18 April 2014


Posts relating to the category tag "legislation" are listed below.

09 November 2013

It's Not Just Cookies!

Shock horror! It is possible to track users without using cookies!

Cookie-replacement tracking technology would be subject to same 'cookie law' rules

It is news to some people apparently. There is a good write-up on Out-Law.com. Unsurprisingly the people who insisted on calling it a "cookie law" feel threatened; the concern is tracking of course, not what method is used.

Hopefully this is not news to readers of the posts here about the relevant legislation, guidance and issues.

Posted on: 09 November 2013 at 08:56 hrs


02 October 2013

Notification of PECR Security Breaches

The UK's Information Commissioner's Office (ICO) has published new guidance on notification of breaches of the Privacy and Electronic Communications Regulations (PECR).

The contents page from the ICO's guidance on 'Notification of PECR Security Breaches'

The guidance only relates to "a provider of a public communications service", such as telecoms providers and internet service providers. A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise protected in connection with the provision of a public electronic communications service".

In summary:

  • Service providers must notify the ICO that a personal data breach has occurred within 24 hours of becoming aware of the basic facts, using an online form; full details must be provided as soon as possible, and some additional detail within 3 days at the latest
  • Notify individuals without undue delay if the breach is likely to adversely affect them
  • Maintain a log of breaches and submit this to the ICO monthly.

Posted on: 02 October 2013 at 08:50 hrs


20 August 2013

The Law and Web Application Attacks

Are you breaking the law if you stumble upon an injection attack on a web site, or discover direct object references that can be enumerated due to inadequate access control?

Partial view of the attack legality spreadsheets from Whitehat Security

As we know, the testing of applications and other system components requires careful preparation, scoping and agreement with owners of the items under test, or that could be affected. But what about other situations?

Robert Hansen of Whitehat Security has listed a range of common attacks or methods of impacting web applications. He has then attempted to list the legal precedent, if any, and a personal (non legal) opinion of the status of each of these forms of attack in the eyes of the law in the United States (state and federal, criminal and civil). The spreadsheet is available to download free of charge, and without registration.

Does anyone know of a such a comprehensive list for the United Kingdom, and other EU jurisdictions? If not, would anyone like to participate to research and create one?

Posted on: 20 August 2013 at 08:35 hrs


16 July 2013

Draft Cybersecurity Framework for Critical Infrastructure

US standards agency NIST has released its draft Outline of Cybersecurity Framework for Critical Infrastructure.

[The] Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.

The draft framework is in response to an executive order for NIST to work with the public and private sector.

The draft outline references many existing standards and other documents and is still undergoing development, review and detailing.

Posted on: 16 July 2013 at 15:34 hrs


09 July 2013

Personal Information from US and EU Perspectives

A recent paper discusses the differences in privacy law between the United States and Europe, and how personally identifiable information (PII) is defined in US and EU privacy law.

Partial view of a page from the paper 'Reconciling Personal Information in the United States and European Union'

In the paper Reconciling Personal Information in the United States and European Union, Paul M. Schwartz and Daniel J. Solove discuss and evaluate the EU Data Protection Directive and the proposed new regulation, both of which treat privacy as a fundamental right. This is contrasted with the range of approaches in the United States, where the emphasis is on consumer protection and on balancing privacy with efficient commercial transactions. The authors point out the difficulties these different approaches raise in transfers of data.

The paper moves on to discuss the concept of "PII 2.0", with three categories for regulation: information about an identified person, an identifiable person, or a non-identifiable person. The authors argue that PII 2.0 is consistent with the underlying philosophies of both the US and EU privacy law regimes, bridging the current gap between the two.

Posted on: 09 July 2013 at 18:23 hrs


07 June 2013

User Profiling and "Significant Impact"

Do you profile your customers, clients and citizens with data from your applications?

"Profiling" means any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person's health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.

The European Commission's Article 29 Working Party has published an opinion, in the form of an advice leaflet, to provide input into the current discussions on European data protection reform.

The paper supports the scope of Article 20, which covers processing of personal data for the purpose of profiling or measures based on profiling, and argues that there should be greater transparency and control for data subjects over profiling and the subsequent measures based upon the profile generated; it acknowledges that this creates more responsibility and accountability for data controllers.

However, the paper suggests profiling and measures should only be subject to additional control if they significantly affect the interests, rights or freedoms of the data subject.

See further discussion here and here.

Posted on: 07 June 2013 at 19:03 hrs


17 May 2013

Internet and Mobile Literacy, Usage & Opinions

OFCOM, the UK communications sector's regulator and competition authority, has announced a report on adults' use of media and attitudes.

More than half of internet users say they use the same passwords for most websites

The Adults' Media Use and Attitudes Report 2013 (complete 181 page print version) discusses media literacy, take-up, preference and media use, understanding, attitudes and concerns, use of the internet and mobile phones, and users in three classes: new, "narrow" and non-users.

Over half of all internet users think that online purchasing puts their privacy at risk

There is a wealth of valuable data for strategic planning and marketing purposes, but also useful information on security and safety habits and attitudes to regulation of the internet. If you need information to help support decisions around security and usability, this report will have something of use to you.

A quarter of internet users say they have experienced a virus on their home PC or laptop in the past year

It is this weekend's best read.

Posted on: 17 May 2013 at 08:34 hrs


10 May 2013

IP Address Sharing and Individual Identification

BT has announced a trial of its Carrier-Grade Network Address Translation (CGNAT) where Internet Protocol (IP) addresses will be shared between subscribers.

organisations [will] generally have to treat IP addresses as personal data

Concerns have been expressed about the ability of some applications to work if they rely on the assumption that IP addresses are unique, and also about how this affects the identification of individual people.

Out-law.com provides a good review of the issues and information from BT, but links to the sources are not provided. BT has apparently stated they will still be able to identify individuals despite using CGNAT.

But the issue of identification does not only relate to newsworthy "illegal online activity"; it also matters for the wider privacy protection of completely legal activity, where it is clear that IP addresses really must be considered personal identifiers, especially when they can be combined with other data sets. Something to be considered in privacy impact assessments.

Posted on: 10 May 2013 at 09:48 hrs


07 May 2013

Consultation on Cyber Security Standard

The UK Cabinet Office has announced a consultation into the proposed cyber risk management standard for organisations as part of its cyber security strategy announced in November 2011.

Photograph of the feedback entry device for travellers at a Gatwick Airport who have just passed through the outbound security checks labelled 'How was your security experience' with four smiley-style buttons below

The proposed guidance and accompanying call for views and evidence define cyber security as the "preservation of confidentiality, integrity, and availability of information in cyberspace", and cyberspace quite broadly as a "complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form".

The UK Government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management. The current proposal outlines requirements for a standard, its objectives, outcomes, auditable requirements and controls in "at least" the following areas:

  • Network security
  • Malware prevention
  • Secure configuration of information systems
  • Monitoring
  • Removable media
  • Home and mobile working
  • Managing user privileges
  • User education and awareness
  • Incident management.

So it is somewhat disappointing that application security isn't mentioned, but those requirements pre-date this consultation, which is about the choice of an existing standard to follow.

Responses can be sent by email to cybersecurity@bis.gsi.gov.uk or by post to Cyber Security Team, BIS, 1 Victoria Street, London SW1H 0ET. The closing date to submit evidence is 14 October 2013.

Posted on: 07 May 2013 at 19:39 hrs


30 April 2013

2013 Information Security Breaches

Last week the UK's Department for Business Innovation & Skills published the 2013 Information Security Breaches Survey, created in conjunction with PwC.

One of the bar charts in the DBIS '2013 Information Security Breaches Survey'

The report presents the results of the survey and breaks the findings down for larger (>250 staff), medium and smaller (<50 staff) organisations. The term "cyber" appears 15 times and "APT" only once, so it is generally hyperbole-free.

The most interesting data points for me are:

  • 18% of "worst breaches" related to websites and internet gateways, and 4% to breach of laws/regulations
  • For all breaches, operational disruption typically lasts a week, with 2-4 weeks of FTE effort spent responding to the incident, and a quarter of incidents leading to lost business
  • Reputation losses were estimated to be between £10,000 and £100,000.

The report is available to download in full free of charge without registration.

Posted on: 30 April 2013 at 20:53 hrs



Legislation : Web Security, Usability and Design



© 2008-2014 clerkendweller.com