GDPR News

AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology

Amazon Web Services’ chief technology officer, Werner Vogels, has been dispelling security myths about cloud computing at the Dublin Tech Summit in Ireland this week.

Concerns have been raised about the security of data stored in the cloud, especially following the discovery that 540 million Facebook records had been exposed on AWS, one of several high-profile data breaches that have involved AWS-stored data in the past 12 months.

Fears About Compliance and the Cloud

Companies required to comply with General Data Protection Regulation (GDPR) must ensure that the personal data of EU citizens is secured and kept private and confidential. Since GDPR came into effect on May 25, 2018, the potential penalties for data exposures have increased significantly. It is therefore understandable that companies are concerned about storing data in the cloud rather than on-premise infrastructure that they feel better able to secure.

Germany’s federal commissioner, Ulrich Kelber, spoke before Vogels at the Tech Summit and voiced his concerns about American cloud storage providers, stating that they should not be used for hosting police data as there was a risk of snooping. The federal commissioner was particularly concerned about the passing of the Cloud Act in 2018, which could allow federal law enforcement to gain access to data stored by U.S. technology companies.

Many companies in the United States are also wary about using the cloud for storing sensitive data such as protected health information, and the potential for HIPAA violations. As is the case with GDPR, the penalties for data exposure can be severe and, for small healthcare organizations, potentially catastrophic.

Vogels explained that cloud security should not be a concern and storing data on AWS is perfectly secure. His advice to all AWS users is “encrypt everything,” but at a minimum, make sure that all personally identifiable information is encrypted.

By encrypting data, companies can meet the requirements of GDPR, HIPAA, and other federal and state regulations. As for the Cloud Act, if a technology company is issued with a warrant to release data but the AWS customer has encrypted that data using modern encryption standards, and only the customer holds the key to decrypt it, the data remains secure. Any conversation about data access is then between law enforcement and the customer. AWS will not be involved.

Vogels also explained that AWS has improved its controls to make it harder for data to be exposed. All customer information is now closed off by default. It takes a deliberate action to remove AWS protections and leave data accessible. Should that happen, major red flags are raised.

Vogels said, “We’re very strong believers that the best way to help our customers protect themselves from whatever bad actors you can imagine is to ensure encryption is as easy to use as any other digital service.” Encryption is offered through AWS to make securing sensitive data as easy as possible.

Voice Technology Has Huge Potential

Vogels also spoke about one potential big area for Amazon. Big even by Amazon’s standards. Vogels said Amazon is not looking to invest in technologies that will add $100 million to the balance sheet. Amazon is looking for billion-dollar plus opportunities. Alexa voice technology is a prime example.

Amazon Alexa is the leading voice technology and has already found uses in healthcare. HIPAA was something of a stumbling block as the regulations covering protected health information are strict, but Amazon has recently solved that problem. Amazon is offering business associate agreements to a select group of companies and has made sure that its voice tech can transfer data securely in a manner compliant with HIPAA Rules. Last week Amazon announced that six new healthcare skills had been launched that could be used in connection with PHI. The company will be collaborating further with healthcare organizations, although by invite only at this stage.

Skills have also been developed by WebMD that allow users to ask questions about their symptoms using voice commands rather than entering information on a website. These skills are just the tip of the iceberg and the potential uses of voice technology in healthcare are huge. Alexa could even be used by people to gain access to healthcare information stored in their EHRs in the not too distant future.

Vogels certainly believes voice technology is the way forward and thinks voice commands will be the main way that people interact with digital systems in the future.

The post AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology appeared first on HIPAA Journal.

59,000 Data Breaches Reported to GDPR Supervisory Authorities: 91 Fines Issued

A new report from DLA Piper indicates 59,430 data breaches have been reported to EU supervisory authorities since the GDPR compliance deadline of May 25, 2018. The majority of the data breaches have been reported in the Netherlands (15,400), Germany (12,600), and the United Kingdom (10,600).

The Netherlands saw the highest number of breaches per capita, followed by Ireland and Denmark. It is worth noting that many non-EU companies have registered bases in EU member states and any data breaches experienced by them count toward the total for the country where their European HQ is established. Many non-EU firms, including Google, Facebook, Twitter, and Microsoft, have chosen Ireland for their European base.

Obtaining accurate numbers for data breach reports was a challenge. Official EU figures suggest that there had only been 41,502 data breaches reported between the compliance deadline and January 28, 2019; however, those figures do not include Norway, Iceland, and Liechtenstein, which are not members of the EU but are part of the European Economic Area (EEA). The official figures also only included data breaches reported in 21 of the 28 member states.

The data for the DLA Piper report came from breach notifications filed in 23 EU member states and by EEA members. Data breach reports have not been made public in Bulgaria, Croatia, Estonia, Lithuania, and Slovakia.

The number of data breaches reported so far appears higher than before GDPR came into effect. That does not mean there has been an increase in data breaches, only that more companies are reporting breaches and breaches are also being reported more quickly. GDPR requires breach notifications to be issued within 72 hours of the discovery of a breach.

Financial Penalties for GDPR Violations and Data Breaches

DLA Piper has been tracking GDPR fines since the compliance deadline. To date, 91 financial penalties have been issued. Financial penalties can be issued for any violation of GDPR. In addition to data breaches, GDPR supervisory authorities investigate complaints about privacy violations. It was such a complaint that resulted in the largest GDPR violation penalty issued to date: The €50 million ($57 million) fine for Google issued by the French supervisory authority, CNIL.

The supervisory authorities in Germany have been the most active enforcers of GDPR since the May 25, 2018 compliance deadline. Of the 91 fines, 64 have been issued in Germany. Those fines include the two largest financial penalties for companies that have experienced data breaches.

The chat platform Cuddles was fined €20,000 ($22,700) by the German Data Protection Authority LfDI for storing users’ passwords in clear text. LfDI also issued an €80,000 ($91,000) financial penalty to an organization that published health information on the internet, the second largest GDPR data breach fine to date.

Only a relatively small number of fines have been issued in relation to data breaches; however, many supervisory authorities are struggling with the volume of breach notices they have received and there is a considerable backlog to get through. Some data breaches reported in 2018 may still result in fines.

DLA Piper notes that the majority of the fines issued to date have been relatively low; much lower than the maximum penalty of €20 million or 4% of global annual turnover, whichever amount is higher. DLA Piper anticipates there will be several fines of tens or even hundreds of millions of euros issued in 2019 once the supervisory authorities have cleared the backlog of data breach reports and GDPR complaints.

GDPR Incorporated into the HITRUST CSF

HITRUST has incorporated the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements.

Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater.

Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, but HITRUST’s “one framework, one assessment” model aims to make the process as simple as possible.

“As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex,” said HITRUST chief privacy officer, Anne Kimbol. “Many countries have their own unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally.”

HITRUST has completed the formal application process to the Irish Data Protection Commission and the EU Data Protection Board to have the HITRUST CSF officially recognized as meeting GDPR certification standards and hopes to be confirmed as an accredited certification body for GDPR.

In addition to GDPR, HITRUST has incorporated the Singapore Personal Data Protection Act (PDPA) into the HITRUST CSF and is currently working toward becoming an Accountability Agent under the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.

“Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally,” explained HITRUST VP of standards and analysis, Bryan Cline.

Google Hit With €50 Million GDPR Violation Penalty

Google has been hit with a €50 million ($56.8 million) GDPR violation penalty, the largest GDPR violation penalty issued to date.

The French GDPR supervisory authority, the National Data Protection Commission (CNIL), investigated suspected GDPR violations after receiving complaints from two privacy rights groups: La Quadrature du Net and noyb. The first of the complaints was filed on the GDPR compliance deadline, May 25, 2018.

The complaints were related to how Google processes user data for personalizing ads. It was argued that Google did not have a valid legal basis for processing user information and had not obtained clear consent to do so.

While information about its data processing activities has been made available to users, the information is spread across several documents, so it is unclear to consumers how personal data is being processed. According to CNIL, a consumer would need to take five or six actions in order to find out essential information about Google’s processing activities related to personalized ads and, as such, users would not be able to understand how Google was processing their data.

While consent was obtained, the consent box was pre-checked, requiring users only to click to accept, which is also a violation of GDPR. Under GDPR, users must tick any consent checkboxes themselves; consent must be clearly provided through an explicit opt-in process.

The lack of transparency about how user data will be processed in relation to serving personalized adverts left consumers in the dark about the “particularly massive and intrusive” data processing that takes place in order to serve personalized ads, according to CNIL.

The extent of the GDPR violations, which are ongoing, warranted a substantial fine. The maximum penalty for serious violations of GDPR is €20 million ($22.73 million) or up to 4% of global annual turnover, whichever is greater. While the €50 million fine is substantial, it falls well short of the maximum possible fine that could have been issued: Around $4.4 billion based on an annual turnover of $110.8 billion in 2017.

The complaints to CNIL are just two of many that have been filed against Google since the GDPR compliance deadline. Complaints have been submitted by consumer groups in several EU countries over what are viewed as deceptive privacy practices. If those complaints are substantiated, further fines can be expected.

Google has responded to the fine by issuing a statement confirming that it is deeply committed to meeting the high standards of transparency, control, and consent that are required by GDPR and will be studying the decision of CNIL to determine what steps must be taken next.

The substantial GDPR violation penalty sends a message to large technology firms and other entities that collect or process the data of EU residents that compliance with all aspects of GDPR requirements is mandatory and violators will face severe fines for noncompliance.

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz (D-Hawai’i), introduced the Data Care Act.

The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.

The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions.

As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data.

The bill would also require companies to disclose the names of the persons or companies to whom users’ personal data have been sold and the individuals/companies that have been licensed to use personal data.

There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, there are no data breach notification requirements, a Data Protection Officer does not need to be appointed, and there is no requirement for risk assessments related to high-risk processing activities.

If passed, the Data Care Act will be enforced by the Federal Trade Commission which will be given the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.

GDPR failures can attract a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.

The bill is primarily concerned with currently unregulated online companies, ISPs and FCC common carriers, although it also has implications for regulated industries such as financial services and healthcare.

Health data will be covered by the Data Care Act in three categories: health data related to the provision of medical services related to the physical and mental health of an individual; health data processed in relation to the provision of health and wellness services; and health data that is derived from medical tests, including genetic and biological samples. The FTC will have the authority to further define the types of information classed as health data.

Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.

“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.

In addition to Senator Schatz, the bill has been co-sponsored by Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).

The discussion draft of the bill can be downloaded from the Center for Democracy and Technology.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

Data Breach Reports and Complaints Have Increased Significantly Post-GDPR

The General Data Protection Regulation (GDPR) provided EU residents with new rights and freedoms and gave EU citizens greater control over the personal information that is collected, processed, and used by companies.

One of the rights given to EU citizens is the ability to submit complaints to the data protection authority when they feel that their personal data is being misused or has not been protected. GDPR also requires companies to disclose certain data breaches within 72 hours of discovery.

Since GDPR came into effect on May 25, 2018, there has been a considerable increase in the number of data breaches reported by companies in Europe.

Data breach reports in the United Kingdom quadrupled in the first three months since GDPR came into effect and in Ireland data breach reports doubled.

A study conducted by Kroll shows there was a 75% increase in data breaches reported to the Information Commissioner’s Office (ICO), the supervisory authority in the United Kingdom, in the past year. The Kroll study showed the ICO had received more than 2,000 data breach reports in the past year that could be attributed to human error, compared to just 292 the previous year.

The most commonly reported breaches were emails sent to incorrect recipients (447 incidents), misdirected letters and faxes containing personal information (441 incidents) and loss or theft of physical records (438 incidents). There were 102 cases of unauthorized accessing of personal information, most commonly due to cyberattacks. The most commonly breached industry was healthcare, accounting for 1,214 of the 2,000 reported incidents.

These figures appear to indicate a major increase in data breaches, even though the majority of these breaches were reported prior to the effective date of GDPR. Kroll suggests, however, that the rise is to a large extent a result of increased transparency due to GDPR, with UK companies choosing to abide by GDPR rules ahead of the deadline for compliance.

Kroll also suggests that there is likely to be a substantial increase in the penalties issued for preventable data breaches, as prior to the implementation of GDPR, the maximum possible fine was £500,000 in the UK. Now that GDPR is in force, the maximum penalty is €20 million – £17,845,000 – or 4% of global annual turnover, whichever is the greater. The risk of a substantial fine on top of the cost of dealing with a breach and repairing reputational damage is likely to see companies pay much more attention to data security and invest more heavily in data protection solutions.

Privacy and data security complaints have similarly increased. ICO figures show data protection complaints from consumers have substantially increased since GDPR came into effect. In the first three months since GDPR came into force, the number of data protection complaints has doubled. Prior to the introduction of GDPR in May, ICO had received 2,310 complaints, but that figure jumped to 3,098 complaints in June and 4,214 complaints in July.

There have also been significant increases in complaints in other countries in Europe. The supervisory authority in France received 37% more complaints between May 25 and July 31, 2018 compared to the previous year and in Ireland there has been a 65% increase in data protection complaints since GDPR came into effect.

Steps to Take to Make a Website GDPR Compliant

If you have a website that can be accessed by EU residents, it is likely that you will have to make your website GDPR compliant. If you have yet to do so, you could potentially face a substantial fine, as the General Data Protection Regulation compliance date was May 25, 2018.

The main purpose of GDPR is to protect the rights and freedoms of EU residents and to give them more control over their personal data, no matter where personal data is collected or processed.

Over the past two years, many businesses have been learning about how GDPR affects websites, and website owners have made changes to ensure their sites are compliant. However, some businesses are unsure how to make a website GDPR compliant and others have ignored GDPR requirements entirely.

Site owners that fail to make a website GDPR compliant can face stiff financial penalties. The penalty for noncompliance with GDPR is up to €20 million or 4% of global annual turnover (whichever is greater) so noncompliance really isn’t an option.

How to Make a Website GDPR Compliant

One of the main requirements to make a website GDPR compliant is to tackle the issue of consent. Information cannot be collected and processed unless consent has been obtained.

While most website owners explain in a privacy policy about information that is collected and how it is processed, under GDPR that is not sufficient. It is no longer possible to state that continued use of the website constitutes consent and agreement with the site’s privacy policy.

Consent must now be explicitly obtained through a clear, decisive action. If your website does not collect any personal data (including IP addresses) and does not use cookies and you do not have contact forms or newsletters, you will not have to do anything to be GDPR compliant. All other sites will need to obtain consent.

Under GDPR it is not acceptable to use pre-checked boxes when obtaining consent to collect and process personal data. Users must provide clear consent and if checkboxes are used, they must be manually checked by users.

Consent forms should be clear and explain the data that is collected and how it is used in easy-to-understand language. Website visitors must be informed how long their personal data will be retained, and the classes of individuals with whom the information will be shared. The exact types of data that will be collected through use of the website must be explained, along with whether the website uses cookies to collect them.

Website owners must make a decision about the types of data they collect and whether that information is necessary in order to perform the task for which the information is being collected. Any data collected or processed should be limited to the minimum necessary amount to achieve the purpose for which it is collected. GDPR also requires all personal data to be secured, so data encryption should be considered.

If you use any kind of analytics program on your website, Google Analytics for example, it is your responsibility to ensure it is compliant. Google has taken care of its side, but it is the responsibility of all website owners to ensure analytics programs meet GDPR requirements. If tracking data is collected that allows an individual to be identified – by their IP address for example – consent must be obtained.

It is important that website visitors can get in touch with a site owner to exercise their GDPR rights and freedoms, so all contact information needs to be up to date. It must be easy for visitors to make contact should they wish to exercise their right to be forgotten, request a copy of any data that is collected and processed, and check their personal data for accuracy.

In the event that a website visitor chooses to be forgotten, it is useful to have a mechanism in place that allows that to happen automatically via the website. Manually completing such a task will be time consuming, especially if multiple requests are received.

It is the responsibility of all website owners to familiarize themselves with GDPR Rules and make their websites GDPR compliant. If you own or operate a website, read up on GDPR requirements, check to make sure consent is being obtained before personal data are collected and processed, ensure data subjects’ rights and freedoms are protected and honored, and make sure all personal data is stored securely.

You must also develop policies and procedures to identify and deal with data breaches. If a breach is experienced, the Supervisory Authority must be notified within 72 hours.
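The steps above (explicit, never pre-checked consent; stating purposes and retention; collecting only the minimum data; automating access and erasure requests; the 72-hour breach notification clock) and the pre-checked consent box at issue in the Google item earlier on this page are pulled together in the following added example. It is constructed for this page, not HIPAA Journal's or any vendor's code; the PURPOSE_FIELDS mapping, the DEMO_NOW clock and the example.com addresses are assumptions.

```python
"""Constructed GDPR consent-and-rights ledger for a small website backend."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed mapping (not from the article): the minimum fields each stated
# purpose actually needs. Anything else submitted is dropped (data minimisation).
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "contact_form": {"email", "message"},
    "analytics": {"ip_address"},
}
BREACH_NOTIFY_WINDOW = timedelta(hours=72)  # notification deadline the article cites
DEMO_NOW = datetime(2019, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed clock


class ConsentError(ValueError):
    """Raised when a submission cannot count as GDPR consent."""


@dataclass(frozen=True)
class ConsentForm:
    """Server-side description of the consent box shown to the visitor."""
    purposes: Tuple[str, ...]      # plain-language purposes printed beside the box
    retention_days: int            # retention period stated on the form
    shared_with: Tuple[str, ...]   # classes of recipients stated on the form
    default_checked: bool = False  # a pre-checked box is never valid consent


def validate_form(form: ConsentForm) -> List[str]:
    """Return the reasons (if any) why this form cannot yield valid consent."""
    problems = []
    if form.default_checked:
        problems.append("checkbox is pre-checked")
    if not form.purposes:
        problems.append("no purposes stated")
    elif any(p not in PURPOSE_FIELDS for p in form.purposes):
        problems.append("unknown purpose")
    if form.retention_days <= 0:
        problems.append("retention period not stated")
    return problems


@dataclass
class Subject:
    email: str
    form: ConsentForm
    granted_at: datetime
    data: Dict[str, str] = field(default_factory=dict)


class SubjectStore:
    """In-memory store; a real site would back this with its database."""

    def __init__(self) -> None:
        self._subjects: Dict[str, Subject] = {}

    def collect(self, email: str, form: ConsentForm, ticked: bool,
                fields: Dict[str, str], now: datetime) -> List[str]:
        """Store only what the consented purposes need; return the dropped fields."""
        problems = validate_form(form)
        if problems:
            raise ConsentError("; ".join(problems))
        if not ticked:  # no affirmative action by the visitor, so no consent
            raise ConsentError("visitor did not tick the consent box")
        allowed = set().union(*(PURPOSE_FIELDS[p] for p in form.purposes))
        self._subjects[email] = Subject(
            email, form, now, {k: v for k, v in fields.items() if k in allowed})
        return sorted(k for k in fields if k not in allowed)

    def export(self, email: str) -> Optional[dict]:
        """Right of access / portability: everything held about the subject."""
        s = self._subjects.get(email)
        if s is None:
            return None
        return {"email": s.email, "purposes": list(s.form.purposes),
                "granted_at": s.granted_at.isoformat(), "data": dict(s.data)}

    def erase(self, email: str) -> bool:
        """Right to be forgotten, handled without manual work."""
        return self._subjects.pop(email, None) is not None

    def purge_expired(self, now: datetime) -> List[str]:
        """Drop subjects whose stated retention period has elapsed."""
        expired = sorted(e for e, s in self._subjects.items()
                         if now - s.granted_at > timedelta(days=s.form.retention_days))
        for e in expired:
            del self._subjects[e]
        return expired

    def count(self) -> int:
        return len(self._subjects)


def hours_left_to_notify(discovered_at: datetime, now: datetime) -> float:
    """Hours remaining before the 72-hour supervisory-authority deadline (negative if missed)."""
    return (discovered_at + BREACH_NOTIFY_WINDOW - now).total_seconds() / 3600
```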

How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority?

Under GDPR, a Supervisory Authority is an independent public authority that is responsible for monitoring compliance with GDPR, helping organizations become compliant with GDPR, and enforcing compliance and conducting investigations. The supervisory authority is the entity that must be notified in the event of a breach of personal data of data subjects.

The Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing. The main purpose of having a lead supervisory authority is that there is just one point of contact, such as when a business operates in multiple EU member states. It is a one-stop shop for all matters related to GDPR.

For most companies, choosing a GDPR Lead Supervisory Authority is a straightforward decision. A company based in Paris, France would appoint the supervisory authority in France as the lead supervisory authority. A UK-based company would choose the Information Commissioner’s Office (ICO), which is the supervisory authority for the UK.

For companies that operate in multiple EU member states, the lead supervisory authority would normally be the supervisory authority in the country where the company’s headquarters is or where its main business location is in the EU. More specifically, it would be the Supervisory Authority in the country where the final decisions are made about data collection and processing.

A U.S. company that does not have a base in an EU member state has a problem. If it does not have a base in an EU member state where data processing decisions are made, it will not benefit from the one-stop-shop mechanism. Even if a company has a representative in an EU member state, that does not trigger the one-stop-shop mechanism.

The company must therefore deal with the supervisory authority in every member state where the company is active, through its local representative. There would not be any lead supervisory authority. Article 27 of GDPR details the requirement to appoint a local representative in an EU member state.

For some companies, especially those that operate in many EU member states, identifying the lead supervisory authority may not be straightforward. The Article 29 Data Protection Working Party has responded to confusion over the selection of an LSA by producing guidelines for identifying a controller or processor’s LSA. The guidelines are published as a PDF.