How to Forge a Cyber-Security Strategy for 2018

Intrusion Detection System
Much of having a strong information security plan is depending on having the tools to detect breaches in the first place. Without the technical tools in place to realise you’re under attack, your business continuity planning and risk prevention might as well be pointless. Just to give you an example of the headaches this will cause in the future if not addressed: under the GDPR you’re obligated to put into place a comprehensive personal data breach notification system (to both the Information Commissioners Office and affected victims of personal data theft). However, this requirement can only be fulfilled if you have the means to detect that a breach has happened if the first place. The fines we’ve seen so far indicate that not being aware of breaches is actually a far bigger compliance hazard then the steps you need to take afterwards.

How to Protect Personal Data When Moving It Between Countries while working in a Global Company

The upcoming EU GDPR introduces a relatively new method of ensuring adequate protection for personal data when it is transferred to countries outside the European Economic Area between different sections of the same corporate group.

These are known as “Binding Corporate Rules” and are seen as the new gold standard of intra-company data protection standards.

These were developed because using constant repeated contractual arrangements is not a cost-effective or practical way of legitimising international transfers for data-reliant organisations operating across the globe.

Essentially, a set of BCRs must be based upon European Privacy standards and include the following:

The Sea-Change of the Concept of Privacy and its Consequences

"Privacy". It's all the rage nowadays. More and more laws are being drafted for purposes of protecting personally identifiable data, not least the massive upcoming EU General Data Protection Regulation.

But while Privacy may be becoming increasingly valued in the era of "big data" - where giant multi-national corporations devour information to fuel in-house machine learning and other forms of normative Artificial Intelligence - that certainly wasn't always the case. Not until quite recently in fact.

"Privacy" as a concept didn't even exist in formative English common law (beyond very limited torts). In fact, apart from the embryonic 4th Amendment to the U.S Constitution, the weren't any decently strong protections for privacy in the Western world until the passage of the European Convention on Human Rights. Article 8 of the ECHR may in theory ordain a right to privacy but it has so many qualifiers:

"except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

Before the information age, privacy really wasn't seen as a big deal, especially compared to the unqualified rights portrayed in the ECHR such as freedom from torture, right to a fair trial etc that were deemed a far higher priority to protect. But that's all changing now.

When Do You Actually Need a Data Protection Officer under the GDPR?

You can hear the rumbling on the horizon. That's right, GDPR is coming. But no need to panic; as long as you're aware of what exactly you have to comply with - and make solid, demonstrable steps towards compliance - you should be fine.

So with that in mind, let's focus on one of the absolute key areas of the legislation that has organisations concerned. That's right; appointing a Data Protection Officer. Basically, according to Articles 35-39 you must appoint one in three specified situations:

where processing is carried out by a public authority;
if the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale; or
if the core activities consist of processing special categories of personal data on a large scale.

Now, that may seem simple enough. But statutes always seems simple until you actually have to apply them. For example, what do they mean by "core activities" or "large-scale" or "regular and systematic monitoring"? There's no real body of case law to help us after all.

Have no fear, because in December 2016, the Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission) helped clarify all of this.

Personal Data Breaches

What are my Obligations under the GDPR?

Data breaches. Even the phrase itself sends chills down the spines of CISOs and CPOs. Protecting your organisation against such a threat is a key obligation of the upcoming EU General Data Protection Regulation. That responsibility is defined under the so called "security principle" wherein all appropriate safeguards have to be taken to ensure effective information security via best practice standards such as ISO 27001/2 and NIST security controls.

However, putting all of that to the side, what most organisations need to understand right away is what their legal obligations are AFTER a data breach has occurred (after all, they are increasing in frequency at a seemingly exponential rate).

So, let's get down to brass tacks; what is a personal data breach exactly?

Article 4(12) of the GDPR provides the definition of ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

Articles 33 and 34 impose requirements on data controllers to notify personal data breaches to their data protection authority (in the UK's case this would be the Information Commissioner's Office) and, in certain circumstances, to communicate with the people impacted by the breach.

Continue reading