Posted by: Margaret Rouse
Data breaches may involve Personal Health Information (PHI), Personally Identifiable Information (PII), trade secrets or intellectual property.
The most common concept of a data breach is an attacker hacking into a corporate network to steal sensitive data. However, not all data breaches are so dramatic. If an unauthorized hospital employee views a patient’s health information on a computer screen over the shoulder of an authorized employee, that also constitutes a data breach.
A number of industry guidelines and government compliance regulations mandate strict governance of sensitive or personal data to avoid data breaches. Within a corporate environment, for example, the Payment Card Industry Data Security Standard (PCI DSS) dictates who may handle and use sensitive PII such as credit card numbers, PINs and bank account numbers in conjunction with names and addresses. Within a healthcare environment, the Health Insurance Portability and Accountability Act (HIPAA) regulates who may see and use PHI such as name, date of birth, Social Security number and health history information.
If anyone who is not specifically authorized to do so views such information, the corporation or healthcare organization charged with protecting that information is said to have suffered a data breach. If a data breach results in identity theft and/or a violation of government or industry compliance mandates, the offending organization may face fines or other civil or criminal prosecution.
Service providers are required to notify the ICO (the UK Information Commissioner’s Office) if a ‘personal data breach’ occurs. They must also notify customers if the breach is likely to adversely affect customers’ privacy, and keep a breach log.
What is a ‘personal data breach’?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.
A personal data breach may mean that someone other than the data controller gets unauthorised access to personal data. But a personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.
What must we do if there is a breach?
Service providers (eg telecoms providers or internet service providers) have certain obligations if a personal data breach occurs. These are set out in regulation 5A.
If you are a service provider, you must:
- notify the ICO;
- consider whether to notify your customers; and
- record details in your own breach log.
When and how do we notify the ICO?
You must notify the ICO within 24 hours of becoming aware of the essential facts of the breach. This notification must include at least:
- your name and contact details;
- the date and time of the breach (or an estimate);
- the date and time you detected it;
- basic information about the type of breach; and
- basic information about the personal data concerned.
If possible, you should also include full details of the incident, the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about your notification to customers. If these details are not yet available, you must provide them as soon as possible. You must submit a second notification form to us within three days, either including these details, or telling us how long it will take you to get them.
Failure to submit breach notifications can incur a £1,000 fine.
When and how do we notify our customers?
If the breach is likely to adversely affect the personal data or privacy of your subscribers or users, you need to notify them of the breach without unnecessary delay. You need to tell them:
- your name and contact details;
- the estimated date of the breach;
- a summary of the incident;
- the nature and content of the personal data;
- the likely effect on the individual;
- any measures you have taken to address the breach; and
- how they can mitigate any possible adverse impact.
You do not need to tell your subscribers about a breach if you can demonstrate that the data was encrypted (or made unintelligible by a similar security measure).
If you do not tell your customers, the ICO can require you to do so if we consider the breach is likely to adversely affect them.
What do we need to record in our breach log?
You must also keep your own record of all personal data breaches in an inventory or log. It must contain:
- the facts surrounding the breach;
- the effects of the breach; and
- remedial action taken.
For more information, see our detailed guidance for service providers on notification of PECR security breaches.
Source: ICO Org
Democrats step up calls that Russian hack was act of war
Democratic lawmakers are publicly calling out Russia for engaging in war by meddling in the U.S. presidential election.
The Democrats have been particularly bullish in the wake of FBI Director James Comey’s disclosure that the bureau is investigating whether there was coordination between President Trump’s associates and Russia in the influence campaign, which involved leaking hacked personal emails from Democratic operatives to damage candidate Hillary Clinton.
The warfare accusations fit into a larger narrative pushed by Democrats that casts President Trump as weak on Russia and plays up the damage done by Moscow through the electoral interference.
The rhetoric also puts Republicans — who often characterize themselves as more hawkish on Russia and defense — in a bind as they try to defend the new administration’s strategy on Russia.
“I think this attack that we’ve experienced is a form of war, a form of war on our fundamental democratic principles,” Coleman said during a hearing this week at the House Homeland Security Committee.
She lambasted Trump for his praise of Russian President Vladimir Putin, asking a panel of experts and former officials what message Trump’s “borderline dismissive attitude” toward Moscow’s cyberattack sends to the Kremlin and other nations.
Two other Democrats made similar charges at the House Intelligence Committee hearing where Comey testified.
An Act of Hybrid Warfare
“I actually think that their engagement was an act of war, an act of hybrid warfare, and I think that’s why the American people should be concerned about it,” said Rep. Jackie Speier (D-Calif.).
“This past election, our country was attacked. We were attacked by Russia,” said Rep. Eric Swalwell (D-Calif.). “I see this as an opportunity for everyone on this committee, Republicans and Democrats, to not look in the rearview window but to look forward and do everything we can to make sure that our country never again allows a foreign adversary to attack us.”
Sen. Ben Cardin (D-Md.), the Senate Foreign Relations Committee’s ranking member, has similarly described the election meddling as an “attack” and likened it to the United States’ “political Pearl Harbor.”
Doug Heye, a former communications operative for former House Majority Leader Eric Cantor (R-Va.), described the rhetoric as “alarmist” and indicative of partisan politics.
He said some lawmakers have raised good questions about potential ties between Trump associates and Russia, but that Democrats are largely trying to delegitimize Trump’s victory.
“The Democrats either still don’t believe or don’t want to send the message that they lost the election,” he said.
Michael Schmitt, an international law professor at the University of Exeter in Britain, told The Hill that public officials need to choose their words carefully to “control escalation.”
“I find that sort of talk dangerous,” said Schmitt, who led the team of legal experts that formulated the Tallinn Manual 2.0, a comprehensive analysis of how international law applies to cyberspace.
The Army’s top officer, Mark Milley, also cautioned individuals about using the term “war” to refer to the cyberattacks, saying at a conference on Tuesday, “If it’s an act of war, then you’ve got to start thinking of your response to that sort of thing.”
Democrats don’t appear to be calling for a military response to what they say was an act of war.
They’ve instead called for tightening sanctions on Moscow or creating an independent commission similar to the one that investigated the September 11, 2001, terror attacks.
“I’ll tell you what our next step should not be,” Swalwell told Fox News’s Tucker Carlson on Monday when pressed on what a “counterattack” should look like. “It should not be a warmer embrace of Russia, as the president clearly has intimated he wants to do. The sanctions should get tougher. We should expand NATO’s role, not contract it, and we should talk tough with Russia.”
The Trump administration has shown no signs of increasing sanctions or retaliating against Moscow by other means for the hacks.
Intelligence committees in both chambers of Congress are probing Russian interference in the presidential election. However, those investigations have been complicated by Trump’s unsubstantiated allegations that the Obama administration “wire tapped” Trump Tower and leaks to the press about investigations into contacts between Trump associates and Russian officials.
While Republicans have been less inclined to accuse Russia of warfare, one GOP Trump critic has said the hacking during the election amounted to an act of war.
Sen. John McCain (R-Ariz.) came out early with the charge in December, even before the U.S. intelligence community released its unclassified report on the election meddling.
“When you attack a country, it’s an act of war,” McCain, chairman of the Senate Armed Services Committee, said during an appearance on Ukrainian television. “And so we have to make sure that there is a price to pay so that we can perhaps persuade Russians to stop this kind of attacks on our very fundamentals of democracy.”
Congress does not yet have a clear handle on what defines war in cyberspace and has through annual defense policy legislation directed the new administration to spell out what actions in cyberspace may warrant a military response.
Schmitt assesses that the hacking campaign was not an act of war but rather a violation of two prohibitions: one on violating another state’s sovereignty and another on intervention into another state’s affairs.
“Without a scintilla of a doubt, it is not an act of war,” Schmitt said.
Thanks to TechTarget, ICO Org and The Hill, and thanks for reading Data Breach Hack.
IMAGE: Melissa Agnes, “Your Guide for Data Breach Crisis Communication”