Press Room – Information Security and Data Privacy – w4#0816

1. Regulators’ Powers: German DPAs are Open to Amicable Solutions Before Proceeding to Fines or Court Orders Updated

In negotiations with a DPA about an alleged data protection breach, organisations should seek an amicable solution by involving internal data protection officers (if applicable), drafting a response letter that sets out the relevant facts together with a short legal examination, and proposing potential solutions. If no amicable solution is reached, the DPA will likely issue an order against the alleged offender; however, all DPA orders can be challenged in court.

2. Attackers can hijack unencrypted web traffic of 80% of Android users

The recently revealed security bug (CVE-2016-5696) in the TCP implementation in the Linux kernel that could allow attackers to hijack unencrypted web traffic without an MitM position also affects some 1.4 billion Android devices, Lookout researchers have warned.

“If you’re running an enterprise mobility program, a number of Android devices are potentially vulnerable to a serious spying attack. CISOs should be aware that this new vulnerability affects their Linux environments, Linux-based server connections (e.g., to popular websites), in addition to Android devices,” he added.
“Enterprises are encouraged to check if any of the traffic to their services (e.g., email) is using unencrypted communications. If so, targeted attacks would be able to access and manipulate unencrypted sensitive information, including any corporate emails, documents, or other files.”

3. Security bullshit: Encryption battle: France in global call to “deal with” messaging apps

France’s interior minister has claimed that encryption technology in messaging apps is widely used by terrorists and said the country would work with Germany to initially launch a European initiative to “deal with” the issue.

“This is a central issue in the fight against terrorism; many of the messages exchanged with a view to carrying out terrorist attacks are now encrypted,” said Bernard Cazeneuve, as reported by Le Monde.

4. EU-US Privacy Shield launches: Key points to this agreement

There has been a lot riding on this divisive and complicated agreement, which is why it has taken over two and a half years for all the involved parties to iron out all the details. As of July 12th, the new framework was officially adopted and put into effect.

The EU-US Privacy Shield, as it is known and which replaces the International Safe Harbor Privacy Principles, is basically an agreement between the EU and the US to make the transfer of data for commercial reasons easier and safer.

1) Tough requirements on organizations that handle data
2) Safeguarding data by limiting US government access
3) Protecting the rights of Europeans

5. The Data Retention Saga Continues: European Court of Justice and EU Member States Scrutinize National Data Retention Laws

Triggering a landslide of legislative reforms and legal battles, the European Court of Justice’s (“ECJ”) landmark judgment of April 8, 2014, Digital Rights Ireland (C-293/12), invalidated the Data Retention Directive 2006/24/EC, which provided that providers of publicly available communications services must retain certain data. The ECJ considered that such data retention obligations went beyond what was strictly necessary and violated the Charter of Fundamental Rights of the European Union. The ensuing national legislative revamps and national court proceedings now seek to draw the line between combating crime and terrorism on the one hand, and respecting fundamental privacy and data protection rights on the other.

Status of Data Retention Laws in Selected EU Member States

Belgium. In June 2015, the Belgian Constitutional Court annulled the national law implementing the invalidated Data Retention Directive. Subsequently, the Belgian legislature drafted a new law, on the basis of the findings in the Digital Rights Ireland judgment. The new law aims to achieve greater proportionality, thereby granting access to retained data only where the pursued objective cannot be achieved by more privacy-conscious means. Although the standard data retention period is 12 months, access is now more restricted and tailored to the severity of the crime. Accordingly, for minor crimes, access to retained data can be granted only for a maximum period of six months. For more severe crimes, access can be requested for nine months, with a maximum period of 12 months for the most serious crimes. Additionally, physicians, lawyers, and journalists receive additional protection in view of their legal privilege. The law was adopted on May 29, 2016, and entered into effect on July 28, 2016.

France. The current French legal framework defining data retention is principally set out in the Code of Posts and Electronic Communications (“CPEC”) (Article L. 34-1) and its implementing regulations (Art. R. 10-12 et seq. CPEC), and in the Law of June 21, 2004, on confidence in the digital economy (Article 6, II) and its implementing regulation (Decree n°2011-219 of February 25, 2011).

Pursuant to the CPEC, electronic communications operators must retain specific data for judicial authorities in the investigation and prosecution of criminal offenses, as well as for specific administrative or governmental authorities. Such data consists of technical data enabling the identification of the user and the technical aspects of his or her communications (as opposed to the actual content of such communications). The CPEC requires a one-year retention period for such data. Under the Law of June 21, 2004, internet access providers and internet hosting services must also retain, for a one-year period, information on the identity of the subscribers to their services who contribute to online content, as well as related technical data. Such data can be accessed by judicial authorities in the course of legal proceedings.

The above data retention framework is currently under challenge before the Conseil d’Etat (French supreme administrative court) by several associations. They contend that the framework does not comply with the Charter of Fundamental Rights of the EU, on grounds similar to those that led to invalidation of the 2006 Data Retention Directive.

Netherlands. In March 2015, the Dutch provisional judge (voorzieningenrechter) of the court in The Hague suspended the Dutch Telecommunications Data (Retention Obligation) Act (Wet Bewaarplicht Telecommunicatiegegevens). Following this suspension and the Digital Rights Ireland judgment, a member of the Dutch House of Representatives (Tweede Kamer) introduced a bill considering the repeal of the Telecommunications Data (Retention Obligation) Act. Furthermore, the Dutch Minister of Security and Justice has announced plans for a legislative proposal to amend the Telecommunications Act (Telecommunicatiewet) and the Code of Criminal Procedure (Wetboek van Strafvordering) in view of maintaining acceptable retention obligations under national law.

Spain. In Spain, Law 25/2007 of October 18, 2007 (“Spanish Data Retention Law”), which implemented the now-invalidated Data Retention Directive, addresses data retention related to electronic communications and public communications networks. The Spanish Data Retention Law is, however, in line with the Spanish Constitutional Court’s rulings regarding the right of secrecy of communications: (i) the data retained is only that which is related to the communication, not its content, and (ii) data transfers that affect a communication or specific communications are subject to prior judicial authorization.

As a general rule, the retention obligation ceases 12 months from the date on which the communication occurred. However, by regulation and subject to prior consultation with telecom operators, this period can be increased to a maximum of two years or reduced to a minimum of six months, taking into account storage and data retention costs and the interests of the investigation, and only in relation to the detection and prosecution of serious crimes.

After the invalidation of the Data Retention Directive, the Spanish Data Retention Law underwent some modifications, e.g., in relation to sanctions and to the requirement that data transfers be made in electronic form within seven calendar days to the authorized representatives named in the Spanish Data Retention Law, among others. Furthermore, sanctions for the non-retention of data are now categorized as very serious, serious, or minor infractions.

6. Financial Attacks Grow by 16% in Q2 2016: Kaspersky Reports

Financial malware is evolving through collaboration between malware creators, according to the results of Kaspersky Lab’s IT Threat Evolution report for Q2 2016. During the quarter, Kaspersky Lab products blocked 1,132,031 financial malware attacks on users, a rise of 15.6% compared to the previous quarter. One of the reasons for the rise is the collaboration between the authors of two leading banking Trojans, Gozi and Nymaim, which pushed both into the top 10 ranking of financial malware.

Banking Trojans remain the most dangerous online threats. This malware is often propagated via compromised or fraudulent websites and spam emails and, after infecting users, mimics an official online banking page in an attempt to steal users’ personal information, such as bank account details, passwords, or payment card details.

7. Euro regulator calls for delay to virtual currency exchange anti-money laundering regime

EU law makers should step back from plans to subject virtual currency exchanges and digital wallet providers to anti-money laundering (AML) regulations from the beginning of next year, the European Banking Authority (EBA) has said.

The regulator said that more time is needed to implement a legal framework across EU countries and that without a postponement until “26 June 2017, at the very earliest” for the introduction of the regime, businesses would have little time to adapt to the regulatory requirements.

The EBA’s new opinion (9-page / 164KB PDF) was issued in response to plans outlined earlier this summer by the European Commission. The Commission wants to update the Fourth Anti-Money Laundering Directive (AMLD4) to bring virtual currency exchange platforms (VCEPs) and custodian wallet providers (CWPs) within the scope of the framework.

8. Bitfinex: Cause of Bitcoin Hack Still ‘Unknown’

Nearly two weeks after losing more than $60m in customer funds, Bitfinex reports it has not yet identified how the theft was carried out.

In a statement released earlier today, the exchange reported it had hired Ledger Labs, a blockchain consultancy previously contracted by ShapeShift following its own cybersecurity problems, to both investigate the theft as well as perform a balance sheet audit.

Bitfinex further said that it is “reassessing” storage options in light of the hack. The incident would force the exchange to impose a 36% haircut on customer holdings, a move that continues to stoke controversy.

9. Morocco Bans Skype, WhatsApp, in VoIP Crackdown by State ISP

After first being announced in January, Morocco began enforcing its ban of “Voice over IP”, or “VoIP,” on mobile devices, in a move that prevents conventional Moroccan smartphone users from using popular video call programs like Skype, WhatsApp, Viber, and more.
