Oct 23, 2017

Anita Anand of Allen & Overy writes:

The Article 29 Working Party this week published draft Guidelines on personal data breach notification under GDPR. The relevant GDPR provisions are often misrepresented, and in many respects leave matters open to interpretation – a good or bad thing depending on the day. Many are now asking what further clarity the draft guidelines bring for companies looking to design and implement a GDPR-compliant incident response and breach notification process in time for May 2018.

Assessing risk

GDPR makes it clear that a wide range of types of risk must be considered in assessing the impact of a personal data breach: physical, material, or non-material damage. The more difficult question is whether the degree of risk is such that the supervisory authority or the affected data subjects must be notified.

Read more on Lexology.

Oct 23, 2017

Ankush Johar writes, in part:

The government claimed that Aadhaar is completely secure, and the data of the consumers was absolutely safe from any malicious party until a severe flaw was detected in the system. The bug allowed a malicious operator to save a user’s biometrics and simply use it to carry out transactions on the victim’s behalf via replaying the saved biometrics.

In February this year, a YouTube video showed a demo of such a replay attack. Later that month, UIDAI filed a case against an employee of Suvidhaa Infoserve, saying that an Axis Bank gateway was used to carry out around 400 transactions via replaying Aadhaar information that was saved earlier.

Read more on Economic Times.
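To make the flaw described above concrete from the defender's side, here is an added toy model (not code from the article, UIDAI or any Aadhaar system): a request format that authenticates only the device and the stored biometric template accepts the same capture again and again, while one that binds each transaction to a single-use, time-limited server challenge does not. The device key, template bytes and message layout are constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample values: one enrolled capture device and its shared key.
DEVICE_KEY = {"device-001": b"constructed-shared-key"}
# Stand-in for a captured fingerprint template (constructed bytes, not real data).
TEMPLATE = b"constructed-biometric-template"
TTL_SECONDS = 30  # how long an issued challenge stays answerable

def _tag(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()

def naive_request(device_id, template):
    """Weak design: the tag covers only device id and template, so a captured
    request is indistinguishable from a fresh one and stays valid forever."""
    return {"device": device_id, "template": template,
            "tag": _tag(DEVICE_KEY[device_id], device_id.encode(), template)}

def naive_verify(req):
    expected = _tag(DEVICE_KEY[req["device"]], req["device"].encode(), req["template"])
    return hmac.compare_digest(expected, req["tag"])

class ChallengeVerifier:
    """Hardened design: each transaction answers a fresh server-issued nonce that is
    consumed on first use and expires, so a captured request cannot be re-submitted."""
    def __init__(self):
        self.pending = {}  # nonce -> (device_id, issued_at)

    def issue_challenge(self, device_id, now):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, now)
        return nonce

    def verify(self, req, now):
        entry = self.pending.pop(req.get("nonce"), None)  # single use: gone after first check
        if entry is None or entry[0] != req["device"] or now - entry[1] > TTL_SECONDS:
            return False
        expected = _tag(DEVICE_KEY[req["device"]], req["device"].encode(),
                        req["nonce"].encode(), req["template"])
        return hmac.compare_digest(expected, req["tag"])

def challenge_request(device_id, nonce, template):
    return {"device": device_id, "nonce": nonce, "template": template,
            "tag": _tag(DEVICE_KEY[device_id], device_id.encode(), nonce.encode(), template)}

def demo():
    """Returns (naive_accepts_replay, hardened_accepts_first, hardened_accepts_replay)."""
    captured = naive_request("device-001", TEMPLATE)
    naive_replay = naive_verify(captured)          # True: nothing marks it as stale
    verifier = ChallengeVerifier()
    nonce = verifier.issue_challenge("device-001", now=1000)
    req = challenge_request("device-001", nonce, TEMPLATE)
    first = verifier.verify(req, now=1001)         # True: fresh answer to the challenge
    replay = verifier.verify(req, now=1002)        # False: nonce already consumed
    return naive_replay, first, replay
```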

Oct 22, 2017

Laura Douglass reports:

A computer malware virus that has devastated a number of businesses across the globe has been disrupting operations the last several days at FirstHealth of the Carolinas and a number of doctors’ offices across the Sandhills.

The malware virus was detected in the organization’s computer network midday Tuesday and the system has remained offline while it is scrubbed of the threat.

The malware has been identified as a new form of “WannaCry,” a ransomware virus that initially struck companies around the globe this past May.

Read more on The Pilot.
That report was on October 20. As of this morning, FirstHealth still has a downtime notice/alert on its site, but it is the notice of October 20 and does not appear to have been updated. The notice reads, in part:

We are experiencing some delays and appointment cancellations as a result of the downtime event. This does not apply to critical and emergent needs. We sincerely apologize for any inconvenience this has caused. Our team is working tirelessly to remediate the virus and get our system back up to be fully operational. Updates on our progress will be available on FirstHealth’s website and social media pages.

I’m not sure about Facebook because I don’t use it, but there’s no notice of the problem on Twitter, nor any update there, so it sounds like FirstHealth is still working to remediate the problem. We wish them all the best in their efforts.

Oct 22, 2017

Not the most technical/legal explanation of the new EU regs, but this Daily Mail piece by Ben Ellery does convey some of what is concerning businesses:

Computer hacking victims will be able to claim thousands of pounds in compensation under new laws – even if they do not lose any money.

The ‘distress’ they suffer will be enough to qualify for a payout regardless of whether their accounts have actually been raided.

And with the potential damages as high as £6,000 per person, companies with millions of customers could be left crippled by a cyber-attack.

Read more on The Daily Mail.

Now it would be great if businesses were so concerned that they: (1) collected and stored less data, and (2) provided better security for the data they do collect and store, but as Ellery notes, what happens if companies just decide to take a risk and not report breaches for fear of penalties? Hmmm…

Oct 22, 2017

Five days to issue a comprehensive report? Imagine if that happened here…

Daxim L. Lucas reports:

The government’s privacy watchdog said on Sunday that it was closely monitoring the “possible personal data breach” on the country’s largest online stock brokerage firm, which has almost a quarter of a million clients trading shares on its internet-based trading platform.

In a press statement, National Privacy Commission (NPC) chief Raymund Enriquez Liboro gave COL Financial five days to submit a comprehensive report on the potential hacking of its client database to aid in the agency’s probe as well as to help it decide on its next course of action.

Read more in Inquirer.net.