PrivacySolved Ransomware Cyberattack solutions

The Ransomware Problem: Board and Leadership Priorities

Briefing

Information security is vital for economic security, innovation and business continuity. Cybersecurity is becoming a high-impact board and senior leadership issue. Digital transformation efforts and cloud service adoption increases the reliance of business-critical functions on digital infrastructures. Malicious actors seek to exploit human and technical vulnerabilities, for profit. Increasingly, data breaches and cybersecurity incidents affect all parts of organisations, their value chains and supply chains. The human element, seen in employee errors, phishing and social engineering, are significant weak points in the fight for information security resilience. Now that boards are increasingly paying attention, their priorities, strategies and actions are crucial for sustainable impact and success. Priorities should be risk based, context-rich, applied in a multi-disciplinary way across the organisation and based on proactive analysis.  

The Increasing Problem of Ransomware

The information security landscape changing rapidly, but key indicators and trends can be identified and monitored. The Verizon Data Breach Investigations Report 2021 reported that 85% of data breach incidents involved the human element, 36% involved phishing and 10% included Ransomware (the latter is double the rate of the previous year). The median breach cost per incident is $21,659 (USD), but most organisations can expect their costs to rise to $650,000 (USD) for large incidents.  The UK Cyber Security Breaches Survey 2021, found that 39% of businesses and more than a quarter of charities (26%) report having cyber security breaches or attacks in the previous 12 months. For the organisations that have suffered breaches or attacks, around a quarter (27% of these businesses and 23% of these charities) experience these at least once a week. Phishing is the most common method for cyberattacks. Among the 39% identifying breaches or attacks, 83% had phishing attacks, 27% were impersonated and 13% had malware (including ransomware).  For those who suffered breaches or attacks, 21% of businesses and 18% of charities lost money, data or other assets. Of all the organisations surveyed, 43% have cyber insurance cover in place, a rise from 32% in the previous year.

Ransomware is a form of malicious software, or malware, that prevents organisations and computer users from accessing their computer files, systems, or networks with a demand that a financial ransom is paid to restore system access or for data to be returned. Cyber attackers often demand that ransom payments are paid in cryptocurrencies, which are hard to trace. Ransomware attacks can cause significant disruption to IT operations and the loss of critical business information and personal data. Ransomware can be introduced to a computer or system by users accidentally downloading ransomware onto a computer by opening an email attachment, clicking an advertisement, clicking on a hyperlink or visiting a website that has been deliberately infected with malware.

Ransomware can be introduced to an IT system by phishing or spear phishing emails, which aim to appear legitimate to users who open and click on infected hyperlinks. These emails may also enter a system as unwanted spam, hoping that an unwitting user will unknowingly click on the link. Highly targeted campaigns, using social engineering, aim to target high profile and senior figures in companies and organisations in order to access the most sensitive information and have the most impact because of the high levels of trust the senior user enjoys internally. Ransomware can also be introduced using Remote Desktop Protocol (RDP) vulnerabilities (after gaining user access credentials) and by exploiting software vulnerabilities.  Malware and ransomware are pernicious and can ensnare a wide range of individuals. As a result, board awareness, continuous staff training and vigilance are crucial.

Ransomware is at the frontline of global cybercrime. Companies and organisations have been warned that these tactics can be used by rogue states, by hackers, to avoid international sanctions, for money laundering, for terrorist financing, for illegal drug trafficking or for modern slavery. The effect of ransomware attacks can also be technically devastating to IT systems and to an organisation’s critical data.  Services can be stopped, IT systems can be destroyed, data disclosed on the dark web, confidential information published freely online and data permanently deleted. Ransomware can be an existential threat to a company’s reputation and the future commercial viability of businesses and organisations. Several organisations and governments have adopted official policies of not paying ransom demands and not engaging with ransomware gangs. Paying ransoms do not guarantee that stolen data will be returned or that IT systems will be repaired. Of all the persistent cybersecurity threats and risks, it is ransomware that creates the most uncomfortable and unforgiving catch 22.

The Cybersecurity Insurance Puzzle

Cybersecurity insurance is important for good governance, financial resilience and business continuity.  However, many businesses and organisations are under insured against modern cybersecurity threats and risks. Some companies and organisations rely on the information security coverage in their general business insurance policies. These protections are often narrow and can be excluded when claims are made after information security incidents and cyberattacks. Some companies and organisations have specific cybersecurity insurance policies, but these can be poorly underwritten and are not future proofed to cover modern and evolving threats and risks.

When information security claims are made, companies and organisations could find that their claim is rejected, or that the payments received do not meet the true costs of the claim. Boards and senior leaders need to realistically assess their organisations’ standing and take strategic decisions as to the optimal range of insurance coverage. Organisations should learn about the cyber insurance market for their industry and sector and balance this against their business, regulatory and financial needs.  A company’s or organisation’s supply chain should also be regularly audited for information security compliance and adequate insurance cover. 

Increasingly, general insurers and cyber insurers are refusing to pay the ransoms demanded by ransomware attackers. This is because these activities often contradict their corporate values or may be illegal if the ransom is linked to terrorism, money laundering, illegal trafficking or breach international sanctions. These insurers also understand that paying ransoms can incentivize criminality and create greater information security risks due to increased sophisticated cyberattacks.  Paying ransoms is always very risky because it involves dealing with those involved in illegal or unethical activity. The risk-reward calculations often reveal significant risks.

Board and Leadership Priorities and Solutions

Boards and Senior Leadership should adopt a “whole organisation” and multi-disciplinary approach to resourcing and empowering their internal teams, partners and supply chains to:

i. Improve and extend cybersecurity strategies to include a cybersecurity insurance strategy as part of financial governance arrangements with Chief Financial Officers or the heads of finance in smaller organisations. This work should be done in conjunction with the Chief Information Officer, Chief Information Security (Risk) Officer or Head of Security in smaller organisations. This group of stakeholders should also include the General Counsel, the organisation’s lead lawyer or the compliance lead in smaller organisations. Human Resources leaders and external specialist advisors should also be included or consulted to strengthen internal resources.

ii. Develop internal expertise about emerging cybersecurity threats and risks. Board and leadership teams should receive summaries of specialist reports and then update their strategies to reflect the changes to the cybersecurity landscape, new business models and the cyber insurance market.   This should not be treated as an IT-only issue.

iii. Include insights from work on international sanctions compliance, export controls, international cybercrime trends, anti-money laundering standards, blockchain strategy and cryptocurrency financial controls into the cybersecurity strategy and ransomware policies and procedures. This will apply most to complex global businesses and organisations.  

iv. Refine and clarify the personal data breach and personal identifiable information (PII) compromise response procedures to specifically reference the nature of ransomware attacks. This will include legal duties to notify data protection and data privacy regulators, informing individuals affected, liaising with cyber insurance providers, informing enforcement authorities and the police, dealing with ransom groups and establishing a team of first responders.  Compliance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), other national laws and sectoral laws is also vital. Fines and financial penalties for data breaches could be 2-4% of global turnover, in addition to the financial impacts of the ransomware attack.

v. Improve information classification and data management by categorising data according to its value to the company or organisation and establish physical and logical separation of networks and data for different organisational units. For example, high value research and development or business data could be deliberately held on a separate server and network segment from the organisation’s email environment. Virtualised environments could be used to execute operating system environments or specific programmes.

vi. Improve information security awareness and training for all levels of the company or organisation. Ransomware often targets end users and so employees should be told about the threat of ransomware, how it is delivered, ways to identify it and how to report likely malware. Training should also include key cybersecurity definitions, principles and techniques.

vii. Increase information security hygiene and resilience activities by regularly backing up data and verifying its integrity. This includes ensuring that backups are not connected to the computers and networks that they are backing up. For example, these could be physically stored offline. Backups are vital in ransomware resilience efforts. After a ransomware attack if computer systems are infected, backups may be the best way to recover business critical data. Backups are very important for recovery, business continuity and ransomware mitigation.

viii. Systematically and regularly patch operating systems, software and firmware on all devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier by using a centralised patch management system. Ensuring that anti-virus and anti-malware solutions are set to automatically update and that regular scans take place. Another solution is to disable macro scripts from Office files transmitted via email. For example, Office Viewer software could be used to open Microsoft Office files transmitted via email instead of the full Office Suite applications.

ix. Set up application whitelisting to only allow systems to execute programs that are known and permitted by security policy. It is also useful to implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers, and compression and decompression programmes. This includes those located in the AppData or LocalAppData folder. Other solutions include applying best practices for RDP use, including auditing networks for systems using RDP, closing unused RDP ports, applying two-factor authentication where possible and logging RDP login attempts.

x. Implement the least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Least privilege should influence how access controls are configured. Requiring user interaction for end-user applications communicating with websites uncategorised by the network proxy or firewall is also helpful. For example, mandating users to type information or enter a password when their system communicates with a website that is uncategorised by the proxy or firewall.

xi. Invest in developing zero trust networks, especially in mission critical parts of IT systems. Agile project management could be used to test, review, assess and repeat trials and experiments to find the right balance between confidentiality, availability and integrity. Zero trust practices can then extend across the IT system and into critical supply chains. Introducing blockchain technology can accelerate these processes.

xii. Audit supply chains for cybersecurity risks and increase standards through clear contractual obligations, practical and accessible information security schedules, Key Performance Indicators (KPIs), robust reporting and dynamic analysis.

Board and Leadership Resources

National Cyber Security Centre (UK)

An Garda Síochána (Ireland’s National Police and Security Service)

Federal Bureau of Investigations (FBI – United States)

Interpol (Global)

For assistance with Personal Data Beach Response, Ransomware, Cybersecurity Strategy, Board Awareness or Information Security Training, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS052021

Analysing UK Data Protection Adequacy: The Benefits and The Limits

Briefing

The route to the United Kingdom (UK) gaining data protection adequacy has been set out by the European Commission. UK adequacy is a declaration by the EU that the UK’s laws and systems are essentially equivalent to cover the General Data Protection Regulation (GDPR) and the Law Enforcement Directive’s (LED) data flows. The UK uniquely benefits from many years of alignment with European data protection standards including ratifying the Council of Europe’s Convention 108. The UK’s pioneering first law was the UK Data Protection Act 1984. The UK then adopted both the EU Data Protection Directive 1995 and the GDPR of 2016.

Data protection adequacy creates certainty and trust for data flows to and from the EU and UK. There are numerous benefits to data protection adequacy for business, trade, cooperation, security and law enforcement. However, because the UK has left the EU (Brexit), it now stands apart from EU developments and automatic institutional advancements. Inevitably, over time, there will be degrees of divergence, duplication of compliance activities and an evolving dynamic tension between the EU and UK regimes. Despite this, there will be an enduring, broad and deep commonality between the EU and UK data protection regimes, well into the future.

The Benefits: What UK Data Protection Adequacy Means

UK data protection adequacy creates a new status quo:

  • The UK will join Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand and Uruguay as a country with essentially equivalent data protection standards to the EU, the European Economic Area (EEA) countries and Switzerland.
  • The EU will allow the free flow of personal data from the EU to the UK and these will not be considered international data transfers and require the complex additional safeguards listed in the GDPR. The UK has already declared adequate the EU, the EEA, Switzerland and the current list of EU-adequate countries, which creates fully reciprocal personal data flows between the UK and EU.
  • Going forward, the UK will be obliged to ensure that domestic developments in data protection law and systems substantially reflect developments in the EU. This will create a degree of certainty and transparency for companies, organisations and governments.
  • In the future, the Information Commissioner’s Office (ICO), the UK’s GDPR regulator, will be more inclined to interpret and enforce the GDPR in line with EU developments. Though, the ICO must also reflect UK-led changes to the legal framework, UK GDPR interpretation and UK court decisions.
  • Companies and organisations that operate both in the UK and EU must now establish two distinct personal data breach reporting arrangements. UK personal data breaches will need to be reported in the UK, to the ICO. EU data breaches must be reported to one or more of the EU’s twenty-seven GDPR regulators. Bureaucratically, personal data breaches affecting individuals based in the UK and EU must be reported in both regions.
  • International companies and organisation can continue to blend their data protection programmes to cover all EU countries and the UK but specifically allow for future UK variations. This approach will encourage economies of scale, compliance costs savings, interoperability and more transparent European-wide data risk profiles. 

Dynamic Controls

UK data protection adequacy includes several dynamic controls that supervise the EU/UK data relationship into the future. Companies and organisations should note that:

  • UK adequacy decisions are subject to review by the European Commission at four-year intervals. The decisions are re-examined periodically.
  • The validity of the UK’s adequacy decisions could be challenged in the Court of Justice of the European Union (CJEU). This court has the power to invalidate the adequacy decisions, forcing organisations to stop transferring personal data from the EU to the UK. This happened to the EU-US-Swiss Safe Harbour adequacy decision in 2015 and EU-US-Swiss Privacy Shield adequacy decision in 2020, causing much disruption, uncertainty and costs to businesses and organisations.
  • The European Commission can suspend UK adequacy decisions based on a serious violation or series of serious violations that offend the EU’s  rights-based system. This is unlikely. However, a significant UK/EU disagreement about human rights, EU fundamental rights, national security and large-scale surveillance could increase the risk. A significant breakdown in the UK’s internal checks and balances that safeguard the right to personal data protection could negatively affect the stability of UK adequacy.

The Limits: What UK Data Protection Adequacy does not Mean

UK data protection adequacy does not alter several important issues and so companies and organisations should note that:

  • UK adequacy creates and maintains equivalence for data transfers from the EU to the UK. However, the UK will still need to create new international data transfer mechanisms for UK personal data flows to the rest of the world. These may be different from the EU’s system and may include UK-specific data protection standard contractual clauses. Companies and organisations in the UK and EU must now navigate two systems for international transfers.
  • Companies and organisations that have no presence in the EU but offer goods or services or monitor individuals in the EU will need to appoint an EU Data Protection Representative based in the EU, separate from any UK representative.
  • Companies and organisations that have no presence in the UK but offer goods or services or monitor individuals in the UK will need to appoint a UK Data Protection Representative based in the UK, separate from any EU representative.
  • Post Brexit, the UK is still part of the European Convention on Human Rights (ECHR), with its well-established right to privacy, family life, home and correspondence. This right is reflected in the UK’s Human Rights Act 1998.  However, there is no longer a fundamental right to personal data protection in UK law as it exists in EU law. The UK is no longer a party to the EU Charter of Fundamental Rights, and its specific additional Article 8 personal data protections. As a result, data protection rights in the UK are now narrower in scope than in the EU. 
  • The UK continues to have GDPR embedded into its laws. However, automatic data protection alignment is no longer legally and practically inevitable. Brexit means that the UK is no longer a part of the EU’s governing treaties, democratic institutions, internal single market, digital single market, regulators and courts. Data protection decisions and opinions from the European Commission, European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) no longer have automatic legal force on the UK.

For assistance with GDPR, EU/UK data flows and Brexit, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS022021

Cybersecurity and Cyber Resilience in the FinTech Sector

Article

The FinTech sector was valued at €140 billion globally in 2018 and is estimated to more than double in size to €431 billion by 2022. In the EU, FinTech investments increased by nearly 300% in 2018 from the previous year, to €37 billion. The FinTech sector’s aims of transforming financial services delivery and offering innovative data-rich services makes it highly attractive for venture capital. As the sector expands, the risks of hacking, cybercrime, cybersecurity incidents, and personal data breaches increases. FinTech faces unique cybersecurity challenges but with the application of standards, tools, and strategies the sector can remain proactive and cyber resilient.

FinTech’s Unique Cybersecurity Landscape

The FinTech sector is a series of related financial technologies. The sector is, by nature, innovative and data-driven, with ever expanding boundaries. The ecosystem includes large traditional banks, financial services providers, challenger banks, and a wide range of start-ups. Key FinTech services include payments, alternative finance, smartphone-based mobile retail banking, currency exchange services, investing services, and cryptocurrencies. The edges of FinTech stretches into ‘InsurTech’ and the more multifaceted ‘RegTech’ sector. FinTech’s growth, innovative use of data, and user-focus makes it a unique target for cybercrime and cybersecurity threats.

FinTech actively uses new technologies, data analytics, Big Data, artificial intelligence, robotic process automation (RPA), blockchain, and biometrics. The sector is an evolving mix of diverse data points and a large footprint of endpoints and devices. The sector is home to various data sets, including financial transactions, payment card, credit report, geolocation, and special categories of personal and other sensitive data. As a result, it is an increasing target for cybercriminals, cybersecurity incidents, and personal data breaches. Distributed denial-of-service attacks are increasingly common. Ransomware, malware and phishing attacks are also growing.

A Mix of Rules and Regulations

In the EU, FinTech as a combined sector is not highly regulated. However, depending on the type of FinTech organisation, types of technologies deployed, or the types of data used, various laws and rules will apply data security norms. Traditional banks, challenger banks, and smartphone-based financial services providers face the most demanding cybersecurity rules. The EU’s Payment Services Directive (EU 2015/2366) (‘PSD2′) lead the way for open banking by allowing banks to make their customers’ personal or business current-account information accessible to external third-party providers. The PSD2 supercharged the growth of EU FinTech. FinTech’s are also governed by a mixture of EU banking authorities, EU financial services laws, central banks, and national financial services regulators. Organisations that are part of critical national infrastructure fall within the Directive on Security Network and Information Systems (Directive (EU) 2016/1148) (‘the NIS Directive’). Their supply chains, which can include FinTechs, are indirectly regulated by these cybersecurity standards. FinTechs that use direct marketing tools, cookies, and similar technologies must comply with the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) (‘the ePrivacy Directive’) and the related national laws in each EU country.

The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) provides overarching rules to encourage cybersecurity and data protection compliance. The GDPR’s rules on transparency, accountability, security of data processing, personal data breach notifications to regulators and individuals, Privacy by Design, Privacy by Default, Data Protection Impact Assessments (‘DPIAs’), and the appointment of data protection officers, offer FinTechs a baseline for compliance, which they must build on to reflect their specific context and risk-profile.

EU public policy has acknowledged the need to make cybersecurity the number one priority in FinTech planning. The European Commission adopted the EU FinTech Action Plan (‘the Action Plan’) in 2018 with the clear aim of placing cybersecurity and integrity at the heart of FinTech growth and development. The Action Plan encourages a security by design approach. The European Banking Authority also published a FinTech Roadmap to set out its priorities for 2018/2019. The European Union Agency for Cybersecurity (‘ENISA’), is, at the time of publication, working on an EU certification framework for ICT security products and services, increasing access to threat intelligence and information sharing, encouraging penetration and resilience testing, as well as increasing cybersecurity training and awareness. In 2019, the European Supervisory Authorities published advice to the European Commission on the strengthening of EU cyber and IT security regulation in the financial sector. A key recommendation was to develop an EU oversight framework for third party providers active in financial services, especially cloud service providers. Another recommendation was to develop an EU-wide framework for testing the cyber resilience of important financial institutions. Globally, at an intergovernmental level, the G7, the G20, the Organisation for Economic Co-operation and Development, the International Monetary Fund, and the World Bank are also working on FinTech cybersecurity and information security for financial services.

FinTech Cybersecurity and Cyber Resilience Standards and Tools

Security by design (and security engineering) should underpin FinTech infrastructure, services, software, and applications, so that security is built-in by default, allowing a secure environment at the core and the endpoints.

International Information Security Standards, such as ISO 27001, allow FinTechs to create and manage high quality information systems. However, newer standards, such as ISO 27032:2012 for improving the state of cybersecurity and ISO 27701:2019 for extending privacy information management system standards, can be used to mature the level of compliance. FinTechs should also seek to apply the Payment Card Industry Data Security Standard, if applicable, the National Institute on Information Standards and Technology (‘NIST’) Cybersecurity Framework, financial services IT standards, and other sectors norms in the countries in which the FinTech operates.

A zero-trust approach and continuous testing allow FinTechs to significantly fortify their networks, endpoints, and level of resilience. Zero-trust architecture and zero-trust networks are based on the principle that actors, systems, or services operating from within the security perimeter should not be automatically trusted, but must be verified to initiate access and continue access to IT services.

DPIAs allow FinTechs to better understand their personal data use and demonstrate GDPR compliance. DPIAs focus on high-risk data processing and enable risk identification, remediation, risk acceptance, risk reduction, and risk management. At the system design stage, DPIAs can help FinTechs to identify and adopt Privacy by Design.

Supply chain cybersecurity compliance, strength, and resilience are vital for business continuity and disaster recovery. FinTechs should build-in IT flexibility and backup options, especially for cloud services. Supply chain partners must be held to high standards of cybersecurity compliance. They should also display cybersecurity agility and responsiveness to react to threats, risks, near-misses, and breaches.

Proactive Cyber Resilience

The language of cybersecurity can often appear binary and prosaic to developers, FinTech founders, senior leaders, and boards. Cybersecurity is often presented as a problem to be fixed to allow growth and profits to take place uninterrupted. In truth, cybersecurity is fluid, it is an enabler, and an adept partner to FinTech’s most ingenious innovations. In today’s complex global supply chains, with its aggressive and evolving threat landscape, cybersecurity must be aligned with proactive cyber resilience.

NIST defines cyber resilience as ‘the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.’ Proactive cyber resilience is a more suitable and beneficial aim, allowing organisations to promote a broader application of cybersecurity to include disaster recovery, business continuity, intelligent cyber insurance, and supply chain strength and flexibility. FinTech’s dynamism, complexity, and expanding boundaries require security engineering and cybersecurity to be core competences within the sector’s ecosystem and where the watchword is always resilience.

For Enquiries:

contact@privacysolved.com

London: +44 207 175 9771 \ Dublin: +353 1 960 9370

www.privacysolved.com

Also published by DataGuidance

Automated Decisions, Algorithms, Profiling and AI: EU Data Protection Lessons

Article

Companies and organisations should ensure that their data protection compliance is not reduced to a set of policies and procedures, quarterly reports and annual reviews. Data protection outcomes should not be synonymous with the introduction of enterprise privacy software, compliance team updates of controls or data privacy as intractable legal and IT add-ons to be overcome. Effective data protection should be dynamic and integral to day to day activities, in the way that workplace health and safety, financial probity and corporate good conduct flows through organisations, affecting almost every decision. Data protection should not play catch-up to digital transformation initiatives, IT strategy changes, research and development priorities or expansions of the supply chain. Data protection principles should be applied consciously to strengthen an organisation’s core DNA and operating model. As a result, whenever personal data are collected, stored or used, data protection should become a byword for responsible data management, excellent data ethics, protecting individual personal data, accountability, security, resilience, profitability, trust and innovation.

Data Protection by Design and by Default

In the same way that financial transparency, environmental impacts and board accountability are key measures for listed companies, data protection should be designed into an organisation’s way of doing business, so that it becomes second nature. The EU’s General Data Protection Regulation (GDPR) has increased the prominence and status of Data Protection by Design, Security by Design and Privacy by Design (PbD) practices. The data protection principles of transparency, accountability and data minimisation are crucial. Data Protection Impact Assessment (DPIA) is a practical tool to practice high level data governance, demonstrate compliance and add vital data intelligence to an organisation’s knowledge base. Data Protection should  be operationalised, at the beginning of decision-making processes and information life cycles to maximise the planned outcomes.  Poor data governance should be considered as problematic as poor workplace health and safety, poorly trained staff and financial mismanagement.

Automated Decisions

Automated decisions are assessments, judgements, results and outcomes made by computers without human intervention. These decisions are often made by computer calculations and the outcomes are not checked or verified by humans. These results can have serious economic, financial, political and social implications for individuals. Companies and organisations may carry out automated decisions without full awareness or assessment of its impact or that specific data protection rules apply. The outsourcing of Human Resources functions and other business processes have redirected some automated decisions away from organisations’ direct internal management structures, creating greater risks. However, legal responsibilities and liabilities remain with the organisation that act as the personal data controller.  Automated decisions can be based on assumptions about a person’s skills, decisions, actions, intentions or characteristics. Assumptions can be wrong, out of date or incomplete and cause discrimination, financial loss, loss of opportunity, distress or other damage.  Companies and organisations should be transparent about assumptions made by automated decisions and apply internal quality checks, testing and outcome verification. Individuals affected should also be provided with a way to intervene into the decision-making processes, request human involvement, express their views or question the outcome. 

Algorithms and Strategy

An algorithm is a sequence of defined, computer-implementable instructions, used to solve a type of problem or to perform a computation. Algorithms are present where computers operate. As a result of the exponential growth of computing power, the enormous increase of data and the rise of artificial intelligence, the role of algorithms has become more prominent in everyday business and how organisations operate. As a result, companies and organisations should ensure that they have a clear strategy for the use of algorithms that affect individuals. The strategy should sit with overall business strategies for growth, efficiency, profits and innovation. All strategic outcomes should be quality tested against how they protect individual’s personal data, promote information security (and cybersecurity), encourage data transparency, create data accountability and data fairness (quality and data minimisation).

Profiling

The rise of information technology, online transactions, social media and internet usage around the world have created an explosion of profiling. Companies and organisations may carry out profiling without full awareness or assessment of its impact or that specific data protection rules apply to the practice. Profiling is the use of mathematical formulas, computations or algorithms to categorize individuals into one or more classes or groups. Profiling can also be used to evaluate individual characteristics such as performance at work, economic standing, health, personal preferences, interests, reliability (skill or competence), behaviour, location, movement, intention or priorities. The most intrusive elements of profiling can be the ability to infer information from data and the ability to predict an individual’s future choices or actions. Inferences and predictions can be wrong, biased, incomplete and based on irrelevant data, yet have a substantial effect on individuals, including discrimination, financial loss, loss of opportunities, distress or other damage.  Companies and organisations must be transparent about their use of profiling, have internal quality checks, practice data minimisation and verification. Individuals affected must be able to seek information about their profiles and question the decisions made about them.

The GDPR has one of the most sophisticated regulatory frameworks to deal with profiling and automated decision making. In most cases, automated decision making is categorised as profiling. EU policy makers anticipated the growth of profiling by ensuring that all foreign companies (with or without an EU presence), that profile EU citizens’ behaviour in the EU, fall within the scope of GDPR, even where the profiling operations take place outside the EU. This may not be well understood and may often be ignored by organisations. As well as compliance with the GDPR’s main principles and provisions, profiling should always be accompanied by Data Protection Impact Assessments (DPIAs). These DPIAs must also comply with the requirements of the relevant EU member states’ data protection regulator and local laws. Consulting with the individuals affected and with the data protection regulator could also be required, based on the nature of the profiling.  The Data Protection Officer should support and drive the process of producing high quality DPIAs that are well written, honest, easy to understand, effectively reviewed and updated.

Artificial Intelligence

Artificial Intelligence (AI) is the ability for computer systems or computer-controlled robots to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, translation between languages, performing manual tasks, interactions with other computers and interactions with humans. AI is big business and is set to transform the global economy, work, home, education, healthcare and security. The global artificial intelligence market size is expected to reach $390.9 billion US dollars by 2025, according to a report by Grand View Research, Inc. The market is anticipated to expand at a Compound Annual Growth Rate (CAGR) of 46.2% from 2019 to 2025. Companies and organisations should ensure that in building AI systems that algorithms are tested, reviewed and outputs verified. Data sources should be quality checked to remove incomplete data, bias and out of date information. Assumptions and inferences should be robustly tested. These steps are data hygiene and reflect similar GDPR requirements. However, GDPR compliance and relevant data protection and privacy laws should be specifically incorporated into AI data life cycles.

Companies and organisations should ensure that AI is explainable so that individuals affected can increase their understanding and trust can be built. This requirement maps across to the GDPR’s principles of fairness, lawfulness, transparency, purpose limitation, accuracy, integrity, confidentiality and accountability. Frameworks have been published to help organisations manage and explain AI to improve accountability. The European Union High-Level Expert Group on AI has published Ethics Guidelines for Trustworthy Artificial Intelligence. The United States National Institute of Standards and Technology (NIST) has published Four Principles for Explainable Artificial Intelligence. The UK’s data protection regulator, the Information Commissioner’s Office and the Alan Turing Institute, have published joint guidance on Explaining Decisions Made with AI.

Data Protection Lessons

Data Protection maturity can improve companies and organisations key strategic goals of profitability, growth, efficiency, trust, innovation and resilience. Organisations that attempt to grow without robust data protection find that several of their key strategic goals remain uncertain. Their longevity can be at risk because users, customers and supply chain trust are low. Their efficiency and growth are precarious because at any time, a data protection regulator, markets regulator, privacy activists, civil society groups, governments and individuals could start campaigns against their poor data protection practices. Fines, bad publicity, internal staff protests, political interjections and whistleblowers can create a state of inherent instability. Excellence in data protection and data protection by design should be positive and proactive advancements rather than reactive responses. For the future, agility and trust will be important economic drivers. Organisations that understand their data and personal data, explain their data uses, imbed data protection by design and engage with stakeholders about data governance issues will thrive, remain resilient and fulfil their key strategic objectives.

PS082020

Schrems II: Rethinking Privacy Shield & Standard Contractual Clauses

Briefing

On 16 July 2020, the European Union’s highest court, the Court of Justice of the European Union (CJEU) delivered the much anticipated decision in the Max Schrems Case (Schrems 2). The court was asked by Ireland’s High Court to decide on key mechanisms for international transfers of personal data from the EU to the United States. The underlying cases arose out of Austrian privacy activist Max Schrems’ complaint against Facebook and Ireland’s Data Protection Commission over interpretation of key data protection provisions. Max Schrems objected to US surveillance of foreign nationals which conflicted with the General Data Protection Regulation (GDPR). The court decided that US surveillance laws and practices stand in opposition to the GDPR’s fundamental human rights protection of EU citizens. As a result, personal data transfers are non-compliant to EU law and need special attention, assessment, reviews and additional safeguards to make these compliant. The case has been called constitutional and cannot be appealed.

Privacy Shield

The Court of Justice of the European Union found that the EU/US Privacy Shield data protection adequacy decision agreed in 2016 is invalid. Personal data transfers based on this mechanism must cease.  EU citizens have no real judicial remedy or equivalent protections in the US under Privacy Shield. The Swiss/US Privacy Shield remains in force but the Swiss Data Protection Authority is reviewing its position. Privacy Shield continues to operate internally in the USA based on federal enforcement mechanisms, US laws and the role of domestic regulators.

Standard Contractual Clauses (SCCs)

The European Commission’s Data Protection Standard Contractual Clauses remain lawful and enforceable. However, the court has insisted that Data Exporters (in the EU) and Data Importers (in foreign countries) must carry out more detailed checks to ensure that foreign laws and data governance rules are compatible with GDPR. Data Importers must inform Data Exporters if they are unable to comply with EU data protection law. Data Exporters must refuse to transfer personal data where specific personal data transfers are incompatible. EU Data Protection Authorities are also encouraged to intervene and review Standard Contractual Clauses and be prepared to withhold or withdraw authorisations for international personal data transfers. On 4 June 2021, the European Commission published its final updated Standard Contractual Clauses that comply with GDPR and the Schrems 2 case.

Responses and Actions

  1. Companies and organisations should assess their exposure to Privacy Shield, work towards stopping these personal data transfers and investigate substitute arrangements. There is no grace period for compliance.
  2. Wait for and act on concrete guidance from each relevant EU Member State’s Data Protection Authority, the European Data Protection Board (EDPB) and the European Commission.
  3. Wait for the European Commission’s new GDPR-approved Standard Contractual Clauses (June 2021) and implement these by December 2022.
  4. Begin to review high value and high risk contracts that contain Standard Contractual Clauses (SCCs) that allow transfers to the USA.
  5. Review Binding Corporate Rules (BCRs) to see if personal data transfer protections from the EU to the USA need to be strengthened or varied.

Resources

EU / US and Swiss / US Privacy Shield Home Page

Schrems II Case Press Release

Schrems II Case Full Judgment

Schrems II European Data Protection Board (EDPB) Frequently Asked Questions

Schrems II US Federal Trade Commission (FTC) Statement

Schrems II US Secretary of Commerce Statement

Schrems II Joint Statement from European Commission and US Department of Commerce

Schrems II Ireland Data Protection Commission (DPC) First Statement

Schrems II UK Data Protection Commissioner’s Office (ICO) First Statement and Updated Statement

Schrems II European Data Protection Board (EDPB) Taskforce on Post-Schrems II Complaints

Schrems II US Department of Commerce, US Justice Department & US Office of the Director of National Intelligence White Paper on US Privacy Safeguards for SCCs and other Legal Bases

Schrems II European Data Protection Supervisor (EDPS) Strategy for EU Institutions to comply with Schrems 2 Ruling

Schrems II European Data Protection Board (EDPB) Supplementary Measures for data transfer tools to ensure GDPR compliance – Consultation

Schrems II European Commission Standard Contractual Clauses (SCCs) 2020 – Consultation  

Schrems II European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) Joint Opinion 2/2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries

European Commission Final Standard Contractual Clauses (SCCs) for Data Controllers and Data Processors and also International Data Transfers – June 2021

For Further Assistance, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com