GDPR – a headache for Data Protection Authorities

With the General Data Protection Regulation only some days away, it’s not just companies upgrading their privacy management systems – also the Data Protection Authorities are preparing to meet their increased obligations under the new law.

More than a year ago, Prof. Dr. Alexander Roßnagel prepared an expert opinion on the additional workload caused by the GDPR for the German state DPAs (in German): http://suche.transparenz.hamburg.de/dataset/gutachten-zum-zusaetzlichen-arbeitsaufwand-fuer-die-aufsichtsbehoerden-der-laender-durch-d-2017. (in German)

He estimated that each DPA would need in addition to its current staff 12-19 lawyers, 4-5 IT experts, 2 educational and 6 administrative roles. – At the beginning fo 2017, the planned staff increase fell far short of this (49 for the federal DPA, 8 and below for the different states were planned as new positions for 2017). It’s also interesting that he didn’t list separate categories for “privacy managers” or “auditors”. http://www.heise.de/newsticker/meldung/Datenschutzgrundverordnung-bringt-Datenschutzaufsicht-an-Belastungsgrenze-3633498.html

The mechanisms for mutual cooperation between the European DPAs are new and quite complex (Art. 60 – 62), especially as communcations might take place in a variety of languages. Also the consistency mechanism (Art. 63 – 66) might turn out to be quite demanding. – In situations in which the One-Stop-Shop (OSS) approach cannot be applied, the DPAs will first have to jointly determine their respective responsibilities. It will be very interesting to see how these mechanisms will work out.

Germany/Bavaria: DPA scanning for web sites for privacy-compliant Google Analytics use

In 2012, the Bavarian DPA scanned German web sites for the privacy compliant use of Google Analytics.

The DPA checked

  • if a written processing agreement had been put in place with Google,
  • if the privacy notice on the web site was transparent on the use of Google Analytics and the users’ option to avoid being tracked
  • if the Google Analytics’ “anonymization feature” was enabled in the web site’s source code

13.404 Webseiten had been tested 2.371 companies were contacted for shortcomings.

More information (in German) on  https://www.lda.bayern.de/de/google_analytics.html

HIPAA violations: $2.5 million settlement for US Diagnostics company

First settlement involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.

Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet/index.html

Norwegian DPA blocks three smart device vendors from processing customer data

The Norwegian DPA has given Gator AS orders to discontinue all processing of personal information about its customers since they have not provided enough information in the smart bells they provide. In addition, PepCall AS and GPS for children – Smartprodukt AS have been notified of similar decisions.

Use right-click in Chrome to translate:

https://www.datatilsynet.no/aktuelt/2017/palegger-stans-i-behandlingen-av-personopplysninger-i-smartklokker/

ICO fines Carphone Warehouse

The U.K. Information Commissioner’s Office has fined Carphone Warehouse 400,000 GBP after a security vulnerability left one of its computer systems compromised in a 2015 cyberattack. In one of the ICO’s largest fines issued to date, Information Commissioner Elizabeth Denham said,

A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”

The investigation revealed attackers gained access via an outdated WordPress software login, leading Denham to call the systemic failures “rudimentary, commonplace measures.”

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/carphone-warehouse-fined-400-000-after-serious-failures-placed-customer-and-employee-data-at-risk/

UK DPA on security vulerabilities’ impacts and data controllers

In a blogpost for the U.K. Information Commissioner’s Office, Nigel Houlden, head of technology policy, wrote about the impact serious security flaws will have for data controllers.

Drawing upon Google’s Project Zero blog post detailing the security flaws posed by Meltdown and Spectre, Houlden said the ICO “strongly recommend[s] that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency.

Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”

In the post, Houlden said implementing a privacy-by-design approach would help mitigate potential attacks.

https://iconewsblog.org.uk/2018/01/05/meltdown-and-spectre/

HIPAA settlement – Fresenius pays $3.5 million USD

Quotes from linked page below


CR’s investigation revealed FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.

The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.

FMC Ak-Chin failed to implement policies and procedures to address security incidents.

FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility.

FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.

FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.

In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures.

http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/FMCNA/index.html.