14 October 2018

Data Protection – cyber attacks, health data and a deal with Japan…

In this issue, Japan is working with Europe on a new data protection agreement, and the UK government issues guidance for the use of AI in healthcare.

Newegg the newest cyber attack victim

The online retailer Newegg has fallen victim to cybercrime, as hackers stole bank card details from customers for over a month late this summer.

Between August 16th and September 18th, card details entered on the site’s checkout page were copied by JavaScript injected into the page and sent to a domain set up by the attackers, which even carried a valid TLS certificate issued by Comodo, so browsers raised no warning about the exfiltration traffic. The Magecart skimmer used is the same toolset deployed against the websites of Ticketmaster and British Airways earlier this year. Of considerable concern is that the Newegg attackers reduced the skimmer from the 22 lines of code used against BA to a mere eight, making it more likely that the injection would go unnoticed in a review of the page’s scripts. A valid certificate proves only that someone controls the domain name, not that the domain has any legitimate business receiving card data.

Presently, it is unclear whether Newegg notified the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as the GDPR requires (given effect in the UK by the Data Protection Act 2018), or whether affected customers were told without undue delay. Such instances should serve as a reminder for companies to monitor the scripts served on their payment pages and the domains those scripts send data to, and, if a breach is uncovered, to inform the relevant authorities and affected individuals promptly.
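One way to do the monitoring described above is to record the script hosts and inline-script hashes of a known-good checkout page and compare each later fetch against that baseline. The following is an added example written for this page, not code from Newegg or from the original article; the two sample pages and the hostnames in them are constructed, and `cdn-stats.invalid` stands in for an attacker-controlled host.

```python
"""
Checkout-page script audit: flags <script> elements whose host is not on a
recorded allow-list and inline scripts whose hash differs from the baseline.
Added illustration; the two sample pages below are constructed, not Newegg's,
and the hostnames used are hypothetical.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute and inline body of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of {"src": str | None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline(html):
    """Record allowed script hosts and inline-script hashes from a known-good page."""
    hosts, inline = set(), set()
    for script in collect_scripts(html):
        if script["src"]:
            hosts.add(urlparse(script["src"]).netloc.lower())
        else:
            inline.add(_sha256(script["body"].strip()))
    return {"hosts": hosts, "inline": inline}


def audit(html, base):
    """Return one finding per script that the baseline does not account for."""
    findings = []
    for script in collect_scripts(html):
        if script["src"]:
            host = urlparse(script["src"]).netloc.lower()
            if host not in base["hosts"]:
                findings.append(f"unexpected external script host: {host}")
        else:
            digest = _sha256(script["body"].strip())
            if digest not in base["inline"]:
                findings.append(f"inline script not in baseline (sha256 {digest[:16]}...)")
    return findings


# Constructed known-good checkout page.
KNOWN_GOOD_PAGE = """<html><head>
<script src="https://static.shop.example/checkout.js"></script>
<script>initCheckout({"currency": "USD"});</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed tampered copy: an extra third-party script from a host the
# baseline has never seen, and a modified inline script.
TAMPERED_PAGE = """<html><head>
<script src="https://static.shop.example/checkout.js"></script>
<script src="https://cdn-stats.invalid/s.js"></script>
<script>initCheckout({"currency": "USD"}); window.__t = 1;</script>
</head><body><form id="payment"></form></body></html>"""

if __name__ == "__main__":
    base = baseline(KNOWN_GOOD_PAGE)
    for finding in audit(TAMPERED_PAGE, base):
        print(finding)
```

The audit runs from outside the site and therefore sees what a customer’s browser sees; the same allow-list and hashes can be enforced inside the browser with a Content-Security-Policy `script-src` directive and Subresource Integrity attributes on external scripts. One caveat: a host allow-list does not catch a skimmer appended to a legitimately hosted first-party script, so the bodies of external scripts should be fetched and hashed against the baseline as well.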

Equifax fined £500,000 for data breach

The UK ICO has issued a £500,000 fine to the American consumer credit reporting agency Equifax after the data of 15 million UK consumers was stolen from its databases in 2017.

The hack, which took place before the GDPR and the Data Protection Act 2018 came into force, also resulted in the personal information of 150 million Americans being compromised. The data taken included names, email addresses, dates of birth, phone numbers and driver’s licence numbers. The breach occurred between May 13th and July 20th 2017, several months after Equifax had been warned by the US Department of Homeland Security of a remotely exploitable vulnerability in software it was running, for which a fix was already available.

Failing to patch that vulnerability allowed the attackers into Equifax’s systems and from there into its databases. Ironically, the stolen data was taken from ‘standard daily fraud’ reports, which had been created to assist Equifax’s fraud investigations team during credit card fraud investigations.

Equifax’s US arm became aware of the hack on July 29th 2017, but only realised in late August that British customer data was also compromised. UK-based Equifax Ltd. was made aware on September 7th and reported the breach a day later. It initially reported that only 400,000 UK consumers had been affected, but eventually revised this figure upwards to 15 million.

The ICO issued the maximum fine available under the Data Protection Act 1998; under the GDPR and the Data Protection Act 2018 the maximum fine could have been in the region of £100 million.

Japanese data protection to align with GDPR

On July 17th 2018, the EU and Japan agreed to acknowledge one another’s data protection laws as providing adequate personal data protection, and the European Commission (EC) adoption procedure for this adequacy decision was launched on September 5th.

Under Article 45 of the GDPR, the EC has the power to determine whether a country outside the EU offers an adequate level of data protection, either through domestic law or international commitments entered into by the country. Such a designation recognises countries as having adequate data protection safeguards in place, meaning specific transfer agreements with entities within designated countries (such as the EU-US Privacy Shield) may no longer be necessary. Whilst the EU has made several adequacy decisions to date, the agreement with Japan represents the first instance of the EU and a third country agreeing on reciprocal recognition. This may suggest a new path forward for other third countries seeking an EU adequacy designation.

The agreement requires Japan to adopt additional data protection safeguards in order to align with EU standards, particularly related to limitations on sensitive data use and the retransfer of data originally transferred from the EU to a third country company. Japan will also introduce a mechanism by which EU residents can complain to Japanese data protection regulators, if they believe that Japanese public authorities have unlawfully processed their data.

On September 7th 2018, Japan’s data protection authority, the Personal Information Protection Commission (PPC), announced supplementary rules regarding EU personal data which will come into effect upon the EC’s formal adoption of Japanese data protection adequacy. These rules involve five major changes to Japan’s current regulations, but will only apply to personal data transferred from the EU under the new agreement.

A formal decision from the EC regarding Japanese data protection adequacy is expected later this fall. The EU-Japan agreement sets an interesting precedent regarding adequacy determinations under the GDPR, and the reciprocal recognition approach used may act as a template for third countries seeking a determination of adequacy in the future.

Government launches Code of Conduct for data-driven technology in healthcare

The Department of Health and Social Care has recently issued a draft version of a Code of Conduct for Artificial Intelligence (AI) and data-driven technologies in healthcare, with the aim of providing clear guidance on how personal data is protected whilst at the same time promoting innovation and the introduction of technologies into the healthcare system.

AI and data-driven technologies and algorithms have great potential and are increasingly being deployed across the healthcare system. The Code, which is in an initial consultation phase, is intended to encourage companies to meet what the government describes as “a gold-standard set of principles that will protect patient data and make sure only the best technologies are used by the NHS, to bring real benefits to patients.” The key privacy principles reflect those mandated by the General Data Protection Regulation (GDPR) which came into force in May 2018, and the Data Protection Act 2018, which should both be considered alongside the Code.

The Code also sets out the government’s commitments to companies working in the sector. These include: simplifying the regulatory and funding landscape and creating an environment that enables experimentation and innovation but does not risk patient safety; encouraging the adoption of innovation; improving interoperability, and listening to users.

An updated Code is to be published in December 2018, taking into account both the review of the regulatory framework and feedback on the Code received from innovators and healthcare professionals. In the longer term, the government is considering how best to develop the Code, including the introduction of a partnership support service and a ‘Kitemark’ scheme, underpinned by a robust application and evaluation process.

ICO issues £60,000 fines for unsolicited emails

Marketing agency Everything DM (EDM) was fined £60,000 by the ICO after its direct marketing system sent 1.42 million emails to prospective customers between May 2016 and May 2017.

The company, which was paid by clients to send mailers to prospective customers, failed to show that recipients had agreed to receive the communications, either from EDM or its clients. The ICO found that EDM had relied on third party consent, but failed to ensure the use of customer data complied with the Privacy and Electronic Communications Regulations (PECR). The PECR prohibits organisations from sending unsolicited communications to consumers for direct marketing purposes by email, unless the person has given prior consent to that effect.

The ICO stated that ‘firms providing marketing services to other organisations need to double-check whether they have valid consent from people to send marketing emails’ and that ‘informing individuals that their details will be shared with unspecified third parties, is neither freely given nor specific, and does not amount to a positive indication of consent.’

Companies engaging in direct marketing should remember that, unless PECR-compliant consent is given by recipients, such campaigns may result in fines from the ICO.

Uber settles with 50 state attorneys over 2016 data breach

On September 26th 2018, Uber agreed to a settlement with 50 state attorneys general in relation to a data breach that occurred in 2016 which affected the personal data of 600,000 drivers and 57 million consumers.

After learning of the November 2016 breach, Uber allegedly opted to pay the hackers a $100,000 ransom to delete the data, and failed to notify affected individuals promptly (as required under numerous state laws), waiting nearly a year to do so. The settlement, which is pending court approval, requires Uber to pay $148 million to be divided among the 50 states. Furthermore, Uber will undertake various security measures, including implementing enhanced data protection policies, engaging third-party security experts on an ongoing basis, and submitting regular reports on security incidents to regulators.

Facebook to face investigation over serious data breach

On September 28th 2018, Facebook acknowledged that, due to a flaw in its code, between 50 and 90 million user accounts had been exposed to attackers over the previous 14 months.

Guy Rosen, Facebook’s VP of product management, posted a note stating that a security hole allowed attackers to steal users’ account access tokens, the credentials that keep a user logged in so that the password need not be re-entered. A stolen token let the attackers act as the account holder: download the user’s private information, photos and videos, and log into third-party websites and apps connected to that account, allowing further information to be taken.

The security failing, which has since been fixed, related to the “View As” feature, which lets users see their profile as it appears to others in order to check that private and public posts are shown correctly. Although the flaw potentially put any Facebook account at risk, Facebook estimates that only 50 million were “directly affected”, while another 40 million had been subject to a “View As” lookup.

The announcement comes at a difficult time for Facebook, as it was recently reported that Facebook was using users’ mobile phone numbers, provided for two-factor authentication, for targeted advertising, despite the numbers having been supplied only for security purposes.

The Irish Data Protection Commissioner is preparing to launch a formal investigation into the security breach. Under the GDPR, Facebook could be subject to a fine of more than £1 billion.

We will be keeping an eye on this situation as it develops, as it represents one of the largest and most serious data breaches to occur under the GDPR, and could be the first instance of regulators applying their considerable new fining powers.

Conservative Party conference app in attendee data breach

Only hours before the start of the annual Conservative Party Conference this year, it was the party’s mobile conference app making all the headlines, and for all the wrong reasons. A flaw temporarily allowed anyone who had downloaded the app to login and view the personal details of other participants using the app, including the details of several high profile ministers with security clearance.

The technical flaw was first identified by a newspaper journalist who discovered that it was possible to enter a participant’s email address in the login field and view not only their name, but also their phone number, job title and photo. The app required no proof of identity beyond the address itself, such as a password or a one-time code sent to that address, so knowing an email address was treated as being its owner. As many participants had registered with government email addresses that follow a standard format, many addresses could simply be guessed in order to view personal data.

Although the breach is thought to have affected only a small number of attendees, and was rectified within 30 minutes of being identified, it is embarrassing for the Conservative Party as the technical glitch also meant that miscreants were able to change official photos on the app and alter job titles.
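The following is an added example, written for this page rather than taken from the conference app or its vendor, that puts the flaw described above beside a hardened version: the insecure lookup hands out a full record to anyone who can guess an address, while the hardened directory only issues a session after a one-time code sent to that address is presented, shows other attendees’ phone numbers to nobody, and lets a user edit only their own record. The attendee data is constructed and the method names are assumptions.

```python
"""
Attendee directory: the email-only "login" flaw described above, beside a
hardened flow that requires a one-time code delivered out of band and ties
every read or write to the authenticated session. Added illustration; the
attendee data is constructed and the method names are assumptions, not the
conference app's own API.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample records; not real attendees.
ATTENDEES = {
    "alice@example.gov.test": {"name": "Alice Example", "phone": "07700 900001", "title": "Minister"},
    "bob@example.gov.test": {"name": "Bob Example", "phone": "07700 900002", "title": "Adviser"},
}


def lookup_insecure(directory, email):
    """The flaw: whoever can guess an address gets the full record, no proof of identity."""
    return directory.get(email)


class Directory:
    CODE_TTL = 600  # seconds a one-time login code remains valid

    def __init__(self, attendees, clock=time.time):
        self._attendees = attendees
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # email -> (sha256 of code, expiry time)
        self._sessions = {}          # session token -> email

    def request_code(self, email):
        """Generate a one-time code to be sent to the address out of band.
        It is returned here only so the example can stand in for that delivery.
        Unknown addresses get a code too, so the response does not reveal who is
        registered."""
        code = f"{secrets.randbelow(10**6):06d}"
        if email in self._attendees:
            digest = hashlib.sha256(code.encode()).hexdigest()
            self._pending[email] = (digest, self._clock() + self.CODE_TTL)
        return code

    def login(self, email, code):
        """Exchange a valid, unexpired, unused code for a session token."""
        entry = self._pending.get(email)
        if entry is None:
            return None
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[email]
            return None
        offered = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(digest, offered):
            return None
        del self._pending[email]     # single use
        token = secrets.token_urlsafe(32)
        self._sessions[token] = email
        return token

    def get_profile(self, token, email):
        """Full record for the caller's own account; name and title only for others."""
        me = self._sessions.get(token)
        if me is None:
            raise PermissionError("not logged in")
        record = self._attendees.get(email)
        if record is None:
            return None
        if email == me:
            return dict(record)
        return {"name": record["name"], "title": record["title"]}

    def update_title(self, token, email, new_title):
        """Only the account owner may change their own job title."""
        me = self._sessions.get(token)
        if me is None or me != email:
            raise PermissionError("may only edit your own profile")
        self._attendees[email]["title"] = new_title
        return True


if __name__ == "__main__":
    # The flaw: a guessed address alone returns a phone number.
    print(lookup_insecure(ATTENDEES, "alice@example.gov.test"))
    # The hardened flow: no code, no session, no data.
    d = Directory({k: dict(v) for k, v in ATTENDEES.items()})
    code = d.request_code("alice@example.gov.test")   # would be emailed
    token = d.login("alice@example.gov.test", code)
    print(d.get_profile(token, "bob@example.gov.test"))  # no phone number
```

A deployed version would additionally rate-limit code attempts per address (a six-digit code has only a million values) and persist sessions server-side rather than in process memory, but the two properties that the conference app lacked are the ones shown here: no data is returned without a verified session, and the session, not the address typed into a form, decides whose record may be read in full or changed.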

It is understood that both the Conservative Party and the creator of the app, the Australian company CrowdComms, reported the breach to the Information Commissioner’s Office (ICO) within the 72 hours required by the GDPR.

This incident also provides a timely reminder of the risks involved in outsourcing the development of technology that makes use of personal data. When things do go wrong, the organisation that commissioned the work remains liable as data controller for ICO fines (the developer may also be liable as a processor), and there is the additional risk of serious reputational damage. All too often organisations overlook data protection as a significant legal obligation and risk management issue when devising their outsourcing strategy. Data protection and privacy are key considerations in any outsourcing arrangement, and it is essential that they feature in the initial vendor due diligence, including a review of how the product authenticates users, so that sufficient and appropriate contractual protections can be put in place.