European ruling is bad news for U.S. tech giants


The European Court of Justice ruled that the transatlantic Safe Harbor agreement, which lets American companies use a single standard for consumer privacy and data storage in both the United States and Europe, is invalid. The ruling came after Edward Snowden’s NSA leaks showed that European data stored by U.S. companies was not safe from surveillance that would be illegal in Europe. Companies such as Facebook and Twitter may now face scrutiny from individual European countries’ data regulators—and could be forced to host European user data in Europe, rather than hosting it in the U.S. and transferring it over. In theory, American companies with European customers could now end up trying to follow 20 or more different sets of national data privacy regulations. Up to 4,500 US companies—not just tech firms—have relied on Safe Harbor. The European Commission’s Safe Harbor cannot usurp the powers of national authorities, the ruling says. Individual European countries now can set their own regulation for U.S. companies’ handling of citizens’ information, and countries can suspend the transfer of data to the U.S.—forcing companies to host user data exclusively within the country. The Irish data regulator now will examine whether Facebook offered European users adequate data protections, and may order the suspension of Facebook’s transfer of data from Europe to the U.S., if so. Source: Business Insider

Suddenly, riding underground doesn’t seem like a swell idea

South Korea’s National Intelligence Service blamed North Korea for hacking into the Seoul Metro subway, breaking into and infecting 210 employee computers from March to August in 2014. The NIS said the hackers implanted 58 malicious codes into the computers using the Advanced Placement Threat, the same methodology that the North Koreans used in 2013 to attack banks and broadcasters in South Korea, according to the Korea Herald. Seoul Metro said the affected computers were used for human resources and administrative purposes and that the subway system was never in any danger. Source: SC Magazine

Trump hotels confirm hack; card numbers at risk

Customer credit and debit card numbers may have been stolen at seven Trump hotels after its payment systems were hacked for nearly a year. The Trump Hotel Collection confirmed on its website that hackers gained access to its systems from May 2014 to June 2015 at the front desks. Hotel restaurants and gift shops also were hacked. The hotel operator said an independent forensic investigation has not found evidence of customers’ information being misused. The company is offering affected customers a year of free identity theft protection. The potential thefts occurred at the Trump SoHo New York, Trump International New York, Trump National Doral in Miami, Trump International Chicago, Trump International Waikiki in Hawaii, Trump International Hotel and Tower Las Vegas and Trump International Toronto. Republican presidential candidate Donald Trump is chairman and president of Trump Hotel Collection. Trump Hotel said it is working with the Secret Service and the FBI. Source: CNBC

News about nukes not good

Nuclear power plants throughout the world are in denial over the risk of a serious cyber attack, says a study claiming that civil nuclear infrastructure in most countries is unprepared for such threats. Even a small-scale attack, the study found, could release deadly radiation into the local area. The report claims that cyber criminals could trigger an incident similar to that seen at Fukushima Daiichi in Japan in 2011. Nearly 16,000 people died in the natural disaster and subsequent devastation. The study, published by think tank Chatham House, looked at cybersecurity in power plants over a period of 18 months and cites 50 incidents globally. Senior nuclear officials at plants and in governments in Canada, France, Germany, Japan, the United Kingdom, Ukraine and the United States were among those interviewed. Source: The (U.K.) Daily Mail

Where the insurance money goes

New claims cost data reveal a wide discrepancy on costs associated with cyber losses. More than $75.5 million has been spent on cyber claims losses as reported in the latest study published by NetDiligence, a cyber risk assessment and data breach services company. The annual study examines actual losses for data breach events covered by various cyber-liability insurance carriers for claims with incident dates from 2012 to 2014. The study finds that of the total cyber claims costs of $75.5 million, 78 percent was spent on crisis services, 8 percent on legal defense, 9 percent on legal settlements, 1 percent each on regulatory defense and regulatory fines, and 3 percent on PCI fines. The claims analyzed in the study remain open, so amounts noted within the study should be considered payments to date. Source: Insurance Journal

Making that joyride just a bit safer

As more cars connect to the Internet, motorists’ physical safety could be at risk, says Intel Security general manager Chris Young. “Cybersecurity used to be about fraud and identity theft. Now there are physical safety issues with connected cars. There are hundreds of computer components in a car.” Intel has announced the formation of the Automotive Security Review Board to bring together top security industry researchers from around the world whose focus is on securing cyber-physical systems. “We can raise the bar against cyber attacks in automobiles. With the help of the ASRB, Intel can ensure cybersecurity is an essential ingredient in the design of every connected car,” Young said. Source: The Irish Times

By the sea, by the sea, by the beautiful cyber sea

The Navy has wrapped up a one-year project designed to “awaken” the service to the need to drive cybersecurity concerns into everything it does. It’s now transitioning the lessons it learned into a permanent organization called Navy Cybersecurity. The organization will be part of the Navy’s headquarters staff at the Pentagon, consisting of about 40 people whose full-time job is to make sure the service’s acquisition policies, its personnel practices and its general culture are pointed toward greater cybersecurity. Its policy, budgeting and oversight roles will extend far beyond traditional IT systems and into anything the Navy buys that might have a microchip inside it. The office is meant to carry on the work of Task Force Cyber Awakening, a temporary organization the Navy created to force its organizational culture to pay more attention to cyber after such incidents as one that compromised the Navy-Marine Corps Intranet in 2013. Source: Federal News Radio

How well do company wellness programs guard privacy?

As benefits enrollment for 2016 approaches, more employers are expected to nudge workers toward plans that screen them for risks, monitor their activity, and encourage them to take the right pills, food and exercise. This involves a huge collection of health data outside the established medical system, not only by wellness vendors such as Redbrick, Audax and Vitality, but also by companies offering gym services, smartphone apps and devices that track steps and heartbeats. Such partners pass worker results to the wellness providers. Standards to keep such information confidential have developed more slowly than the industry. That raises risks it could be abused for workplace discrimination, credit screening or marketing, consumer advocates say. Source: National Public Radio

OPM letters go out; that’s snail mail, not email

The Office of Personnel Management has begun sending notification letters to those affected by breaches on the agency’s systems. Some 21.5 million people who had personally identifiable information stolen will receive a notification through traditional mail, though the process could take a “considerable” amount of time to ensure full delivery. Acting Director Beth Cobert wrote that email would not be used for the communications. Personalized identification numbers will accompany the notification letters so people can sign up for the services the federal government will provide for identity protection, including identity monitoring, credit monitoring, identity restoration services and identity theft insurance. The agency has provided a Cybersecurity Resource Center online, where those who were affected can sign up for the associated services. Source: Fierce Government

There’s a new privacy sheriff in town

California Attorney General Kamala Harris has announced a privacy breach settlement that requires the defendant company to create a “chief privacy officer” position to oversee compliance with privacy laws. Harris said Houzz, an online platform for home design and decor, violated state anti-eavesdropping and anti-wiretapping laws, which forbid recording phone calls without notifying the other parties to the call and obtaining their consent. According to the complaint, for about six months in 2013, Houzz recorded incoming and outgoing calls for “quality assurance and training purposes.” But it never notified parties to the calls, or got their consent. The settlement requires that Houzz appoint a chief privacy officer, who must be knowledgeable of all state and federal privacy laws, establish privacy policies and procedures that comply with those laws, and oversee Houzz’s compliance. The settlement also includes $175,000 in penalties and fees, and requires Houzz to complete an extensive privacy risk assessment and monitoring program. Source: National Law Review