Privacy and Cybersecurity Law 

The ICO have been discussing data breach reporting under GDPR in a new webinar.

Here are the key points:

• GDPR introduces mandatory breach reporting.  This applies to accidental breaches and internal breaches – not just those that are deliberate or are about losing personal data externally.  Don’t forget about integrity and availability breaches (e.g. damage to records due to fire or flood as well as ransomware).  Temporary loss of data, according to EDPB Guidance can be a personal data breach.
• This does not mean that you have to report all general breaches of GDPR (eg. failure to present a suitable privacy notice).  Breach reporting only applies to breach of confidentiality, integrity or availability of data: the so-called the “CIA Triad”.  Similarly, breach notifications do not apply in relation to records relating to deceased persons (not covered by GDPR).
• The 72 hour timeline kicks in from “awareness” of the breach.  This equates to having a “reasonable degree of certainty” that the breach has occurred.  The ICO gave an example of a customer who complains that he/she has received someone else’s information.  This would constitute “awareness”.  It may be less clear, at the initial stage, whether an IT issue has resulted in a personal data breach as that may require more forensic/detailed investigation.
• In addition to deciding whether or not to notify a breach, you should always undertake a risk assessment to identify the scope and extent of the breach, contain it and stop it repeating or harming individuals.  This risk assessment will also impact the shape of the overall response.
• If a personal data breach has occurred and you are aware of it, it is then necessary to decide the level of risk associated with it to determine whether or not to notify the ICO.  In order to require notification, there should be more than a remote chance of harm.  If there is more than a remote chance of harm, then this would make the risk to rights and freedoms of individuals likely, triggering Article 33.  Equally, mere inconvenience is not enough.
• Article 33 sets out a number of pieces of information that should be provided with a notification.  It’s no excuse not to be able to provide this, even within 72 hour timeline.  So basic information will be required even if further information will be provided later as permitted by GDPR.
• The 72 hour deadline is “72 real hours” – so this includes evenings and weekends.  If a breach comes to your attention on Friday morning, it will need to be reported by Monday afternoon.  Extra resources are likely to be required to respond promptly.
• The ICO response will be quick (same day/next day) for serious breaches.  Less serious breaches may mean the ICO gets back to you in a couple weeks.
• You can report a breach by phone (available during working hours), or web form (available 24/7).  You don’t have to use the official ICO web form, but the ICO prefers it if you do as it contains all the relevant information.
• You always have to record breaches in your data breach log – the ICO can come and inspect this later if they wish.
• The ICO acknowledge the risk of “notification fatigue” and say that that’s the reason why notification to data subjects under Article 34 is only required where there is a likely high risk to rights and freedoms of relevant individuals.
• The sectors that have typically notified data breaches since 25 May are health, education, general business, local government and some law firms.
• The ICO repeat their general advice that “not every breach needs to be reported”.  It’s also the controller’s decision as to whether or not to report.  They also mention practical points such as an example where someone reported a loss of payslips and rang back a couple of hours later to say they had found them!  Better not to do this.
• The webinar also covered a number of live questions: One question was whether to report the situation where access rights to particular data have been inappropriately broad, but there is no evidence of actual unauthorised access.  The ICO think that this could be reportable if the situation had been allowed to last for a long time so there is, therefore, a significant risk of unauthorised access.  Presumably, if this happened for a short time, you could argue that the likelihood of unauthorised access was very limited.
• Someone else asked about data sent to an old address and then finding that the data subject had moved addresses without telling the controller.  This is not a breach of security, although you could separately ask yourself whether sending sensitive information by post is an appropriate security risk in the first place.

The Information Commissioner’s Office have released their Annual Report for 2018.  This blog summarises the key messages.

Information Commissioner’s Thoughts

Elizabeth Denham highlights the following in her foreword to the Report.

• The ICO has been involved in producing significant GDPR guidance in the last 12 months and has also run an internal change management process to ensure it is up to the demands placed upon it by GDPR (think: extra staff, new breach reporting functions and helplines).
• The ICO’s pay levels have fallen out of step with the rest of the public sector.  UK Government has given the ICO 3-year pay flexibility and some salaries have increased.
• The ICO has taken decisive action on nuisance calls and misuse of personal data.
• The ICO began investigation of over 30 organisations in relation to use of personal data and analytics for political campaigns.
• The ICO launched a “Why Your Data Matters” campaign – designed to work as a series of adaptable messages that organisations can tailor to inform their own customers of their data rights.

The Laws that the ICO Regulates

The Report refers to the Data Protection Act 1998 and the new Data Protection Act 2018 as well as the Freedom of Information Act 2000.

But don’t forget about the Privacy and Electronic Communications Regulations and the Investigatory Powers Act 2016. The ICO is also an authority to which organisations can report cyber incidents under the new Network and Information Systems Regulations 2018 (NIS).

Key Guides

The ICO has produced a Guide to GDPR – definitely worth a read.

The ICO has also produced an introduction to the Data Protection Bill and a Guide to the Law Enforcement Directive as well as significant other guidance.

The ICO have also supported other bodies in producing their own GDPR guidance:

• Direct Marketing Association;
• The National Health Service (NHS);
• The Health Research Authority; and
• The Department for Education.

There is also a new guidance on international transfers to reflect the Privacy Shield and guidance on the new case law on the concept of “disproportionate effort” in the Subject Access Code of Practice.

Data Sharing Codes of Practice

The ICO engaged with UK Government on data sharing codes arising from the Digital Economy Act 2017. This includes the publicly available register of information sharing agreements.

ANPR

Automatic Number Plate Recognition data used to be retained for 2 years. The ICO and the Surveillance Camera Commissioner raised concerns and the UK police have agreed to reduce the retention period to one year.

Participation in Global Networks

The ICO led the 2017 Global Privacy Enforcement Network Sweep with 24 regulators around the world looking at the control users have over their personal information. Privacy Notices of 455 websites that were assessed and often found inadequate.

Civil Monetary Penalties – Fines

The ICO issued 11 fines for serious security failures. The joint highest fine ever (£400k) was served on Carphone Warehouse.  There were significant fines for nuisance callers and spammers.

Criminal Investigations

The ICO launched 19 prosecutions and gained 18 convictions for data theft under the old Section 55 Data Protection Act 1998.

It also ran two investigations into acquisition of data in the Automotive Repair Industry and alleged breaches of Section 55 DPA 1998 by clients tasking private investigators to unlawfully obtain personal data. The case law involving the prosecution of private investigators and clients continues.

Self Reported Data Breaches

The number of self report breaches has increased by 29%. Under GDPR it is mandatory to report data breaches to the ICO.  There has been a significant spike in GDPR breach notification since 25 May 2018.

The sector that reported the largest number of breaches was health (37% of all cases).

Telephone Preference Service (TPS)

This is the central UK opt out register where individuals can object to telemarketing calls. In January 2017, the ICO took over responsibility for running TPS.  This enables quicker receipt and assessment of intelligence for ICO enforcement teams.

Funding/Notification Fees

Registration/notification fees collected in the last year totalled £21 million. This regime has, with effect from 25 May 2018, been replaced by a new fee regime which will be used to fund the ICO going forward.

Helpline calls

For obvious reasons, there has also been a spike in calls to the ICO helpline. Call numbers have increased by 24.1%.  Live chat has increased by 61.5%.  Written advice has increased by 40%.  Needless to say, the ICO is expanding its operations and recruiting more staff.

Brexit

We think the ICO has probably got enough of it on its plate with GDPR, e-privacy and all the new guidance. Then there’s Brexit!  There’s actually little comment on Brexit in the Annual Report other than to flag that it is one of the issues for the ICO.  Then again much of the detail on this has yet to be worked out.

The Commissioner concludes in her “foreword” that “the ICO is the proactive digital regulator the UK needs for ongoing challenges of upholding information rights in the digital world”.

Much more work to be done!

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced the first undertaking and fine involving text message violations under Canada’s Anti-Spam Legislation (CASL). This first, involves Quebec-based 514-BILLETS, a ticket broker for sporting and cultural events.

Between July 2014 and January 2016, the CRTC alleges 514-BILLETS sent text messages to recipients without their consent. The CRTC also alleges the company sent text messages without information that identified who sent the messages as well as failed to provide information to recipients that would allow them to easily contact 514-BILLETS.

514-BILLETS has agreed to pay  a total of $100,000 in compensation, appoint a compliance officer and institute a CASL-compliance program. 514-BILLETS will pay $75,000 in the form of $10 rebate couples to 7,500 clients and $25,000 to the Receiver General of Canada.

The CRTC’s media release can be read here.

The federal government released an Order in Council, dated March 26, 2018, announcing that the mandatory data-breach notification rules will come into force on November 1, on the recommendation of Navdeep Bains, Minister of Industry, Science and Economic Development.

After nearly three years, sections 10, 11, and 14, subsections 17(1) and (4) and sections 19 and 22 to 25 of the Digital Privacy Act, Chapter 32 will come into effect to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). The federal government released the proposed breach reporting rules in September 2017 and advised at that time that the proposed regulations will be delayed coming into force after their publications, meant to “give regulated organizations time to adjust their policies and procedures accordingly and ensure that systems are in place to track and record all breaches of security safeguards that they experience.”

With the amendment, PIPEDA will contain provisions requiring organizations to notify affected individuals and organizations of breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner. It also creates offences in relation to the contravention of certain obligations respecting breaches of security safeguards. Among the changes, the new rules will also give the privacy commissioner the power to enter into a “compliance agreement” with an organization in certain circumstance to ensure the organization’s compliance with PIPEDA.

Stay tuned for further updates.

On March 15, 2018, the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a joint Technical Alert (TA18-074A) warning “network defenders” in critical sector industries that “Russian government cyber actors” have been intentionally targeting U.S. government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since at least March 2016. These threat actors, according to the joint alert, have used this campaign to engage in reconnaissance missions and to obtain operational control of industrial control processes and systems.

The joint alert identifies two targets of the ongoing attack: “staging” and “intended” targets. Staging targets are those “peripheral organizations such as trusted third-party suppliers with less secure networks.” The threat actors use the “staging” targets’ networks as “pivot points and malware repositories when targeting their final intended victims,” the intended targets. Once compromised, the staging targets are used to download source code from intended targets’ websites and to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections. The threat actors ultimately seek to gain information from the intended target on “network and organizational design and control system capabilities within organizations.”

The joint alert identifies a variety of tactics used by the threat actors, including spear-phishing campaigns, watering-hole domain attacks, and collecting publicly available information:

• Spear-Phishing. Through spear-phishing, the threat actors use email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server, which allows the threat actor to gain access to user credentials. With user credentials, and using a password-cracking technique, “the threat actors are able to masquerade as authorized users in environments that use single-factor authentication.”
• Watering-Hole. Through watering-hole attacks, the threat actors compromise “the infrastructure of trusted organizations to reach intended targets. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.” These watering-holes host legitimate content developed by reputable organizations, but the threat actor alters the website to contain and reference malicious content. The threat actors use legitimate credentials to access and directly modify the website content. Once on the website, the victim provides credentials.
• Public Information. The threat actors review information “posted to company websites, especially information that may appear to be innocuous, [to gain access to] operationally sensitive information.” In one example, the threat actors downloaded a small photo from a publicly accessible human resources page, which when expanded was “a high-resolution photo that displayed control systems equipment models and status information in the background.”

Once threat actors gain access to the network, the DHS and FBI warn they conduct “reconnaissance operations within the network,” including “identifying and browsing file servers within the intended victim’s network.” Perhaps most troubling, the DHS and FBI identified in multiple instances “the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities.” This access would allow the threat actors to control operations within the organization, including control of certain energy sectors.

Takeaways

The new joint alert highlights the dynamic threat landscape facing organizations. Although the alert provides technical advice concerning the identification and deterrence of the ongoing attacks, it also provides best practices applicable to the campaign. Many of the recommendations apply outside of the critical sector industries, and provide a timely reminder that all organizations should review their cybersecurity practices and policies on an ongoing basis. Some of the recommended best practices include:

• Reviewing your existing third party contracts to determine cybersecurity vulnerabilities and protections;
• Monitoring VPN logs for abnormal activity;
• Deploying web and email filters on the network;
• Ensuring proper training to inform end users on proper email and web usage;
• Establishing a complex password policy;
• Using multi-factor authentication;
• Assigning appropriate personnel to review logs;
• Completing “independent security (as opposed to compliance) risk review”; and
• Preparing a robust incident response plan.

If you or your organization is looking to create new, or update existing cybersecurity policies or practices, or you have any questions about this joint alert and how your organization may be impacted, please reach out to the Dentons cybersecurity team to discuss how our cost effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.