Legislation

Businesses Delayed Security Breach Disclosure

An FoI request to the Information Commissioner’s Office (ICO) has revealed cause for concern over whether businesses, in the run-up to the implementation of GDPR, were preventing, detecting and responding to security threats and breaches in a good and compliant way.

Delay In Identifying and Reporting

An FoI request to the ICO by threat detection and response firm Redscan found that, in the year leading up to the implementation of GDPR on 25th of May, many UK businesses appeared to be routinely delaying data breach disclosure to the ICO.

The data revealed in the request indicated that companies took an average of 60 days to identify that they’d been the victim of a data breach and an average of 3 weeks after discovery to report a breach to the ICO.  The worst offending business (in the data revealed) took a massive 44 months to identify a breach, and some organisations took an average of 142 days to report their breaches to the ICO.

Financial and Legal Quicker at Identifying & Reporting Breaches

The FoI data did, however, show that financial and legal sector organisations were better at identifying and reporting breaches.  For example, financial services firms took 37 days to identify a breach and legal firms took 25 days.  These figures compare favourably to the general business category where companies took 138 days to identify breaches.

Also, when it came to reporting the breaches, financial services companies took an average of 16 days and legal firms an average of 20 days.  These figures, again, compare favourably to ‘general business’ category organisations which took 27 days on average to report breaches to the ICO.

Full Impact Not Reported

The requested data also showed that 9 out of 10 businesses did not fully specify the nature and impact of the breach to the ICO.

Dates Not Reported

The same figures showed that 21% of businesses did not report the breach incident date, and 25% did not report the breach discovery date to the ICO. It may be fair to assume that these figures indicate that businesses either lacked awareness about the breaches or made a conscious decision to withhold important information for fear of the consequences.

Most Hacks Happen At Weekends

The FoI data also showed that hackers tend to prefer attacking at weekends, as this is most likely to be the time when many Monday-to-Friday businesses are not monitoring for threats and essentially have their guard down, giving attackers two days to break into systems.  For example, the requested data showed that more than three-quarters of incidents happen on a Saturday.

What Does This Mean For Your Business?

This data relates to behaviour before the introduction of GDPR, but with GDPR now in place, and with the legal risks (big fines) and reputational stakes now escalated, businesses need to make sure that they can be compliant going forward.

Attacks are getting more diverse in nature, are occurring across a wider front, and are becoming more sophisticated.  Businesses must, therefore, make sure that they have the appropriate skills, technology, controls and procedures in place to identify a breach in the first place.

Also, businesses now need to make sure that they report identified breaches in enough detail, and within 72 hours of becoming aware of the breach, where feasible.  These things are now vitally important as reporting requirements are much stricter under GDPR.

The fact that most businesses are hit by hackers at weekends indicates that businesses need to ensure that they have 24/7 controls, defences and procedures in place to be able to protect their systems and the data they hold.

Response To Freedom of Information Requests Concerning Brexit Involves ICO

Two government departments and a Kent-based Brexit planning group are reported to have given local councils advice on how to avoid releasing information about the no-deal Brexit plans, prompting the UK government and the ICO to intervene.

What Happened?

Kent Online reported that at the end of January, a leaked report showed that local councils were being given advice about how to handle Freedom of Information requests relating to the councils’ work and plans towards a no-deal Brexit, in a way that would not cause public harm.

It has been alleged that the threat of a no-deal Brexit situation has led to an increase in the number of FOIA requests that councils receive about their plans for it, but that certain government departments and others may have sought to manage the amount of information making its way into the papers by issuing tips on how to keep emergency plans secret.

A blanket approach of this kind would go completely against FOIA laws.

Who?

According to Kent Online, the leaked report came from the Kent Resilience Forum, which is a group co-ordinating the strategy in the county for how it would deal with disruption in the event of a no-deal Brexit. Guidance issued by the Department for Exiting the EU (DExEU) was also cited in the report, as was guidance by the Cross-Border Delivery Group.

What Kind of Guidance?

The ‘guidance’ in question, mentioned in the leaked report, is alleged to include:

  • The DExEU suggesting that councils and other organisations should refuse FOIA requests in relation to their emergency planning and, in some circumstances, that they should not confirm whether they hold information.
  • Guidance from the DExEU leading to emergency services and councils being given a ready-made template for FOIA requests on Brexit plans.
  • Local Resilience Forums or individual partner organisations being told to argue that disclosure would not be in the public interest as it “would undermine the effective conduct of public affairs”.
  • Guidance that has led to the government tying ports to non-disclosure agreements, which prevent them from releasing any details about their discussions. Recommendations from the Cross-Border Delivery Group mean that while port authorities can share information with other organisations, these non-disclosure agreements are in effect for general disclosure to the public domain.

ICO Involved

The idea that FOIA requests could be treated in this way has prompted the involvement of the Information Commissioner’s Office. It has been reported that the ICO’s director of FoI, Gill Bull, has written to DExEU, the local government department, and the Kent Resilience Forum to express the ICO’s concern about the guidance.

The Council Says…

Kent Council has said that “We are keen to provide our partners with advice on how they can prepare for a worst-case EU Exit scenario”. The council has also said that it will soon be issuing an updated partner pack without the previous FOIA guidance.

The Government Says…

It has been reported that a government spokesperson has said that the original advice has now been revised, and new, updated guidance has now been issued.

What Does This Mean For Your Business?

Brexit is a complicated and divisive subject, but a Freedom of Information request is an important legal right in the UK that allows for greater transparency in the way that companies and organisations operate, and each FOIA request should be considered individually.  It is worrying that advice should be given by government departments and other organisations, supposedly in the public interest, that appears to go against the Freedom of Information Act by suggesting that some kind of blanket response, designed to withhold information, should be applied. Businesses would not be able to behave this way without being held to account in a very damaging way, and it is understandable, therefore, that the ICO has stepped in.

Potential £1 Million Court Bill Over £1 Uber Receipt

A millionaire barrister who raised crowdfunding money to fight ride-sharing company Uber in court over a £1.06 VAT receipt has lost attempts to limit his court costs liability and could face a £1 Million legal bill.

What Happened?

The initial reason given for tax lawyer Jolyon Maugham QC bringing the case against Uber was that he was not given a VAT receipt for £1.06 for his £6.34 taxi journey, which he could have reclaimed from HMRC as a business expense, and that Mr Maugham QC believed that Uber was undercharging VAT on its taxi services.

However, as commentators have noted, there may be a wider angle to this story, as the barrister accepted that the VAT receipt amount that he sought was trivial and that it may be more about establishing whether Uber as a company is subject to VAT.  If Uber is found to be subject to VAT, Mr Maugham QC’s action could trigger a £1bn VAT bill against Uber.

More Than Half Raised From The Black Cab Trade

Even though Mr Maugham QC managed to raise £107,650 to bring the case, one of the factors that appears to have influenced Mr Justice Trower’s rejection of Mr Maugham QC’s attempt to shield himself from the £1M legal bill and his attempt to appeal against the rejection is the proportion of money raised from the black cab trade to fight Uber. For example, the judge pointed out that “well in excess of 50%” of the crowdfunding money came from the black cab trade, and this included a donation of £20,000 from just one unidentified black cab source.

Income A Factor

Even though Mr Maugham QC wanted to limit his legal costs liability to £20,000 in the High Court case he brought against Uber, some commentators have noted that Mr Maugham QC’s alleged net annual income of £400,000, and his ownership of two properties may also have been a factor in the judge deciding not to stop Uber from recovering its estimated £1 million legal costs if it wins the main case.

The VAT Argument

This case was originally intended to focus on VAT, and one thing it has done is to shine a light on an argument about whether it is the individual Uber drivers who need to be VAT registered to give a VAT receipt, or whether Uber now has a large VAT liability.

What Does This Mean For Your Business?

The case was originally based on an assertion that Uber may be undercharging VAT on the taxi services it offers, that HMRC may be treating big US multinationals such as Uber with kid gloves, and an allegation that Uber could be thought by some to have a business model that’s designed to minimise its tax liability and to minimise the workers’ rights that it has to offer to its drivers.

According to Jolyon Maugham QC, in his statement via the Good Law Project, the decision to reject his attempt to limit his liability for legal costs could be seen as an example of how corporations can use the threat of costs liability to dodge legal accountability, thereby making it difficult for other individuals or organisations to hold them to account.

Although Mr Maugham QC’s personal income and property assets may have had a bearing on the Judge’s decision not to grant him protection from an estimated £1 million legal bill if Uber wins, the outcome could also send a warning to businesses that taking on a big company/corporation in court could be make or break and could have serious financial implications.

New York’s Governor Orders Investigation Into Facebook Over App Concerns

The Governor of New York, Andrew Cuomo, has ordered an investigation into reports that Facebook Inc may be using apps on users’ smartphones to collect personal information about them.

Alerted By Wall Street Journal

The Wall Street Journal prompted the Governor to order New York’s Department of State and Department of Financial Services (DFS) to investigate Facebook when the paper reported that Facebook may have more access than it should to data from certain apps, sometimes even when a person isn’t even signed in to Facebook.

Health Data

It has been reported that the kind of data that some apps allegedly share with Facebook includes health-related information such as weight, blood pressure and ovulation status.

The alleged sharing of this kind of sensitive and personal data, whether or not a person is logged in to Facebook, prompted Governor Cuomo to call such practice an “outrageous abuse of privacy.”

Defence

Facebook’s defence against these allegations, which appears to have prompted a short-lived but noticeable fall in Facebook’s share value, was to point out that WSJ’s report focused on how other apps use people’s data to create ads.

Facebook added that it requires other app developers to be clear with their users about the information they are sharing with Facebook and that it prohibits app developers from sending sensitive data to Facebook.

The social media giant also stressed that it tries to detect and remove any data that should not be shared with it.

Lawsuits Pending

This appears to be just one of several legal fronts where Facebook will need to defend itself.  For example, Facebook is still facing a U.S. Federal Trade Commission investigation into the alleged inappropriate sharing of information belonging to 87 million Facebook users with now-defunct political consulting firm Cambridge Analytica.

Apple Also Accused By Governor Over FaceTime Bug

New York’s Governor Cuomo and New York Attorney General Letitia James have also announced an investigation into Apple Inc’s alleged failure to warn customers about a bug in its FaceTime app that could inadvertently allow eavesdropping, as iPhone users were able to listen to the conversations of others who had not yet accepted a video call.

DFS Involvement

The Department of Financial Services (DFS), which is one of the two agencies that have been ordered to investigate this latest Facebook app sharing matter, has only recently begun to get more involved in digital matters, particularly by producing the country’s first cybersecurity rules governing state-regulated financial institutions such as banks, insurers and credit monitors.

Some commentators have expressed concern, however, about the DFS saying last month that life insurers could use social media posts in underwriting their policies, on the condition that they did not discriminate based on race, colour, national origin, sexual orientation or other protected classes.

What Does This Mean For Your Business?

You could be forgiven for thinking that after the scandal over Facebook’s unauthorised sharing of the personal details of 87 million users with Cambridge Analytica, Facebook may have learned its lesson about the sharing of personal data and may have tried harder to uncover and plug any loopholes that could allow this to happen. The tech giant still has several lawsuits and regulatory inquiries over privacy issues pending, and this latest revelation about the sharing of very personal health information certainly won’t help its cause. Clearly, as the involvement of the DFS shows, there needs to be more oversight of (and investigation into) apps that share their data with Facebook, and possibly a need for more legislation and regulation of the smart app / smart tech ecosystem.

There are ways to stop Facebook from sharing your data with other apps via your phone settings and by disabling Facebook’s data sharing platform.  You can find instructions here: https://www.techbout.com/stop-facebook-from-sharing-your-personal-data-with-other-apps-37307/

Potential Jail For Clicking on Terror Links

The new UK Counter-Terrorism and Border Security Act 2019 means that you could face up to 15 years in jail if you visit web pages where you can obtain information that’s deemed to be useful to ‘committing or preparing an act of terrorism’.

Really?

The government states that the Act is needed to “make provision in relation to terrorism; to make provision enabling persons at ports and borders to be questioned for national security and other related purposes; and for connected purposes”.

As shown at legislation.gov.uk, Chapter 1, Section 3 of the Act, which amends Section 58 of the Terrorism Act 2000 (collection of information), states that, unless you’re carrying out work as a journalist or for academic research, a person who “views, or otherwise accesses, by means of the internet a document or record containing information of that kind” (i.e., under the new subsection, information of a kind likely to be useful to a person committing or preparing an act of terrorism) can be punished under the new Act.

Longer Sentences

The new Act increases the sentences from The Terrorism Act 2000, so that a sentence of 15 years is now possible in some circumstances.

The Most Terror Deaths in Europe in 2017

A Europol report showed that the UK suffered more deaths as a result of terror attacks than any other country in Europe in 2017.  The bill which has now become the new law was first introduced on 6th June 2018 after calls for urgent action to deal with terrorism, following three terrorist attacks on the UK within 3 months back in 2017.

Online Problem

One of the key areas that it is hoped the law will help to tackle is how the internet and particularly social media can be used to recruit, radicalise and raise money.

Criticism

The new Act, which received royal assent on 12th February, has been criticised by some as being inflexible, based too much upon ‘thought crime’, and being likely to affect more of those at the receiving end of information rather than those producing and distributing it.  The new law has also been criticised for infringing upon the privacy and freedom of individuals to freely browse the internet in private without fear of criminal repercussion, as long as that browsing doesn’t contribute to the dissemination of materials that incite violent or intolerant behaviour.

The new Act has been further criticised by MPs for breaching human rights and has been criticised by legal experts such as Max Hill QC, the Independent Reviewer of Terrorism Legislation, who is reported as saying that the new law may be likely to catch far too many people, and that a 15-year prison sentence is “difficult to countenance when nothing is to be done with the material, it is not passed to a third party, and it is not being collected for a terrorist purpose.”

What Does This Mean For Your Business?

We may assume that most people will be unlikely to willingly view the kind of material that could result in a prison sentence, and many in the UK are likely to welcome a law that provides greater protection against those who plan and commit terror attacks or who are seeking to use online means to recruit, radicalise and raise money.  The worry is that such a law should not be so stringent and inflexible as to punish those who are not viewing or collecting material for terrorist purposes, and there are clearly many prominent commentators who believe that this law may do this.

Businesses, organisations and venues of all kinds are often caught up in (or are the focus of) terror attacks and/or must ensure that they invest in security and other measures to make sure that their customers, staff and other stakeholders are protected.  A safer environment for all in the UK is, of course, welcome, but many would argue that this should not be at the expense of the levels of freedom and privacy that we currently enjoy.

Russia Plans Disconnect From Rest of World Internet For Cyber-Defence Test

Russia has set itself a deadline of 1st April to test “unplugging” the entire country from the global Internet for reasons relating to defence and control.

Giant Intranet Dubbed “Runet”

The impending test of a complete ‘pulling up of the drawbridge’ from the rest of the world is being planned in order to ensure compliance with a new (draft) law in Russia called the Digital Economy National Program.  This will require Russia’s ISPs to show that they can operate in the event of any foreign powers acting to isolate the country online with a “targeted large-scale external influence” i.e. a cyber-attack.

The plan, which is being overseen by Natalya Kasperskaya, co-founder of Kaspersky the antivirus company and former wife of CEO Eugene, will mean that Russia can unplug from the wider Internet, and create its own internal ‘Intranet’ (the ‘Runet’) where data can still pass between Russian citizens and organisations from inside the nation rather than being routed internationally.

Moving Router Points Inside Russia

A move of this scale involves attempting to move the country’s key router points inside Russia. This means that ISPs will have to show that they can direct all Internet traffic entering and leaving Russia through state-controlled routing points, whereby traffic can be filtered so that, if required, traffic destined for outside Russia is discarded, and attempts to launch cyber-attacks on Russia can be more easily detected and thwarted.

Own Version of DNS

Other measures needed to give Russia the ability to completely unplug include building its own version of the net’s DNS address system. This is currently overseen by 12 organisations outside Russia, but copies of the net’s core address book now exist inside Russia.

Why?

Russia has been implicated in many different international incidents that could provoke cyber-attack reprisals and misinformation interference: for example, the alleged interference in the US presidential election campaign and the UK referendum, and the Novichok attack in Salisbury.  There has also been a deterioration of the relationship between the US and Russia, and widespread criticism of Russia in the western media.

Censorship and Control?

Even though the word from Russia is that the ability to ‘unplug’ is for defence from external aggression, many commentators see it as a move to be able to exert more state control in a way that is perhaps similar to that seen in China with its extensive firewall.

In Russia, control of social media could, for example, thwart attempts from the people to organise mass protests against Putin, such as those seen in 2011-13.

Also, the ability to control what people can see and say online can mean that websites that promote anti-state views and information can be blacklisted. It has been reported that there is already an extensive blacklist of banned websites and that Russia now requires popular bloggers to register with the state.  There have also been reports of Russians facing fines and jail for social media posts that have been judged to have ridiculed the Kremlin or Orthodox Church.

What Does This Mean For Your Business?

Business and trade tend to benefit from open channels of communication, and when states move to shut down communication channels in this way, it prevents the promotion and advertising of products, creates costs and bureaucracy, and damages the prospects and competitiveness of those organisations exporting to and from Russia. This kind of communications shutdown may be useful for the purposes of the state, but it can only really be harmful for international trade, and for those businesses within Russia itself looking to sell overseas.

Anything that portrays the image of a controlling and/or inward-looking state can also damage industries such as tourism and can make companies in those states appear to be risky to deal with.

Man Fined After Hiding From Facial Recognition Cameras

A man was given a public order fine after being stopped by police because he covered his face during a trial of facial recognition cameras in Romford, London.

What Facial Recognition Trial?

A deliberately “overt” trial of live facial recognition technology by the Metropolitan Police took place in the centre of Romford, London, on Thursday 31st January.  This was supposed to be the first day of a two-day trial of the technology, but the second day was cancelled due to concerns that the forecast snow would only bring a low level of footfall in the area.

Live facial recognition trials of this kind use vehicle-mounted cameras linked to a police database containing a watchlist of selected images.  Officers are deployed nearby so that they can stop those persons identified and matched with suspects on the database.

In the Romford trial, the facial recognition filming was reported to have taken place from a parked police van and, according to the Metropolitan Police, the reason for the use of the technology was to reduce crime in the area, with a specific focus on tackling violent crime.

Why The Fine?

The trial also attracted the attention of human rights groups, such as Liberty and Big Brother Watch, members of which were nearby and were monitoring the trial.

It was reported that the man who was fined, who hasn’t been named by police, was observed pulling his jumper over part of his face and putting his head down while walking past the police cameras, possibly in response to having seen placards warning that passers-by were the subjects of filming by police automatic facial recognition cameras.

It has been reported that the police then stopped the man to talk to him about what they may have believed was suspicious behaviour and asked to see his identification. According to police reports, it was at this point that the man became aggressive, made threats towards officers and was issued with a penalty notice for disorder as a result.

8 Hours, 8 Arrests – But Only 3 From Technology

Reports indicate that the eight-hour trial of the technology resulted in eight arrests, but only three of those arrests were as a direct result of facial recognition technology.

Criticism

Some commentators have criticised this and other trials for being shambolic, for not providing value for money, and for resulting in mistaken identity.

Research Questions Reliability

Research by the University of Cardiff examined the use of facial recognition technology across several sporting and entertainment events in Cardiff for over a year, including the UEFA Champions League Final and the Autumn Rugby Internationals.  The research found that for 68% of submissions made by police officers in the Identify mode, the image quality was too low for the system to work. The research also found that the Locate mode of the FRT system couldn’t correctly identify a person of interest 76% of the time.

Also, in December 2018, ICO head Elizabeth Denham was reported to have launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

What Does This Mean For Your Business?

It has been reported that, despite over £200,000 being spent on six facial recognition trial deployments between August 2016 and July 2018, no arrests were made.  On the surface, these figures suggest that, although the technology has the potential to add value and save costs, and although businesses in town centres are likely to welcome efforts to reduce crime, the trials to date don’t appear to have delivered value-for-money to taxpayers.

There was also criticism of the facial recognition system used in Soho, Piccadilly Circus and Leicester Square over two days in the run-up to Christmas, where freedom campaigners such as Big Brother Watch and Liberty were concerned about mixed messages from police about how those who turn away from facial recognition cameras mounted in/on police vans because they don’t want to be scanned could be treated.

Despite some valid worries and criticism, most businesses and members of the public would probably agree that CCTV systems have a real value in helping to deter criminal activity, locating and catching perpetrators, and providing evidence for arrests and trials.  There are, however, several concerns, particularly among freedom and privacy groups, about just how facial recognition systems are being (and will be) used as part of policing, e.g. overt or covert use, issues of consent, possible wrongful arrests due to system inaccuracies, and the widening of the scope of its purpose beyond the police’s stated aims.  Issues of trust where our personal data is concerned are still a problem, as are worries about a ‘big brother’ situation for many people.

Register Now Or Lose EU Research Grants Post-Brexit

The UK government is urging organisations that benefit from European Union (EU) research funding to sign up to a UK-led replacement scheme now in order to guarantee that their Horizon 2020 project funding can continue after Brexit.

What Is Horizon 2020?

Dating back to 2014, Horizon 2020 from the EU is the largest ever European funding programme for research and innovation, with a budget of 79 billion euros, and is set to run until 2020.  It is aimed at improving Europe’s global competitiveness in research and innovation.  Applications for the funding are open to registered businesses, charities, partnerships or research organisations with a legal standing across the EU. For example, higher education institutions, public bodies and charities make up many of the applicants.

What’s The Problem?

The concern, highlighted by the Department for Business, Energy and Industrial Strategy (BEIS), is that when the UK leaves the EU (possibly without a deal), organisations currently receiving funding from the EU’s Horizon 2020 project will need to sign up to a UK-led replacement programme that guarantees continuity in a no-deal Brexit scenario in order to ensure no disruption to that funding.  According to BEIS figures, therefore, the 2,700 public and private sector organisations that are receiving Horizon 2020 funding from the EU but have not yet signed up to the replacement programme could be at risk of disruption in funding and delays to future grants if they don’t sign up as soon as possible.

Guaranteed

Although the Science and Innovation Minister, Chris Skidmore, has guaranteed that UK organisations and businesses who already receive EU science and research funding will continue to do so, even if there’s no-deal Brexit at the end of March, he is urging businesses to register their details on a simple online portal for Horizon 2020 grants in future.

Online Portal – Doesn’t Take Long

The BEIS is, therefore, encouraging the remaining 2,700 businesses to join the 5,500 registrations to date by signing up on the online portal. Reports suggest that it only takes around ten minutes per grant for the data to be inputted. The new portal can be found here:  https://www.ukri.org/funding/how-to-apply/

What Does This Mean For Your Business?

If you are a business or an organisation that receives Horizon 2020 funding, and if you haven’t already done so, the advice is to sign up via the government’s online portal (run by UKRI) to the UK-led replacement programme in order to avoid disruption to funding.  The BEIS has said, for example, that if an organisation leaves it until 5th March, ahead of a no-deal Brexit on 29 March 2019, it could be risking delays to future Horizon 2020 funding.

Naming and Shaming of Companies With Poor Cyber Security

A report from the Cyber Security Research Group and the Policy Institute at King’s College London has suggested that the government could help combat high cyber-crime levels by naming (and shaming) companies with poor cyber-security.

Who?

The Cyber Security Research Group at King’s College London brings together experts with backgrounds in international relations, security studies, strategic studies, intelligence, public policy, informatics and computer science in order to promote better research into cyber-security.  The other research partner in this case, the Policy Institute at King’s College London, is an independent research institute focusing on using evidence and expertise to tackle societal challenges.

Cyber-crime Levels

The report argues that the government’s 2018 data breach survey, which showed that 4 in 10 businesses experienced a cyber-security breach or attack in 2017-18, should be grounds to enable the public to see what steps are being taken by companies (or not) to keep users safe online and to protect their data.

Championing The ACD Programme

The report also champions the government’s Active Cyber Defence (ACD) programme, which was developed by the National Cyber Security Centre (NCSC) for the public sector, as something that could bring benefits if rolled-out to the private sector too, and/or if at least the tools and techniques of ACD could be extended beyond the public sector.

The report points to the relative success that ACD has had in bringing about a fall in scam emails from fake government addresses, and in shutting down thousands of “phishing” sites that pose as government agencies in order to steal users’ personal information. Phishing remains a growing problem: Symantec figures show that phishing rates have increased across most industries and organisation sizes. In this latest report, Tim Stevens, convenor of the Cyber Security Research Group at King’s College London, notes that, according to his research findings, ACD could be rolled out beyond the public sector legally, cheaply and efficiently, with few obstacles, and could help to tackle phishing. The report, therefore, urges non-public sector organisations to engage more actively with the NCSC in order to deploy ACD as a tool to better tackle cyber-crime in the UK.

According to the National Cyber Security Centre (part of GCHQ), the ACD programme can be used to tackle cyber attacks in a relatively automated and scalable way. Last February, when the results of the NCSC’s Active Cyber Defence programme were published, they showed that the UK’s share of visible global phishing attacks had dropped from 5.3% (June 2016) to 3.1% (Nov 2017), that 121,479 phishing sites hosted in the UK had been removed, and that 18,067 sites worldwide that were spoofing UK government sites had been removed as a result of the ACD programme.

What Does This Mean For Your Business?

Reputations are valuable and vitally important to businesses, and so are cyber-security defences; making sure that strong data protection measures are in place is critical. With this in mind, the public naming and shaming of companies with poor cyber-security could be one way to incentivise action that brings about improvements and contributes to the tackling of cyber-crime across the private as well as the public sector.

The NCSC has, in any case, been working with companies for some time through the ACD programme to help them protect their customers. For example, the NCSC launched a collaborative online platform where BT has been able to share its threat intelligence data with other UK ISPs, and the NCSC has offered support to BT to help strengthen its security and block malware infections.

As acknowledged in the Cyber Security Research Group and Policy Institute at King’s College London report, however, ACD is not a finished product but a work in progress, and it is not a single entity amenable to simple, one-off deployment. Also, a government programme that is extended to the private sector could face suspicion of being a way for the government to scan and collect data about private organisations. For this reason, the CSRG and King’s College London report recommends putting a buffer between the government’s intelligence community and third parties, in the form of regulatory authorities in each sector, e.g. the Charity Commission in the third sector.

In reality, effective cyber-security comes from a large number of factors working together, including education and training as well as deploying relevant technologies, but the figures from the success of the ACD programme so far show that it, or tools based upon it, could have real value as one of a number of measures that could help reduce cyber-crime for private as well as public sector organisations.

Google’s £44 Million GDPR Fine

Google has been fined a massive 50 million euros (£44m) for a breach of GDPR dating back to May 2018, relating to how well people were informed about how Google collected data to personalise advertising, and to the matter of consent.

Who?

Google (Alphabet Inc) has been fined £44 million by the French data regulator CNIL. The two complaints that brought about the investigation and the fine were filed in 2018 by privacy rights groups noyb and La Quadrature du Net (LQDN).

Even though the fine is eye-wateringly large, the maximum fine for large companies like Google under GDPR could have been 4% of annual turnover, which could equate to around €4bn.

Ad Personalisation & Google

Google personalises the adverts that are displayed when a person is signed in to their Google account based on ad-personalisation settings. When a person is signed out of their Google account, they are still subject to ad-personalisation across the Web on Google’s partner websites and apps based on their browsing history, and on Google Search based on their previous activity such as previous searches.

What & Why?

The two privacy groups complained that Google didn’t have a valid legal basis to process user data for ad-personalisation because of issues relating to transparency and consent.

The reasons for Google receiving the fine were that:

  1. Google failed to provide its users with transparent and understandable information on its data use policies. The “essential information” that users would have needed in order to understand how Google collected data to personalise advertising, and the extent of that collection, was too difficult to find because it was spread across several documents. This meant that it was only fully accessible after several steps, e.g. up to five or six actions. Ultimately, users were unable to exercise their right to opt out of data processing for the personalisation of ads.
  2. It was also found that the option to personalise ads was “pre-ticked” when creating an account. This meant that users were essentially giving consent in full for all of the processing purposes carried out by Google on the basis of that consent. Under GDPR, however, consent is only ‘specific’ if it is given distinctly for each purpose.

Other Complaints

Privacy group noyb has also filed further formal complaints against Amazon, Apple, Google, Netflix, Spotify, and other entertainment streaming services. The reason, according to noyb, is that when people request a copy of the personal data that these companies hold on them, some of it may not be supplied in a format that can be easily understood. GDPR requires companies to supply users with a copy of their data that is both machine-readable and easily understood.

What Does This Mean For Your Business?

Even before GDPR was introduced, many technology and security commentators predicted that the big names, e.g. Google and Facebook, would be the first to be targeted by privacy campaigners, and that appears to be what is happening here. In this case, however, the fact that the complaints have resulted in a record-breaking fine shows that there was genuine concern about a lack of compliance with GDPR from a company that many would have expected to be on top of the legislation and setting an example. It is likely that Google will now need to make some significant modifications to aspects of its services, and that this may prompt other large tech companies to do the same in order to avoid similar fines and bad publicity.

This case is a reminder to businesses, particularly larger ones, that although GDPR appears to have been buried by concerns about Brexit, staying compliant with GDPR is an ongoing process and should still be high on the business agenda.