<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Fines &#8211; GDPR Register | Compliance tool for privacy experts</title>
	<atom:link href="https://www.gdprregister.eu/news-category/fines/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.gdprregister.eu</link>
	<description>GDPR Register ✅- Cost-effective solution for complying with the GDPR. Regulator Ready reporting available in all EU languages. Sign up for 14-day trial!</description>
	<lastBuildDate>Mon, 14 Dec 2020 10:11:37 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.2.3</generator>

<image>
	<url>https://www.gdprregister.eu/wp-content/uploads/2018/04/favicon-96x96.png</url>
	<title>Fines &#8211; GDPR Register | Compliance tool for privacy experts</title>
	<link>https://www.gdprregister.eu</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Irish Data Protection Commission to announce Twitter fine on December 17th</title>
		<link>https://www.gdprregister.eu/news/twitter-fine-ireland/</link>
				<comments>https://www.gdprregister.eu/news/twitter-fine-ireland/#respond</comments>
				<pubDate>Mon, 14 Dec 2020 10:11:37 +0000</pubDate>
		<dc:creator><![CDATA[Aleksander Uibo]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=11156</guid>
				<description><![CDATA[<p>Commissioner Helen Dixon will have an active week with her office’s first potential big tech fine under GDPR and a showdown against Facebook in the High Court. Ireland’s data protection regulator is set to announce this week whether Twitter will receive a hefty fine for making some users’ private tweets public. The result of its [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/twitter-fine-ireland/">Irish Data Protection Commission to announce Twitter fine on December 17th</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<h1>Commissioner Helen Dixon will have an active week with her office’s first potential big tech fine under GDPR and a showdown against Facebook in the High Court.</h1>
<p><a href="https://www.dataprotection.ie/">Ireland’s data protection regulator</a> is set to announce this week whether Twitter will receive a hefty fine for making some users’ private tweets public.</p>
<p>The result of its investigation into the data breach, which happened two years ago, is to be unveiled by Wednesday, December 17th at the latest.</p>
<p>It comes a week after Facebook said that it has put aside €302m for potential regulatory fines in Europe, arising mostly from investigations by Helen Dixon’s office.</p>
<p>Under <a href="https://www.gdprregister.eu/gdpr/gdpr-fines/">GDPR rules</a>, European data regulators can fine companies up to 4% of their annual turnover which, for large tech firms, extends to billions of euros.</p>
<p>However, experts say it is unlikely that this Twitter decision will result in a massive fine, given its nature and the company&#8217;s voluntary admission of its fault.</p>
<p>Nevertheless, if a fine is announced, it will be the first from the Irish regulator against a big tech company under European GDPR rules.</p>
<p>The Irish Commissioner, Helen Dixon, is Twitter’s lead supervisory authority in the EU. Her office circulated a draft decision to other European data protection authorities in May, but some countries weren’t happy with it. The issue was referred as a “dispute resolution procedure” to the European Data Protection Board. On November 10th, that body said it had made its own determination and that the Irish DPC had a month to finalise and announce the decision.</p>
<p>The move comes ahead of the DPC’s legal showdown against Facebook in the High Court next week. In August, the social media giant took judicial review proceedings against the regulator. Facebook is hoping to quash both an inquiry and a preliminary decision from Helen Dixon’s office on the issue of personal data transfers from the EU to the US. The preliminary decision would put a halt to Facebook’s transfers of the personal data of millions of EU users to the US.</p>
<p>Source: <a href="https://www.independent.ie/news/dpc-to-announce-twitter-fine-as-facebook-high-court-data-case-looms-39858253.html">Independent.ie</a></p>
<p>Photo by Brett Jordan on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/twitter-fine-ireland/">Irish Data Protection Commission to announce Twitter fine on December 17th</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/twitter-fine-ireland/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility</title>
		<link>https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/</link>
				<comments>https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/#respond</comments>
				<pubDate>Thu, 05 Nov 2020 08:44:12 +0000</pubDate>
		<dc:creator><![CDATA[Aleksander Uibo]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=10954</guid>
				<description><![CDATA[<p>Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility The Data Protection Commission (DPC) has handed down a €65,000 fine to Cork University Maternity Hospital (CUMH) after the personal data of 78 of its patients was discovered disposed of in a public recycling facility elsewhere in the county. The complaint was [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/">Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<h1>Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility</h1>
<p dir="ltr">The Data Protection Commission (DPC) has handed down a €65,000 fine to Cork University Maternity Hospital (CUMH) after the personal data of 78 of its patients was discovered disposed of in a public recycling facility elsewhere in the county.</p>
<p dir="ltr">The complaint was first raised with the DPC in June 2019 after a member of the public, who had discovered the documents, brought the matter to the HSE’s attention.</p>
<p dir="ltr">The executive then reported the data breach to the DPC.</p>
<p dir="ltr">The breach, an infraction of the hospital’s responsibilities under the EU’s General Data Protection Regulation (GDPR), is understood to have involved a large number of documents containing the personal data of 78 people and the special category personal data of six of them.</p>
<p dir="ltr">Special category data under GDPR is information of a particularly sensitive nature, the exposure of which could be expected to significantly impact the rights and freedoms of data subjects or could potentially be used against them in a discriminatory fashion.</p>
<p dir="ltr">It includes information regarding individuals’ race or ethnicity, religious beliefs, political opinions, biometric (identifiable) data, sexual orientation, and health data.</p>
<p dir="ltr">The breach at CUMH is believed to have comprised sensitive health data of patients, including medical histories and future planned programmes of care.</p>
<p dir="ltr">In its decision, handed down on August 18, the DPC said that the HSE had infringed Articles 5 and 32 of the GDPR by failing to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its use and disposal of hardcopy documents containing patients’ personal data”.</p>
<p dir="ltr">It is unknown whether or not any individual or individuals were held accountable for the breach, or how the documents came to be disposed of in the manner in which they were.</p>
<p dir="ltr">Regardless of what individual disposed of the documents, the hospital, as data controller, would have been deemed responsible.</p>
<p dir="ltr">The DPC said it had applied an administrative fine of €65,000 on the HSE for its infringements. The ruling has not been appealed.</p>
<p dir="ltr">“Cork University Maternity Hospital accepts the findings of the report of the Data Protection Commission in full and is working to implement all recommendations in the report,” said a spokesperson for the hospital.</p>
<p dir="ltr">They said that all patients affected by the breach had been notified of it.</p>
<p dir="ltr">“The HSE takes all breaches of data protection seriously and all such cases are fully investigated to establish how they occurred and preventative measures are put in place to reduce the risk of such breaches happening again,” they said.</p>
<p dir="ltr">“This is in addition to a comprehensive training and development programme for staff in GDPR as well as a range of policies and procedures designed to protect personal data.”</p>
<p dir="ltr">The DPC also ordered the HSE to bring its systems for <a href="https://www.gdprregister.eu/gdpr/processing-activities-records/">processing</a> and disposing of patients’ information “into compliance” with GDPR standards and issued the executive with a formal reprimand regarding same.</p>
<p dir="ltr">The decision is just the fifth fine handed down by the DPC since GDPR came into force in May 2018. The other four were delivered to child and family agency Tusla.</p>
<p>Source: <a href="https://www.irishexaminer.com/news/arid-40075673.html">Irish Examiner</a></p>
<p>Photo by Steve Johnson on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/">Cork hospital fined €65k after patients&#8217; personal data found in public recycling facility</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/cork-hospita-fine-for-incorrect-disposal-of-personal-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure</title>
		<link>https://www.gdprregister.eu/news/ico-fine-marriot/</link>
				<comments>https://www.gdprregister.eu/news/ico-fine-marriot/#respond</comments>
				<pubDate>Mon, 02 Nov 2020 09:24:33 +0000</pubDate>
		<dc:creator><![CDATA[Aleksander Uibo]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=10926</guid>
				<description><![CDATA[<p>The ICO has fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure. Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/ico-fine-marriot/">ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<h1>The ICO has <a title="Marriott International Inc" href="https://ico.org.uk/action-weve-taken/enforcement/marriott-international-inc/" data-id="44220">fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure</a>.</h1>
<p>Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.</p>
<p>The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number.</p>
<p>The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.</p>
<p>The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).</p>
<p>Information Commissioner, Elizabeth Denham, said:</p>
<blockquote><p>“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.</p>
<p>“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”</p></blockquote>
<p>The ICO’s investigation traced the cyber-attack back to 2014, but the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.</p>
<p>Because the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other <a href="https://www.gdprregister.eu/gdpr/dpa-gdpr/">EU DPAs</a> through the GDPR’s cooperation process.</p>
<p>In July 2019, the ICO issued Marriott with a notice of intent to fine. As part of the regulatory process, the ICO considered representations from Marriott, the steps Marriott took to mitigate the effects of the incident and the economic impact of COVID-19 on their business before setting a final penalty.</p>
<h3>Details of the cyber attack</h3>
<p>In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely.</p>
<p>This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access.</p>
<p>Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.</p>
<p>The ICO acknowledges that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers, and has since instigated a number of measures to improve the security of its systems.</p>
<p>Source: ICO</p>
<p>Photo by ActionVance on Unsplash</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/ico-fine-marriot/">ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/ico-fine-marriot/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>ICO fines British Airways £20m for data breach affecting more than 400,000 customers</title>
		<link>https://www.gdprregister.eu/news/british-airways-fine/</link>
				<comments>https://www.gdprregister.eu/news/british-airways-fine/#respond</comments>
				<pubDate>Fri, 16 Oct 2020 11:14:12 +0000</pubDate>
		<dc:creator><![CDATA[Aleksander Uibo]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=10782</guid>
				<description><![CDATA[<p>The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers. An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/british-airways-fine/">ICO fines British Airways £20m for data breach affecting more than 400,000 customers</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<h1>The Information Commissioner’s Office (ICO) has <a href="https://ico.org.uk/action-weve-taken/enforcement/british-airways/" title="British Airways" data-id="44044">fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers</a>.</h1>
<p>An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.</p>
<p>ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.</p>
<p>Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.</p>
<p>Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.</p>
<p>“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.</p>
<p>“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”</p>
<p>Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.</p>
<p>In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.</p>
<h3>Details of the cyber attack</h3>
<p>The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.</p>
<p>Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.</p>
<p>Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.</p>
<h3>Failure to prevent the attack</h3>
<p>There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:</p>
<ul>
<li>limiting access to applications, data and tools to only those which are required to fulfil a user’s role;</li>
<li>undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;</li>
<li>protecting employee and third party accounts with multi-factor authentication.</li>
</ul>
<p>Additional mitigating measures BA could have used are <a href="https://ico.org.uk/action-weve-taken/enforcement/british-airways/" title="British Airways" data-id="44044">listed in the penalty notice</a>.</p>
<p>None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.</p>
<p>Since the attack, BA has made considerable improvements to its IT security.</p>
<h3>Lack of awareness of the attack</h3>
<p>ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.</p>
<p>It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.</p>
<p>Original article: <a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers/">ICO</a></p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/british-airways-fine/">ICO fines British Airways £20m for data breach affecting more than 400,000 customers</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/british-airways-fine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>Morgan Stanley Fined $60 Million for Data Protection Mishaps</title>
		<link>https://www.gdprregister.eu/news/morgan-sanley-fined/</link>
				<comments>https://www.gdprregister.eu/news/morgan-sanley-fined/#respond</comments>
				<pubDate>Wed, 14 Oct 2020 08:21:15 +0000</pubDate>
		<dc:creator><![CDATA[Aleksander Uibo]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=10735</guid>
				<description><![CDATA[<p>The Office of the Comptroller of the Currency has fined Morgan Stanley $60 million for the investment bank&#8217;s failure to properly oversee the decommissioning of several data centers, putting customer data at risk of exposure. When Morgan Stanley decommissioned two data centers related to the bank&#8217;s wealth management business in 2016, the company did not properly oversee [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/morgan-sanley-fined/">Morgan Stanley Fined $60 Million for Data Protection Mishaps</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<h1>The <a target="_blank" href="https://www.occ.gov/static/enforcement-actions/ea2020-058.pdf" rel="noopener noreferrer">Office of the Comptroller of the Currency</a> has fined Morgan Stanley $60 million for the investment bank&#8217;s failure to properly oversee the decommissioning of several data centers, putting customer data at risk of exposure.</h1>
<p>When <a href="https://www.morganstanley.com/">Morgan Stanley</a> decommissioned two data centers related to the bank&#8217;s wealth management business in 2016, the company did not properly oversee the third-party company responsible for ensuring that all personal data was removed, according to the OCC, which is part of the U.S. Treasury Department.</p>
<p>&#8220;In connection with the decommissioning, the bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware, failed to adequately assess the risk of using third-party vendors, including subcontractors, and failed to maintain an appropriate inventory of customer data stored on the devices,&#8221; according to an OCC report.</p>
<p>OCC also says Morgan Stanley neglected to exercise proper oversight while retiring certain network devices, such as computer servers, at a local branch in 2019.</p>
<p>A spokesperson for Morgan Stanley says that the company does not believe that any customer data has ever been accessed or misused, and the bank continues to monitor the situation.</p>
<p>&#8220;Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients&#8217; information,&#8221; the spokesperson says.</p>
<h2>Lawsuit Filed as Well</h2>
<p>The OCC fine comes about a month after attorneys representing Morgan Stanley customers filed a lawsuit against the bank, claiming it failed to properly safeguard personally identifiable information when the company discarded equipment (see: <a href="https://www.bankinfosecurity.com/morgan-stanley-hit-5-million-data-breach-suit-a-14927"><i>Morgan Stanley Hit With $5 Million Data Breach Suit</i></a>).</p>
<p>Morgan Stanley confirmed these incidents in data breach notification letters sent to the <a target="_blank" href="https://oag.ca.gov/system/files/MS%20-%20Template%20CA%20Consumer%20Notice.pdf" rel="noopener noreferrer">California attorney general</a> and other states&#8217; attorneys general in July. The letter notes the data exposed may have included account names and numbers (at Morgan Stanley and any linked bank accounts), Social Security number, passport number, contact information, date of birth, asset value and holdings data. It says it offered victims two years of prepaid credit monitoring services.</p>
<p>The lawsuit involves complaints from about 100 Morgan Stanley customers who claim they were affected by the company&#8217;s practices.</p>
<h2>Protecting Data</h2>
<p>One reason why the OCC likely fined Morgan Stanley is that the bank failed to properly assess the data it was protecting, says Mark Rasch, an attorney with the law firm of Kohrman, Jackson &amp; Krantz, who is not involved in the case.</p>
<p>&#8220;The entities that are the custodians of the data don&#8217;t understand the value of the data they are protecting. If this were a bank vault, they would understand,&#8221; Rasch tells Information Security Media Group.</p>
<p>Morgan Stanley may not have had a complete checklist in place to help ensure it properly disposed of decommissioned computers, Rasch says.</p>
<p>Richard Santalesa, a technology and data privacy attorney at SmartEdgeLaw Group, a boutique law firm with offices in New York and Connecticut, notes that the size of the fine likely reflects that these similar incidents happened only three years apart and that the OCC wanted to make a point about how large financial institutions need to oversee personally identifiable information, even when it&#8217;s left to third parties to handle.</p>
<p>&#8220;I&#8217;m sure this latest action has made the desks of every CISO and <a href="https://www.gdprregister.eu/gdpr/data-protection-officer/">chief privacy officer</a> in the financial ecosphere,&#8221; Santalesa says. &#8220;I know that if I were sitting in that C-seat, I&#8217;d immediately add a &#8216;data destruction/deletion review&#8217; agenda item to my next department meeting.&#8221;</p>
<h2>Other Recent OCC Action</h2>
<p>The fine that the OCC levied against Morgan Stanley is the second the agency has brought against a major financial institution following a cyber incident.</p>
<p>In August, the OCC fined Capital One $80 million, citing numerous security shortfalls before the 2019 data breach that exposed the financial and personal information of over 100 million individuals in the U.S. and Canada (see: <a href="https://www.bankinfosecurity.com/capital-one-fined-80-million-over-2019-breach-a-14787"><i>Capital One Fined $80 Million Over 2019 Breach </i></a>).</p>
<p>Original article: <a href="https://www.bankinfosecurity.com/morgan-stanley-fined-60-million-for-data-protection-mishaps-a-15158">BANKINFOSECURITY</a></p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/morgan-sanley-fined/">Morgan Stanley Fined $60 Million for Data Protection Mishaps</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/morgan-sanley-fined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>H&#038;M gets 35.3M euros fine for records of private living conditions of employees</title>
		<link>https://www.gdprregister.eu/news/hm-gdpr-fine/</link>
				<comments>https://www.gdprregister.eu/news/hm-gdpr-fine/#respond</comments>
				<pubDate>Fri, 02 Oct 2020 07:01:46 +0000</pubDate>
		<dc:creator><![CDATA[Aleksander Uibo]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=10662</guid>
				<description><![CDATA[<p>Because several hundred employees of the H&#38;M service centre in Nuremberg were monitored by the centre management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 euros to H&#38;M Hennes &#38; Mauritz online shop AB &#38; Co. KG. The company, based in Hamburg, operates [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/hm-gdpr-fine/">H&#038;M gets 35.3M euros fine for records of private living conditions of employees</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<p>Due to several hundred employees of the H&amp;M service centre in Nuremberg were monitored by the centre management, the Hamburg representative for data protection and freedom of information (HmbBfDI) has issued a <a href="https://www.gdprregister.eu/gdpr/gdpr-fines/">fine</a> of 35,258,707.95 euros to the H&amp;M Hennes &amp; Mauritz online shop AB &amp; Co. KG issued.</p>
<p>The company, based in Hamburg, operates a service centre in Nuremberg. At least since 2014, some of the employees have had extensive records of private living conditions. Corresponding notes were saved permanently on a network drive. After vacation and illness absences &#8211; even short ones &#8211; the superiors team leaders held a so-called Welcome Back Talk. After these discussions, not only were specific vacation experiences of the employees recorded, but also symptoms of illness and diagnoses. In addition, some superiors acquired a broad knowledge of the private life of their employees through one-on-one and corridor discussions, which ranged from harmless details to family problems and religious beliefs. The findings were partially recorded, stored digitally and were sometimes readable by up to 50 other managers throughout the company. The recordings were sometimes made with a high level of detail and updated over time. In addition to a meticulous evaluation of individual work performance, the data collected in this way were used, among other things, to obtain a profile of the employees for measures and decisions in the employment relationship.</p>
<p>The data collection became known because, due to a configuration error in October 2019, the notes were accessible company-wide for a few hours. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection through press reports, he first ordered the content of the network drive to be completely “frozen” and then requested that it be handed over. The company complied and submitted a data set of around 60 gigabytes for analysis. The analysis of the data and the questioning of numerous witnesses confirmed the documented practices.</p>
<p>The discovery of the significant violations prompted those responsible to take various remedial measures. A comprehensive concept was presented to the HmbBfDI on how data protection is to be implemented at the Nuremberg location from now on. In order to come to terms with past events, the company management not only expressly apologized to those affected, but also followed the suggestion to pay the employees considerable compensation without bureaucratic hurdles. This is an unprecedented commitment to corporate responsibility after a data protection breach. Other components of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates,</p>
<p>Prof. Dr. Johannes Caspar, the Hamburg commissioner for data protection and freedom of information: “The present case documents a serious disregard for employee data protection at the H&amp;M Nuremberg location. The amount of the fine imposed is accordingly appropriate and suitable to deter companies from violating the privacy of their employees.</p>
<p>The efforts of the group management to compensate those affected on-site and to restore trust in the company as an employer are to be rated as expressly positive. The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to show those affected the respect and appreciation that they deserve as employees in their daily work for their company.&#8221;</p>
<p>Original article: <a href="https://datenschutz-hamburg.de/pressemitteilungen/2020/10/2020-10-01-h-m-verfahren?mkt_tok=eyJpIjoiWldVM016ZGpOV0U1T1dNNSIsInQiOiJtQ21DZERnRkV6d0FxK1lnZTcwNjBjRTl0bThSNmZ5QTU5cDJ6OUMxU1pYQWhha0F2bjVqS0lNQVwvQlhNUnYrbVZtYWhLemtqQVBmMExcL2E4UnRCWmlLeVpkb1FSK3kydXBESStCQ0RZUktKME54Z1RcL0dBVGVsdHFwTkFCanR6cyJ9">Datenschutz-Hamburg</a></p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/hm-gdpr-fine/">H&#038;M gets 35.3M euros fine for records of private living conditions of employees</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/hm-gdpr-fine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>Instagram Sued For Privacy Violations Over Unauthorized Camera Access</title>
		<link>https://www.gdprregister.eu/news/instagram-unauthorized-camera-access/</link>
				<comments>https://www.gdprregister.eu/news/instagram-unauthorized-camera-access/#respond</comments>
				<pubDate>Tue, 22 Sep 2020 11:13:58 +0000</pubDate>
		<dc:creator><![CDATA[Aleksander Uibo]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=10627</guid>
				<description><![CDATA[<p>On Thursday in the Northern District of California, Brittany Conditi filed a class-action complaint against Instagram and its parent company Facebook for invasion of privacy alleging that Instagram accessed users’ smartphone cameras when not using features that would require camera access, despite the defendants’ representations to the contrary. According to the complaint, Instagram “has access to a [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/instagram-unauthorized-camera-access/">Instagram Sued For Privacy Violations Over Unauthorized Camera Access</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<p>On Thursday in the Northern District of California, Brittany Conditi filed a <a target="_blank" href="https://www.docketalarm.com/cases/California_Northern_District_Court/3--20-cv-06534/Conditi_v._Instagram_LLC_et_al/1/" rel="noopener noreferrer" data-wpel-link="external">class-action complaint</a> against Instagram and its parent company Facebook for invasion of privacy, alleging that Instagram accessed users’ smartphone cameras when they were not using features that would require camera access, despite the defendants’ representations to the contrary.</p>
<p>According to the complaint, Instagram “has access to a user’s smartphone camera for the limited purpose of allowing users to directly take a photograph or video and then post that content to its platform.” Furthermore, Instagram “claims to only access users’ smartphone cameras with user permission, such as when a user is interacting with the Instagram application’s…camera feature.” According to the complaint, Instagram stated it does not access a user’s camera when the camera feature is not in use. However, the plaintiff proffered that Instagram “does more than it claims.”</p>
<p>Specifically, the plaintiff averred that “Instagram is constantly accessing users’ smartphone camera feature while the app is open and monitors users without permission, i.e., when users are not interacting with Instagram’s camera feature.” Conditi argued that Instagram has broken its promise with users, as it has no reason to access users’ cameras when they are not using the camera feature.</p>
<p>The plaintiff claimed that Instagram is “able to monitor users’ most intimate moments, including those in the privacy of their own homes, in addition to collecting valuable insight and market research on its users.” The plaintiff further alleged that Instagram does this in order “to collect lucrative and valuable data on its users that it would not otherwise have access to,” purportedly so the company could increase its advertising revenue through improved user targeting. For instance, the complaint says Instagram is “able to see in-real time how users respond to advertisements on Instagram, providing extremely valuable information to its advertisers.” This conduct allegedly came to light when Apple updated its operating system, available to the public on July 9, “which provides notice to consumers when third parties are accessing their camera and microphone or collecting their data.” The plaintiff asserted that this conduct violated her and the putative class’s privacy rights.</p>
<p>Additionally, the plaintiff asserted that Instagram does not obtain consent to access users’ smartphone cameras when they are not using the camera feature, and that it neither discloses in its data policy that it accesses users’ cameras while they are not using the Instagram camera feature nor obtains consent to do so. Moreover, according to the complaint, Instagram “has no legitimate purpose for accessing users’ smartphone cameras while they are not using Instagram’s services.” Instead, Instagram purportedly claimed that this was a “mistake” caused by “a bug in iOS 14 Beta that indicates that some people are using the camera when they aren’t.” However, Apple has not stated that it was a bug, according to the complaint. The plaintiff also pointed to Facebook and Instagram’s history of privacy violations.</p>
<p>Conditi claimed that she uses Instagram on a regular basis, including while she is in her bedroom. She alleged that Instagram surreptitiously accessed her camera and monitored her outside of the scope that she agreed to. The class includes: “(a)ll Instagram users whose smartphone cameras were accessed by Instagram without their consent from 2010 through the present.”</p>
<p>Instagram is accused of violating the California Consumer Privacy Act, which requires a business collecting a consumer’s personal information to disclose, at or before collection, the categories of personal information that will be collected and the purpose of the collection. It must also provide additional disclosures in order to collect more information for other purposes. The plaintiff claimed that Instagram users have a reasonable expectation of privacy as provided in the California Constitution.</p>
<p>Read more: <a href="https://lawstreetmedia.com/tech/instagram-sued-for-privacy-violations-over-unauthorized-camera-access/">Law Street</a></p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/instagram-unauthorized-camera-access/">Instagram Sued For Privacy Violations Over Unauthorized Camera Access</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/instagram-unauthorized-camera-access/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>Italy tops GDPR penalty list with €46m worth of fines in 2020</title>
		<link>https://www.gdprregister.eu/news/gdpr-fines-top-contries-2020/</link>
				<comments>https://www.gdprregister.eu/news/gdpr-fines-top-contries-2020/#respond</comments>
				<pubDate>Wed, 26 Aug 2020 12:56:32 +0000</pubDate>
		<dc:creator><![CDATA[Aleksander Uibo]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=10552</guid>
				<description><![CDATA[<p>Businesses operating within the European Union have been hit with a total of €68 million (£61.5m) in fines relating to GDPR breaches so far in 2020. Over €45 million of that came from Italian-owned companies, according to financial experts Finbold, which compiled a top 20 using data collected from the GDPR&#8217;s enforcement tracker website. Europe&#8217;s [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/gdpr-fines-top-contries-2020/">Italy tops GDPR penalty list with €46m worth of fines in 2020</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<p>Businesses operating within the European Union have been hit with a total of €68 million (£61.5m) in fines relating to GDPR breaches so far in 2020.</p>
<p>Over €45 million of that came from Italian-owned companies, according to financial experts Finbold, which compiled a top 20 using data collected from the <a href="https://www.enforcementtracker.com/">GDPR&#8217;s enforcement tracker website</a>.</p>
<p>Europe&#8217;s data protection regulation turned two in May, but it seems many businesses are still struggling with compliance as the most common violation was an insufficient <a href="https://www.gdprregister.eu/gdpr/lawful-basis-gdpr/">legal basis for data processing</a>.</p>
<p>From 1 January to 17 August, Italy came out on top, having been issued with €45.6 million in fines as a result of 13 separate investigations. Sweden came in second, with €7.3 million in fines from 4 cases, while the Netherlands was ranked third with €2.8 million worth of penalties.</p>
<p>Germany has only received one GDPR-related fine since the start of the year; however, that particular case, involving health insurance firm Allgemeine Ortskrankenkasse (AOK), resulted in a €1.2 million fine in June, placing the country 5th on the list. The firm was sanctioned after it was shown that collected personal data, such as contact details and insurance information, were being improperly used for advertising purposes.</p>
<p>When ordered in terms of total number of cases, Spain currently tops the list with 76 investigations and subsequent penalties, although the majority of these were for relatively minor infractions, racking up just €1.9 million in fines.</p>
<p>The UK is notably absent from the rankings, as the most recent British organisation to receive a GDPR fine was Doorstep Dispensaree Ltd in December 2019. The firm was levied with a €320,000 sanction for failing to protect physical NHS documents by storing these outdoors in cardboard boxes.</p>
<p>There are also a handful of significant fines that have been proposed but not yet levied, many of which could be enforced before the end of the year. These include record-breaking sanctions against British Airways and <a href="https://www.itpro.co.uk/general-data-protection-regulation-gdpr/33989/marriott-fined-99m-for-2018-data-breach">Marriott International</a> in 2019 of €205 million and €110 million respectively, both of which were issued by the UK&#8217;s data watchdog, the <a href="https://www.itpro.co.uk/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner&#8217;s Office</a>.</p>
<p>Read more <a href="https://www.itpro.co.uk/policy-legislation/general-data-protection-regulation-gdpr/356872/italy-tops-gdpr-penalty-list-with">here</a>.</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/gdpr-fines-top-contries-2020/">Italy tops GDPR penalty list with €46m worth of fines in 2020</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/gdpr-fines-top-contries-2020/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>GDPR fines for unlawful marketing messages</title>
		<link>https://www.gdprregister.eu/news/gdpr-fines-unlawful-marketing-messages/</link>
				<comments>https://www.gdprregister.eu/news/gdpr-fines-unlawful-marketing-messages/#respond</comments>
				<pubDate>Tue, 19 Feb 2019 15:30:45 +0000</pubDate>
		<dc:creator><![CDATA[Sara Laine]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=7592</guid>
				<description><![CDATA[<p>The referendum campaign Leave.EU and Eldon Insurance Group have been issued GDPR fines totalling £120,000. The decision was announced by the ICO on the grounds of unlawful electronic marketing. Furthermore, both companies are being investigated for compliance with other data protection laws. The two organizations worked closely together and failed to separate the personal data of political [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/gdpr-fines-unlawful-marketing-messages/">GDPR fines for unlawful marketing messages</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<p>The referendum campaign Leave.EU and Eldon Insurance Group have been issued GDPR fines totalling £120,000. The decision was announced by the <a href="https://ico.org.uk">ICO</a> on the grounds of unlawful electronic marketing. Furthermore, both companies are being investigated<span style="font-weight: 400;"> for compliance with other data protection laws.</span></p>
<p><span style="font-weight: 400;">The two organizations worked closely together and failed to separate the personal data of political subscribers and insurance customers. Leave.EU sent 300,000 political messages to Eldon Insurance customers. Meanwhile, Eldon Insurance sent emails to more than 1 million Leave.EU subscribers through two illegal marketing campaigns. </span></p>
<p><span style="font-weight: 400;">The ICO will review the data protection practices and data processing activities of both companies, as well as the</span><span style="font-weight: 400;"> policies and procedures in place regarding staff training. Employees and DPOs of both companies will be interviewed. </span></p>
<blockquote><p><span style="font-weight: 400;"><strong>Learning TIP:</strong> <a href="https://www.gdprregister.eu/gdpr/processing-activities-records/">GDPR requires companies to keep records of their data processing activities</a>. These records are crucial when providing evidence that adequate data protection practices are followed. Training should take place regularly to inform employees about data protection regulations and requirements. </span></p></blockquote>
<p><a href="https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/02/ico-to-audit-data-protection-practices-at-leaveeu-and-eldon-insurance-after-fining-both-companies-for-unlawful-marketing-messages/">Read the full article on ICO page.</a></p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/gdpr-fines-unlawful-marketing-messages/">GDPR fines for unlawful marketing messages</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/gdpr-fines-unlawful-marketing-messages/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>Google: US Tech Giant and the Record-High Fine Under the GDPR</title>
		<link>https://www.gdprregister.eu/news/google-biggest-fine/</link>
				<comments>https://www.gdprregister.eu/news/google-biggest-fine/#respond</comments>
				<pubDate>Tue, 22 Jan 2019 12:53:20 +0000</pubDate>
		<dc:creator><![CDATA[Sara Laine]]></dc:creator>
		
		<guid isPermaLink="false">https://www.gdprregister.eu/?post_type=news&#038;p=7547</guid>
				<description><![CDATA[<p>As the General Data Protection Regulation came into force, companies that process personal data of EU citizens are expected to comply with a stricter approach to data privacy and protection. US tech giant Google is no exception. The French Data Protection Regulator (&#8220;CNIL&#8221;) fined US tech giant Google €50 million. CNIL claims that [&#8230;]</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/google-biggest-fine/">Google: US Tech Giant and the Record-High Fine Under the GDPR</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></description>
								<content:encoded><![CDATA[<p>As the General Data Protection Regulation came into force, companies that process personal data of EU citizens are expected to comply with a stricter approach to data privacy and protection. US tech giant Google is no exception.</p>
<p>The French Data Protection Regulator (&#8220;<a href="https://www.cnil.fr/">CNIL</a>&#8221;) fined US tech giant Google €50 million. CNIL claims that Google failed to provide transparency and clarity in the way it informs users about the handling of their personal data. Google also failed to obtain specific consent and had no established legal basis for personalised advertising. Read more on <a href="https://www.gdprregister.eu/gdpr/direct-marketing-gdpr/">How Does GDPR Affect Direct Marketing and Profiling</a>.</p>
<p>It is not the first fine to be issued under the GDPR. However, so far, it is the biggest one to be issued by a European regulator.</p>
<blockquote><p><b>LEARNING TIP:</b><br />
<b>Privacy by design</b>: It is important to consider data protection and privacy aspects at the initial design stages of products and services. Privacy and data protection should therefore be embedded into the design, rather than added on later.<br />
<b>Records of processing activities:</b> Under the GDPR, a company is obliged to keep records of its processing activities of personal data under certain conditions, and it is important for the company to have a clear understanding of what personal data is being processed and in what way.<br />
<b>Visibility and transparency:</b> Accountability, compliance and transparency are required for an effective and secure system. Thus, it is important to be clear about your system and the level of security it provides.</p></blockquote>
<p><a href="https://www.gdprregister.eu/gdpr/gdpr-fines/">Find out more on GDPR fines</a>.</p>
<p>The post <a rel="nofollow" href="https://www.gdprregister.eu/news/google-biggest-fine/">Google: US Tech Giant and the Record-High Fine Under the GDPR</a> appeared first on <a rel="nofollow" href="https://www.gdprregister.eu">GDPR Register | Compliance tool for privacy experts</a>.</p>
]]></content:encoded>
							<wfw:commentRss>https://www.gdprregister.eu/news/google-biggest-fine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
	</channel>
</rss>
