European ruling is bad news for U.S. tech giants


The European Court of Justice ruled that the transatlantic Safe Harbor agreement, which lets American companies use a single standard for consumer privacy and data storage in both the United States and Europe, is invalid. The ruling came after Edward Snowden’s NSA leaks showed that European data stored by U.S. companies was not safe from surveillance that would be illegal in Europe. Companies such as Facebook and Twitter may now face scrutiny from individual European countries’ data regulators—and could be forced to host European user data in Europe, rather than hosting it in the U.S. and transferring it over. In theory, American companies with European customers could now end up trying to follow 20 or more different sets of national data privacy regulations. Up to 4,500 US companies—not just tech firms—have relied on Safe Harbor. The European Commission’s Safe Harbor cannot usurp the powers of national authorities, the ruling says. Individual European countries now can set their own regulation for U.S. companies’ handling of citizens’ information, and countries can suspend the transfer of data to the U.S.—forcing companies to host user data exclusively within the country. The Irish data regulator now will examine whether Facebook offered European users adequate data protections, and may order the suspension of Facebook’s transfer of data from Europe to the U.S., if so. Source: Business Insider

Suddenly, riding underground doesn’t seem like a swell idea

South Korea’s National Intelligence Service blamed North Korea for hacking into the Seoul Metro subway, breaking into and infecting 210 employee computers from March to August in 2014. The NIS said the hackers implanted 58 malicious codes into the computers using the advanced persistent threat (APT) methodology, the same methodology that the North Koreans used in 2013 to attack banks and broadcasters in South Korea, according to the Korea Herald. Seoul Metro said the affected computers were used for human resources and administrative purposes and that the subway system was never in any danger. Source: SC magazine

Trump hotels confirm hack; card numbers at risk

Customer credit and debit card numbers may have been stolen at seven Trump hotels after its payment systems were hacked for nearly a year. The Trump Hotel Collection confirmed on its website that hackers gained access to its systems from May 2014 to June 2015 at the front desks. Hotel restaurants and gift shops also were hacked. The hotel operator said an independent forensic investigation has not found evidence of customers’ information being misused. The company is offering affected customers a year of free identity theft protection. The potential thefts occurred at the Trump SoHo New York, Trump International New York, Trump National Doral in Miami, Trump International Chicago, Trump International Waikiki in Hawaii, Trump International Hotel and Tower Las Vegas and Trump International Toronto. Republican presidential candidate Donald Trump is chairman and president of Trump Hotel Collection. Trump Hotel said it is working with the Secret Service and the FBI. Source: CNBC

News about nukes not good

Nuclear power plants throughout the world are in denial over the risk of a serious cyber attack, says a study claiming that civil nuclear infrastructure in most countries is unprepared for such threats. Even a small-scale attack, the study found, could release deadly radiation into the local area. The report claims that cyber criminals could trigger an incident similar to that seen at Fukushima Daiichi in Japan in 2011. Nearly 16,000 people died in the natural disaster and subsequent devastation. The study, published by think tank Chatham House, looked at cybersecurity in power plants over a period of 18 months and cites 50 incidents globally. Senior nuclear officials at plants and in governments in Canada, France, Germany, Japan, the United Kingdom, Ukraine and the United States were among those interviewed. Source: The (U.K.) Daily Mail

Where the insurance money goes

New claims cost data reveal a wide discrepancy on costs associated with cyber losses. More than $75.5 million has been spent on cyber claims losses as reported in the latest study published by NetDiligence, a cyber risk assessment and data breach services company. The annual study examines actual losses for data breach events covered by various cyber-liability insurance carriers for claims with incident dates from 2012 to 2014. The study finds that of the total cyber claims costs of $75.5 million, 78 percent was spent on crisis services, 8 percent on legal defense, 9 percent on legal settlements, 1 percent each on regulatory defense and regulatory fines, and 3 percent on PCI fines. The claims analyzed in the study remain open so amounts noted within the study should be considered payments to date. Source: Insurance Journal

Making that joyride just a bit safer

As more cars connect to the Internet, motorists’ physical safety could be at risk, says Intel Security general manager Chris Young. “Cybersecurity used to be about fraud and identity theft. Now there are physical safety issues with connected cars. There are hundreds of computer components in a car.” Intel has announced the formation of the Automotive Security Review Board to bring together top security industry researchers from around the world whose focus is on securing cyber-physical systems. “We can raise the bar against cyber attacks in automobiles. With the help of the ASRB, Intel can ensure cybersecurity is an essential ingredient in the design of every connected car,” Young said. Source: The Irish Times

By the sea, by the sea, by the beautiful cyber sea

The Navy has wrapped up a one-year project designed to “awaken” the service to the need to drive cybersecurity concerns into everything it does. It’s now transitioning the lessons it learned into a permanent organization called Navy Cybersecurity. The organization will be part of the Navy’s headquarters staff at the Pentagon, consisting of about 40 people whose full-time job is to make sure the service’s acquisition policies, its personnel practices and its general culture are pointed toward greater cybersecurity. Its policy, budgeting and oversight roles will extend far beyond traditional IT systems and into anything the Navy buys that might have a microchip inside it. The office is meant to carry on the work of Task Force Cyber Awakening, a temporary organization the Navy created to force its organizational culture to pay more attention to cyber after such incidents as one that compromised the Navy-Marine Corps Intranet in 2013. Source: Federal News Radio

How well do company wellness programs guard privacy?

As benefits enrollment for 2016 approaches, more employers are expected to nudge workers toward plans that screen them for risks, monitor their activity, and encourage them to take the right pills, food and exercise. This involves a huge collection of health data outside the established medical system, not only by wellness vendors such as Redbrick, Audax and Vitality, but also by companies offering gym services, smartphone apps and devices that track steps and heartbeats. Such partners pass worker results to the wellness providers. Standards to keep such information confidential have developed more slowly than the industry. That raises risks it could be abused for workplace discrimination, credit screening or marketing, consumer advocates say. Source: National Public Radio

OPM letters go out; that’s snail mail, not email

The Office of Personnel Management has begun sending notification letters to those affected by breaches on the agency’s systems. Some 21.5 million people who had personally identifiable information stolen will receive a notification through traditional mail, though the process could take a “considerable” amount of time to ensure full delivery. Acting Director Beth Cobert wrote that email would not be used for the communications. Personalized identification numbers will accompany the notification letters so people can sign up for the services the federal government will provide for identity protection, including identity monitoring, credit monitoring, identity restoration services and identity theft insurance. The agency has provided a Cybersecurity Resource Center online, where those who were affected can sign up for the associated services. Source: Fierce Government

There’s a new privacy sheriff in town

California Attorney General Kamala Harris has announced a privacy breach settlement that requires the defendant company to create a “chief privacy officer” position to oversee compliance with privacy laws. Harris said Houzz, an online platform for home design and decor, violated state anti-eavesdropping and anti-wiretapping laws, which forbid recording phone calls without notifying the other parties to the call and obtaining their consent. According to the complaint, for about six months in 2013, Houzz recorded incoming and outgoing calls for “quality assurance and training purposes.” But it never notified parties to the calls, or got their consent. The settlement requires that Houzz appoint a chief privacy officer, who must be knowledgeable of all state and federal privacy laws, establish privacy policies and procedures that comply with those laws, and oversee Houzz’s compliance. The settlement also includes $175,000 in penalties and fees, and requires Houzz to complete an extensive privacy risk assessment and monitoring program. Source: National Law Review