18 April 2014

Data protection

Posts relating to the category tag "data protection" are listed below.

29 December 2013

Personal Data Breach Incident Severity Ranking

While on the subject of ENISA, it has published a suggested methodology for the severity ranking of personal data breaches.

Mark Hansen and Ben Rubin's Listening Post art installation at the Science Museum, London, http://www.sciencemuseum.org.uk/visitmuseum/~/link.aspx?_id=822C31BCD5734CDE94E701ED170F4909

Breaches in the context of the document include breaches of confidentiality, availability and integrity both accidentally and maliciously.

The proposed methodology calculates the severity as the multiplication of three factors:

  • Data processing context (1.0-4.0)
  • Ease of identification (0.0-1.0)
  • Circumstances of the breach, the sum of
    • Loss of confidentiality (0.0-1.0)
    • Loss of integrity (0.0-1.0)
    • Loss of availability (0.0-1.0)
    • Malicious intent (0.0 or 0.50)

Some factors seem to have an undue influence in reducing the calculated severity: if data are lost but there is no evidence of misuse (illegal processing), which is very hard to know and easy to assume; and two flags, whether the number of records lost was fewer than 100 (the number of individuals affected may be difficult to determine) and whether the data are unintelligible (encryption is often undermined by poor implementation or weak key management).

The calculated severity score is then used to determine one of four levels: low, medium, high and very high. The document includes examples for the data processing context (DPC), but none for the other two factors, nor overall example scenarios. It would seem that a typical breach of personal data from something like a retailer, where some customer data are copied and subsequently published elsewhere, would score 3.0 (i.e. High). But the accidental loss of an unencrypted laptop containing all the retailer's employee details, including their medical and bank details in plain text, would score 0.0 (i.e. Low) if there was no "evidence that illegal processing has occurred". This doesn't quite seem correct yet.
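To make the structure of the proposed formula concrete, here is a small model of it, added for this post and not ENISA's own code or tool. It computes severity as DPC x EI x CB, with CB the sum of the four circumstance factors, and then scores the two scenarios described above. The band thresholds, the factor values chosen for each scenario, and the reading of the "no evidence of illegal processing" flag as zeroing the loss-of-confidentiality factor are all assumptions, picked only so that the two scenarios land on the 3.0 and 0.0 the post gives them.

```python
"""Model of the proposed severity formula as the post describes it:

    severity = data processing context (DPC) x ease of identification (EI)
               x circumstances of the breach (CB),

where CB is the sum of the four circumstance factors.

Added example, not ENISA's code. The band thresholds and the handling of
the "no evidence of illegal processing" flag are assumptions.
"""
from dataclasses import dataclass

# Assumed severity bands: (inclusive lower bound, level), highest first.
BANDS = ((4.0, "very high"), (3.0, "high"), (2.0, "medium"), (0.0, "low"))


def _check_range(name: str, value: float, lo: float, hi: float) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}, got {value}")


@dataclass(frozen=True)
class Circumstances:
    """The 'circumstances of the breach' factors, in the ranges the post lists."""
    loss_of_confidentiality: float = 0.0  # 0.0-1.0
    loss_of_integrity: float = 0.0        # 0.0-1.0
    loss_of_availability: float = 0.0     # 0.0-1.0
    malicious_intent: float = 0.0         # 0.0 or 0.5

    def __post_init__(self) -> None:
        for name in ("loss_of_confidentiality", "loss_of_integrity",
                     "loss_of_availability"):
            _check_range(name, getattr(self, name), 0.0, 1.0)
        if self.malicious_intent not in (0.0, 0.5):
            raise ValueError("malicious_intent must be 0.0 or 0.5")

    def total(self) -> float:
        return (self.loss_of_confidentiality + self.loss_of_integrity
                + self.loss_of_availability + self.malicious_intent)


def severity(dpc: float, ei: float, cb: Circumstances) -> float:
    """DPC (1.0-4.0) x EI (0.0-1.0) x CB, rounded to two decimals."""
    _check_range("dpc", dpc, 1.0, 4.0)
    _check_range("ei", ei, 0.0, 1.0)
    return round(dpc * ei * cb.total(), 2)


def band(score: float) -> str:
    """Map a score onto one of the four assumed levels."""
    for lower, level in BANDS:
        if score >= lower:
            return level
    raise ValueError("score cannot be negative")


def without_evidence_of_misuse(cb: Circumstances) -> Circumstances:
    """Assumed reading of the post's flag: with no evidence that the lost data
    were processed illegally, the loss-of-confidentiality factor is zeroed."""
    return Circumstances(0.0, cb.loss_of_integrity,
                         cb.loss_of_availability, cb.malicious_intent)


# Constructed scenario 1: retailer; customer data copied and published elsewhere.
RETAILER = dict(dpc=2.0, ei=1.0,
                cb=Circumstances(loss_of_confidentiality=1.0, malicious_intent=0.5))

# Constructed scenario 2: unencrypted laptop with every employee's medical and
# bank details lost by accident. Full confidentiality loss on paper, but the
# "no evidence of illegal processing" flag is then applied.
LAPTOP = dict(dpc=4.0, ei=1.0,
              cb=without_evidence_of_misuse(Circumstances(loss_of_confidentiality=1.0)))


def scenario_scores() -> dict:
    """Score both constructed scenarios; returns {name: (score, level)}."""
    results = {}
    for name, params in (("retailer", RETAILER), ("laptop", LAPTOP)):
        score = severity(**params)
        results[name] = (score, band(score))
    return results


if __name__ == "__main__":
    for name, (score, level) in scenario_scores().items():
        print(f"{name}: severity {score} -> {level}")
```

Running the model shows the point of the critique: because the three factors are multiplied, any factor that reaches zero collapses the whole score, so the laptop scenario scores 0.0 even with the maximum DPC of 4.0 and full ease of identification.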

The announcement does state "it is planned to further develop the methodology with the aim to generate a final practical tool for a data breach severity assessment". So while this is just an early draft, there is the implication that this type of scoring system might be used to determine whether notification is required to the relevant competent authority, and whether the individuals affected need to be informed.

See also the related posts The Privacy Dividend and Business Case for Data Protection.

Posted on: 29 December 2013 at 10:18 hrs

09 November 2013

It's Not Just Cookies!

Shock horror! It is possible to track users without using cookies!

Cookie-replacement tracking technology would be subject to same 'cookie law' rules

It is news to some people apparently. There is a good write-up on Out-Law.com. Unsurprisingly the people who insisted on calling it a "cookie law" feel threatened; the concern is tracking of course, not what method is used.

Hopefully this is not news to readers of the posts here about the relevant legislation, guidance and issues.

Posted on: 09 November 2013 at 08:56 hrs

02 October 2013

Notification of PECR Security Breaches

The UK's Information Commissioner's Office (ICO) has published new guidance on notification of breaches of the Privacy and Electronic Communications Regulations (PECR).

The contents page from the ICO's guidance on 'Notification of PECR Security Breaches'

The guidance only relates to "a provider of a public communications service" such as telecoms providers and internet service providers. And, a personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise protected in connection with the provision of a public electronic communications service".

In summary:

  • Service providers must notify the ICO that a personal data breach has occurred within 24 hours of becoming aware of the basic facts, using an online form; full details must be provided as soon as possible, and certain additional details within 3 days at the latest
  • Notify individuals without undue delay if the breach is likely to adversely affect them
  • Maintain a log of breaches and submit this to the ICO monthly.

Posted on: 02 October 2013 at 08:50 hrs

20 August 2013

The Law and Web Application Attacks

Are you breaking the law if you stumble upon an injection attack on a web site, or discover direct object references that can be enumerated due to inadequate access control?

Partial view of the attack legality spreadsheets from Whitehat Security

As we know, the testing of applications and other system components requires careful preparation, scoping and agreement with the owners of the items under test, or of anything that could be affected. But what about other situations?

Robert Hansen of Whitehat Security has listed a range of common attacks or methods of impacting web applications. He has then attempted to list the legal precedent, if any, and a personal (non legal) opinion of the status of each of these forms of attack in the eyes of the law in the United States (state and federal, criminal and civil). The spreadsheet is available to download free of charge, and without registration.

Does anyone know of such a comprehensive list for the United Kingdom, and other EU jurisdictions? If not, would anyone like to participate in researching and creating one?

Posted on: 20 August 2013 at 08:35 hrs

13 August 2013

Consultation on Conducting Privacy Impact Assessments

The UK Information Commissioner's Office (ICO) is consulting on a revised code of practice for privacy impact assessments.

One of the pages from the ICO's draft code of practice for privacy impact assessments

The new draft code of practice is intended to streamline the guidance and process currently defined in the ICO's PIA Handbook.

Responses to the consultation should use the template provided and can be returned by post or email by 5th November 2013.

The ICO has also just issued version 2 of its Data Protection Regulatory Action Policy.

Posted on: 13 August 2013 at 08:21 hrs

27 July 2013

Data Disclosure Incident Database

The Verizon 2013 Data Breach Investigations Report provides a useful insight into a range of recorded data disclosure incidents.

Partial screen capture showing the data charting and drill down features available on the VERIS Community Database

For the first time, these data are now available to download or to browse and mine interactively. The initial data set includes information from 1,200 incidents, mainly during 2012 and 2013. Note these are heavily biased towards the health sector.

The downloadable data are available free-of-charge without registration in JSON on GitHub such as this example. The data sets are recorded using the Vocabulary for Event Recording and Incident Sharing (VERIS). The interactive visualisation includes predefined views based on threat actors/motives (e.g. external, internal, partner), actions (e.g. hacking, malware, misuse, physical), assets affected (e.g. media, network, people, servers, user devices) and timeline/discovery.

As more data are added, especially from alternative sources, this will be a very valuable resource. See also the Data Loss DB, Breach Watch and the Web Hacking Incident Database (WHID).

Posted on: 27 July 2013 at 16:33 hrs

09 July 2013

Personal Information from US and EU Perspectives

A recent paper discusses the differences in privacy law between the United States and Europe, and how personally identifiable information (PII) is defined in US and EU privacy law.

Partial view of a page from the paper 'Reconciling Personal Information in the United States and European Union'

In the paper Reconciling Personal Information in the United States and European Union, Paul M. Schwartz and Daniel J. Solove discuss and evaluate the EU Data Protection Directive and the proposed new regulation, both of which treat privacy as a fundamental right. This is contrasted with the range of approaches in the United States, where the emphasis is on consumer protection and on balancing privacy against efficient commercial transactions. The authors point out the difficulties these different approaches raise in transfers of data.

The paper moves on to discuss the concept of "PII 2.0", with three categories for regulation: information about an identified person, an identifiable person, or a non-identifiable person. The authors argue that PII 2.0 is consistent with the underlying philosophies of both the US and EU privacy law regimes, bridging the current gap between these.

Posted on: 09 July 2013 at 18:23 hrs

25 June 2013

OWASP Top Ten 2013

The latest release of OWASP's Top Ten application security awareness document, detailing the most critical web application security risks, was announced on 12th June.

Partial view of a page from the OWASP Top 10 2013

The document is intended to be an introduction to application security risks for developers, and is freely available as a PDF and on wiki pages in English. Translations into other languages will follow as volunteers have time. It will also shortly be sold at cost as a printed booklet. The 2013 edition is:

  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Known Vulnerable Components
  • A10 Unvalidated Redirects and Forwards

Compared with the previous edition in 2010, there is some minor re-ordering. Otherwise, "Insecure Cryptographic Storage" and "Insufficient Transport Layer Protection" have been merged into the new A6 "Sensitive Data Exposure", and "Failure to Restrict URL Access" has been broadened to A7 "Missing Function Level Access Control". Finally, the new "Using Known Vulnerable Components" used to sit within "Security Misconfiguration", but has been separated into a standalone named risk.

For further analysis I recommend Breaking Down the OWASP Top 10 Security Flaws for 2013 and New OWASP Top 10 Reflects Unchanged State Of Web Security.

If you reference the OWASP Top Ten, now is the time to update. The risks identified are an important first step in moving to developing secure software code. Beyond this, read the sections for developers, testers and organisations at the end of the document, but I would also recommend this pair of related documents:

Posted on: 25 June 2013 at 11:00 hrs

07 June 2013

User Profiling and "Significant Impact"

Do you profile your customers, clients and citizens with data from your applications?

"Profiling" means any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person's health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.

The European Commission's Article 29 Working Party has published an opinion, in the form of an advice leaflet, to provide input into the current discussions on European data protection reform.

The paper supports the scope of Article 20 covering the processing of personal data for the purpose of profiling, or measures based on profiling, and argues that there should be greater transparency and control for data subjects over profiling and the subsequent measures based upon the profile generated, acknowledging that this creates more responsibility and accountability for data controllers.

However, the paper suggests profiling and measures should only be subject to additional control if they significantly affect the interests, rights or freedoms of the data subject.

See further discussion here and here.

Posted on: 07 June 2013 at 19:03 hrs

21 May 2013

OWASP EU Tour 2013 in London on June 3rd

As part of the OWASP EU Tour 2013, there will be a special event in London next month, along the lines of the recent ones in Cambridge and Leicester.

Photograph of London at dusk with the river Thames in the foreground and St Paul's cathedral lit up

The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.

The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCI DSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.

The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.

Update 29th May 2013: Dinis Cruz, Rory McCune and Tobias Gondrom are now also speaking.

Posted on: 21 May 2013 at 19:59 hrs

Data protection : Web Security, Usability and Design

© 2008-2014 clerkendweller.com