Act Now Launches New RIPA E Learning Course


The Investigatory Powers Commissioner’s Office (IPCO), like its predecessor the Office of the Surveillance Commissioner (OSC), undertakes inspections of public authorities to ensure their compliance with Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). A common feature of an IPCO report into a council is the highlighting of the lack of regular refresher training for those who undertake covert surveillance, including when using social media.

The coronavirus pandemic as well as decreasing council budgets means that training staff is difficult to say the least. Social distancing and home working make face to face training impossible and live online training may not always be cost effective for those who need a quick refresher.  

Act Now Training is pleased to announce the launch of RIPA Essentials. This is a new e learning course, consisting of an animated video followed by an online quiz, designed to update local authority employees’ knowledge of Part 2 of RIPA which covers Directed Surveillance, Intrusive Surveillance and CHIS. Designed by our RIPA experts, Ibrahim Hasan and Steve Morris, it uses simple clear language and animation to make the complex simple. 

In just 30 minutes your employees can learn about the main provisions of Part 2 of RIPA including the different types of covert surveillance, the serious crime test and the authorisation process. It also covers how RIPA applies to social media monitoring and how to handle the product of surveillance having regard to data protection. All this at a time and in a place of your employees’ choosing. (See the full contents here.)

Steve Morris said: 

“Ibrahim and I have over 40 years of experience in training and advising local authorities on covert surveillance and RIPA. We have used this experience, as well as the latest guidance from the Home Office and IPCO, to produce an online training course which is engaging, interactive and fun.” 

With full admin controls, RIPA Essentials will help you to build a RIPA compliance culture in your organisation and develop a workforce that is able to identify and address privacy risks when conducting surveillance. The course is specifically designed for local authority investigators including trading standards officers, environmental health officers, licensing officers, auditors and legal advisers.  

You can watch a demo of RIPA Essentials here. Prices start from as little as £69 plus VAT per user. For a bespoke quote please get in touch.

RIPA Essentials follows the successful launch of GDPR Essentials which has been used by our clients to train thousands of staff in the public and private sector.


Act Now Launches New Advanced Certificate in GDPR Practice


Act Now Training is pleased to announce the launch of the Advanced Certificate in GDPR Practice. It comes following 12 months of development and as a result of the success of our GDPR Practitioner Certificate which, over the last few years, has cemented its position as the gold standard for data protection qualifications.  

Our courses are practical and jargon free. We focus on teaching the skills and knowledge to help delegates do their job every day. Our aim is to help delegates become the most complete DPO for the ever-changing privacy landscape.  

“The training provided practical guidance with useful examples to help inform my application of GDPR in the workplace. The focus was on how to use it rather than learning all the legal minutiae, and from the first session I was able to go away and use what I’d learnt in my Information Governance role.”
EG, Hampshire CC

“A highly informative and interactive course which helped to join the dots together and add layers to my understanding of a complex area. I had some reservations as to how it would be possible to achieve an effective course remotely and would it be as engaging as a classroom-based alternative. Frank managed all this and more, he was approachable, highly knowledgeable and made sure the participants were understanding the content. I would not hesitate to recommend to colleagues.”
SW, Harrogate BC

Having trained over 1500 data protection professionals on our GDPR Practitioner Certificate, we have now answered their call for a more advanced GDPR qualification to help them enhance their skills and knowledge. 

The new Advanced Certificate in GDPR Practice consists of a series of challenging masterclasses in which delegates will analyse and evaluate thought-provoking case studies designed to help them deconstruct and interpret complex GDPR issues. This will help them gain a deeper understanding of the GDPR and further their ability to navigate the legislation and its application. 

The course is set over three days, with approximately one masterclass per month, and will take a total of 12 weeks to complete. Delegates should expect to do at least five hours of self-study prior to each masterclass. A practical project must be submitted at the end of the course.

This course has been designed and will be delivered by our senior associate, Susan Wolf, and our director, Ibrahim Hasan. Susan has over ten years’ experience teaching practitioners on the LLM Information Rights Law and Practice at Northumbria University. She has also designed our very popular FOI Practitioner Certificate course. Ibrahim has been designing and delivering practical data protection courses for over 20 years.

Ibrahim said: 

“I am really looking forward to teaching this course. I hope to challenge, inspire and provoke delegates into thinking about advanced GDPR concepts and their application.
It will be hard work for the delegates (and the tutor) but worth it! 

These together with a series of practical tasks is sure to enthuse and excite delegates on their way to advancing their skills.” 

This advanced course is exclusively available to those who have completed the Act Now GDPR Practitioner Certificate, as it builds on the knowledge and skills developed in that course. There is an application process for places, which are limited to 8 per course.

The course has a special introductory price of £2,150 plus VAT, which is £500 off the RRP. Application forms are available on our website. If you wish to discuss your suitability for this course before applying, please get in touch and we will be happy to help.


Ticketmaster Fined £1.25m Over Cyber Attack


GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.  

The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details, which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK.

As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these banks and others had warned Ticketmaster of suspected fraud. Despite these warnings, it took Ticketmaster nine weeks to start monitoring activity on its payments page.

The ICO found that Ticketmaster failed to: 

  • Assess the risks of using a chat-bot on its payment page 
  • Identify and implement appropriate security measures to negate the risks 
  • Identify the source of suggested fraudulent activity in a timely manner 

James Dipple-Johnstone, Deputy Information Commissioner, said: 

“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not. 

Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud. 

The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”

In a statement, Ticketmaster said:  

“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO.
We plan to appeal [against] today’s announcement.” 

Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.   

Ticketmaster is also facing civil legal action by thousands of fraud victims. Law firm Keller Lenkner, which represents some of these victims, said: 

“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers,” said Kingsley Hayes, the firm’s head of cyber-crime.  

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.) 

75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe. Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.

We have some places available on our forthcoming Cyber Security for DPOs workshop. This and other GDPR developments will be covered in our next online GDPR update workshop.


The Marriott Data Breach Fine


The Information Commissioner’s Office (ICO) has issued a fine to Marriott International Inc for a cyber security breach which saw the personal details of millions of hotel guests being accessed by hackers. The fine does not come as a surprise as it follows a Notice of Intent, issued in July 2018. The amount of £18.4 million though is much lower than the £99 million set out in the notice.  

The Data 

Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.  

The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK. 

The Cyber Attack 

In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system, giving them the ability to access and edit the contents of this device remotely. This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and to other devices on the network to which that account would have had access. Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.

The ICO acknowledged that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers. However, it was found to have breached the Security Principle (Article 5(1)(f)) and Article 32 (Security of personal data). The fine only relates to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014.

Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount.  

It is also essential that DPOs have a good understanding of cyber security. We have some places available on our Cyber Security for DPOs workshop in November. 

The Information Commissioner, Elizabeth Denham, said: 

“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”

“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.” 

Marriott said in a statement:

“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”

Marriott has also said that it does not intend to appeal the fine, but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.  

This is the second highest GDPR fine issued by the ICO. On 16th October British Airways was fined £20 million, also for a cyber security breach. (You can read more about the causes of cyber security breaches in our recent blog post.) The first fine was issued in December 2019 to Doorstep Dispensaree Ltd for a comparatively small amount of £275,000.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate is fully booked. We have added more courses.


The ICO’s New Subject Access Guidance


GDPR has introduced some new Data Subject rights including the right to erasure and data portability. The familiar right of Subject Access though still remains albeit with some additional obligations. Last week the Information Commissioner’s Office (ICO) published its long awaited right of access detailed guidance following a consultation exercise in December. The guidance provides some much needed clarification on key subject access issues Data Controllers have been grappling with since May 2018. 

Reasonable Searches 

Sometimes Data Subjects make subject access requests with the aim of creating maximum work for the recipient. “I want to see all the documents you hold which have my name in them, including e mails” is a common one. How much effort has to be made when searching for such information? The new guidance states that Controllers should make reasonable efforts to find and retrieve the requested information. However, they are “not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.” Factors to consider when determining whether searches may be unreasonable or disproportionate are:

  • the circumstances of the request; 
  • any difficulties involved in finding the information; and 
  • the fundamental nature of the right of access. 

Thus there is no obligation to make every possible effort to find all instances of personal data on the Data Controller’s systems. However, the burden of proof is on Controllers to be able to justify why a search is unreasonable or disproportionate. 

Stopping the Clock 

Data Controllers have one month to respond to a subject access request. Normally this period starts from the day the request is received. Previously the ICO guidance stated that the day after receipt counted as ‘day one’. The ICO revised its position last year following a Court of Justice of the European Union (CJEU) ruling.

Data Controllers can ask the Data Subject to clarify their request, if it is unclear what they want, but this often leaves little time to meet the one month deadline. Having considered consultation responses, the ICO’s position now is that where a request requires clarification, in certain circumstances, the clock can be stopped whilst Controllers are waiting for clarification. 

Manifestly Unfounded and Excessive 

Article 12(5) of GDPR allows Data Controllers to refuse a Data Subject request or charge a fee where it is “manifestly unfounded or excessive.” The burden of proving this is on the Controllers whose staff often struggle with these concepts. The ICO has now provided additional guidance on these terms. 

A request may be manifestly unfounded if: 

  • The individual clearly has no intention to exercise their right of access; or 
  • The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual: 
      ◦ explicitly states, in the request itself or in other communications, that they intend to cause disruption; 
      ◦ makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice; 
      ◦ targets a particular employee against whom they have some personal grudge; or 
      ◦ systematically sends different requests to the Controller as part of a campaign, e.g. once a week, with the intention of causing disruption. 

To determine whether a request is manifestly excessive Data Controllers need to consider whether it is clearly or obviously unreasonable. They should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request, including: 

  • the nature of the requested information; 
  • the context of the request, and the relationship between the Controller and the individual; 
  • whether a refusal to provide the information or even acknowledge if the Controller holds it may cause substantive damage to the individual; 
  • the Controller’s available resources; 
  • whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or 
  • whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).  

The Fee 

What can be included when charging a fee for manifestly unfounded or excessive requests? The new guidance says Data Controllers can take into account the administrative costs of: 

  • assessing whether or not they are processing the information; 
  • locating, retrieving and extracting the information; 
  • providing a copy of the information; and 
  • communicating the response to the individual. 

A reasonable fee may include the costs of: 

  • photocopying, printing, postage and any other costs involved in transferring the information to the individual; 
  • equipment and supplies (e.g. discs, envelopes or USB devices). 

Staff time can also be included in the above, based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. In the absence of relevant regulations under the Data Protection Act 2018, the ICO encourages Data Controllers to publish their criteria for charging a fee and how they calculate it.

Finally, the new ICO guidance emphasises the importance of preparation, particularly the need to have:

  • Training for employees to enable them to recognise subject access requests;  
  • Specific people appointed to deal with requests; 
  • Policies and procedures; and  
  • Technical systems in place to assist with the retrieval of requested information. 

Our Handling Subject Access Requests workshop is now available online. It covers all aspects of dealing with SARs, including identifying and applying exemptions. Looking for a GDPR qualification? Final places are left on our online GDPR Practitioner Certificate.


GDPR and Employee Data: H&M Fined 35 Million Euros


On 2nd October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DP Commissioner) imposed a 35.3 million Euros fine on H&M Hennes & Mauritz for serious breaches of the General Data Protection Regulation (GDPR) at its service centre in Nuremberg. Specifically, the breaches related to the covert and extensive monitoring of the personal information of several hundred employees.

The Hamburg DP Commissioner is one of the 16 state Data Protection Commissioners in Germany. Details of the infringement and the fine were posted on the European Data Protection Board’s news feed.

The Facts

H&M had been collecting and recording extensive information about the private lives of its employees since at least 2014. The information was collected by supervisors during “Welcome Back Talks” which took place with employees after absences due to holidays or sickness, even after relatively short absences. Notes of the meetings were stored on a network drive. These included details of the employee’s vacation experiences, or details of their symptoms of illness and diagnosis if they had been taking sick leave. In some cases, supervisors had even obtained and recorded broader information about employees’ private lives, such as details of family issues and religious beliefs. Some of the information that was recorded was highly detailed and recorded over extensive periods of time, documenting the development of issues.

The information was digitally stored and partly readable by up to fifty other managers throughout the company. The company used this information to meticulously evaluate individual work performance and to obtain a detailed profile of employees for measures and decisions regarding their employment.

Employees were unaware that all this was happening until the data became accessible company-wide for several hours in October 2019 due to a configuration error.

The Hamburg Data Protection Commissioner became aware of this from press reports. His first action was to order the company to “freeze” the network drive and then hand it over. The company submitted a data record of around 60 gigabytes for evaluation. Evidence from numerous witnesses confirmed the practice of collecting and recording this data.

The Breaches and the Fine

The details of this case are quite shocking, both in terms of the volume and type of information that was collected and recorded, the way in which it was done covertly, and the fact that the company used the information to evaluate its employees. The collection and recording of such ‘private information’ for monitoring purposes certainly breached the first three data protection principles in GDPR Article 5. The employees were not aware this was happening, so this was clearly neither fair nor transparent, and they were therefore unable to exercise any rights in respect of this data. It is difficult to see what legal basis the company could have used to collect much of this information under both Articles 6 and 9 (the latter for the Special Category Data that was involved). The company collected far more information than was necessary and for much longer than necessary. It also appears that the company was conducting profiling of employees without the employees’ knowledge, thus preventing them from exercising their rights under GDPR Article 22. There was no lawful basis for sharing very private personal information with over 50 managers. In addition, the activities of the company almost certainly breached the employees’ rights under Article 8 of the European Convention on Human Rights. As the Hamburg Commissioner stated, this was a case of a serious disregard for the rights of the company’s employees.

What steps does H&M have to take now?

Based on the information reported by the European Data Protection Board, it appears that the company has put forward a comprehensive plan of how it will take corrective action. The steps include the appointment of a “data protection coordinator” (it is unclear whether this is to be a Data Protection Officer), monthly data protection status updates and more protection for whistle-blowers. This seems to suggest the plan has come from the company rather than the Commissioner, and it is not clear whether the Commissioner has used his regulatory powers to enforce it. In the UK the Information Commissioner could enforce these corrective actions by serving an Enforcement Notice under S.149 Data Protection Act 2018.

In addition the company has agreed to pay the employees “considerable compensation” as well as apologising. GDPR Article 82 provides that data subjects who have suffered material or non-material damage as a result of an infringement of the GDPR “shall have the right” to receive compensation from the Data Controller in respect of the damage suffered. According to the EDPB news post this is “an unprecedented acknowledgement of corporate responsibility following a data protection incident”. Whether or not it is unprecedented, it certainly is pragmatic given that the company avoids any protracted legal actions and the further adverse media attention that litigation would inevitably attract.  

Readers may be interested in our blogs on GDPR and Employee Surveillance. These and other GDPR developments will be discussed in detail by Ibrahim Hasan in our forthcoming online GDPR update workshop. Why not use the time working from home to achieve a GDPR qualification? Our next online GDPR Practitioner Certificate course is fully booked. There are a few places remaining on the following courses.


The British Airways Data Breach Fine


The ICO has finally issued a fine to British Airways (BA) for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by attackers.  

£20 million is a lot of money, even for British Airways, and especially in a global pandemic which has seen all airlines struggle financially. However, it is a far cry from the original Notice of Intent, issued in July 2018, for the sum of £183 million. But then again, the smaller fine is no big surprise either.

On 31st July, IAG (British Airways’ parent company) issued its Interim Management Report, which states:

“The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018. The process is ongoing and no final penalty notice has been issued.”

The Cyber Attack 

The BA fine followed a cyber-attack during 2018, which remained undetected for more than two months. The attack involved diverting cardholder data from British Airways’ official website to one set up by the attacker.

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed. 

Failure to Prevent the Attack 

According to the ICO, there were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include: 

  • limiting access to applications, data and tools to only those which are required to fulfil a user’s role; 
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; 
  • protecting employee and third party accounts with multi-factor authentication. 

Additional mitigating measures BA could have used are listed in the penalty notice. None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft operating system used by BA. (You can read more about the causes of cyber security breaches in our recent blog post.)

It may well be that British Airways launches an appeal, in which case the ICO’s reasoning and actions when issuing fines under GDPR will be the subject of judicial scrutiny. This will help GDPR Practitioners faced with similar ICO investigations.

It will also be interesting to see what happens to the other outstanding Notice of Intent, relating to Marriott Hotels for £99 Million, as well as the ICO’s investigation into the more recent EasyJet data breach. Interesting times ahead. 

We have some places available on our Cyber Security for DPOs workshop in November. This and other GDPR developments will be covered in our new online GDPR update workshop.


Cyber Security and GDPR Compliance


Olu Odeniyi writes…

Data Protection Officers (DPOs), and others who work in data protection, will know that a fundamental requirement of GDPR is to protect personal data “against accidental loss, destruction or damage, using appropriate technical or organisational measures”, as stipulated in the sixth data protection principle in Article 5. As the recent British Airways data breach fine has shown, failure to comply can be costly.

Article 32 further requires measures to be implemented to ensure a level of security appropriate to the risk, including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. Other GDPR provisions, including Article 24 and Article 25, impose similar requirements. As threats to compliance with these articles emanate from malicious activity, mistakes, process weaknesses and software application vulnerabilities, it is clear that cyber security is an essential element of GDPR compliance.

Although many organisations rely on the IT department, the Chief Information Security Officer (CISO) or the Senior Information Risk Officer (SIRO) to lead implementation of cyber security controls, DPOs need a good understanding of this topic to most effectively discharge their responsibilities and ensure compliance.

What is Cyber Security?

The first step is to understand what cyber security is and what it is not. Various definitions exist. Most people associate cyber security with digital services, computerised devices and other forms of information technology. Protection against accidental and malevolent activity, unauthorised data access and the preservation of services are fundamental cyber security goals, but there’s more.

Cyber security touches the very heart of how we live, work and play within the fourth industrial revolution, as highlighted by the founder of the World Economic Forum. Boundaries between work and home life have never been so blurred. Government engagement around the world is increasingly conducted via digital services, and individuals can barely avoid interacting with online services on a daily basis. 

While numerous standards and frameworks exist to help drive best practice, each organisation needs to contextualise what cyber security means for itself. A survey of the most common standards and frameworks will be left for a later blog (some are highlighted further down in this article), but every organisation should scope and document its own meaningful definition of cyber security. High level definitions from respected bodies such as the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST) can be used as a starting point.

However, it is a myth that cyber security is a standard or framework in itself, or that it involves only technology. People use technology and digital services by means of a process or procedure. Effective cyber security therefore comprises people, process and technology, and many breaches could have been avoided by changes in any of these three areas. The remainder of this blog introduces cyber security under each of these headings.

People

It is often stated that people are the greatest weakness when it comes to cyber security, but it does not have to be this way; they can be the strongest defence. The National Cyber Security Centre (NCSC) has published leading research on people-centric cyber security which organisations can benefit from. Staff know the issues they face better than anyone else and should be included in the risk analysis. By understanding productivity roadblocks, working pressures and specific training needs, new ways of working can be formulated to minimise breaches and security mistakes. 

For example, some teams could opt to use an enterprise collaboration application (e.g. Microsoft Teams) in place of email, reducing the risk of messages and attachments being sent to the wrong recipient, although such tools bring their own sharing and access-permission risks that need to be managed. Watch the NCSC video or read the transcript for more information on developing people-centric cyber security.

Security awareness training, conducted well, can be effective and significantly help prevent data and security breaches. Developing a security culture takes an organisation to the next level, as staff develop their own sense of how best to protect the organisation and personal data. Culture change is not an overnight occurrence. Focused effort and dedicated resources are required, but the results will be worth it. 

Developing a security culture involves engaging with staff and seeking their input. Small group sessions, organisation-wide campaigns and open communication forums are some of the many approaches to transforming culture. Useful reading on the human aspects of cyber security can be found in the Cyber Security Culture Guidelines: Behavioural Aspects of Cyber Security report by the European Union Agency for Cybersecurity (ENISA).

It is important to ensure that security measures and controls do not hinder staff productivity or increase the likelihood that staff will circumvent organisational policies. As the NCSC video above states, "if security doesn't work for people, it doesn't work".

Process

Earlier this year I was asked to advise on a serious data breach where sensitive data had been disclosed. As it happened, the breach could have been avoided if different processes, staff actions or technology had been in place. The role of policies, processes, guidelines and procedures in cyber security shouldn't be underestimated, especially with large contingents of remote workers during a pandemic. (Read about the data protection challenges of remote working here.)

Start by reviewing your organisation's cyber and/or information security policies, if they exist. Consider when they were last updated, read the documents several times and make notes on their suitability and any glaring gaps. Check whether any standards or frameworks are in use, such as the ISO/IEC 27000 family of information security standards or the NIST Cybersecurity Framework. Many others exist too. If so, familiarise yourself with the associated literature and determine where you can begin to get involved. 

Alternatively, you could be the staff member who introduces standards and frameworks into your organisation. You will likely need senior management support, and the suggestion may have been considered previously. Either way, established best practice can help organisations review processes and streamline cyber security risk assessments. As mentioned previously, be sure to engage with staff, who will likely see many process security risks in their departments that are invisible to others.

At the very least, read the NCSC risk management guidance, which explains and recommends various concepts behind risk assessments. Combining cyber security risk assessments with Data Protection Impact Assessments (DPIAs) may also be an option in some cases. However, remember that while cyber security is essential for personal data protection, it extends to protecting the entire organisation too.

Technology

The use and maintenance of technology and digital services by staff, contractors and third-party suppliers forms the basis of the technological aspect of cyber security. Online services, cloud computing, connected devices and any other internet medium through which data flows are all cyber security concerns. Technology includes devices found in "smart homes" fitted with a degree of automation and the so-called Internet of Things (IoT), where numerous gadgets are connected online through a local network. Governments around the world are attempting to offer advice to mitigate the cyber risks associated with IoT devices. The UK Department for Digital, Culture, Media and Sport (DCMS) published a Code of Practice for Consumer IoT Security in 2018, although widespread adoption is still in its infancy.

Technology is also used to strengthen cyber defences through a range of security products, which deliver varying levels of protection depending on how well they are configured and how often they are updated. Basic anti-virus programs have long since been joined by a suite of newer security tools, many of which connect to cloud-based detection engines that use machine learning to improve detection. Nonetheless, a sound risk management methodology should always be established before investing in new protective technologies: the expected reduction in risk should ideally be measurable, and the loss it is expected to avert should equal or exceed the expenditure. 

A great way to bring an organisation's technical cyber security controls up to a baseline standard is to adopt Cyber Essentials, a UK government-backed scheme designed to guard against the most common cyber threats. Cyber Essentials covers five control themes: firewalls, secure configuration, user access control, malware protection and patch management. Organisations can be certified in two ways: Cyber Essentials, based on a self-assessment questionnaire reviewed by a certification body, and Cyber Essentials Plus, where hands-on technical verification of the same controls is carried out by an independent certification body.

Putting it all Together

Although this blog has described the people, process and technology aspects of cyber security separately, in reality all three areas need to be considered together. A cyber security risk methodology should always form the heart of any cyber security defence strategy, as part of overall business risk management. Those responsible for cyber security should also keep themselves up to date, as the security landscape has been changing rapidly, both in terms of malicious and accidental threats and the defences against them. The good news is that, with a concerted effort, organisations can adequately protect themselves and their staff.

Olu will be examining this subject further in our Cyber Security for DPOs workshop in November. A few places are left. Our GDPR Essentials e-learning course is ideal for training frontline staff. In just over 30 minutes they will learn about the key provisions of GDPR and how to keep personal data safe.


Act Now Associate Appointed to Judicial Position


Act Now Training would like to congratulate Susan Wolf, our senior associate, who has been appointed as a Fee Paid Member of the Upper Tribunal assigned to the Administrative Appeals Chamber (Information Rights Jurisdiction) and of the First-tier Tribunal General Regulatory Chamber (Information Rights Jurisdiction). 

We are delighted that Susan will continue in her current position at Act Now Training, delivering our full range of online and classroom-based workshops. Susan also writes for our information law blog and has developed our very popular FOI Practitioner Certificate.

Prior to joining us, Susan taught information rights practitioners on the LLM in Information Rights Law at Northumbria University. She has also taught and presented workshops on FOI, EIR and access to EU information in Germany, the Czech Republic and throughout the UK. 

Commenting on Susan's appointment, Ibrahim Hasan, Director of Act Now Training, said: 

"I am delighted that Susan's expertise as an information rights lawyer has been recognised through this judicial appointment. I am sure that she will use her fantastic skills and experience to the benefit of her new role."


The Scottish Information Commissioner’s Annual (FOISA) Report 2020


The Scottish Information Commissioner, Daren Fitzhenry, recently published his Annual Report and Accounts for the year 2019-20. It is available to read and download from the Commissioner's website. Mr Fitzhenry enforces the Freedom of Information (Scotland) Act 2002 (FOISA) as well as the Environmental Information (Scotland) Regulations 2004.  

On publishing the report, Commissioner Daren Fitzhenry said: 

"I am publishing my Annual Report at a time dominated by the Covid-19 pandemic. While freedom of information in Scotland has certainly not been immune from the impact of the pandemic, the importance of the right to information is one clear constant. 

“Inevitably we all have questions about the decisions being made by our governments and public services. Never more so than at a time when those decisions, sadly, may mean the difference between life and death.  

“This is why it is so vital that Scotland’s law ensures everyone has a right to seek information from public authorities and – with only very few, limited exceptions – to receive it.”

Key statistics from the report include:

  • 79,300 FOI requests were made to Scottish public bodies during the year. 12.6% of these were for environmental information (an increase from 10.3% in 2018-19)
  • 76% of requests to Scottish public authorities resulted in full or partial disclosure of information to the requester (an increase from 75% in 2018-19)
  • 251 interventions regarding authority practice improvements were carried out by the Commissioner (compared to 252 in 2018-19 and 234 in 2017-18)
  • There were 494 appeals made to the Commissioner (0.6% of total requests made to Scottish public bodies). 75% of appeals were made by members of the public. 
  • On average, cases appealed to the Commissioner were closed within 3.4 months
  • 23% of valid appeals to the Commissioner related to an authority’s failure to respond
  • 67% of the Commissioner’s decisions found wholly or partially in favour of the requester (an increase from 65% in 2018-19)

Please note that this annual report covers the period 1 April 2019 to 31 March 2020. The Commissioner will publish an initial insights briefing specifically examining the impact of Covid-19 on FOI in Scotland later in 2020.

Our most popular FOISA course will take place online in November. Click here for details.
