Author: Paul Glass

The European Data Protection Board (EDPB) recently published the draft Guidelines on Examples Regarding Data Breach Notification, a document that encompasses eighteen examples of data security incidents, on a spectrum of risk and necessary mitigating measures.  Each example concludes with recommended actions based on the identified risks, mainly: recording the incident in the organization’s internal register, notifying the organization’s supervisory authority, and notifying affected individuals.  The Guidelines are currently open for public consultation. The Guidelines…

Brian Hengesbaugh and Partner Paul Glass dissect the recent guidance issued by the ICO in response to the SolarWinds cyber attack. Listen to hear:
- an overview of what the guidance says
- why the ICO decided to release guidance in regards to this incident
- how companies should best approach the 72-hour notification rule
https://open.spotify.com/episode/5ufO2qYMt4rPOQiVOKHo4n?si=ZMqpxKVpRvKsT8G7jo6o-A

On Christmas Eve the UK and the EU concluded a Trade and Cooperation Agreement in principle. We’ve set out the key points from a data protection perspective below. The key take away is that transfers of personal data from the EEA to the UK can continue without safeguards for a period of up to six months from the end of the transition period while the European Commission considers whether to adopt an adequacy decision in respect of the…

The ICO has issued a statement confirming that organisations should immediately check to see whether they are potentially a victim of the cyber-attack carried out through the SolarWinds Orion IT management platform (see ICO statement). Initial technical research indicates that while the majority of potentially compromised users of Orion are based in the United States of America, there are significant numbers of users in the United Kingdom and EU. The versions of the software that…

The UK data protection regulator, the Information Commissioner’s Office, has issued three significant monetary penalties over recent months focusing on cyber security issues. The most recent enforcement was a monetary penalty of £1.25 million on Ticketmaster in connection with an incident which occurred between February 2018 and June 2018 (although the enforcement only relates to the period after 25 May 2018 when the GDPR came into force). In the ICO’s view there was a failure…

The UK data protection regulator, the Information Commissioner’s Office, has issued a monetary penalty of £20m on British Airways in connection with a cyber-attack which took place in 2018. In the ICO’s view there was a failure to process personal data in a manner that ensured appropriate security, as required under Articles 5(1)(f) and 32 of the GDPR. The incident commenced with a “supply chain attack” where BA’s network was accessed by an attacker…