The Sony PlayStation Network Hacking Case (An Analysis of the UK ICO’s Resolution)
Posted by Armando Becerra on October 8, 2013
On January 14, 2013, the UK Information Commissioner’s Office imposed a monetary penalty of GBP 250,000 on Sony PlayStation Network for a serious breach of the UK Data Protection Act, a penalty that Sony eventually decided, in July, not to appeal. The penalty followed the hacking of the company in April 2011, which compromised the personal information of millions of its customers. In this article, I highlight why the ICO made a brilliant move and interpretation of the Act.
Filed under Armando Becerra, Comments, English, Europe, European Union, United Kingdom · Tagged with accountability, data breach, data security breaches, Information Commissioner’s Office, monetary penalty, Sony PlayStation Network, UK Data Protection Act of 1998, vulnerability
Posted by anniecbai on September 22, 2013
Recent massive data breaches prompt a discussion of the movement for new thinking, new strategies and new leadership in IT security. In the new paradigm, outright prevention is no longer the sole goal: companies need to make nuanced risk-management decisions that protect their data while still allowing them to do business.
Filed under Annie C. Bai, English, Europe, European Union, Germany, Opinions · Tagged with Anonymous, BYOD, cybersecurity, cyberthreat, data breach, data security, Federal Office for Information Security (Germany), hackers, insider data breach, IT security, OVH, risk management, security breach, spearphishing, Ubuntu, Vodafone, Vodafone Deutschland
The European Network and Information Security Agency (ENISA) has recently published a report on data breach notifications in the European Union. ENISA surveyed data protection authorities, telecommunications regulatory authorities and telecom operators from several EU countries, as well as from non-EU countries such as the United States.
Drawing on the responses of these stakeholders, the report helps readers understand the practices and challenges of the forthcoming mandatory data breach notification regime, and aims to assist public authorities and private organizations in the EU as they implement data breach notification policies by providing a set of recommendations.
(A summary is also available in French.)
Filed under Cédric Laurant, English, Europe, European Union, Farid Bouguettaya, Non-EU, Outlines, Reports & Surveys · Tagged with "Telecom Package", Article 29 Data Protection Working Party, best practices, black lists, breach mitigation measures, data breach, data breach inventory, data breach notification, data breach notification policy, data breach notification procedures, data breaches, data ombudsman, data protection, data protection officer, data security, data security breaches, deterrence measures, ENISA, EU Directive 2002/58/EC, EU Directive 2009/136/EC, EU Directive 95/46/EC, EU e-Privacy Directive, EU Regulation 460/2004/EC, European Commission, European data protection authorities, European Data Protection Supervisor, European Network and Information Security Agency, financial sector, fines, Germany, guidelines, healthcare sector, Information Commissioner Office (UK), information security, information security policy, Internet service providers, media exposure, monetary penalties, negative publicity, Norway, personal data, publicly available electronic communications services, regulatory authorities, Royal Decree (No. 1720/2007) (Spain), security document, Spain, technical implementing measures, telecommunications operators, telecommunications sector, Turkey, undue delay, United Kingdom, United States
A French bill “to better guarantee the right to privacy in the digital age” implements European Directive 2009/136/EC by requiring the data controller to inform the “Data Protection Correspondent” (a person within an organization who could be the controller or someone assisting the controller) or, in the absence of such a correspondent, the French data protection authority (the Commission Nationale de l’Informatique et des Libertés) of a breach of integrity or confidentiality. The individuals concerned must also be informed, at least where the security breach is “likely to adversely affect” their personal data. The bill follows the Directive’s recommendation to notify individuals of security breaches in all sectors, not just electronic communications. It was adopted by the French Senate on March 24, 2010 and is currently before the National Assembly.
(A French version of this article is also available on this blog.)
Filed under Cédric Laurant, Comments, Countries, English, EU Law, Europe, European Union, France, Marie-Andrée Weiss · Tagged with Act No. 78-17 of January 6 1978, Act on Data Processing Data Files and Individual Liberties, California, California Office of Privacy Protection, California Security Breach Notification Act, CNIL deliberation No. 81-94 of July 21 1981, Commission nationale de l’informatique et des libertés, contract, contractual clauses, data breach, data confidentiality, data controller, data protection correspondent, data security, data security breaches, EU Directive 2002/58/EC, EU Directive 2009/136/EC, French Data Protection Act, French Data Protection Authority, French National Assembly, French Senate, general IT security measures, personal data, security breach, security breach notification, technological protection measures, unauthorized access, United States