When the U.K.’s Information Commissioner’s Office announced earlier this month a £400,000 fine against telecoms company TalkTalk for a cyber attack which allowed access to customer data “with ease,” it was the largest penalty the ICO had ever imposed. Yet, the TalkTalk fine pales in comparison to the £3m penalty levied by the then-FSA to HSBC in 2009 for not having adequate systems and controls to protect customers’ confidential information.
However, as attorney Razia Begum explains in this Cambridge Network article, even these hefty fines will look like chump change compared to the new penalties on the way under GDPR. In general, failing to take appropriate measures could lead to a fine of €10m or 2 percent of a company’s total worldwide annual revenue, whichever is greater. If coupled with other data breaches, these figures could be doubled to €20m and 4 percent.
How does an organization reduce the risk of a data breach and the liability that comes with it? The GDPR itself suggests pseudonymisation and data minimisation as part of a data controller's approach to protection. Lawyer Frank Jennings offers additional guidance in this informative piece in post in The Register.
Another change coming with GDPR are increased privacy protections for children. As Professor Sonia Livingstone explains on The London School of Economics’ Media Policy Project Blog, 16 years old is about to become the new European norm below which parental permission is required before offering information services of any kind to a minor. This is a distinct increase on the age of 13 that is more commonly required across Europe, especially by companies headquartered in the U.S. where the Children’s Online Protection Act (COPPA) defines both children’s access to the internet and companies’ access to children.
To learn more about best practices for getting your business ready for GDPR, readers of this blog are invited to join Protegrity’s webinar, Fit-for-purpose GDPR tools boost business and your brand, this Wednesday, 26 October, at 10 a.m. BST.
Here’s a roundup of other top data security stories making headlines or providing insights the week of Oct. 17, 2016:
“Big data security, privacy becomes a concern for marketing analytics,” by Mekhala Roy of TechTarget. The proliferation of IoT devices has resulted in an upsurge in data-driven marketing, which in turn can fuel data security, privacy and ethics concerns, experts say.
The CISO has traditionally reported to the CIO, but this is changing as security becomes more important. How will this change their relationship, and how can they better work together?
“The New Digital Security Organization,” by Gartner analyst Earl Perkins. For IT organizations increasingly drawn into fulfilling the security needs of operational technology (OT) assets and of the Internet of Things (IoT), now is the time to consider becoming a new digital security organization.
“Oracle fixes 100s of vulnerabilities that put enterprise data at risk,” by Lucian Constantin in Computerworld. Oracle has released another large batch of patches, fixing many critical vulnerabilities in enterprise products including database servers, networking components, operating systems, application servers and ERP systems that are used to store and work with critical business data.
“Snowden, Martin, and how to manage third-party risk,” by Neil Amato of CGMA Magazine. Organizations can better deal with third-party risk related to proprietary data by having stronger controls in place, regardless of who is using the data.
“Don't agree to privacy policies without knowing what PII is at risk,” by Michael Kassner in TechRepublic. Beware of privacy policies that give security software developers user rights and access to Personally Identifiable Information.
“NAIC Data Law Runs into Jumble of Opposition,” by Cyril Tuohy in InsuranceNewsNet.com. State regulators and insurance industry groups are asking for more revisions to the proposed Insurance Data Security Model Law designed to offer lawmakers a roadmap for how insurers and distributors ought to proceed in the face of costly and potentially devastating data theft and the subsequent liability incurred by responsible parties.
“University IT employees fighting for jobs question security,” by Patrick Thibodeau of Computerworld. University of California IT employees, who will soon lose their jobs to overseas workers, are trying point out potential data security risks associated with allowing offshore workers who staff help desks, call centers and manage systems to access data in the U.S.