Belgian DPA recommends taking 13 steps now

The Belgian DPA (hereafter referred to as the CPP, reflecting its official name, the Commission for the Protection of Privacy) has issued GDPR-preparation recommendations in the form of 13 guidelines for companies processing personal data. The English-language summary below is taken from a law-firm website (link); the originals were issued in French (link) and Dutch (link) only.

The good news is that the CPP has now set some priorities, giving data controllers and processors an idea of what the auditors will be looking for in the early days after the GDPR’s effective date. The bad news, at least as I see it, is not only that the guidance is mostly vague, but also that it seems to embed an assumption that all of this is feasible within a short time frame. Continue reading “Belgian DPA recommends taking 13 steps now”

Is it possible to connect a breach to specific harm?

The fallout from the Equifax case has already begun. Those of you who may be affected by this breach should read this article to guard against some of the scams that are already being thrown at data subjects:

Beware – the Equifax Scams Are Coming

For those not affected, the article is still worth reading for a small sample of the variety of attacks that follow leaked data.

In other news, a lawsuit against the U.S. government over the leak of some 22 million employee records has been dismissed (link), on the grounds that the aggrieved data subjects (represented here by their labor unions) have not proven that they were harmed by the breach.

In an ordinary case of injury or damage, proof of cause and effect is a standard requirement. But how could the plaintiffs possibly prove that a damaging effect was caused by this particular breach? After all, the government could point out that a given harm might equally have been caused by the Equifax breach, or by some other. In other words, the traditional rules of evidence and inference are of little use in the age of internet crime.

Stolen data is effectively anonymous: it carries no trace of where it came from. When you are attacked, you have no idea where the attacker obtained his data; even the attacker himself may not know the seller’s identity. The data in question might even have been legally obtained; many businesses (Equifax among them) are in the business of collecting and selling data.

Unlike money, data does not need to be laundered; it’s already untraceable. Unlike money, it can be copied and distributed without limit. Exposing one’s personal data on the internet is like exposing one’s body to radiation: the effects are cumulative, and for life.

At the moment the technical, legal, political, and other capabilities are not in place to stop this trend, nor even to slow it down by very much. Our technology is running ahead of our ability to deal with its consequences.

Equifax breach, part 2: is this our future?

The Equifax data breach continues to reverberate in the media, raising various issues that pertain to data security and privacy.

Asymmetry between errors and consequences

These issues present an asymmetry, what risk theorist Nassim Taleb refers to as ‘convexity’ (link), between the degree of negligence on the part of the data owner and the extent of the damage. In options theory, a convex payoff means that, in exchange for a small, defined loss (the option premium), you obtain the possibility of an unbounded gain. The usual example is an exchange-traded option to buy or sell a financial asset. (Many people also think of lotteries in this context, but the analogy does not apply: lotteries are artificial games of chance with known probabilities and a maximum payout.) Continue reading “Equifax breach, part 2: is this our future?”

Considering an end-to-end GDPR solution: Oracle

In this post I will discuss an Oracle presentation on how its product line provides the technical means for GDPR compliance (link). Although I am impressed with the presentation, my main reason for introducing it here is to be able to refer to it when discussing the different stages of GDPR measures. Simply reading through this document will give you an idea of the range of technical measures necessary for good compliance at the database level.

In particular, I like the 3-page Appendix at the end of the document, which lists various GDPR articles and the Oracle feature that helps you to comply with each one. If you’re considering a packaged solution, your vendor should be able to present a similar mapping of GDPR requirements to product features. Continue reading “Considering an end-to-end GDPR solution: Oracle”

Unrestricted email plus full PII access: recipe for trouble

Storage giant Seagate suffered exposure of the withholding-tax records of some 12,000 employees following a phishing attack.

At the time, Seagate noted that there was no evidence that the information had been misused, a position also known as the absence-of-evidence defense.

Fast-forward a year or so, and the evidence has appeared.

As is usual in these cases, we have a combination of failures, such as: Continue reading “Unrestricted email plus full PII access: recipe for trouble”

Cloud apps and outsourcing bring new breaches

Given the apparent proliferation of data breaches (or at least their coming to light), I doubt that I can keep up, and so in future will comment only on those cases that illustrate some aspect of the GDPR.

That aspect today is the rampant push to get sensitive PII into the hands of cloud vendors and external (outsourced) developers and testers. I have just come across several recent cases: Continue reading “Cloud apps and outsourcing bring new breaches”

Sweden’s data breach: a cautionary tale

Another week, another data incident. The GDPR is arriving none too soon. Let’s hope that it can slow the tide that is washing our personal data out into the internet data-ocean.

This time the victims are the citizens of Sweden, or at least those who have a registered vehicle, who serve in the police or military, or who are protected witnesses. In other words, a nightmare scenario, and one that would clearly violate the GDPR (once it comes into force, some ten months from now). Continue reading “Sweden’s data breach: a cautionary tale”

BUPA suffers an incident

News stories reinforce the reality of privacy incidents. Today I plan to discuss a story from The Register, one of my favorite tech sites. The article is short and well worth reading. Don’t miss the comments, which raise interesting points.

Bupa: Rogue staffer stole health insurance holders’ personal deets

BUPA, a UK health insurance company, suffered a leak of more than 100,000 customer records, including phone numbers and email addresses, due to the actions of an employee. Continue reading “BUPA suffers an incident”