Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-03-06 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The joys of changing Privacy Laws

Published: 2018-03-06
Last Updated: 2018-03-06 06:12:04 UTC
by Mark Hofman (Version: 1)
2 comment(s)

There are a few privacy changes that have occured and will occur. You may be affected, so I've summarised it here. Please keep in mind I'm not your legal counsil so as always, check yours. 

Australian NDB (maybe skip this if you don't operate in AU)
Changes in the Australia Privacy Act in February 2017 established the Notifiable Data Breach (NDB) scheme. The scheme is effective from 22 February 2018. From this date onwards if you suffer a breach that affects Personally Identifiable Information (PII), then you have to notify the privacy commissioner. What does this actually mean for organisations? Well if you operate in Australia and you are a: 

  •     Australian Government agency, 
  •     business and/or not-for-profit organisation with an annual turnover of $3 million or more, 
  •     credit reporting bodies, 
  •     health service providers, 
  •     Tax File Number recipients

Then you have to have the processes and procedures in place to evaluate if a security incident is a breach of PII.  What the impact will be to those whose information is affected and the steps that have been taken to remediate the issue. To determine whether a security incident is a breach you have to assess three main criteria: 

  1. is there unauthorised access or disclosure of PII?
  2. is it likely to result in serious harm (Not a specifically defined term, but may include serious physical, psychological, emotional, financial, or reputational harm)? 
  3. has the organisation been able to prevent serious harm from occurring with remedial action?

If the answer to the above is yes, then you may have a notifiable breach. 
If you haven't already, make sure your organisation has the processes in place. 
A good resource is the following link https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches#what-is-a-data-breach

GDPR (probably affects most of us)
The other change is the General Data Protection Regulation (GDPR) which will be enforced from May 25 2018. So another month or so to go. (https://www.eugdpr.org/ )

GDPR affects organisation both inside the EU as well as outside of the EU. The main criteria are pretty broad. If you are selling goods or services to EU citizens, then you will have to comply. The difficulty comes into play with the last criterion which is "monitor the behaviour of, EU data subjects".  This basically means if you have a web site that collects information about users of the site, you will likely have to comply. This is one reason why you are seeing those fairly intrusive "we collect cookies, give us permission" banners on more and more websites.  

The penalties can be quite substantive, up to 20 million pounds. Not sure how they would collect that from "Bob's Kitchen and Toilet Brush emporium", but ultimately the risk is there.

The main changes are:

  • required to notify of a breach within 72 hours, 
  • users must provide consent so no longer an automatic opt in or a "tick here to not do something".      
  • Users can obtain the information collected about them, in a machine readable format
  • Right to be forgotten (this concept does not carry across too many other countries' privacy laws)
  • Design for privacy (only collect what is really needed)
  • Have a Data Protection Officer. 

And before you ask, yes the IP address is considered PII and falls under this regulation (maybe a good argument to block all of the EU IP addresses wink ) . 

So if you have a web site, deal with EU citizens or you do business in Australia, then you may have some privacy processes to review and update. 

Cheers

Mark H - Shearwater

Keywords: GDPR NDB privacy
2 comment(s)
Diary Archives