The State of the State: U.S. Government Data Breaches
Posted by anniecbai on June 8, 2013 · 1 Comment
Government data breaches run the gamut, but recently we are hearing about years-old security vulnerabilities that were discovered not by the government agencies themselves but by outsiders. Plus, a review of the broad numbers on U.S. government data breaches over the past four years.
Filed under Annie C. Bai, Comments, English, North America, United States · Tagged with Adobe ColdFusion, computer security incident, contractor cybersecurity problem, cyber detection, cybersecurity, cybersecurity attacks, data breaches, data loss, data security, data vulnerabilities, database activity monitoring, Department of Homeland Security, employee privacy awareness, employee privacy training, Federal Information Security Management Act of 2002, government data breach, government-held personal information, hacking, hacktivists, National Archives and Records Administration, network protection, personal information, personally identifiable information, phishing, physical security measures, PII, segmentation measures, side-channel attack, Social Security Number, State of Washington, third-party discovery, third-party vulnerability, Transportation Security Administration, TSA, Unisys, United States, Washington State
The European Union is working on a revised set of rules for its data protection framework. The concept and principles of “privacy by design” have been incorporated into this draft. We will assess whether data masking can be considered an effective data security measure and whether it fulfills the privacy by design principles. Data masking is not encryption: it replaces real data with fictitious but realistic data, typically so that test environments never hold the real values at all.
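As an added illustration (written for this page, not code from the original post or its authors), the following Python script shows what a basic masking pass over a customer table looks like. It assumes records with the hypothetical field names `name`, `ssn` and `email`, uses a keyed hash so that the same real value always produces the same surrogate (joins across masked tables still work), and regenerates every digit of the identifier rather than keeping a “real” fragment. The sample records are constructed, not real people.

```python
"""Deterministic data masking for producing a test-data copy of production records.

Added example for this page (not from the original post). Same real value -> same
fictitious value within one masking run, but nothing in the output can be turned
back into the original without the key, which is discarded once the copy is made.
"""
import hashlib
import hmac
import os
import random
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Small pools of plausible-looking surrogate values (constructed for this example).
FIRST_NAMES = ["Alex", "Dana", "Jordan", "Morgan", "Riley", "Sam", "Taylor", "Casey"]
LAST_NAMES = ["Hill", "Lane", "Reed", "Ford", "Cole", "Park", "Bell", "Shaw"]


def _rng_for(key: bytes, field: str, value: str) -> random.Random:
    """Seed a PRNG from HMAC(key, field || value).

    Same input gives the same surrogate (referential integrity); without the key
    the surrogate reveals nothing about the original value.
    """
    digest = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def mask_name(key: bytes, name: str) -> str:
    rng = _rng_for(key, "name", name)
    return f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"


def mask_ssn(key: bytes, ssn: str) -> str:
    """Replace an SSN-shaped identifier with a well-formed but fictitious one.

    All nine digits are regenerated: keeping e.g. the last four digits would be
    redaction, not masking, and would still leak part of the real value.
    """
    if not SSN_RE.match(ssn):
        raise ValueError(f"unexpected SSN format: {ssn!r}")
    rng = _rng_for(key, "ssn", ssn)
    while True:
        area = rng.randrange(1, 900)  # skip 000 and the 900-999 range
        if area == 666:
            continue
        candidate = f"{area:03d}-{rng.randrange(1, 100):02d}-{rng.randrange(1, 10000):04d}"
        if candidate != ssn:  # never hand back the real value
            return candidate


def mask_email(key: bytes, email: str) -> str:
    """Surrogate mailbox; the real domain is dropped too, since it can identify an employer."""
    rng = _rng_for(key, "email", email)
    local = f"{rng.choice(FIRST_NAMES)}.{rng.choice(LAST_NAMES)}{rng.randrange(10, 100)}".lower()
    return f"{local}@example.com"


# Hypothetical field names for this example; a real job would read them from a data inventory.
SENSITIVE_FIELDS = {"name": mask_name, "ssn": mask_ssn, "email": mask_email}


def mask_record(key: bytes, record: dict) -> dict:
    masked = dict(record)  # non-sensitive fields (ids, timestamps) are kept as-is
    for field, fn in SENSITIVE_FIELDS.items():
        if field in masked:
            masked[field] = fn(key, masked[field])
    return masked


def mask_dataset(key: bytes, records: list) -> list:
    return [mask_record(key, r) for r in records]


def leaked_values(records: list, masked: list) -> list:
    """Return every real sensitive value that still appears anywhere in the masked output."""
    blob = "\n".join(str(v) for m in masked for v in m.values())
    return sorted({str(r[f]) for r in records for f in SENSITIVE_FIELDS if f in r and str(r[f]) in blob})


SAMPLE_RECORDS = [  # constructed sample input, not real people
    {"id": 1, "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane.doe@corp.example"},
    {"id": 2, "name": "John Roe", "ssn": "987-65-4321", "email": "john.roe@corp.example"},
    {"id": 3, "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane.doe@corp.example"},  # same person twice
]

if __name__ == "__main__":
    key = os.urandom(32)  # one-off key for this masking run; discard it afterwards
    masked = mask_dataset(key, SAMPLE_RECORDS)
    for row in masked:
        print(row)
    assert masked[0]["ssn"] == masked[2]["ssn"]  # same real person -> same surrogate
    assert not leaked_values(SAMPLE_RECORDS, masked)
```

Two caveats follow from the design. First, as long as the key exists, the mapping is a pseudonymisation rather than an anonymisation: whoever holds the key can recompute which surrogate belongs to which real value, so the key must be generated per run and destroyed, or the output must be treated as personal data. Second, the `leaked_values` check at the end is the test a reviewer should actually ask for: it confirms that no original sensitive value survives anywhere in the masked copy, which is the property that distinguishes masking from redaction or partial truncation.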
Filed under Cédric Laurant, English, Europe, European Union, Joseph Santangelo, North America, Notes, United States · Tagged with advanced data masking, anonymization, basic data masking, data anonymization, data breaches, data masking, data protection, data protection by default, data security breaches, de-identification, encryption, EU General Data Protection Regulation, European Data Protection Supervisor, obfuscation, PbD, personal data, privacy by design, privacy professionals, privacy-protective technology, provisioning systems, redaction, scheduling systems, security breaches, sensitive information, technical and organizational measures, United States, US Federal Trade Commission
Posted by Cédric Laurant on November 11, 2011 · 1 Comment
“Is Your Company at Risk? New Digital Risks and Computer Attacks: Forensic and Data Protection Aspects – International Perspectives and the New Colombian Legislation.” A conference (in Spanish) about the recent Colombian data protection law, on Nov. 16, 2011 at the Universidad EAFIT in Medellin, Colombia.
Filed under Cédric Laurant, Colombia, Conferences, English, Español, Latin America, South America · Tagged with ASOTO Technology Group, Cedric Laurant Consulting, Colombia, computer forensics, cybercrime, cybersecurity, cyberwarfare, data protection, data protection law, European Union, information security, Latin America, privacy, public policy, security breaches, United States, Velasco & Calle d'Alleman
The European Network and Information Security Agency has recently published a report on data breach notifications in the European Union. ENISA surveyed data protection authorities, telecommunications regulatory authorities and telecom operators from different countries in the EU, but also from other non-EU countries such as the United States.
Using the various stakeholders’ responses, the report helps readers understand the practices and challenges of the forthcoming mandatory data breach notification regime, and aims to assist public authorities and private organizations in the EU as they implement data breach notification policies by providing a set of recommendations.
(Summary also available in French)
Filed under Cédric Laurant, English, Europe, European Union, Farid Bouguettaya, Non-EU, Outlines, Reports & Surveys · Tagged with "Telecom Package", Article 29 Data Protection Working Party, best practices, black lists, breach mitigation measures, data breach, data breach inventory, data breach notification, data breach notification policy, data breach notification procedures, data breaches, data ombudsman, data protection, data protection officer, data security, data security breaches, deterrence measures, ENISA, EU Directive 2002/58/EC, EU Directive 2009/136/EC, EU Directive 95/46/EC, EU e-Privacy Directive, EU Regulation 460/2004/EC, European Commission, European data protection authorities, European Data Protection Supervisor, European Network and Information Security Agency, financial sector, fines, Germany, guidelines, healthcare sector, Information Commissioner Office (UK), information security, information security policy, Internet service providers, media exposure, monetary penalties, negative publicity, Norway, personal data, publicly available electronic communications services, regulatory authorities, Royal Decree (No. 1720/2007) (Spain), security document, Spain, technical implementing measures, telecommunications operators, telecommunications sector, Turkey, undue delay, United Kingdom, United States
A French bill “to better guarantee the right to privacy in the digital age” has implemented European Directive 2009/136/EC by requiring the data controller to inform the “Data Protection Correspondent” (a person within the organization who could be the controller or someone assisting the controller), or in the absence thereof, the French data protection authority (the Commission Nationale de l’Informatique et des Libertés), of a breach of integrity or confidentiality. The individuals concerned must also be informed, at least where the security breach is “likely to adversely affect” their personal data. The bill follows the Directive’s recommendation to notify individuals of security breaches in all sectors, not just electronic communications. It was adopted by the French Senate on March 24, 2010 and is currently before the National Assembly.
(A French version of this article is also available in this blog.)
Filed under Cédric Laurant, Comments, Countries, English, EU Law, Europe, European Union, France, Marie-Andrée Weiss · Tagged with Act No. 78-17 of January 6 1978, Act on Data Processing Data Files and Individual Liberties, California, California Office of Privacy Protection, California Security Breach Notification Act, CNIL deliberation No. 81-94 of July 21 1981, Commission nationale de l’informatique et des libertés, contract, contractual clauses, data breach, data confidentiality, data controller, data protection correspondent, data security, data security breaches, EU Directive 2002/58/EC, EU Directive 2009/136/EC, French Data Protection Act, French Data Protection Authority, French National Assembly, French Senate, general IT security measures, personal data, security breach, security breach notification, technological protection measures, unauthorized access, United States
A central aspect of every cloud service contract is the security of data processing. It is therefore important, if only for liability reasons, that responsibility for specific security measures be clearly assigned. One way to do this is a security service level agreement between the cloud service provider and its client that states which party is responsible for each security measure.
Storing data in a cloud located outside the EU raises specific legal compliance issues. According to some experts, such clouds are even unlawful. There are, however, ways for a data controller to store data in a cloud located in a third country and remain in compliance with German data protection law. To satisfy the adequate-level-of-protection requirement, the data exporter must use the standard contractual clauses in all contracts with a cloud service company located outside the EU. Binding corporate rules are the alternative solution, though only for private clouds.
Filed under Cédric Laurant, Comments, English, EU Law, Europe, European Union, Germany, Marie-Andrée Weiss, Outlines · Tagged with adequate level of data protection, anonymization, Argentina, Article 26 (EU DP Dir.), Article 29 Working Party, BDSG, Binding corporate rules, Bundesdatenschutzgesetz, cloud computing, cloud service contract, cloud service provider, confidentiality, data controller, data processing security, Data Protection Authority, data protection law, data security, data security breaches, Datenschutzzentrum, Düsseldorfer Kreis, Dr. Thilo Weichert, encryption, EU Directive 95/46/EC, European Commission, European Privacy Seal, EuroPriSe, external audit, German Federal Data Protection Act, Germany, Google, IaaS, integrity, liability, PaaS, personal data, private cloud, pseudonym, public cloud, SaaS, Safe Harbor Framework, Safe Harbor self-certification, SAS 70, Security Service Level Agreement, standard contractual clauses, State of Schleswig-Holstein, Switzerland, third country, third party, United States, Yahoo
Canadian Industry Minister Tony Clement introduced a bill on May 25, the Safeguarding Canadians’ Personal Information Act (C-29), which would amend Canada’s national privacy legislation, the Personal Information Protection and Electronic Documents Act of 2000 (“PIPEDA”). C-29 would introduce a security breach disclosure (called “notification” in the United States) requirement into PIPEDA. Canada does not yet have such a law, unlike the United States, where most states have enacted data breach notification statutes.
Filed under Canada, Canadian Law, Cédric Laurant, Comments, English, Marie-Andrée Weiss, North America, Outlines · Tagged with bad publicity, C-29, customer information, damage to reputation, data breach notification statute, data breaches, data security breaches, Facebook, humiliation, identity theft, information system, material breach, online reputation, PIPEDA, potential breaches, preemption, Privacy Commissioner of Canada, profile building companies, public confidence, reputation, search engines, security breach, security breach disclosure, security breach notification, sensitive information, significant harm, social networking sites, systemic problem, TJX, United States