[BreachExchange] ‘New era’ in data protection as changes loom

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 12 14:02:35 EDT 2017


http://www.irishexaminer.com/ireland/new-era-in-data-
protection-as-changes-loom-447574.html

Data Protection Commissioner (DPC) Helen Dixon warned in her annual report,
published yesterday, that an overhaul of EU laws was coming down the tracks
in terms of greater protection of personal information.

“We are going to see a very big change and that’s really what I was
referencing when I made the reference to a new era,” she told the Irish
Examiner.

“At an EU level the law is being completely over-hauled and that new law in
the form of the General Data Protection Regulation and in due course also a
new e-privacy regulation is going to be implemented from May 2018.”

She said data will be treated with greater care.

“We are all going to be under obligation to treat the personal data that we
process much more carefully in the future. We’re going to have to ensure
that there is much greater transparency to users, in terms of the personal
data that we collect and process.

“For public bodies, we will have to appoint on a mandatory basis by law a
data protection officer.”

However, the new law does not just demand greater accountability on the
part of the companies and state bodies, it gives individuals more rights.

“For the individual, the intention of this new law is that it puts all of
us much more in control because arguably we are not in control at the
moment because we are not entirely clear all the time who’s collecting what
on us.

“A lot of organisations have pro forma privacy policies that are extremely
difficult to decipher, they’re not concise and intelligible to the user. We
don’t see in plain English exactly what a company is collecting on us and
what third parties they’re sharing it with.”

In the report, the DPC outlined emerging issues in the field of data
protection.

“It’s clear that power in terms of internet tracking and driving profit
from interest-based ads lies largely in the hands of a few big platforms
and that questions need to be asked and answered as to whether consumers
are being left between a rock and a hard place with too little choice (and
therefore subject to a type of ‘forced consent’) given that media outlets
are all signed up to those same ad exchanges.”

The report also detailed the number of queries it received as well as
breaches reported. In 2016, the DPC dealt with 15,335 queries by email,
16,744 by phone and 1,150 queries by post. Some 2,224 valid data security
breaches were recorded.

Unsolicited marketing email

An online retailer was prosecuted by the Data Protection Commissioner (DPC)
for sending an unsolicited marketing email.

A customer received an unsolicited email after opting out of marketing from
the company, Shop Direct Ireland Limited trading as Littlewoods Ireland.

Littlewoods Ireland carried out a review of the customer’s account.

It found that while she was correctly opted out of email marketing, she was
not opted out of third-party marketing.

It then took steps to opt the customer out of third-party marketing.

A “null value” was applied to the email marketing field of the customer’s
account but this had the unintended consequence of opting her back into
email marketing.

In court, last April, the company pleaded guilty to one charge of sending
an unsolicited marketing email without consent.

The company made a charitable donation and the charge was struck out.

Bank disclosed personal data

The Data Protection Commissioner (DPC) received a complaint last year that
Bank of Ireland (BoI) had disclosed personal information to a third party.
This occurred because BoI failed to properly “verify the identity” of an
individual on the phone.

The individual in question was the mother of a son (the complainant), who
shared a forename with his father. The mother mistakenly thought the call
was in relation to an account she held with her husband.

BoI did not contest the disclosure but said confusion had arisen. The DPC
found BoI contravened Section 2A(1) of the Data Protection Acts 1988 and
2003. “While the circumstances of this case involved the verbal
unauthorised disclosure of personal data to a family member of the data
subject concerned, this in no way makes it any less serious than if it had
been a written disclosure to an unrelated third party,” the DPC said.

Hackers demand ransom from school

A ransom was demanded from an Irish primary school after hackers seized
personal data.

The Data Protection Commissioner (DPC) received a report about a breach
from a primary school last October, where parts of the school’s information
systems had been encrypted (data was concealed) by a third party.

This meant the school was unable to access its own files, which contained
names, dates of births, and personal public service numbers.

A ransom was then demanded from the school to release the encrypted files.

The DPC found that the school “failed to ensure that adequate security
measures were in place, to protect against the unauthorised processing and
disclosure of personal data”.

The DPC made several recommendations to the school, which were followed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170412/9d1dd6ff/attachment.html>


More information about the BreachExchange mailing list