Cybersecurity: Focus on the Netherlands’ Information Security Outlook

Briefing

The Netherlands has strong information technology capabilities. According to the World Economic Forum, the country ranks 6th in the world as one of the most advanced and technology-enabled nations. In 2018, the Netherlands imported €61.2 billion worth of ICT goods and services. In the same year, exports of ICT-related goods and services (including re-exports) stood at €74.6 billion. The Netherlands’ technological environment is anchored by a robust digital infrastructure. The Dutch rank 2nd in the world for online connectivity, with over 98% of households having a broadband connection. The Netherlands is a leading cybersecurity hub in Europe, home to Europe’s largest security cluster, The Hague Security Delta (HSD). HSD is a national network of more than 300 public and private organisations working together to accelerate cybersecurity solutions. The Netherlands is home to one of the largest internet exchanges in the world, the Amsterdam Internet Exchange (AMS-IX), and has one of the highest rates of internet connectivity in the world. The Amsterdam region houses nearly a third of Europe’s data centres, with growth expanding to Groningen and Middenmeer. The country is also home to Europol’s European Cybercrime Centre (EC3), the NATO Communications and Information (NCI) Agency and the Global Forum on Cyber Expertise (GFCE) in The Hague.

The Netherlands ranks 4th out of 28 countries (27 EU member states and the UK) in the European Commission Digital Economy and Society Index (DESI) 2020. This ranking is based on pre-coronavirus pandemic analysis. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies, along with key data centres, are based in the country. Demonstrating cybersecurity resilience in the country’s networks, information systems, private sector and public services is very important for national security, economic growth, investment, trust and innovation. Companies and organisations can also use this information to set expectations and risk levels.

Putting Cybersecurity on the Agenda

In 2018, the Dutch National Cybersecurity Agenda was adopted to allow the Netherlands to benefit from the economic and social opportunities of digitalisation in a secure way and to protect national security in the digital world. Seven ambitions were outlined to allow the Netherlands to:

1. Have strong digital capabilities to detect, mitigate and respond decisively to cyber threats;

2. Contribute to international peace and security in the digital space;

3. Be at the forefront of digitally secure hardware and software;

4. Have resilient digital processes and a robust infrastructure;

5. Have successful barriers against cybercrime;

6. Lead the way in the field of cybersecurity knowledge development; and

7. Have an integrated and strong public-private approach to cybersecurity.

From Agenda to Reality: Key Points from Cyber Security Assessment Netherlands 2021

The Netherlands has moved from setting agendas and ambitions to becoming more proactive in European (and global) cybersecurity efforts. It also assesses the national picture every year so that stakeholders know the trends, risks, threats, strengths and areas for improvement. This shows both a proactive and transparent approach. The Cyber Security Assessment Netherlands 2021 (CSAN 2021 / CSAN) explains the active cyber threats, the likely impacts, resilience approaches and the risks. CSAN focuses on national security; the assessment is produced annually by the National Coordinator for Security and Counterterrorism (NCTV) and the National Cyber Security Centre (NCSC NL).

The NCTV is the central government body responsible for counterterrorism, cybersecurity, national security, crisis management and state threats. NCTV’s core focus is to prevent and minimise social disruption. The NCSC NL is the central information hub and centre for expertise for cybersecurity in the Netherlands. NCSC NL helps to boost cyber resilience in society, specifically within central government and among critical providers.

  • Risks to National Security

Four risks to national security have been identified in CSAN:

1. Unauthorised access to information and its publication, particularly through espionage. For example, espionage targeting communications within the central government or the development of innovative technologies.

2. The inability to access processes, due to sabotage or the use of ransomware. For example, the infiltration of processes that ensure the distribution of electricity.

3. Major security breaches, such as through the abuse of global IT supply chains.

4. Large-scale outages: for example, where one or more processes are disrupted due to natural activity, technical interference or unintentional human action.

  • Differences in the Levels of Resilience

The CSAN reveals that there are significant differences in levels of resilience in the Netherlands. Large companies can invest in cybersecurity knowledge and skills. Suppliers of essential services and digital service providers also have a statutory duty of care, set out in the Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, Wbni). However, small businesses, including small and medium-sized enterprises (SMEs), often lack the expertise and resources to substantially upgrade their resilience efforts. SMEs are often targeted by sophisticated actors. This resilience gap has been identified as a work in progress to be solved, in part, by greater capacity building and information sharing.

  • Key Messages from CSAN

There is a clear acknowledgement that cyber incidents can paralyse society, and in particular:

  1. Cybersecurity is a precondition for the functioning of society.
  2. The digital threat is permanent.
  3. Digital resilience is not yet in order everywhere because of the lack of basic measures.
  4. Boosting resilience is the most important tool for managing cyber risks.
  5. A complete and accurate picture of the resilience of critical processes is still missing.
  6. Cyber risks are as great as ever and cannot be separated from other risks.
  7. The Netherlands’ dependence on countries with offensive cyber programmes is a risk-increasing factor.
  8. The main risks to national security are sabotage and espionage by states and the failure of systems, together with cyberattacks by criminals (cybercrime).

  • The Covid-19 Effect

CSAN notes that since the start of the coronavirus pandemic, several COVID-19 themed cyberattacks have been observed, using a range of tools and tactics. Cyberattacks have been carried out on hospitals, research institutes and the World Health Organisation (WHO). Not only has the healthcare sector been targeted; governments and companies have also had to deal with various attacks. The Police, the Public Prosecutor’s Office and Europol warned of the various forms of misuse, ranging from cybercriminal attacks to the distribution of disinformation. COVID-19 also lends itself to social engineering attacks.

  • Disrupting Ransomware

CSAN sets out a robust strategy for dealing with all forms of ransomware. It suggests that the most promising solution lies in structurally increasing the costs to criminals relative to the benefits they gain from ransomware attacks. It suggests that this can only be done if the Police, NCSC NL, the Public Prosecution Service, the public services, private partners and potential victims unite and stand together. These stakeholders should proactively work together and share information and insights in a targeted manner. Information sharing is the key.

  • Cloud Services and Virtualisation: Questions for Companies and Organisations

In a unique approach, CSAN directly addresses companies and organisations with key questions about digital transformation and the emerging risks. It focuses on cloud services and the cybersecurity risks associated with virtualisation. The key questions it asks are:

  1. When designing your cloud environment, did you take the failure of this infrastructure into account (design for failure)?
  2. What activities does your organisation perform in the cloud environment and how sensitive are these processes to interruption?
  3. How is the data processed in the cloud environment stored? For complex or sensitive data processing, has replication at multiple data centre locations or ‘availability zones’ been considered? Note: Replication can ensure that important data are not lost in the event of disruption at one location but remain available at another location.
  4. Do you know the basis upon which your organisation chose a public, private or hybrid cloud environment? Does this include the complex data processing and sensitive or unique data that plays a role in your organisational processes?

By asking these questions of all companies and organisations, NCTV and NCSC NL spark a debate but also place the onus on each entity to actively reduce its cyber risks and build resilience. Asking these questions of individual entities is intended to increase collective and national data security resilience.

Action Plan: Monitor the Cybersecurity Threat Landscape, Participate in Public/Private Cybersecurity Efforts and Review Annual Assessments to Influence Corporate Strategy

Companies, organisations, the public sector and investors must monitor the development of the Cybersecurity Agenda and the annual Dutch CSAN analysis. The Netherlands is vital for European data flows, global information technology and international supply chains. The role of small and medium-sized enterprises (SMEs) and their position in supply-chain cybersecurity resilience should also be constantly assessed, as this has been highlighted in the CSAN. NCSC NL has a strong reputation at home and abroad, especially working with the UK, Germany, the USA and bodies such as the European Union Agency for Cybersecurity (ENISA), Europol and NATO.

The Netherlands’ data protection approach should also be monitored in conjunction with the National Cyber Security Agenda and CSAN. This completes the information security and data governance picture. Autoriteit Persoonsgegevens (also called the Dutch DPA) is the data protection and General Data Protection Regulation (GDPR) regulator. It is relatively large, sufficiently funded, consistent and adopts an analytical risk-based approach. It leads with education, guidance and recommendations but will issue fines where it considers these appropriate. Recently, it has used its strongest penalties to respond to data breaches, data about children, health data (including Covid-19 data), intrusive new technologies and surveillance.

The Netherlands stands as a good example of a transparent, effective and active cybersecurity strategy. The agenda and strategy have been operationalised and are assessed annually. The country has championed the multidisciplinary and cross-sector approach to building resilience. Its data protection regulatory system is also stable, consistent and set to expand to respond to new technology, European co-operation, global initiatives and the intensifying cybersecurity landscape.

Adopting EU GDPR 2021 Data Protection Standard Contractual Clauses: The Insider’s Guide

Briefing

On 4 June 2021, the European Commission published its new data protection Standard Contractual Clauses (SCCs) for General Data Protection Regulation (GDPR) international data transfer compliance. These clauses replace the pre-GDPR clauses published in 2010 and 2014. The new clauses are more fully aligned with the GDPR and the Court of Justice of the European Union’s decision in the Schrems II case of 2020. The clauses came into force on 27 June 2021. From 27 September 2021, all new data protection international transfer arrangements must use the new SCCs. By the end of December 2022, all contracts that transfer the personal data of individuals based in the EU must be updated to reflect the new SCCs. This means that comprehensive data protection updating will be required across a wide range of supply chains.

Key Things to Know about the New SCCs

The key purpose of the new SCCs is to embed GDPR-compliant and legally binding contractual terms into supply chains and value chains around the world. The key definitions to understand are Data Exporters (based in the EU) and Data Importers (based outside of the EU). The SCCs are organised into four modules: (a) Controller to Controller, (b) Controller to Processor, (c) Processor to Processor and (d) Processor to Controller. Each module can be used as a stand-alone contract or the modules can be used together to form a more comprehensive agreement.

The new SCCs have a so-called docking clause, which allows Data Exporters and Data Importers to be added to the clauses over time. This allows maximum flexibility. There are clauses in the SCCs that limit and manage onward data transfers and ensure holistic data protection compliance. Another innovation is the need for Transfer Impact Assessments (TIAs), which must be performed and recorded for all personal data transfers from the EU to countries outside of the EU (third countries).

The UK is in a special position because of Brexit, its departure from the European Union. It is now a third country and so the new SCCs do not apply to it. All data transfers from the UK to third countries may still rely on the EU’s old SCCs and the additional requirement of TIAs. In the longer term, the UK will formulate its own guidance and standard clauses for international transfers.

Inside the Standard Contractual Clauses (SCCs) Project

For the largest companies and organisations, similar contract remediation projects took place in 2010, 2014 and between 2015 and 2016 after the Schrems I case invalidated EU/US Safe Harbor. Work may also have been done in the lead up to May 2018, when GDPR fully came into force. Lessons from these previous efforts can inform current and future SCC projects. However, current SCC implementation projects will be more complicated because of the detailed requirements of GDPR, more complex supply chains, modern cloud computing services, the presence of big data stores and the use of modern pseudonymisation, hashing and anonymisation techniques.

For SCC projects, here is the Insider’s Guide to effective planning and delivery:

  • The Data Strategy

Companies and organisations should adopt a clear strategy position about their data and international data flows. The new EU SCCs should not be implemented only as a “papering exercise.” The work should complement the strategy and seek savings, economies of scale and innovation. Supply chains could be simplified, international data flows trimmed and data processors audited and removed, if necessary.

  • Data Flows, Risks and Records of Processing Activities (ROPA)

Adopting the new SCCs could also allow organisations to put their global data protection compliance credentials to the test. It is an opportunity to mature Records of Processing Activities under Article 30 of the GDPR. Transfer Impact Assessments can be used to risk-assess countries, sectors and organisations as a way of identifying, managing and reducing risks. The risk-based approach should be comprehensive and cover political, economic, human rights, regulatory, international sanctions and information security risks. With this information, companies and organisations could then seek to add contractual, organisational or technical safeguards to respond to these risks.

  • The Project Plan and The Multidisciplinary Team

Effective SCC implementation requires a clear project plan and resources, including a realistic and flexible financial budget. Even more important is a multidisciplinary team including the Data Protection Office (or Data Protection Professionals), Information Security, procurement, the legal team, the service managers, and the audit and compliance teams. The combined knowledge of these teams, when well organised, can add detail and precision to the work. Service managers and procurement teams often know most about contracting partners, because of their day-to-day experience and often long-established relationships. External advisors and technology solutions may help to expand the expertise and improve benchmarking.

  • Communication, Patience and Dynamism

It is important to remember that the EU SCCs will test supply chains and the relationships between Data Exporters and Data Importers. Communication at every level within each organisation and between the contracting parties is vital. It is also important to recognise that each party may prioritise and timetable contractual changes differently. The SCC project can also become a place where other important issues are contested. These include existing contract performance issues, contractual warranties, indemnities, information security schedules, key performance indicators, insurance, price and audit rights. Patience is required, as is the ability to keep in mind the key reasons for the data sharing and data transfers. Timetables may slip, but each party should retain enthusiasm and dynamism to gain the required signatures and move to contract performance.

For assistance with EU/UK Standard Contractual Clauses Projects, Legal and Regulatory support, EU GDPR compliance, adopting data privacy certifications and Codes of Practice, contact PrivacySolved:

Telephone: +44 (0) 207 175 9771 (London)

Telephone: +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS082021

Coronavirus Covid-19 and GDPR Data Protection Privacy

Covid-19 Vaccine Passports, Work, Travel and applying GDPR Principles

Briefing

The global coronavirus pandemic has become far more than an international public health issue. The effect of Covid-19 on economic life, employment, politics, social interaction and the environment is wide-ranging and evolving. Work and travel have become the testing ground for countries and communities to prove their resilience and ability to bounce back. Vaccine passports and vaccine certificates allow vaccinated people to gain re-entry to the workplace, social spaces and travel. These certificates can appear as software applications, paper certificates, official stamps, barcodes, Quick Response (QR) codes and verifiable tokens. Technology has led the way in providing vaccine confirmation solutions, and the data collected and stored are seen as crucial to effectiveness and an evidence-based approach. The use of vaccine passports for employment and travel raises complex issues and requires full consideration of the law, public policy, public health, political priorities, human rights, economic considerations and social norms. These considerations directly impact trust, effectiveness and safety.

Focussing on the Key Data Protection Principles

The EU’s General Data Protection Regulation (GDPR) is a useful tool to analyse and balance the competing priorities of vaccine passports and certificates. As a legal and policy framework, the GDPR does not provide all the answers. A focus on Article 5 of the GDPR, however, can be used to identify the most important issues, agree priority outcomes, highlight information governance gaps, introduce ethical data use ideas and apply a risk-based approach to data collection and use. 

Much of the information in Covid-19 data systems and vaccine passport databases will be special categories of personal data, such as information about physical and mental health, sexual life, sexual orientation, race or ethnic origin, religious or philosophical beliefs, genetic data and biometric data. These systems carry out high risk data processing, which is further complicated by also using other data such as geolocation data, financial information, name, address, date of birth, workplace address and details about family members.

For Limited Purposes

An important GDPR principle is that personal data should be collected for identifiable and limited purposes. Purposes should be clearly identified at the start of data collection and followed through the life cycle of the project. Data collected for vaccine passports and Covid-19 status certificates can be attractive for a range of secondary uses, which may arise in the future. However, those collecting personal data should be cautious in sharing the information with parties that were not identified at the start of the data collection or whose uses are not compatible with the stated purposes. Vaccine passports and certificates give and confirm information about moments in time. Using this information for other purposes in the future could offer limited benefits when compared to the risks.

Lawful, Fair and Transparent

The use of personal data should be lawful, fair and transparent. The data processing involved in vaccine passports should be clearly understood by users and those who can be identified from the personal data collected. This simple principle can be neglected if the data project is rushed, the data use remains partially undefined, the system is a black-box artificial intelligence system, machine learning is used without clear limits, or ownership of the data system is divided among many parties with competing or vastly different interests. These concepts are key to a data protection by design approach. Fairness is also about the necessity and proportionality of the data collection and use, as well as whether these meet the legitimate expectations of the individuals involved.

Accuracy

Personal data used should be accurate and kept up to date. Personal data should also be as accurate as possible at collection, and high levels of data quality should be maintained. Covid-19 vaccines vary in both efficacy and effectiveness. Covid-19 status certificates, lateral-flow tests and other testing also vary in data quality. The accuracy question is about what the data says, when the data are collected and what effect the information has on both the individual and the Covid-19 data system. Accuracy changes with time and with adding or subtracting data from a data set. Accuracy also depends on who will access and read the personal data and the intended uses of the data. Accuracy is protected by both organisational methods (such as training) and technical systems.

Data Minimisation

Covid-19 data systems and vaccine passports should use the minimum personal data necessary to fulfil the stated purposes. This can be difficult, because stakeholders often wish to retain the right to re-use these personal data and so encourage data maximisation. Public health and research stakeholders can also encourage greater volumes of data collection. Data practices such as big data, machine learning and deep learning also encourage data intensification. Data minimisation is a practical principle encouraging targeted data sets, reduced data storage costs, less information to secure, improved data analytics and reduced risks associated with cyberattacks and data breaches.

Limits to Data Retention

Personal data should not be kept, used and stored for longer than necessary. This data hygiene principle is also called the storage limitation or data lifecycle principle. When planned properly, the application of this principle can help with all other GDPR principles, acting as a practical lever. Covid-19 personal data systems should develop personal data retention schedules, which lay out the data lifecycle and include data review and data deletion dates. Data retention planning also covers pseudonymisation, data masking, hashing, encryption and putting personal data beyond use. These concepts are important in helping to define data risk.

Information Security, Integrity and Confidentiality

Personal data should be collected and used in ways that ensure information security. These protections should reduce the risk of unauthorised access, unlawful use, accidental loss, destruction and damage to personal data. Covid-19 data systems and vaccine passports should be protected by risk-based and high-quality technical and organisational measures. EU GDPR regulators are also keen to ensure that organisations adopt a proactive approach to information security and actively respond to emerging threats relating to cloud data, phishing attacks, ransomware, cryptocurrency scams and social engineering attacks.

Accountability: Demonstrating Governance and Compliance

The key principle for data protection excellence is accountability. This is the ability of Covid-19 data systems and vaccine passports to demonstrate compliance with the GDPR to individuals, data controllers, data processors and all stakeholders. Accountability means following all the other principles, carrying out data flow mapping and maintaining Records of Processing Activities (ROPAs). It also means reporting data protection risks to the board or senior leadership, appointing Data Protection Officers and completing Data Protection Impact Assessments (DPIAs). For individuals identified in Covid-19 data systems, accountability includes clear GDPR notices, allowing data subject rights to be exercised and having a high-quality consent management system (where consent is being requested). Accountability is also a practical tool to build trust, engagement, effectiveness and good reputation, and to enhance the quality of Covid-19 data systems. Accountability also creates future-proofed and resilient systems and processes.

For further assistance with Covid-19 data, vaccine status verification systems and GDPR compliance, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com

PS062021

PrivacySolved Ransomware Cyberattack solutions

The Ransomware Problem: Board and Leadership Priorities

Briefing

Information security is vital for economic security, innovation and business continuity. Cybersecurity is becoming a high-impact board and senior leadership issue. Digital transformation efforts and cloud service adoption increase the reliance of business-critical functions on digital infrastructures. Malicious actors seek to exploit human and technical vulnerabilities for profit. Increasingly, data breaches and cybersecurity incidents affect all parts of organisations, their value chains and supply chains. The human element, seen in employee errors, phishing and social engineering, is a significant weak point in the fight for information security resilience. Now that boards are increasingly paying attention, their priorities, strategies and actions are crucial for sustainable impact and success. Priorities should be risk-based, context-rich, applied in a multi-disciplinary way across the organisation and based on proactive analysis.

The Increasing Problem of Ransomware

The information security landscape is changing rapidly, but key indicators and trends can be identified and monitored. The Verizon Data Breach Investigations Report 2021 reported that 85% of data breach incidents involved the human element, 36% involved phishing and 10% included ransomware (the latter is double the rate of the previous year). The median breach cost per incident is $21,659 (USD), but most organisations can expect their costs to rise to $650,000 (USD) for large incidents. The UK Cyber Security Breaches Survey 2021 found that 39% of businesses and more than a quarter of charities (26%) report having had cyber security breaches or attacks in the previous 12 months. For the organisations that have suffered breaches or attacks, around a quarter (27% of these businesses and 23% of these charities) experience these at least once a week. Phishing is the most common method for cyberattacks. Among the 39% identifying breaches or attacks, 83% had phishing attacks, 27% were impersonated and 13% had malware (including ransomware). For those who suffered breaches or attacks, 21% of businesses and 18% of charities lost money, data or other assets. Of all the organisations surveyed, 43% have cyber insurance cover in place, a rise from 32% in the previous year.

Ransomware is a form of malicious software, or malware, that prevents organisations and computer users from accessing their computer files, systems or networks, with a demand that a financial ransom is paid to restore system access or for data to be returned. Cyber attackers often demand that ransoms are paid in cryptocurrencies, which are hard to trace. Ransomware attacks can cause significant disruption to IT operations and the loss of critical business information and personal data. Ransomware is often introduced to a computer or system when a user unknowingly downloads it by opening an email attachment, clicking an advertisement, clicking on a hyperlink or visiting a website that has been deliberately infected with malware.

Ransomware can be introduced to an IT system by phishing or spear-phishing emails, which aim to appear legitimate to users who open them and click on infected hyperlinks. These emails may also enter a system as unwanted spam, in the hope that an unwitting user will click on the link. Highly targeted campaigns using social engineering aim at high-profile and senior figures in companies and organisations, in order to access the most sensitive information and have the most impact, because of the high levels of trust the senior user enjoys internally. Ransomware can also be introduced using Remote Desktop Protocol (RDP) vulnerabilities (after gaining user access credentials) and by exploiting software vulnerabilities. Malware and ransomware are pernicious and can ensnare a wide range of individuals. As a result, board awareness, continuous staff training and vigilance are crucial.

Ransomware is at the frontline of global cybercrime. Companies and organisations have been warned that these tactics can be used by rogue states and by hackers to avoid international sanctions, for money laundering, for terrorist financing, for illegal drug trafficking or for modern slavery. The effect of ransomware attacks can also be technically devastating to IT systems and to an organisation’s critical data. Services can be stopped, IT systems can be destroyed, data disclosed on the dark web, confidential information published freely online and data permanently deleted. Ransomware can be an existential threat to a company’s reputation and the future commercial viability of businesses and organisations. Several organisations and governments have adopted official policies of not paying ransom demands and not engaging with ransomware gangs. Paying ransoms does not guarantee that stolen data will be returned or that IT systems will be repaired. Of all the persistent cybersecurity threats and risks, it is ransomware that creates the most uncomfortable and unforgiving catch-22.

The Cybersecurity Insurance Puzzle

Cybersecurity insurance is important for good governance, financial resilience and business continuity. However, many businesses and organisations are under-insured against modern cybersecurity threats and risks. Some companies and organisations rely on the information security coverage in their general business insurance policies. These protections are often narrow and can be excluded when claims are made after information security incidents and cyberattacks. Some companies and organisations have specific cybersecurity insurance policies, but these can be poorly underwritten and are not future-proofed to cover modern and evolving threats and risks.

When information security claims are made, companies and organisations could find that their claim is rejected, or that the payments received do not meet the true costs of the claim. Boards and senior leaders need to realistically assess their organisations’ standing and take strategic decisions as to the optimal range of insurance coverage. Organisations should learn about the cyber insurance market for their industry and sector and balance this against their business, regulatory and financial needs. A company’s or organisation’s supply chain should also be regularly audited for information security compliance and adequate insurance cover.

Increasingly, general insurers and cyber insurers are refusing to pay the ransoms demanded by ransomware attackers. This is because these activities often contradict their corporate values, or may be illegal if the ransom is linked to terrorism, money laundering or illegal trafficking, or breaches international sanctions. These insurers also understand that paying ransoms can incentivise criminality and create greater information security risks through increasingly sophisticated cyberattacks. Paying ransoms is always very risky because it involves dealing with those involved in illegal or unethical activity. The risk-reward calculations often reveal significant risks.

Board and Leadership Priorities and Solutions

Boards and Senior Leadership should adopt a “whole organisation” and multi-disciplinary approach to resourcing and empowering their internal teams, partners and supply chains to:

i. Improve and extend cybersecurity strategies to include a cybersecurity insurance strategy as part of financial governance arrangements with Chief Financial Officers or the heads of finance in smaller organisations. This work should be done in conjunction with the Chief Information Officer, Chief Information Security (Risk) Officer or Head of Security in smaller organisations. This group of stakeholders should also include the General Counsel, the organisation’s lead lawyer or the compliance lead in smaller organisations. Human Resources leaders and external specialist advisors should also be included or consulted to strengthen internal resources.

ii. Develop internal expertise about emerging cybersecurity threats and risks. Board and leadership teams should receive summaries of specialist reports and then update their strategies to reflect the changes to the cybersecurity landscape, new business models and the cyber insurance market. This should not be treated as an IT-only issue.

iii. Include insights from work on international sanctions compliance, export controls, international cybercrime trends, anti-money laundering standards, blockchain strategy and cryptocurrency financial controls into the cybersecurity strategy and ransomware policies and procedures. This will apply most to complex global businesses and organisations.

iv. Refine and clarify the personal data breach and personally identifiable information (PII) compromise response procedures to specifically reference the nature of ransomware attacks. This will include legal duties to notify data protection and data privacy regulators, informing individuals affected, liaising with cyber insurance providers, informing enforcement authorities and the police, dealing with ransom groups and establishing a team of first responders. Compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), other national laws and sectoral laws is also vital. Fines and financial penalties for data breaches could be 2-4% of global turnover, in addition to the financial impacts of the ransomware attack.

v. Improve information classification and data management by categorising data according to its value to the company or organisation, and establish physical and logical separation of networks and data for different organisational units. For example, high value research and development or business data could be deliberately held on a separate server and network segment from the organisation’s email environment. Virtualised environments could be used to run operating systems or specific programs in isolation.

vi. Improve information security awareness and training for all levels of the company or organisation. Ransomware often targets end users and so employees should be told about the threat of ransomware, how it is delivered, ways to identify it and how to report likely malware. Training should also include key cybersecurity definitions, principles and techniques.

vii. Increase information security hygiene and resilience activities by regularly backing up data and verifying its integrity. This includes ensuring that backups are not connected to the computers and networks that they are backing up. For example, they could be physically stored offline. Backups are vital in ransomware resilience efforts: after a ransomware attack, if computer systems are infected, backups may be the best way to recover business critical data. Backups are therefore very important for recovery, business continuity and ransomware mitigation.

viii. Systematically and regularly patch operating systems, software and firmware on all devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier by using a centralised patch management system. Ensure that anti-virus and anti-malware solutions are set to update automatically and that regular scans take place. Another solution is to disable macro scripts in Office files transmitted via email. For example, Office Viewer software could be used to open Microsoft Office files transmitted via email instead of the full Office Suite applications.

ix. Set up application whitelisting so that systems only execute programs that are known and permitted by security policy. It is also useful to implement software restriction policies or other controls to prevent the execution of programs from common ransomware locations, such as the temporary folders used by popular internet browsers and by compression and decompression programs. This includes those located in the AppData or LocalAppData folders. Other solutions include applying best practices for RDP use, including auditing networks for systems using RDP, closing unused RDP ports, applying two-factor authentication where possible and logging RDP login attempts.

x. Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Least privilege should influence how access controls are configured. Requiring user interaction for end-user applications communicating with websites uncategorised by the network proxy or firewall is also helpful. For example, users could be required to type information or enter a password when their system communicates with a website that is uncategorised by the proxy or firewall.

xi. Invest in developing zero trust networks, especially in mission critical parts of IT systems. Agile project management could be used to test, review, assess and repeat trials and experiments to find the right balance between confidentiality, availability and integrity. Zero trust practices can then extend across the IT system and into critical supply chains. Introducing blockchain technology can accelerate these processes.

xii. Audit supply chains for cybersecurity risks and increase standards through clear contractual obligations, practical and accessible information security schedules, Key Performance Indicators (KPIs), robust reporting and dynamic analysis.
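As an added example for item vii above (not PrivacySolved’s own code), the following Python script builds a SHA-256 manifest of a backup set and later verifies the backup against it, reporting files that are missing, changed (what an encrypting ransomware leaves behind) or unexpectedly added. It assumes the backup is a readable directory tree and that the manifest is kept apart from the backup, for instance offline, so that malware which reaches the backup cannot also rewrite the manifest.

```python
"""Build and verify a SHA-256 manifest for a backup set.

Added example; not PrivacySolved's code. Assumes the backup is a directory
tree and that the manifest is stored separately (offline or on other media).
"""
import hashlib
import json
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash one file in 1 MiB chunks so large backups do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: str) -> dict:
    """Return {relative POSIX path: sha256} for every regular file in the tree."""
    root = Path(backup_root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root: str, manifest: dict) -> dict:
    """Compare the backup tree against a trusted manifest.

    'changed' lists files whose contents no longer match (encrypted or
    corrupted copies), 'missing' lists deleted files and 'added' lists files
    that were not part of the original backup set, such as dropped notes.
    """
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest
                          if p in current and current[p] != manifest[p]),
        "added": sorted(set(current) - set(manifest)),
    }


def save_manifest(manifest: dict, path: str) -> None:
    """Write the manifest as JSON; store this file away from the backup itself."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: str) -> dict:
    return json.loads(Path(path).read_text())
```

A backup passes verification only when all three lists returned by `verify_backup` are empty; any entry under "changed" after a suspected ransomware incident means that copy should not be trusted for recovery.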

Board and Leadership Resources

National Cyber Security Centre (UK)

An Garda Síochána (Ireland’s National Police and Security Service)

Federal Bureau of Investigation (FBI – United States)

Interpol (Global)

For assistance with Personal Data Breach Response, Ransomware, Cybersecurity Strategy, Board Awareness or Information Security Training, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS052021

Analysing UK Data Protection Adequacy: The Benefits and The Limits

Briefing

The route to the United Kingdom (UK) gaining data protection adequacy has been set out by the European Commission. UK adequacy is a declaration by the EU that the UK’s laws and systems are essentially equivalent for the purposes of data flows under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED). The UK uniquely benefits from many years of alignment with European data protection standards, including ratifying the Council of Europe’s Convention 108. The UK’s pioneering first law was the UK Data Protection Act 1984. The UK then adopted both the EU Data Protection Directive 1995 and the GDPR of 2016.

Data protection adequacy creates certainty and trust for data flows to and from the EU and UK. There are numerous benefits to data protection adequacy for business, trade, cooperation, security and law enforcement. However, because the UK has left the EU (Brexit), it now stands apart from EU developments and automatic institutional advancements. Inevitably, over time, there will be degrees of divergence, duplication of compliance activities and an evolving dynamic tension between the EU and UK regimes. Despite this, there will be an enduring, broad and deep commonality between the EU and UK data protection regimes, well into the future.

The Benefits: What UK Data Protection Adequacy Means

UK data protection adequacy creates a new status quo:

  • The UK will join Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand and Uruguay as a country with essentially equivalent data protection standards to the EU, the European Economic Area (EEA) countries and Switzerland.
  • The EU will allow the free flow of personal data from the EU to the UK. These flows will not be considered international data transfers and will not require the complex additional safeguards listed in the GDPR. The UK has already declared adequate the EU, the EEA, Switzerland and the current list of EU-adequate countries, which creates fully reciprocal personal data flows between the UK and EU.
  • Going forward, the UK will be obliged to ensure that domestic developments in data protection law and systems substantially reflect developments in the EU. This will create a degree of certainty and transparency for companies, organisations and governments.
  • In the future, the Information Commissioner’s Office (ICO), the UK’s GDPR regulator, will be more inclined to interpret and enforce the GDPR in line with EU developments. Though, the ICO must also reflect UK-led changes to the legal framework, UK GDPR interpretation and UK court decisions.
  • Companies and organisations that operate both in the UK and EU must now establish two distinct personal data breach reporting arrangements. UK personal data breaches will need to be reported in the UK, to the ICO. EU data breaches must be reported to one or more of the EU’s twenty-seven GDPR regulators. Bureaucratically, personal data breaches affecting individuals based in the UK and EU must be reported in both regions.
  • International companies and organisations can continue to blend their data protection programmes to cover all EU countries and the UK, but should specifically allow for future UK variations. This approach will encourage economies of scale, compliance cost savings, interoperability and more transparent Europe-wide data risk profiles.

Dynamic Controls

UK data protection adequacy includes several dynamic controls that supervise the EU/UK data relationship into the future. Companies and organisations should note that:

  • UK adequacy decisions are subject to review by the European Commission at four-year intervals. The decisions are re-examined periodically.
  • The validity of the UK’s adequacy decisions could be challenged in the Court of Justice of the European Union (CJEU). This court has the power to invalidate the adequacy decisions, forcing organisations to stop transferring personal data from the EU to the UK. This happened to the EU-US-Swiss Safe Harbour adequacy decision in 2015 and EU-US-Swiss Privacy Shield adequacy decision in 2020, causing much disruption, uncertainty and costs to businesses and organisations.
  • The European Commission can suspend UK adequacy decisions based on a serious violation or series of serious violations that offend the EU’s rights-based system. This is unlikely. However, a significant UK/EU disagreement about human rights, EU fundamental rights, national security and large-scale surveillance could increase the risk. A significant breakdown in the UK’s internal checks and balances that safeguard the right to personal data protection could negatively affect the stability of UK adequacy.

The Limits: What UK Data Protection Adequacy does not Mean

UK data protection adequacy does not alter several important issues and so companies and organisations should note that:

  • UK adequacy creates and maintains equivalence for data transfers from the EU to the UK. However, the UK will still need to create new international data transfer mechanisms for UK personal data flows to the rest of the world. These may be different from the EU’s system and may include UK-specific data protection standard contractual clauses. Companies and organisations in the UK and EU must now navigate two systems for international transfers.
  • Companies and organisations that have no presence in the EU but offer goods or services or monitor individuals in the EU will need to appoint an EU Data Protection Representative based in the EU, separate from any UK representative.
  • Companies and organisations that have no presence in the UK but offer goods or services or monitor individuals in the UK will need to appoint a UK Data Protection Representative based in the UK, separate from any EU representative.
  • Post Brexit, the UK is still part of the European Convention on Human Rights (ECHR), with its well-established right to privacy, family life, home and correspondence. This right is reflected in the UK’s Human Rights Act 1998. However, there is no longer a fundamental right to personal data protection in UK law as it exists in EU law. The UK is no longer a party to the EU Charter of Fundamental Rights, and its specific additional Article 8 personal data protections. As a result, data protection rights in the UK are now narrower in scope than in the EU.
  • The UK continues to have GDPR embedded into its laws. However, automatic data protection alignment is no longer legally and practically inevitable. Brexit means that the UK is no longer a part of the EU’s governing treaties, democratic institutions, internal single market, digital single market, regulators and courts. Data protection decisions and opinions from the European Commission, European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) no longer have automatic legal force on the UK.

For assistance with GDPR, EU/UK data flows and Brexit, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS022021