Exploring the proper use of pseudonymisation related to personal data

In the light of the General Data Protection Regulation (GDPR), the challenge of proper application of pseudonymisation to personal data is gradually becoming a highly debated topic in many different communities, ranging from research and academia to justice and law enforcement and to compliance management in several organizations across Europe.

pseudonymisation personal data

Pseudonymisation and personal data challenges

The ENISA “Pseudonymisation techniques and best practices” report, amongst other, especially discusses the parameters that may influence the choice of pseudonymisation techniques in practice, such as data protection, utility, scalability and recovery.

It also builds on specific use cases for the pseudonymisation of certain types of identifiers (IP address, email addresses, complex data sets).

pseudonymisation personal data

There is no easy solution

One of the main outcomes of the report is that there is no single easy solution to pseudonymisation that works for all approaches in all possible scenarios.

On the contrary, it requires a high level of competence in order to apply a robust pseudonymisation process, possibly reducing the threat of discrimination or re-identification attacks, while maintaining the degree of utility necessary for the processing of pseudonymised data.

The rise of continuous crowdsourced security testing for compliance

A large percentage of organizations and institutions are moving toward a rigorous, continuous testing model to ensure compliance, a Synack report reveals.

continuous crowdsourced security testing

As part of this shift toward continuous testing, organizations are utilizing crowdsourced security testing to achieve regulatory compliance and real security, with adoption expected to increase four-fold in 2020.

With new compliance frameworks such as GDPR and CCPA drastically increasing the cost of a breach, organizations are racing to protect their data. In an increasingly connected, highly regulated and digital world, business leaders and decision makers are turning to outside vendors that can ramp up quickly in a cost effective manner.

As a result, the crowdsourced security testing space – which has already gained credibility for its significantly better ROI than more traditional, less frequent, and less secure methods – has surpassed all estimates and will continue to do so in 2020 and beyond.

“The rapid embrace of crowdsourced security testing has happened because it is proven to work better than traditional security testing methods and addresses the ever growing talent gap within organizations,” said Synack CTO Mark Kuhr.

What is boosting continuous crowdsourced security testing?

The growth in crowdsourced security testing can be attributed to two major trends. The first: rapid development cycles. “Today’s security teams have shorter development cycles and dynamic environments that require rapid deployment and a continuous approach to security testing,” explains Kuhr. This explains the shift towards continuous, crowdsourced security testing for compliance purposes.

“Although we are seeing a move toward a 24/7, 365 security culture at organizations in a wide variety of industries and geographies, there is still ample room for improvement,” said Aisling MacRunnels, Synack’s CMO.

“Our survey found that on average, most security tests are lasting just 20 hours. As the number of cyber incidents continues to increase, it will be imperative for decision makers to implement security testing solutions on a continuous basis with 1500-2000 hours of testing a year.”

Secondly, organizations are looking to crowdsourced security due to tremendous pressure from boards and regulators to remain compliant and secure. Regulatory frameworks and best practices mentioned in the report including GDPR and HIPAA are increasingly requiring or recommending an annual or more frequent audit with penetration testing.

The advent of trusted and structured crowdsourced penetration testing solutions build on that trend by providing the very best of human intelligence with artificial intelligence on a continuous cadence.

“This shift toward continuous crowdsourced security testing will allow organizations and institutions to have the best of both worlds by procuring technology that offers efficient and effective results while fulfilling best practice standards such as NIST 800-53 to meet compliance objectives,” said Kuhr.

In addition to helping identify a set of security and compliance best practices for a diverse set of industries, the report found security testing is becoming part of an organization’s normal routine rather than a once-a-year check of the box focused only on compliance.

44% of organizations and institutions surveyed are performing security tests on a monthly or weekly basis, which suggests they are moving toward the more effective continuous model that crowdsourced solutions enable.

Other key findings

  • 63% of organizations agree that the most common use case for external vendors is to identify and reduce vulnerabilities, which is encouraged by different compliance frameworks and best practice standards
  • 52% of organizations experience unwanted cost and complexity due to overlap in functionality from using multiple security vendors, which is caused by poor budget allocation and overlap in vendor capabilities
  • 32% of compliance testing processes are expensive and difficult to scale, yet crowdsourced security testing solutions provide 147% higher ROI than a typical pen test and may decrease the burden of testing on organizations by reducing signal-noise ratio

Despite potential fines, GDPR compliance rate remains low

58% of surveyed businesses worldwide failed to address requests made from individuals seeking to obtain a copy of their personal data as required by GDPR within the one-month time limit set out in the regulation, reveals updated research from Talend.

GDPR compliance rate

GDPR compliance rate: 2018 and now

In September 2018, Talend released the results of its first GDPR research benchmark, which was aimed to assess the ability of organizations to achieve right to access and portability compliance with the European regulation. At that time, 70% of the companies surveyed reported they had failed to provide an individual’s data within one month.

One year later, Talend surveyed a new population of companies, as well as the companies which reported a failure to comply in the first benchmark, in order to map improvement. Although the overall percentage of companies who reported compliance increased to 42%, the rate remains low 18 months after the regulation came into force.

“These new results show clearly that Data Subject Access Rights is still the Achilles’ heel of most organizations,” said Jean-Michel Franco, Senior Director of Data Governance Products at Talend. “To fully comply with GDPR it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted.”

Organizations are struggling to meet requests

The research revealed that only 29% of the public sector organizations surveyed could provide the data within the one-month limit. With an increasing use of data and new technologies – facial recognition, artificial intelligence – by the public sector to improve the citizen experience, the need for more integrated data governance is a must-have for 2020 and beyond.

The same observation applies to companies in the media and telecommunications industries. Only 32% of these organizations reported that they could provide the correct data on time.

Many firms barely reach an average success rate

Compared to last year, retail companies improved their success rate with 46% of such companies reporting they provided correct responses within the one-month limit. A greater proportion of companies in this industry started to take a customer-centric approach to both improve the experience and internal processes.

The same situation occurs with organizations in finance as well as in travel, transport, and hospitality industries. In addition, the latter are considered as the best performers as companies in that industry represent 38% of all the organizations who provided data in less than 16 days.

The lack of automation remains a barrier to success

One take-away from this new benchmark is the lack of automation in processing requests. One of the main reasons companies failed to comply was the lack of a consolidated view of data and clear internal ownership over pieces of data. In the financial services industry, for example, clients may have multiple contracts with a company that may not be located in one place making it difficult to retrieve all necessary information.

Processing the requests thus remains very manual and often Involves the business users, e.g. the insurance representatives in the case of an insurance company. In addition, processing Subject Right Requests can be very costly; according to a recent Gartner survey, companies “spend, on average, more than $1,400 to answer a single SRR.”

GDPR compliance rate

ID proof and requesting process should be improved

The research also highlights the lack of an ID check during the data request process of the individual requesting data. Overall, only 20% of the organizations surveyed asked for proof of identification. Moreover, of the companies surveyed that reported asking for proof of identification, very few use an online and secure way of sharing ID documents. Instead, most of the time, copies of identification were provided by email. The requesting process also remains cumbersome with reported difficulties including finding the right email address to send the request, and follow up emails because the data is incomplete or because the files can’t be opened.

Growing complexity is driving operational changes to privacy programs

A majority of companies are adopting a single global data protection strategy to manage evolving privacy programs, and that managing the expanding ecosystem of third parties handling data has become a top priority, a TrustArc report reveals. Evolving ecosystem of partners, customers, and vendors driving risk assessment processes Vendor and third-party risk assessments ranked first among privacy assessments globally, with 78 percent of U.S. respondents reporting that they now conduct them. That figure indicates the … More

The post Growing complexity is driving operational changes to privacy programs appeared first on Help Net Security.

Top concerns for audit executives? Cyber risks and data governance

As organizations continue to collect customer and employee data, chief audit executives (CAEs) are increasingly concerned about how to govern and protect it. Gartner conducted interviews and surveys from across its global network of client organizations to identify the biggest risks facing boards, audit committees and executives in 2020. Data governance has risen to the top spot of CAEs’ audit concerns, up from second place in last year’s report, replacing cybersecurity preparedness. Increased regulatory scrutiny … More

The post Top concerns for audit executives? Cyber risks and data governance appeared first on Help Net Security.

Exploiting GDPR to Get Private Information

A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

“Generally if it was an extremely large company — especially tech ones — they tended to do really well,” he told the BBC.

“Small companies tended to ignore me.

“But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”

He declined to identify the organisations that had mishandled the requests, but said they had included:

  • a UK hotel chain that shared a complete record of his partner’s overnight stays

  • two UK rail companies that provided records of all the journeys she had taken with them over several years

  • a US-based educational company that handed over her high school grades, mother’s maiden name and the results of a criminal background check survey.

Why Isn’t GDPR Being Enforced?

Politico has a long article making the case that the lead GDPR regulator, Ireland, has too cozy a relationship with Silicon Valley tech companies to effectively regulate their privacy practices.

Despite its vows to beef up its threadbare regulatory apparatus, Ireland has a long history of catering to the very companies it is supposed to oversee, having wooed top Silicon Valley firms to the Emerald Isle with promises of low taxes, open access to top officials, and help securing funds to build glittering new headquarters.

Now, data-privacy experts and regulators in other countries alike are questioning Ireland’s commitment to policing imminent privacy concerns like Facebook’s reintroduction of facial recognition software and data sharing with its recently purchased subsidiary WhatsApp, and Google’s sharing of information across its burgeoning number of platforms.

This Week in Security News: Consumer Data and Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn what security issues and critical threats will impact consumer data this year. Also, learn about a malicious Adobe app targeting macOS systems.

Read on: 

Keys to Safeguarding Consumer Data in 2019

Trend Micro reports that there are certain security issues which will specifically impact consumer data, including phishing and fraud attacks. 

Linksys Partners with Trend Micro for Network Protection on Velop Wi-Fi Systems

Linksys and Trend Micro have partnered to deliver a security solution for home networks to give families an added layer of digital projection.

Collaborating with Law Enforcement to Tackle the Scourge of ATM Attacks

Trend Micro contributed to a new Europol report detailing guidelines on logical ATM attacks, in support of ongoing efforts by both law enforcement and the financial industry to stop ATM abuse. 

Report: Over 59,000 GDPR Data Breach Notifications, But Only 91 Fines

Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

MacOS Malware Poses as Adobe Zii, Steals Credit Card Info and Mines Monero Cryptocurrency

Trend Micro found a malicious app posing as Adobe Zii (a tool used to crack Adobe products) targeting macOS systems to mine cryptocurrency and steal credit card information. 

Auto Engineers Warn Your Car Might be Easier to Hack Than You Think

As auto makers roll out more sophisticated features, the upgrades are also making cars more vulnerable to cyberattacks, according to a new report from the Ponemon Institute.

Managing Digital Footprints and Data Privacy

A massive data dump involving more than two billion user credentials was reported earlier this year. The ramifications of this dump is just the beginning for many of those whose data are included. 

Just Two Hacker Groups are Behind 60% of Stolen Cryptocurrency

A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.

EU Orders Recall of Children’s Smartwatch Over Severe Privacy Concerns

For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children’s smartwatch produced by German electronics vendor ENOX.

Do you agree phishing and fraud attacks will be the main threats impacting consumer data in 2019? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Consumer Data and Malware appeared first on .

This Week in Security News: Ransomware and Cyber Threats

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about new routines for encryption of JobCrypter ransomware. Also, understand how Emotet has managed to evolve into one of the most notorious cyber threats in existence.

Read on:

Spotted: JobCrypter Ransomware Variant With New Encryption Routines, Captures Desktop Screenshots

A variant of JobCrypter ransomware was observed by Trend Micro using new routines for encryption and features the ability to send a screenshot of the victim’s desktop to an email address. 

For Industrial Robots, Hacking Risks Are On the Rise

In the future, industrial robots may create jobs, boost productivity and spur higher wages. But one thing seems more certain for now: They’re vulnerable to hackers.

Microsoft CEO Satya Nadella made a global call for countries to come together to create new GDPR-style data privacy laws

Microsoft CEO Satya Nadella is a major proponent of the the recent European data regulation GDPR, which came into force in May 2018.

Protecting Critical Infrastructure and Roadways: How Smart Cities Create New Risks

While advanced components to support utilities, critical infrastructure, and more can bring numerous benefits, these solutions also open both urban and rural areas to new risks and cyber threats.

DHS Releases Emergency Order to Prevent DNS Hijacking

The Department of Homeland Security has issued a rare “emergency” directive ordering federal civilian agencies to secure the login credentials for their internet domain records out of concern that they could be vulnerable to cyberattacks.

As BYOD Adoption and Mobile Threats Increase, Can Enterprise Data Security Keep Up?

While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets and laptops.

Going In-depth with Emotet: Multilayer Operating Mechanisms

Over a period of just five years, Emotet has managed to evolve into one of the most notorious cyber threats in existence – one that causes incidents that cost up to $1 million dollars to rectify.

Online Casino Group Leaks Information on 108 Million Bets, Including User Details

An online casino group has leaked information on over 108 million bets, including details about customers’ personal information, deposits and withdrawals. 

Google Fined €50 Million for GDPR Violation in France

France’s data protection regulator, CNIL, has issued Google a €50 million fine (around $56.8 million USD) for failing to comply with its GDPR obligations. 

Security is the no. 1 IT barrier to cloud and SaaS adoption

More than 70% of tech professionals said security spending has increased in the past year, according to a Ping Identity report.

Millions of Financial Records Leaked at Texas-Based Data Firm

More than a decade’s worth of credit and mortgage records, many linked to some of the country’s largest banks and lenders, was temporarily exposed online.

What do you think are some other risks smart cities will create within the next years? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Ransomware and Cyber Threats appeared first on .

How UK’s GDPR law might not be judged ‘adequate’

If it has Data Protection Act’s defects, all bets are off

Comment Since 2005, I have tried to use Freedom of Information legislation to find out what is behind the “ongoing” infraction proceedings, commenced by the European Commission against the UK. This is because the UK’s Data Protection Act (DPA) is, according to the Commission, a defective implementation of Directive 95/46/EC.

So what are these defects? Should data protection practitioners know what they are?

Continue reading “How UK’s GDPR law might not be judged ‘adequate’”