Privacy and technology

From ‘Results and analysis’:

“The 2012 combined dataset represents the largest we have ever covered in any single year, spanning 47,000+ reported security incidents, 621 confirmed data disclosures, and at least 44 million compromised records (that we were able to quantify). Over the entire nine-year range of this study, that tally now exceeds 2,500 data disclosures and 1.1 billion compromised records.”

(Source: datasecuritylawjournal.com)

Abstract:

“This paper proposes an analysis framework and model for estimating the impact of information security breach episodes. Previous methods either lack empirical grounding or are not sufficiently rigorous, general or flexible. There has also been no consistent model that serves theoretical and empirical research, and also professional practice. The proposed framework adopts an ex ante decision frame consistent with rational economic decision-making, and measures breach consequences via the anticipated costs of recovery and restoration by all affected stakeholders. The proposed branching activity model is an event tree whose structure and branching conditions can be estimated using probabilistic inference from evidence – ‘Indicators of Impact.’ This approach can facilitate reliable model estimation when evidence is imperfect, incomplete, ambiguous, or contradictory. The proposed method should be especially useful for modeling consequences that extend beyond the breached organization, including cascading consequences in critical infrastructures. Monte Carlo methods can be used to estimate the distribution aggregate measures of impact such as total cost. Non-economic aggregate measures of impact can also be estimated. The feasibility of the proposed framework and model is demonstrated through case studies of several publicly disclosed breach episodes.”

(Source: databreaches.net)

From the Executive Summary:

“As we had predicted throughout the year, 2012 broke the previous record in terms of number of reported data loss incidents. With 2,644 incidents recorded through mid-January 2013, 2012 more than doubled the previous highest year on record (2011). On a positive note, however, although the number of reported incidents increased, the number of records exposed decreased. Over 267 million records were exposed in the 2,644 incidents, significantly less than the 412 million records exposed in 2011.”

(Source: privacylives.com)

Uit ‘Inhoud en betekenis’:

“Dit besluit bevat een meldplicht voor certificatiedienstverleners ten aanzien van gekwalificeerde certificaten. Dit zijn certificaten waarvoor certificatiedienstverleners een registratieplicht hebben en waarop het toezicht in de Telecommunicatiewet betrekking heeft. Het betreft certificaten die geschikt zijn voor elektronische handtekeningen en waarbij die certificaten en de certificatiedienstverleners aan bij en krachtens de wet gestelde eisen moeten voldoen. Het besluit legt aan een certificatiedienstverlener de verplichting op een inbreuk op de veiligheid die of een verlies van integriteit dat aanzienlijke gevolgen voor de betrouwbaarheid of vertrouwelijkheid van door hem beheerde gekwalificeerde certificaten heeft of kan hebben onverwijld te melden aan de Onafhankelijke Post en Telecommunicatie Autoriteit (OPTA) en aan de Minister van Veiligheid en Justitie die voor het Nationale Cyber Security Centrum (NCSC) verantwoordelijk is.”

(Source: itenrecht.nl)

Section 1 of the Executive Order:

“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”

From ‘EU Cybersecurity plan to protect open internet and online freedom and opportunity’:

“The European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, has published a cybersecurity strategy alongside a Commission proposed directive on network and information security (NIS). The cybersecurity strategy – “An Open, Safe and Secure Cyberspace” - represents the EU’s comprehensive vision on how best to prevent and respond to cyber disruptions and attacks. This is to further European values of freedom and democracy and ensure the digital economy can safely grow. Specific actions are aimed at enhancing cyber resilience of information systems, reducing cybercrime and strengthening EU international cyber-security policy and cyber defence. […] The proposed NIS Directive is a key component of the overall strategy and would require all Member States, key internet enablers and critical infrastructure operators such as e-commerce platforms and social networks and operators in energy, transport, banking and healthcare services to ensure a secure and trustworthy digital environment throughout the EU. The proposed Directive lays down measures including: (a) Member State must adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents; (b) Creating a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organise regular peer reviews; (c) Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.”

From the decision:

“91. We […] find that a voluntary notification of a serious breach of the [Data Protection Principles] does not preclude the [Information Commissioner] from investigating the breach with a view to issuing an [Monetary Penalty Notice] as well as taking other enforcement action.”

(Source: dataprotector.blogspot.nl)

Uit de inleidende tekst:

“Dit kader is bedoeld als een handreiking om het mogelijk te maken dat kwetsbaarheden in ICT-systemen en producten op een verantwoorde manier worden gemeld en afgehandeld. Met de handreiking kunnen organisaties een eigen beleid op het gebied van responsible disclosure opstellen.”

(Source: security.nl)

From the Foreword by the Ausralian Attorney-General:

“In May 2008, the Australian Law Reform Commission (ARLC) concluded a 28-month inquiry into the effectiveness of the Privacy Act 1988 and related laws as a framework for the protection of privacy in Australia. In its report, the ALRC made 295 recommendations for reform in a range of areas, including creating unified privacy principles, updating our credit reporting system, and strengthening the powers of the Privacy Commissioner. The Government has responded to the majority of their recommendations through the introduction of the Privacy Amendment (Enhancing Privacy Protection) Bill in Parliament in May 2012. One of the ALRC’s other recommendations was that a mandatory data breach notification scheme be introduced. In responding to this recommendation, the threshold question that must be asked is whether the introduction of such a scheme is warranted.”

(Source: insideprivacy.com)

From ‘Trends and patterns’:

“If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 percent or 1,490,308 people. If all portable devices were encrypted from March 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people. It is clear that encryption of personal information on portable devices is still evolving and that more emphasis needs to be placed on accomplishing compliance with this feature of the law. It is also clear that compliance with the encryption requirement is a powerful tool to safeguard the personal information of millions of residents.”

(Source: privacylives.com)

From ‘Data breach notifications’:

“During 2011 my Office received 1167 data security breach notifications from 186 different organisations. This is a 300% increase in the numbers reported on in 2010 when we received 410 notifications. In 2009, before the introduction of the Code of Practice, the number of breach reports received by my Office was 119. As I stated in my Annual Report in 2010, I do not see this as an actual increase in the number of breaches occurring, rather a raised awareness of the need to notify my Office of a data security breach. […] 75% of reported breaches related to errors in postal mailing […]. In most cases, the breaches involved either multiple letters in the same envelope or a page relating to another individual incorrectly attached to a letter. These data security breaches are usually explained by human error. This shows that a large number of data security breaches could be prevented by simply taking a moment to examine documents prior to posting.”

(Source: privacylives.com)

From the executive summary:

“Negligent insiders and malicious attacks are the main causes of data breach. Thirtynine percent of organizations say that negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.”

(Source: insideprivacy.com)

Abstract:

“In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated, which are not? Which lawsuits settle, or are dismissed? Using a unique database of manually-collected lawsuits from PACER, we analyze the court dockets of over 230 federal data breach lawsuits from 2000 to 2010. We use binary outcome regressions to investigate two research questions: Which data breaches are being litigated in federal court? Which data breach lawsuits are settling? Our results suggest that the odds of a firm being sued in federal court are 3.5 times greater when individuals suffer financial harm, but over 6 times lower when the firm provides free credit monitoring following the breach. We also find that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. While the compromise of financial information appears to lead to more federal litigation, it does not seem to increase a plaintiff’s chance of a settlement. Instead, compromise of medical information is more strongly correlated with settlement. “

(Source: concurringopinions.com)

Uit ‘Doel van de regeling’:

“Met deze regeling wil Staatssecretaris Teeven […] bereiken dat bedrijven en overheid aan het College bescherming persoonsgegevens gaan melden dat zij zijn geconfronteerd met een lek in de beveiliging van hun geautomatiseerde verwerking van persoonsgegevens. Die melding moet alleen worden gedaan als aannemelijk is dat persoonsgegevens als gevolg van dat lek zijn blootgesteld aan een aanmerkelijke kans op verlies of onrechtmatige verwerking. “

(Source: bof.nl)

From the ‘Main findings’:

“We received at least partial responses to our Freedom of Information Act request from 350 Trusts, indicating that there have been no fewer than 806 breaches of data protection policy at 152 NHS Trusts in the UK. This is an average of just over 268 cases per year, significantly higher than the total number of breaches reported by the Information Commissioners Office. From these incidents, we have seen that the frequency, scale and scope of these breaches in data protection are of great concern. This report highlights how frequent breaches of data protection take place and the severity of the incidents disclosed, and the lack of public awareness about many of the breaches.”

(Source: out-law.com)