Norwegian DPA blocks three smart device vendors from processing customer data

The Norwegian DPA has given Gator AS orders to discontinue all processing of personal information about its customers since they have not provided enough information in the smart bells they provide. In addition, PepCall AS and GPS for children – Smartprodukt AS have been notified of similar decisions.

Use right-click in Chrome to translate:

https://www.datatilsynet.no/aktuelt/2017/palegger-stans-i-behandlingen-av-personopplysninger-i-smartklokker/

ICO fines Carphone Warehouse

The U.K. Information Commissioner’s Office has fined Carphone Warehouse 400,000 GBP after a security vulnerability left one of its computer systems compromised in a 2015 cyberattack. In one of the ICO’s largest fines issued to date, Information Commissioner Elizabeth Denham said,

A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.”

The investigation revealed attackers gained access via an outdated WordPress software login, leading Denham to call the systemic failures “rudimentary, commonplace measures.”

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/01/carphone-warehouse-fined-400-000-after-serious-failures-placed-customer-and-employee-data-at-risk/

UK DPA on security vulerabilities’ impacts and data controllers

In a blogpost for the U.K. Information Commissioner’s Office, Nigel Houlden, head of technology policy, wrote about the impact serious security flaws will have for data controllers.

Drawing upon Google’s Project Zero blog post detailing the security flaws posed by Meltdown and Spectre, Houlden said the ICO “strongly recommend[s] that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency.

Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”

In the post, Houlden said implementing a privacy-by-design approach would help mitigate potential attacks.

https://iconewsblog.org.uk/2018/01/05/meltdown-and-spectre/