven by the growing adoption of cloud services, data going across public cloud services, and increased focus on the insider threat that many organisations face on a daily basis, says Coetzee.
“We are also encountering, unlike what we have seen in the past with emerging technologies and capabilities, that SA companies are adopting cloud strategies and technologies at a surprisingly fast rate.
“As a result, they are now looking for numerous security solutions which align to their strategy – including DLP solutions.”
Research firm Markets and Markets agrees, saying one of the major factors that have helped the DLP market to grow is the increasing focus of organisations towards meeting regulatory and compliance requirements and data saved on public and private cloud.
Apart from this, factors such as increasing data breaches and cyber attacks are boosting the demand for DLP solutions, it adds.
Darryn O’Brien, country manager at Trend Micro Southern Africa, says organisations are realising that their data is no longer just information, but an asset which should be protected from the outside world.
It is this awareness that is driving the need for technologies and processes like DLP to address the situation, he adds.
Perry Hutton, Africa regional vice president at Fortinet, says the flow of data transactions into and out of the data centre, between data centres, or that is used and stored on a wide variety of devices is increasing at a dramatic pace.
During this process, the nature of the data changes, and comprehensive data loss prevention strategy is needed to address these different states, adds Hutton.
DLP strategies need to include not only business sensitive information but personal client and employee information too, as the loss of this data can be just as damaging to a business, says O’Brien. “In short it needs to be holistic and embrace all aspects of the business.”
Are you considering the protection that your data demands?
ITSecurity.Org can help you with your DLP requirements
By Regina Pazvakavambwa
Data Protection 03/02/15
- Tivium Ltd (a green deal energy company with a registered office in North London) has been prosecuted for failing to respond to an Information Notice issued by the ICO. The fine was
£5,000 with a £120 victim surcharge & prosecution costs of £489.85. The company appears to still be trading (apparently based in the North of England) but its website indicates that it is closed to new customers. - The ICO has taken enforcement action against high street and online shoe retailer Office [Office Holdings Ltd, based in the City of London] after the personal data of over one million customers was left exposed due to a hacking incident. The reasons for the ICO action were:-
1. The ICO was informed on 29th May 2014 that a member of the public had hacked into an unencrypted historic Office database that was being stored on a legacy server outside the core infrastructure of the current website.
2. This individual had managed to gain potential access to personal data relating to over a million Office customers, including contact details and website passwords. However, the data controller has confirmed that it does not store customers’ bank details, so financial information was not compromised. Moreover, there is no evidence to suggest that the information accessed has been further disclosed or otherwise used.
3. Office explained that there were several technical measures in place to minimise the risk of such an attack, although the hacker managed to bypass these measures to gain access to the legacy servers undetected.
4. Office has also confirmed that whilst penetration tests were carried out on the new websites before migration, only a single such test was completed on the old system, the results of which were not concluded or recorded, due to the legacy system being in the process of being decommissioned.
5. Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk.
6. However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought. As such, it would appear that the retention of this historic data, some of which may now be inaccurate, was over cautious and not strictly required.
7. Amongst other remedial measures taken by Office since the incident, the servers in question have now been decommissioned and a new hosting infrastructure is in place.
8. At the time of the incident, Office’s public facing privacy policy did not contain any specific reference to retention periods and no formal data protection training was provided to staff. Office has since confirmed that both these matters are being addressed and that new policies will be formalised early in 2015.
Electronic Marketing
- An eye care company has been formally warned by the ICO to stop sending out nuisance text messages or face further action. The ICO has served an enforcement notice on Optical Express (Westfield) Ltd, after over 4,600 people registered concerns between September 2013 and April 2014. The concerns about the unsolicited messages were reported to the mobile networks’ Spam Reporting Service indicating they had not given permission for the company to use their details for marketing [this is a breach of Regulation 22 (2) of the Privacy & Electronic Communications Regulations 2003]. The Glasgow-based business which has branches across the UK had been sending out texts that included details of a competition to win free laser eye surgery.
European Union
- Pinsent Masons (a UK law firm) has published an article in Out-Law news and guidance entitled “Data Protection Officers – will EU businesses face an obligation to appoint one? The article gives a useful summary of the proposed Rules with regards to these Officers in the EU Data Protection Regulation, giving a good summary of the Commission’s view, the Parliament’s view and the (current) view from the
- Under the Council’s plans, no organisation would be under an obligation to appoint a Data Protection Officer (DPO) unless required to do so under other EU legislation or the national laws of individual EU member states. Instead, the Council said organisations “may” appoint a DPO and go on to list conditions that organisations electing to appoint a DPO would have to conform to. Many of the conditions are similar to those supported by the Commission and Parliament. They include that the DPO can act independently
Data Protection
- Pinsent Masons (a UK law firm) has published an article in Out-Law news & guidance entitled “US to create new data breach notification rules”. They reported that the US president Barack Obama had stated that US businesses will be required to notify consumers within 30 days that there has been a breach of the security of their personal data.
- Pinsent Masons reported that the proposal is part of a package of measures president Obama said are needed “…to protect the identities and privacy of the American people. We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused”
- Continuing with his Washington speech, president Obama stated; – “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies – and it’s costly, too, to have to comply with this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans – even when they do it overseas”
- Clearly this new proposal will apply to Capita plc businesses (that process personal data) that are based in the USA. However, it will be interesting to see if these federal proposals help to ensure that Safe Harbour remains available to EU based businesses to transfer personal data to participating organisations in the USA. The future of Safe Harbour is currently under discussion between the European Commission and the US Department of Commerce.