Data Breach Preparation and Response in Accordance With GDPR

Many may be familiar with guidelines on personal data breach notification from Article 29 Working Party (WP29) prepared in October 2017 under Regulation 2016/679. In addition, the General Data Protection Regulation (GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority.

The basic concept of personal data breaches was not introduced first by the GDPR, and there are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to provide notification of breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands).

GDPR contains several provisions relating to personal data breaches that data controllers (and processors) must also be aware of. Additional information can be found in ISACA’s Implementing the General Data Protection Regulation publication; however, I’ve outlined some key highlights on breaches below.

So first, what is a personal data breach?
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

What type of personal data breaches exist?

  • Confidentiality breach
  • Availability breach
  • Integrity breach

It is also apparent from above that the concept of personal data breaches is closely linked to the principle of the integrity and confidentiality of personal data (Article 5 (1) (f) of the GDPR). Therefore, a wide variety of personal data breaches may occur, such as losing a laptop or USB drive that contains personal data, attacking an IT system, or even sending a letter or an email to wrong recipient.

Four years earlier, WP29, in its Opinion issued in 2014 (Opinion No. 03/2014), presented a number of practical examples of what is considered to be a personal data breach and the consequences it may have.

Why is it so important that the personal data breach is handled as soon as possible?
The Preamble to the GDPR (Point 85) states that “a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons,” such as:

  • Loss of control over their personal data or limitation of their rights
  • Discrimination
  • Identity theft or fraud
  • Financial loss

What should you do if a personal data breach occurs?
The data controller has several tasks when a personal data breach is noticed:

  1. The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
  2. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  3. The controller shall document any personal data breaches.
  4. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

When does the personal data breach not need to be reported to the authority and when do the persons concerned not have to be notified directly?
If the data controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification may be omitted. (For example, if mail sent by a controller to a wrong address is returned without being opened, meaning that no personal data has been accessed by an unauthorized person.

How can controllers prepare for handling personal data breaches?
Given that personal data breaches can occur at any data controller, and in such cases data controllers need to react quickly, it is important for controllers to be prepared in this respect as well.

First, every actor must prepare a data breach response plan, for which there may be internal rules as well. A data breach response plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.

Below is a data breach response plan quick checklist to help with this preparation:

Information to be included Yes/No Comments
What a data breach is and how staff can identify one    
Clear escalation procedures and reporting lines for suspected data breaches    
Members of the data breach response team, including roles, reporting lines and responsibilities    
Details of any external expertise that should be engaged in particular circumstances    
How the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions    
An approach for conducting assessments    
Processes that outline when and how individuals are notified    
Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted    
Processes for responding to incidents that involve another entity    
A record-keeping policy to ensure that breaches are documented    
Requirements under agreements with third parties such as insurance policies or service agreements    
A strategy identifying and addressing any weaknesses in data handling that contributed to the breach    
Regular reviewing and testing of the plan    
A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan    


Recommendations on next steps:

An effective data breach response generally follows a four-step process — contain, assess, notify and review:

  1. Contain the data breach to prevent any further compromise of personal information.
  2. Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, take action to remediate any risk of harm.
  3. Notify individuals and the Commissioner if required. If the breach is an “eligible data breach” under the NDB scheme, it may be mandatory for the entity to notify.
  4. Review the incident and consider what actions can be taken to prevent future breaches.

How does the Hungarian DPA prepare to perform its duties in relation to personal data breaches?
Based on available information from the Hungarian DPA, there is a separate department within the Hungarian DPA’s organization that addresses receiving and managing the personal data breach notifications. It is also expected that data breach notification must be made on the authority’s website, or there will be an online interface which the notifications can be sent to the authority.

Editor’s noteISACA’s Implementing the General Data Protection Regulation publication is an educational resource for privacy and other interested professionals; it is not legal or professional advice. Consult a qualified attorney on any specific legal question, problem or other matter. ISACA assumes no responsibility for the information contained in this publication and disclaims all liability with respect to the publication. 2018 © ISACA. All rights reserved. For additional ISACA resources on GDPR, visit www.isaca.org/GDPR.

Laszlo Dellei, MBA,CISA, CGEIT, CRISC, C|CISO

[ISACA Now Blog]

GDPR Can’t Fix Stupid

GDPR, the much-discussed General Data Privacy Regulation from the European Union, will not be a cure-all for the world’s data privacy problems simply because the GDPR, like every law, is subject to the bureaucracy out of which it was born. This bureaucracy can be compared to a super tanker and those who would violate the law to speedboats. While the super tanker takes miles to make a simple course adjustment, speed boats can dance around the super tank with little fear of a collision.

Sure, there will be times when a speedboat captain makes a mistake and collides with the super tanker resulting in the organization being penalized, but my current expectation is that the organizations that will ultimately pay the potential fine of 4 percent of global turnover will be few and far between. I say this because the GDPR, for all its good intentions, was created by humans, and lawyers will quickly find the loopholes, unintentionally created by the humans, to keep their customers from paying significant fines. Moreover, I simply do not believe that many of the organizations charged with enforcing the GDPR currently have the required manpower and skills to successfully enforce the law. Add to this the fact that Working Party 29 continues to provide guidance on what different sections of the law mean and, at least in the short term, we have a construct that may be difficult to enforce.

That said, I think the GDPR could have a very positive effect on the events we have recently seen involving Facebook, Cambridge Analytica and the political decisions they are claimed to have influenced. GDPR clearly lays out individual’s rights and a primary focus of data privacy and information security professionals should be training colleagues, family, and friends about those rights under this law and the threats that attempt to undermine their rights. The key to success is education, for it is only education that can fix stupid. We, the world, must add critical thinking to educational programs at all levels. An educated population, with solid critical thinking skills, will significantly improve our ability to reduce the effectiveness of fake news and to take back our democracies from the forces that would use our data and opinions against us.

Despite these observations, don’t despair. GDPR is a well-intended regulation that has the potential to change the way the world views data privacy. This value will be derived, however, through education rather than through fines. We must all understand that we do not have to accept our employers, governments or, perhaps worst of all, non-governmental organizations that attempt to sway public opinion on crucial political decisions, misusing our data. We have options. We can inform ourselves using multiple accredited sources. We must demand that our rights are respected.  We should confront those who spread fake news, both in the internet but also at our own dinner table. Most importantly, we can vote, with a few mouse clicks, and can close our accounts on those social media platforms which exploit our data for their gain. We must all understand that data privacy is a universal right and thinking critically about what those with access to our data will do with it is the ultimate safeguard for our data, our privacy and ultimately for our democracies.

Author’s note: The author’s views are his own and do not necessarily reflect the views of his employer.

Scott Rosenmeier, Senior Manager Information Security, CISA, CISM, CRISC, CGEIT, CISSP-ISSMP/ISSAP TUEV SUED certified DPO (Germany)

[ISACA Now Blog]

Should CISOs Expand Their Portfolios?

CISOs have traditionally focused on the triad of “Confidentiality, Integrity and Availability.” Recently, emphasis has been placed on confidentiality, hackers and zero-day attacks. However, industry trends now require that focus to broaden to all business information risks within organizations.

Since information is a key part of almost all business transactions, information risks are becoming pervasive. The trends I want to highlight include increased need for Security departments to partner with business colleagues to understand risks from their point of view, and increased importance of integrity and availability.

Integrity
In my mind, integrity issues go back to the ChoicePoint data breach in 2005. This breach did not result from a zero-day attack. It was carried out by fraudulent customers using fake accounts. This falls under the “data integrity” mandate. At the time, many would have thought that this breach was outside of the scope of information security. But this needs to change today.

Such incidents have taken off in recent years. Fake news incidents have regularly made headlines. The potential effects of fake information on SEO results also have been highlighted. Consider the reports of identity “theft” using synthetic identities. Or the recent scandal at Kobe Steel over the internal falsification of quality data.

After the Yahoo breaches cost that company US $300M, cybersecurity assessments have become a more important part of M&A transactions. This type of assessment has to mitigate business risk. Is the firm’s risk posture what it says it is? Class action lawsuitsin the state of Michigan for faulty software algorithms bring up another information business risk. Software development errors may have real human life consequences as well as business consequences.

Availability
In the recent volatile financial market, several investment firms suffered outages, even in our era of scalable, virtualized application architectures. Ransomware attacks last year led to real money being lost from victims, not from ransoms, but from outages. The largest ever DDoS attack recently was reported. These attacks are likely to continue to be common.

Confidentiality
This is still an important issue, but the diversity of incidents is increasing. An ex-Expedia employee pleaded guilty to stealingcompany information to facilitate his insider trading of company stock. Better keyless entry systems now facilitate faster theft by car thieves, not just theft of information. In 2016, steelmaker ThyssenKrupp lost trade secrets to cyber criminals. A large retailer recently was hit with a $27 million fine for stealing a small contractor’s intellectual property. Instead of just stealing IDs, criminals are now stealing whole systems and the intellectual property that goes along with those systems.

These incidents highlight newer ways to misuse information resources and adversely affect a business. More longstanding hacker attacks using technology are not going away; traditional technology controls are still needed to mitigate these risks and significant progress has been made in doing so. But these newer incidents highlight threats in which the misuse case and consequences are highly entwined with the business. To find these risks, CISOs will need, more than ever, to understand the business they are protecting and the risks that are seen by senior management. Security controls will need to be more integrated in business operations to be effective.

A recent presentation by Facebook CISO Alex Stamos also highlighted these issues. In his talk, Stamos distinguishes between two components of technology risk: traditional InfoSec and “abuse.” He defines abuse as “technically correct use of a technology to cause harm.” In his view, the abuse category of risk is much broader than the traditional InfoSec concerns. Some of his solutions to better manage the abuse category of risk include broadening the focus of security practitioners and increasing empathy toward business users and leaders.

My own conclusion is: if the issue involves company information, and misuse can affect the company’s risk posture, then CISOs need to play an active role in mitigating that risk.

Frederick Scholl, Ph.D., CISM

[ISACA Now Blog]

CCSK obtains course mapping approval under IMDA’s CITREP+ Programme

SINGAPORE – March 21, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, is pleased to announce that its Certificate of Cloud Security Knowledge (CCSK) course has successfully completed course mapping under CITREP+

Through this recognition, attendees who are Singapore citizens and permanent residents can attend the 3-day CCSK training course at subsidised costs under the Critical Infocomm Technology Resource Programme Plus (CITREP+) as a part of TechSkills Accelerator (TeSA), a programme which supports local professionals and working professionals to continuously reskill and stay abreast of the latest in-demand technical skills, to remain valued and competitive in Singapore. Singaporeans and permanent residents are also eligible for CITREP+ funding to take the CCSK examination.

“We look forward to seeing greater awareness, as well as deeper knowledge and understanding of cloud security in Singapore,” said Dr. Hing-Yan Lee, Executive Vice-President of CSA APAC. “With it, we expect increased cloud adoption towards achieving Singapore’s cloud vision of sharpening its overall competitiveness, as well as enhancing the vibrancy and growth of Singapore’s ICT sector through the development of a cloud ecosystem.”

There are several authorized CCSK training providers in Singapore. One of these is HP Education (HPE). Another authorized CCSK training provider is NTUC Leaning Hub Pte Ltd (LHUB) & RapidStart Pte Ltd. CSA plans to appoint more training providers to conduct CCSK training in Singapore.

Mr. Kwek Kok Kwong, CEO of LHUB shared, “Singapore is one of the most connected nations in the world. Digital technology is evolving everywhere, and it is becoming increasingly important to adopt measures that ensures security in the cyberspace. Time and again, we see cyber-attacks and it is crucial that we step up awareness of security amongst cloud users. We are therefore happy to partner with CSA to equip and deepen the necessary skillsets for individuals, in a bid to provide organisations with broader security capabilities when adopting cloud computing solutions for their businesses.”

“We are excited to announce our partnership with CSA which will continue to broaden our offerings in Cloud Computing Technology. There’s no doubt about the growing demand for skills and expertise in Cloud Computing and this partnership will enable us to join forces and collaborate with CSA together to address local industry needs”, said Dr Anton Ravindran CEO of Rapidstart Pte Ltd.”

Going forward, CSA will map CCSK to the Skills Framework for ICT, which is a guide for individuals, employers and training providers to promote ICT skills mastery and lifelong learning. The Skills Framework for ICT is also part of TeSA, an initiative of SkillsFuture. The framework can be used by employers to develop career maps and articulate job requirements, used by individuals to guide their skills identification and development to stay relevant, and used by training providers to devise ICT courses. Some critical skill areas include network and infrastructure, software development and engineering, data and analytics, cyber-security.

Since CSA first released CCSK in 2010, thousands of IT and security professionals have taken the opportunity to upgrade their skill sets and enhance their careers by obtaining the CCSK. Certification Magazine has listed CCSK at #1 on the Average Salary Survey 2016. CIO.com, Top Ten Cloud Computing Certifications, says: “This is the mother of all cloud computing security certifications. The Certificate of Cloud Security Knowledge certification is vendor-neutral, and certifies competency in key cloud security areas.”

In addition to the CCSK, CSA together with (ISC)2 has developed the Certified Cloud Security Professional (CSSP), which recognizes IT and information security leaders who have the knowledge and competency to apply best practices to cloud security architecture, design, operations and service orchestration.

About TechSkills Accelerator (TeSA)

The TechSkills Accelerator (TeSA) is a tripartite initiative between the government, industry and the National Trades Union Congress (NTUC), to build and develop a skilled Information and Communications Technology (ICT) workforce for the Singapore economy, and to enhance employability outcomes for individuals.

The Infocomm Media Development Authority (IMDA), which drives TeSA for ICT professional development, takes an integrated approach to ICT skills acquisition and practitioner training – in core ICT skills and in sector-specific ICT skills – and enhance employability outcomes through place and train programmes, and career advisory services. As of November 2017, TeSA has enabled more than 21,000 ICT professionals to upskill and reskill themselves.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

What is Standalone Virtual Reality, and Why Are Enterprises Betting On It?

If you are interested in virtual reality, you surely know that the buzzword of 2018 is “standalone.” All the major VR companies are betting on standalone VR devices: HTC Vive China president Alvin Wang Graylin announced in a recent interview that his goal for 2018 is to see standalone devices becoming successful and Oculus’ Hugo Barra has expressed a similar opinion.

But what are standalone VR devices? And why do all of these important people believe in them? Let me answer these questions for you.

What is a standalone VR device?
The typical virtual reality headset can come in two flavors:

  • Connected to a PC for an expensive, high performance experience (e.g. Oculus Rift and HTC Vive);
  • Integrated with your mobile phone for a cheap, low quality experience (e.g. Gear VR and Daydream).


Figure 1 Oculus Go standalone headset (Image credit: Oculus)

Standalone VR sits somewhere in the middle between these two extremes: it is a good quality experience, for an affordable price. But its peculiarity is that standalone VR headsets do not require anything else to work: they don’t need a phone or a PC; they work out of the box. A standalone device is similar to a mobile VR headset, but it already includes all the required electronical parts, it already embeds the display, the processing power and all the other hardware inside. It is a computer on its own.


Figure 2 Vive Focus device (Image credit: HTC Vive)

This means that the user can buy it, unbox it and then put it on his/her head to start living VR experiences immediately.

Why are all the companies betting on them?
Standalones offer a lot of clear advantages over the other available VR devices:

  • They are affordable. A standalone VR headset costs less than a Samsung phone plus GearVR or than an Oculus Rift plus VR-ready PC. Some standalones are really cheap: the upcoming Oculus Go, for instance, will cost only US $200, and this will let a lot of people afford entering virtual reality;
  • They are easy to use. They don’t require setups of any kind. Every person can use them, even without technological expertise. The user just has to just put the device on his/her head. This means that virtual reality may exit the techie realm and enter into the consumers domain;
  • They are handy. It is very easy to carry a headset with you by just putting it in your backpack;
  • They come in various flavors, like:
    • very cheap standalone devices, such as the Oculus Go and Pico Goblin, that offer a very basic experience;
    • more expensive devices that let the user move inside virtual reality, like the Vive Focus and Lenovo Mirage Solo;
    • Oculus Santa Cruz and Pico Neo that offer an expensive experience but with the ability to move and interact within the virtual world.

In my previous post, I highlighted how price and ease of use are two of the pain points of virtual reality. Standalone devices can solve both. They can make virtual reality mainstream and can be the key to eventually get 1 billion people in virtual reality, as Mark Zuckerberg wants. That’s why always more companies are betting on this form factor.

But …
There’s a big issue that I want to highlight: in the very short term, standalones are VR-only devices, so they require people to spend money just to experience virtual reality. But the general consumer still doesn’t understand the purpose of VR and, in fact, a lot of free Cardboards and Gear VRs gather dust on the shelves. This means that the various manufacturers will have to convince people why they need to spend money to have VR.

Standalone devices will be important for VR widespread diffusion. But, as you can see, the road to mainstream adoption is still long.

Antony Vitillo, AR/VR Consultant and Blogger

[ISACA Now Blog]

English
Exit mobile version