Richard van Schaik and Róbin de Wit write: The Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) revealed that almost 5500 data breaches have been notified since the legislation on mandatory data breach notification duties entered into force on 1 January 2016. Pursuant to this legislation, it is mandatory for all types of data controllers…
Category: Commentaries and Analyses
GRIZZLY STEPPE – Russian Malicious Cyber Activity
Joint Analysis Report Reference Number: JAR-16-20296 December 29, 2016 Summary This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence…
The Worst Health Data Breaches in 2016
It’s relatively easy to identify which were the biggest breaches involving health data that were disclosed in 2016, but which of the hundreds of breaches disclosed were the worst ones if you look beyond the numbers? As in past years, we learned of devices with sensitive unencrypted health information being stolen from vehicles, paper records were found where they…
Clever Facebook Hack Reveals Private Email Address of Any User
Tom Spring reports: Christmas came early for Facebook bug bounty hunter Tommy DeVoss who was paid $5,000 this week for discovering a security vulnerability that allowed him to view the private email addresses of any Facebook user. “The hack allowed me to harvest as many email addresses as I wanted from anybody on Facebook,” DeVoss…
NY financial regulator to delay cyber security rules
Suzanne Barlynne reports: New York’s financial regulator will delay an anticipated Jan. 1 deadline for banks and insurers doing business in the state to comply with controversial cyber security rules, a person familiar with the matter said. The regulator, the New York State Department of Financial Services, will publish a revamped version of its cyber…
What Can Be Learned From 2016 Security Incidents?
Craig Hoffman raises some valid points about lessons that can be learned following a security incident. Here are just a few of his points: Acknowledging that trust but verify is important (e.g., if someone says a network is segmented, check the ACLs and firewall rules to confirm this). Knowing that you can have great security…