Month: January 2022

https://edpb.europa.eu/system/files/2022-01/legalstudy_on_the_appropriate_safeguards_89.1.pdf

Includes detailled assessment of the additional rules per EEA state.

“The results of this study show that certain harmonisation exists among EEA States with respect to appropriate safeguards for scientific research, as required by the GDPR. However, a conundrum of various bodies of law and (ethical) guidelines regulate scientific research in specific areas, such as biobanking, health, epidemiology, social benefits, artificial intelligence and statistics. In turn, this makes the legal framework for sectoral research to remain fragmented.”

https://edpb.europa.eu/our-work-tools/our-documents/legal-study-external-provider/legal-study-government-access-data-third_en

From the conclusion:

• The present study preliminarily investigates the general situation of China, India and Russia concerning
  fundamental rights and freedoms, [..]

• In relation to China, it can be seen that the Chinese legal system does not provide sufficient safeguards
  for foreigners’ data comparable to those found in the EU. Based on insights from the analysis of the
  People’s Republic of China (PRC) Constitution it is clear that government access to personal data is not
  constrained. [..]

• In relation to India, it should be noted that the right to privacy was recognised only recently by the Indian
  Supreme Court. In close connection, also the right to personal data has received more attention.
  However, the Indian government has a track record of infringing both rights extensively. After careful
  assessment of relevant Indian legislation (Information Technology Act – IT Act, several IT Rules and
  Aadhaar Act), it may be concluded that these regulations foresee widespread exemptions for
  governmental access to personal data.[..]

• In relation to Russia, it can be concluded that Russian data protection law is a complex matter. Although
  the formal legislative framework seems comprehensive, the enforcement and the application of the
  legislation has serious drawbacks. In addition, Russia has a striking record of violating the European
  Convention of Human Rights (ECHR) related to other related rights and freedoms, such as the freedom
  of expression [..]

Article in German at de lege data:

Französische Datenschutzbehörde: Empfehlungen für die Bearbeitung von Auskunftsansprüchen nach Art. 15 DSGVO im Arbeitsverhältnis – speziell zu beruflichen E-Mails

https://www.delegedata.de/2022/01/franzoesische-datenschutzbehoerde-empfehlungen-fuer-auskunftsansprueche-nach-art-15-dsgvo-im-arbeitsverhaeltnis-speziell-zu-beruflichen-e-mails/

“Cross-border Transfer of Data under the Personal Information Protection Law of the Mainland” — Privacy Commissioner’s article contribution at Hong Kong Lawyer (December 2021)

The Personal Information Protection Law (PIPL) of the Mainland, which became effective on 1 November 2021, is the first piece of legislation dedicated to the protection of personal information in the Mainland. As the PIPL imposes requirements on the transfer of personal information from the Mainland to other jurisdictions, this article attempts to highlight the rules and the more salient requirements for businesses in Hong Kong.

https://www.pcpd.org.hk/english/news_events/speech/speeches_202112.html

https://iapp.org/resources/article/privacy-risk-study

Full report
https://iapp.org/media/pdf/resource_center/privacy_risk_study_2021.pdf

https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf
Adopted on 14 December 2021
Version 2.0

• mentions a controller internal “Handbook of Handling Personal Data Breah” (as good practice)
• internal documentation required for each and every breach (regardless of risk)

includes:

2 RANSOMWARE

2.1 CASE No. 01: Ransomware with proper backup and without exfiltration

• –

2.2 CASE No. 02: Ransomware without proper backup

• Notification to SA

2.3 CASE No. 03: Ransomware with backup and without exfiltration in a hospital

• Notification to SA, Communication to Data Subjects

2.4 CASE No. 04: Ransomware without backup and with exfiltration

• Notification to SA, Communication to Data Subjects

2.5 Organizational and technical measures for preventing / mitigating the impacts of ransomware attacks

• Patch management
• Network/system segmentation
• Backups
• Malware controls
• Network security (firewall, IDS)
• Phishing training
• Forensics (identify the type of malicious code, -> nomoreransom.org)
• Central log server
• Strong encryption and MFA (multifactor authnetication), esp. for admins, appropriate key and password management
• Vulnerability/penetration testing
• CSIRT/CERT team
• Reviews/tests/updates of risk analysis

3 Data Exfiltration ATTACKS

3.1 CASE No. 05: Exfiltration of job application data from a website

• Notification to SA, Communication to Data Subjects

3.2 CASE No. 06: Exfiltration of hashed password from a website

• –

3.3 CASE No. 07: Credential stuffing attack on a banking website

• Notification to SA, Communication to Data Subjects

3.4 Organizational and technical measures for preventing / mitigating the impacts of hacker attacks

• Strong encryption, key managemenet. Hashed/salted passwords. Prefer authentication controls without need to process passwords on server
• Patch management
• Strong authentication methods (e.g. 2FA), up-to-date password policy
• Secure Software Development standards (input validation, brute force controls). Web Application Firewalls (WAF) might help.
• Strong user privileges and access control management policy
• Network security (firewall, IDS)
• Security audits and vulnerability assessmnents
• Backup controls are reviewed and tested
• No session ID in URL in plain text

4 INTERNAL HUMAN RISK SOURCE

4.1 CASE No. 08: Exfiltration of business data by an employee

• Notification to SA

4.2 CASE No. 09: Accidental transmission of data to a trusted third party

• –

4.3 Organizational and technical measures for preventing / mitigating the impacts of internal human risk sources

• Privacy and security awareness training
• Data protection practices, procedures and systems (robust, effective, evaluated and improved)
• Access control policies
• User authentication when accessing sensitive personal data
• Revocation of user access as soon as user leaves company
• Checks for unusual dataflow between servers and clients
• Technical controls on use of portable media (USB, CD, DVD, ..)
• Access policy reviews
• Disabling open cloud services
• Preventing access to known open mail services
• Disable print screen function in OS
• Enforce clean desk policy
• Automatic locking of computers after defined time of user inactivity
• Use mechanisms (e.g. hardware tokens) for fast user switches in shared environments
• Dedicated systems for manageing personal data. – Spreadsheets and other office documents are not appropriate means to manage client data.

5 LOST OR STOLEN DEVICES AND PAPER DOCUMENTS

5.1 CASE No. 10: Stolen material storing encrypted personal data

• –

5.2 CASE No. 11: Stolen material storing non-encrypted personal data.

• Notification to SA, Communication to Data Subjects

5.3 CASE No. 12: Stolen paper files with sensitive data

• Notification to SA, Communication to Data Subjects

5.4 Organizational and technical measures for preventing / mitigating the impacts of loss or theft of devices

• Device encryption
• Use passcode/password on all devices. Encrypt all mobile devices and require complex password for decryption
• Use multi-factor authentication
• Turn on device location services for highly mobile devices
• Use MDM (Mobile Devices Management) and localization, remote wipe
• Use anti-glare filters.
• Close down unattended devices
• If possible, store personal data on central backend server – not a mobile device
• Automatic backup workfolders of mobile clients – when connected to corporate LAN, if personal data unavoidable there.
• Secure VPN
• Locks to physically secure mobile devices while unattended
• Regulate device usage inside and outside the company
• Centralised device management (incl. controls on software installations)
• Physical access controls
• Avoid storing sensitive information in mobile devices and hard drives

6 MISPOSTAL

6.1 CASE No. 13: Postal mail mistake

• –

6.2 CASE No. 14: Highly confidential personal data sent by mail by mistake

• Notification to SA, Communication to Data Subjects

6.3 CASE No. 15: Personal data sent by mail by mistake

• –

6.4 CASE No. 16: Postal mail mistake (another example)

• Notification to SA

6.5 Organizational and technical measures for preventing / mitigating the impacts of mispostal

• Setting exact standards for sending letters/emails
• User training on how to send letters/emails
• Default use of bcc: to send emails to multiple recipients
• Four-eyes principle
• Automatic addressing (rather than manual)
• Use of message delay (to allow message deletion/editing after hitting “send” button)
• Disable auto-complete when typing email addresses
• User awareness trainings on data breach causes
• Training session and manuals on data breach handling

7 Other Cases – Social Engineering

7.1 CASE No. 17: Identity theft

• Notification to SA, Communication to Data Subjects

7.2 CASE No. 18: Email exfiltration (HR related data)

• Notification to SA, Communication to Data Subjects

https://stiftungdatenschutz.org/veranstaltungen/unsere-veranstaltungen-detailansicht/datentag-datenschutz-und-kuenstliche-intelligenz-239

in German, event on “Data Protection and Artificial Intelligence (AI)” hosted by the Stiftung Datenschutz.
Video, audio and presentations

• Digitalisierung. In einer Pandemie. Im Gesundheitsamt!
  https://media.ccc.de/v/rc3-2021-cwtv-226-digitalisierung-in-ein

• Listen to Your Heart: Security and Privacy of Implantable Cardio Foo
  https://media.ccc.de/v/rc3-2021-cwtv-272-listen-to-your-heart-s

• Make it static!
  https://media.ccc.de/v/rc3-2021-cwtv-343-make-it-static

• Warum personalisierte Werbung verboten werden muss
  https://media.ccc.de/v/rc3-2021-chaosstudiohamburg-378-warum-personalisierte-werbung-verboten-werden-muss

• Kyber and Post-Quantum Crypto
  https://media.ccc.de/v/rc3-2021-cwtv-230-kyber-and-post-quantum

• Cookiebanner, das Online-Werbe-Ökosystem und Google
  https://media.ccc.de/v/rc3-2021-chaosstudiohamburg-374-cookiebanner-das-online-werbe-kosystem-und-google-preistrger-bigbrotherawards-2021

On Relive (will migrate to https://media.ccc.de/c/rc3-2021 )

• WTHealth. Beyond genome sequencing
  https://streaming.media.ccc.de/rc3/relive/376

• Cyberpunk 2022 – wo Brain-Computer-Interfaces auf Grundrechte treffen
  https://streaming.media.ccc.de/rc3/relive/369

• The Covid19-Diaries (2nd edition) – Erlebnisse aus Wissenschaft, Medizin & Aktivismus
  https://streaming.media.ccc.de/rc3/relive/388

• Kaffeefahrt ins Darknet
  https://streaming.media.ccc.de/rc3/relive/219

• Hilfe, mein Astralleib wird geimpft! Die wundersame Welt esoterischer Verschwörungserzählungen
  https://streaming.media.ccc.de/rc3/relive/399

• Build Your Own Construction Kit (Blender/LibreCAD)
  https://streaming.media.ccc.de/rc3/relive/13

• Blockchain 102
  https://streaming.media.ccc.de/rc3/relive/460

• Practical bruteforce of military grade AES-1024
  https://streaming.media.ccc.de/rc3/relive/216

• Rebuilding Landkreis Anhalt-Bitterfeld
  https://streaming.media.ccc.de/rc3/relive/295
  >

• Hacking Containers, Kubernetes and Clouds
  https://streaming.media.ccc.de/rc3/relive/247

• TPM – the explosion
  https://streaming.media.ccc.de/rc3/relive/208