GDPR Weekly Show Episode 220 :- Interserve, PFS, Bed Bath&Beyond, See Tickets, Bristol Council,...

Welcome to the GDPR Weekly Show, one of the top five GDPR podcasts worldwide. Here is what's coming up in this week's episode.

Welcome to episode 220 of the GDPR Weekly Show, the number one GDPR podcast worldwide. Coming up in this week's episode, we have news that Interserve have been fined 4.4 million pounds by the ICO for failing to keep data secure. We then travel to the City of London, where PFS have announced a data breach, and then to the USA, where Bed Bath & Beyond have announced a data breach. We then have news of a data breach globally at See Tickets, and then return to the UK, where Bristol City Council have had a data breach. We then travel to India, where Tata Power have had a data breach, and then to Australia, where the Woolworths CEO has apologized after the MyDeal data breach, which we brought you details of last week here on the GDPR Weekly Show. We then turn to the USA, where the Drizly data breach has an unusual twist, and then return to the UK, where a High Court claim for data breach damages has been refused and referred back to the small claims procedure, and we examine what sort of precedent this is now setting. We then have news that the Liberal Party of South Australia have had a data breach, and then to Georgia in the USA, where Ascension St Vincent's have had a data breach. We then have news from the world of gaming, where HoYoverse have had a data breach, and then to Australia again, where Medibank have given an update on their data breach. We then have news of a data breach at Thomson Reuters, and then, returning to Australia yet again, we have news of a data breach at Medlab. We then travel to Ireland, where GDPR has been the cause of some strong language in the least County Council chamber. We then travel to Hungary, where the Hungarian data protection authority has ruled on liability for joint data controllers, and then we have news that the EU Digital Services Act has now been approved and is coming into force in early 2024, so we look at the
implications of that. We then have news that Microsoft and general authorities are clashing over GDPR, and then finally this week we have news that the UK cyber security industry is edging towards creation of a chartered professional standard for professionals in the cyber security industry. So, certainly a wide-ranging roster of stories this week. We hope you find the information in the podcast useful and informative. If you have any feedback for us, please do email us at feedback at gdprweeklyshow.com.

Well, now there is: GDPR Made Simple, available now on Amazon.

Interserve Group has been fined 4.4 million pounds for failing to keep personal information of its staff secure. The ICO found that Interserve failed to put appropriate security measures in place to prevent the cyber attack, which enabled attackers to access the personal data of up to 113,000 employees through a phishing email. It's understood that in May 2020 an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve's systems, to another employee, who opened it and downloaded its content. This resulted in the installation of malware onto the employee's workstation. The company's antivirus system quarantined the malware and sent an alert, but according to the ICO the company failed to thoroughly investigate the suspicious activity. If it had done so, it would have found that the attacker still had access to the company's systems. The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company's antivirus system. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable. The compromised data included personal information such as contact details, National Insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation and health information. The ICO investigation found that Interserve failed to follow up on the original alert of a
suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately all left it vulnerable to a cyber attack. UK Information Commissioner John Edwards said: "The biggest cyber risk businesses face is not from hackers outside their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office. Leaving the door open to cyber attackers is never acceptable, especially when dealing with people's most sensitive information. This data breach had the potential to cause real harm to Interserve's staff, as it left them vulnerable to the possibility of identity theft and financial fraud. Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency."

All of this is very valid, and indeed words which we have often used ourselves. It is really, really important that not only do you have malware and antivirus software in place, but that you actually make sure it's up to date and it's working, and also that you keep your staff regularly updated with training. If you're listening to this and your staff last received GDPR training in 2018, then you really should be contacting us on the contact details that will come up in a moment, because your need for refresher training is urgent, and as this ruling from the ICO shows, not keeping yourself up to date with the training could well end up costing you a substantial sum of money. Contact us on help desk at gdprweeklyshow.com.

Some breaking news now: the Personal Finance Society, the PFS, has released the following statement about a data breach this afternoon, which, after notifying all its membership, is as follows. The Chartered Insurance Institute, the CII, informed the Personal Finance Society, the PFS, that the CII's IT systems have been accessed by an
unauthorized third party, which affected some of our members. The Information Commissioner's Office, the ICO, was informed and a detailed investigation was launched immediately. This investigation is now completed and affected PFS members have been informed. We have to take any incident of this nature very seriously and are engaged with the CII on how they are strengthening their cyber defenses as an urgent priority. Although we are advised that only a limited amount of personal data was accessed, we would always advise PFS members to be especially vigilant when it comes to their cyber security. The PFS leadership advises all members to continue to be cautious in responding to unsolicited emails and to monitor for any suspicious or unusual activity. We've gone back to the PFS to ask them for more detail on this, and when we get that we will bring it to you in the next available episode of the GDPR Weekly Show.

You're listening to the GDPR Weekly Show with your host, Keith Budden. [Music]

To America now, and Bed Bath & Beyond said on Friday a third party had this month improperly accessed its data through a phishing scam, by accessing the hard drive and certain shared drives of one of its employees. The big box retailer said it was reviewing the data that was accessed to determine whether the drives contained any sensitive or personally identifiable information. The home goods retailer said there's no reason to believe that any sensitive or personally identifiable information was accessed, and this cyber security incident would likely not have a material impact on the company. Shares of the company, once considered a so-called category killer in home and bath goods, were down by about five percent in pre-market trading.

Ticketing service provider See Tickets has disclosed a data breach, informing customers that cyber criminals might have accessed their payment card details via a skimmer on its website. Skimmers are snippets of JavaScript code injected onto checkout pages to steal inputted
payment card details from customers, in this case people who bought a ticket to a live entertainment event. According to a data breach notification shared with the Montana Attorney General's office, See Tickets discovered the breach in April 2021, when they started an investigation with the help of a forensics firm. However, it wasn't until January 8, 2022 that the malicious code was fully removed from its site. After engaging with forensic experts and Visa, Mastercard, American Express and Discover to investigate the incident further, See Tickets concluded on September the 12th, 2022 that unauthorized parties may have accessed customer credit card information. The internal investigation said the infection happened on June 25th, 2019, so the total duration of exposure was just over two and a half years. The customer information the hackers might have stolen includes the following: full names, physical addresses, ZIP code, payment card number, card expiration date and CVV number, i.e. the three digits on the back of the card. See Tickets says Social Security numbers, state identification numbers or bank account information have not been exposed in this incident, as they're not stored on its systems. Due to the type of data that has been stolen, See Tickets warns that users should be vigilant against unauthorized credit card transactions and identity theft. Threat actors commonly use stolen credit card information to purchase goods from online stores and then sell them to private individuals, so carrying out some money laundering. The proceeds of these sales are often bounced through money mule networks before they reach the crooks, to obscure their trace. Additionally, the notice urges impacted recipients to remain vigilant against phishing emails or other unsolicited communication, and to monitor credit card statements for suspicious charges. Unfortunately, See Tickets has not yet offered a free-of-charge identity protection service for the impacted individuals, so most customers were left on their own to deal with
the consequences of the security breach. The number of impacted customers is currently unknown, and See Tickets hasn't clarified if the skimmer infected only the global site or any of the other five domains that operate for regional audiences in the US, Canada and Europe. We've reached out to See Tickets for further information, but at the time of broadcast they've not yet come back to us. [Music]

Available now on Amazon.

To Bristol in the UK now, and Bristol City Council has apologized after a data breach relating to Clean Air Zone applications. The incident, which saw around 100 people's email addresses being disclosed in a mass send-out, has been referred to the Information Commissioner's Office. One resident, Phil from Brislington, was one of those people who was copied into the email last week. He said he submitted his application for a grant ages ago, in case he was able to get some support towards a new car. He said that in the response he'd received from the council, saying he was not eligible for Clean Air Zone financial assistance, the team at Bristol City Council had cc'd in 95 other people. Straight away people started responding in the email chain to say that this was a data breach, and later in the day they received an apology from the council. "I was just a bit annoyed by it," he went on. "They're giving out your personal email as well as an indication of what you earn, which is quite personal information. I think it is carelessness. Somebody clearly just made a mistake, but you would think they would have policies and procedures in place to prevent this from happening. They're most likely to be handling personal data every day. This is bread and butter stuff. It's just frustrating." The email chain shows the council apologizing later on the afternoon of October the 17th. It says: apologies for sharing email addresses in the previous email. This was sent in error and should have been sent as blind copy. We have now attempted to recall this email, but please delete this and do not
respond to all. This will be reported to our data controller as part of our data protection policy. A spokesperson for Bristol City Council said: "We are aware a breach of GDPR has occurred, and we've been in contact with those affected and have apologized. This case has been referred to the Information Commissioner's Office, the ICO, in line with the accepted process for reporting data breaches, and we will comply fully with their protocol." If we get any further update from Bristol City Council, we will bring it to you in the next available episode of the GDPR Weekly Show.

Contact us on help desk at gdprweeklyshow.com.

To India now, and the Hive ransomware group has claimed an attack on Tata Power, a leading Indian energy company, and encrypted its systems with ransomware. Hive claimed to have encrypted the systems of the electric utility subsidiary group on the 3rd of October around 7pm, disclosing the attack on the 24th of October in a post on its leak site. The dumped sample files include employment contracts, supplier contracts, master files on those employees, documents detailing senior executives' remuneration packages and more. This comes after Tata Power said on the 14th of October in a stock exchange filing that it had suffered a cyber attack on its IT infrastructure, impacting some of its IT systems. The company said it had taken steps to retrieve and restore the systems, without revealing what kind of attack it was or who had carried out the attack. "All critical operational systems are functioning. However, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer facing portals and touch points," the company said at the time. A number of Tata Power customers reported difficulty paying their energy bills on Twitter, with some stating they'd been disconnected from the service for not being able to complete the payment. Some also reported they'd made the payment but were still receiving tools that their bill
hadn't been paid. Hive is one of the most successful ransomware organizations currently in operation and is run in a similarly professional fashion as other high-profile gangs of past and present, such as REvil and LockBit. Once infected, victims are taken to a bespoke portal where agents working for Hive guide victims through the ransom payment process via a live chat functionality. Hive is known for its aggressive and unsympathetic approach to negotiating ransom payments, and has been observed using tactics such as triple extortion, a method that has become increasingly popular amongst the most well-resourced groups. The attack on Tata Power is the latest in a series of attacks carried out by the ransomware organization. In September it claimed an attack on the New York Racing Association, the NYRA. The NYRA reported the attack on the 30th of June after learning its IT operations, website availability and member data had all been compromised. A few days before this, the group claimed responsibility for a data breach at Bell Canada subsidiary Bell Technical Solutions, BTS. The breach exposed personally identifiable information of its Ontario and Quebec-based customers, and compromised and encrypted BTS systems. If we receive any update on this from Tata Power, we will bring it to you in the next available episode of the GDPR Weekly Show.

You're listening to the GDPR Weekly Show with your host, Keith Budden. [Music]

In last week's episode of the GDPR Weekly Show we brought news of the data breach at mydeal.com in Australia, and this week Woolworths chief executive Brad Banducci says the retailer is doubling down on efforts in cyber security, and moved to assure investors and customers at the supermarket giant's annual meeting that it takes data security seriously. The cyber incident affected 2.2 million MyDeal customers, and he apologized unreservedly for the considerable concern that this had caused affected customers. Mr Banducci said that from now on he would ensure that
systems met Woolworths' standards before any future deal was completed. Woolworths only took control of MyDeal in September. "We were weeks away from all the remedial action being done to lift it to the standard we would expect at Woolworths. So it wasn't that it was a poor standard, but there were things to be done," Mr Banducci said. "But as a major public company, we're going to be targeted. If we ever found ourselves in this situation again, we would make sure that at the point of completion it was at our standard, not with work underway to get to our standard. So it's been a real lesson for us." Outgoing chairman Gordon Cairns told shareholders that Woolworths noticed the breach in the CRM system on October the 14th, and 24 hours later it was shut down. "I can also reiterate, as Brad said, that no passwords, no payment details, no ID is released as a result of that," he added. Woolworths has more than 120 specialists working in cyber security. Mr Banducci said the company spent more than 16 million dollars on cyber in this year's budget, and between 10 million and 20 million of capital expenditure. "There's a big issue. We're doubling down our efforts," he said.

To America now, and the Federal Trade Commission, the FTC, wants to secure a unique settlement with Drizly over a 2020 data breach. The unique part is that the settlement terms will follow CEO James Cory Rellas even if he moves to another company. On October 24th the FTC announced it was taking action against the online alcohol marketplace and its CEO over allegations the company's security failures led to a data breach exposing the personal information of about two and a half million consumers in 2020. The FTC alleges that Drizly and Rellas discovered security problems two years prior to the breach, yet failed to take steps to protect consumers' data from hackers. The FTC's proposed order requires the company to destroy unnecessary data, restricts the data that the company can collect and retain, and binds Rellas to specific data security
requirements for his role in presiding over unlawful business practices. "In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track records," the FTC said in a statement. "Recognizing that reality, the Commission's proposed order will follow Rellas even if he leaves Drizly." Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO or senior officer with information security responsibilities. According to the FTC complaint, in 2018 a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of the security breakdown, hackers were able to use Drizly's servers to mine cryptocurrency until the company changed its login information. Two years later, a hacker breached an employee's account, received access to Drizly's corporate GitHub login information, hacked into the company's database and stole customer information. Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protection in place, the FTC says. The FTC voted by four to nil to issue the proposed administrative complaint and to accept the consent agreement with Drizly and Rellas. Commissioner Christine Wilson voted yes but dissented in part as to the inclusion of Rellas as an individual defendant. The agreement will be subject to public comment for 30 days, after which the FTC would decide whether to finalize it. Consumers whose personal information may have been affected by the Drizly data breach were compensated last year following a 7.1 million dollar class action settlement.

I wish there was a simple guide to GDPR. Well, now there is: GDPR Made Simple, available now on Amazon.

Several times recently here on the GDPR Weekly Show we've
talked about courts in the UK and their view on awards of damages where there's no proven material damage following a data breach. Well, we now have news that a case has actually been referred down from the High Court back to the County Court to follow the small claims track. The case, Cleary versus Marston Holdings Limited, was ruled to be a low-value data breach case which could be handled by the small claims track. Business defendants will welcome this decision, as it reiterates the dim view the courts take against claimants who purportedly overstate the complexity of their case. Cleary versus Marston Holdings demonstrates the courts' view that low-value data breach claims can and should be dealt with by the small claims track in the County Court, not in the High Court. A key corollary to this is the fixed cost regime that then applies. The decision is another example of courts actively managing data breach claims to ensure they're dealt with at proportionate cost. Other key takeaways from this case are that breach of confidence, misuse of private information and breach of data protection claims are seen as three different ways to characterize the same complaint. Courts will give short shrift to claimants unnecessarily claiming more than one of these in any one action in an attempt to overstate the complexity and costs of the claim. Declarations in media and communications claims are unnecessary and do not justify the claim being allocated to the High Court. Mr Justice Nicklin stated in Cleary that declarations are not usually sought in these types of claims and should not be included unless there's an exceptional justification for it. A declaration of these things would provide no more value to a claimant than a court judgment. The existence of after-the-event insurance policy premiums or a claimant's agreement with its legal advisors as to costs should not affect the track allocation of a claim. If successful, claimants can benefit from the limited cost recovery on the small claims track, but provided
the parties have not acted unreasonably.

So what happened in this particular case? Well, Mr Cleary issued proceedings against Marston for an alleged breach of data protection legislation after an employee of Marston mistakenly sent an email containing information regarding Mr Cleary to a third party. The third party deleted the email on the same day. The only factual point of dispute was whether the email had been read before it was deleted. Mr Cleary instructed solicitors with an after-the-event insurance policy and arranged a conditional fee arrangement with them, which allowed for a success fee. The pleaded value of Mr Cleary's claim was three thousand pounds, but his costs budget for the claim totalled 46,908 pounds. At the costs and case management conference, Mr Justice Nicklin ordered the claim be transferred to the small claims track because (a) there were limited facts in dispute between the parties, (b) there were no issues that were too legally complex for a County Court judge to determine, (c) the claim for a declaration was unnecessary, and (d) the value of the claim meant it would be ordinarily allocated to the small claims track. Mr Cleary's side argued that this raised potential issues in respect of access to justice. They argued that Mr Cleary would not be able to retain legal support without the ability to recover the after-the-event premiums. Mr Justice Nicklin rejected the argument. He confirmed the ability to recover costs should not affect the allocation of proceedings. He also noted that no ordinary litigant would incur costs of around 50,000 pounds to pursue a three thousand pound claim.

So yeah, we see this as an example of where courts are now setting clear precedent on what damages should be expected where there is no proven material damage, and of course that's really very important legal justification, but hopefully it will reduce the number of opportunistic claims for damages following a data breach.

You're listening to the GDPR
Weekly Show with your host, Keith Budden. [Music]

To Australia now, and police are investigating an alleged major data breach involving the private details of about 2,000 members of the South Australian Liberal Party. Detectives are investigating allegations that party officials were impersonated, with names, addresses, phone numbers and other data allegedly stolen. In an email to members on Friday, the party said they'd recently received a number of seemingly routine requests for certain membership lists. "These requests were subsequently determined to be fraudulently undertaken, involving an electronic impersonation of Liberal Party office bearers entitled to receive membership lists under our constitution," the email said. Liberal Party South Australia state director Alex May said in a statement the party was disappointed there had been some recent unauthorized access to a number of membership lists. "The lists contained addresses and phone numbers of approximately 2,000 party members," she said. "No financial details were accessed. Affected members have been informed directly, and the expert advice received is that the accessing of these contact details is unlikely to create a risk of serious harm to individuals. As a party we take these matters seriously and have reported the matters to the relevant authorities, including the police." Police issued their own statement on Friday, saying the breach had been reported on Tuesday. "Eastern District Criminal Investigation Branch have recently commenced an investigation into deception offences which involves the alleged release of details of members of a political party," the statement read. "Anyone with information is urged to contact Crime Stoppers."

On August the 15th this year, Ascension St Vincent's Coastal Cardiology in Brunswick, Georgia, was alerted to a healthcare data breach involving recently acquired Ascension St Vincent's Coastal Cardiology legacy systems, including the electronic medical records. No Ascension network or systems, including the practice's
current electronic medical records, were affected by this incident. The breach impacted 71,227 individuals. The organization said it immediately secured the legacy network, but some information was encrypted by ransomware. Since the data was still encrypted, Ascension St Vincent's Coastal Cardiology is currently unable to determine what information had been impacted. However, the legacy records would have contained individual demographics and health information related to visits to Coastal Cardiology prior to October 5th, 2021, including name, address, email address, phone number and insurance information, as well as social security number, clinical information and billing and insurance information, the breach notice stated. Ascension said it removed access rights to the legacy system, retrained associates and initiated a security risk assessment. [Music]

GDPR Made Simple, available now on Amazon.

Into the world of gaming now, and Genshin Impact developer HoYoverse suffered a massive data breach over the weekend. A huge batch of information was shared online that allegedly detailed new characters, quests and events from version 3.3 until 3.8. HoYoverse has DMCA-struck posts containing information from the data breach, and any future updates are of course subject to change. However, many Genshin Impact leakers have since removed their posts after personal user data from multiple HoYoverse QA testers was discovered as part of the breach. "After careful consideration with friends, I decided to remove all my tweets from today just to be safe," said leaker Ubatcha on Twitter. "To make it clear, I do not condone whatever methods in which the data was obtained, and I was not involved in obtaining or distributing the original data." It's believed that the amount of allegedly dumped information equates to around 36 weeks of content for the free-to-play live service game. We've contacted HoYoverse for an update on the situation, but at the time of doing the broadcast they've not come back
to us.

Contact us on help desk at gdpr weekly

In last week's episode we brought you news on the data breach at Medibank in Australia, and this week Medibank have confirmed that all of its 3.9 million customers have had their data exposed to a hacker. In an update to the Australian Stock Exchange on Wednesday, the company said that since Tuesday's announcement that all customer data may have been exposed, the investigation into the breach has now established the hacker had access to all Medibank, ahm and international student customers' personal data and significant amounts of health claims data. The personal information includes name, address, date of birth, some Medicare card numbers and gender. The health information includes the claim codes made by customers. Medibank still can't say definitively how many or which customers are affected beyond the 1,000 records provided to the insurer by the hacker in the past two weeks. It is through this communication with the hacker that Medibank has been able to determine the extent of the breach so far. The breach will also affect former customers, with Medibank confirming yesterday that state and territory health records laws require the company to keep data for seven years. Customers would be provided with a hardship financial support package if they are in a uniquely vulnerable position as a result of the hack, and Medibank says it will reimburse customers for costs associated with the reissuing of ID documents for those that were compromised in the hack. The hack is likely to cost the company a minimum of between 25 million and 35 million dollars, Medibank said. This is due to Medibank not having cyber attack insurance, and this estimated cost does not include customer compensation or regulatory or legal costs that may be brought against the company. Medibank is in communication with the hacker, who obtained stolen Medibank credentials from another hacker on a Russian cyber criminal forum, but the company has declined to say whether it would pay any ransom
demands that have been made. In a call with investors on Wednesday, Medibank's head of technology and operations, John Goodall, said that the company had deployed monitoring tools on its network and was assured the hacker is no longer in the company's systems. Medibank's chief executive, David Koczkar, said there was no evidence that credit card information had been compromised, but he would not rule it out. "We have no evidence that credit card data has been removed," he said. "But I would be very clear to say we are continuing to investigate, and as soon as it becomes clear to us if that changes, we will make it clear." He said the information the company has been able to obtain about the attack had been through communications with the hacker, who showed evidence of what was obtained. In a statement to the stock exchange, Koczkar apologized unreservedly to customers. "This is a terrible crime. This is a crime designed to cause maximum harm to the most vulnerable members of our community," he said. Medibank announced on Tuesday it would delay premium increases for all customers until the end of January 2023. On Wednesday the company said this would cost around 62 million dollars, which would be offset by savings the company made during the Covid-19 pandemic. The whole hack is under investigation by the Australian Federal Police. If we receive any further update from Medibank or from the Australian Federal Police, we will bring it to you right here on the GDPR Weekly Show.

You're listening to the GDPR Weekly Show with your host, Keith Budden. [Music]

Thomson Reuters, a multinational media conglomerate, left an open database with sensitive customer and corporate data, including third-party server passwords in plain text format. Attackers could use the details for a supply chain attack. The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the three-terabyte public-facing Elasticsearch
database, contains a trove of sensitive, up-to-date information from across the company's platforms. The company recognized the issue and fixed it immediately. Thomson Reuters provides customers with products such as the business-to-business media tool Reuters Connect, legal research service and database Westlaw, the tax automation system ONESOURCE, online research suite of editorial and source materials Checkpoint, and other business tools. The size of the open database the team discovered corresponds with the company using Elasticsearch, which is favored by enterprises dealing with extensive, constantly updated volumes of data. It is understood that the media giant, with 6.35 billion dollars in revenue, left at least three of its databases open, with at least three terabytes of sensitive data exposed, including Thomson Reuters plain text passwords to third-party servers. The data the company collects is a treasure trove for threat actors, likely worth millions of dollars on underground criminal forums. The company immediately fixed the issue and started notifying their customers. Thomson Reuters downplayed the issue, saying it affects only a small subset of Thomson Reuters Global Trade customers. The data set was open for several days. Malicious bots are capable of discovering instances within just a few hours. Threat actors could use the leak for attacks, from social engineering attacks to ransomware. Meanwhile, Thomson Reuters claims that out of the three misconfigured servers the team identified and informed the company about, two were designed to be publicly accessible. The third server was a non-production server meant for application logs from the pre-production implementation environment. Timestamps on data samples reviewed by the team indicate that the information was logged recently, with some pieces of data as recent as October the 26th. According to researchers, the logs in the open database contain sensitive information and could lead to supply chain attacks if accessed by threat actors. Another piece of edge
sensitive information includes SQL (Structured Query Language) logs that show what information Thomson Reuters clients were looking for. The records also indicate what information the query brought back. The team has also discovered that the open database included an internal screening of other platforms such as YouTube, Thomson Reuters clients' access logs, and connection strings to other databases. The exposure of connection strings is particularly dangerous because the company's internal network elements are exposed, enabling threat actors' lateral movement and pivoting through Reuter Thomson's internal systems.

Back to Australia now, and Australian Clinical Labs has disclosed the February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people. Australian Clinical Labs is an Australian healthcare company that operates 89 laboratories and performs six million tests annually, offering services to 92 private and public hospitals across Australia. While the firm says it's not aware of any misuse of the stolen information, it is now informing impacted clients individually of what data was exposed in the attack. A data breach incident notification published today lists the following data: 128,608 Medicare numbers along with full names; 28,286 credit card numbers, 12 of which include the CVV codes (the three numbers off the back of the card), but of which 55 had already expired; and 17,539 individual medical records associated with pathology tests. The Australian Cyber Security Centre, the ACSC, and the Office of the Information Commissioner, the OAIC, have already been notified about the incident earlier in the year, with the ACSC initially warning Medlab that hackers posted their data to the dark web. All impacted individuals will also be offered free-of-charge credit monitoring and identity theft protection services, while ACL will cover the cost of ID document replacements where needed. The ransomware gang that took responsibility for the attack on Medlab Pathology is Quantum, which uploaded all stolen files onto its Tor site on June the 14th 2022. The threat actor has leaked 86 gigabytes of data, including patient and employee details, financial reports, invoices, contracts, forms, subpoenas and other private documents. According to Quantum ransomware's website, the data leak page for Medlab has been accessed 130,000 times. Medlab have sought to explain the reason for the delay in releasing the information about the data breach, and they say that they detected unauthorized access to their network in February 2022, but the firm conducted a forensic investigation which they said didn't reveal anything worrying. In March 2022 the ACSC contacted ACL after receiving intelligence that the incident they had suffered was a ransomware attack. In June 2022 the ACSC notified Medlab that the ransomware gang had posted the stolen data to a data leak site. So according to the company, it took them roughly five months to even realize someone had exfiltrated files from their systems. As for the four months from that point until today's disclosure, ACL said the data set was too complicated to quickly determine which Testament had been affected. If we get any update on this from Medlab, we will bring it to you in a future episode of the GDPR Weekly Show.

Wished there was a simple guide to GDPR? Well, now there is: GDPR Made Simple, available now on Amazon.

To Ireland now, and GDPR was the source of some strong language in the chamber of Laois County Council. A Laois county councillor is again demanding immediate live streaming of council meetings, claiming that it was agreed 16 months ago but has still not been implemented. A new microphone system has recently been added to Laois County Council chambers and three cameras have been installed. the count of the reacted way to vulgar cameras for the public to view their public meetings online. Councillor Aisling Moran has rejected any objection
over GDPR in a heated debate at the October council meeting and said she is paid off. Councillor Moran said she tabled a motion 16 months ago requesting live streaming to the public of the monthly council meetings, which are open to the public to attend in the public gallery. That motion had been seconded and the council agreed to consider it. This October she tabled another motion urging the council to implement the measure. 30 days is a reasonable length of time for resolution, Councillor Moran said. She said that she consulted a barrister and sent a section 140 notice to the council that the streaming be implemented. She asked why that order was rejected. She also called at the meeting for councillors to vote on live streaming. We put our names forward to represent the public in the interest of transparency and accountability. If you have nothing to hide, you have nothing to fear. If forcing other talented councils can do it and we can't because of GDPR, that is, Councillor Moran said. She was asked not to use that sort of language by the chairman, Councillor Thomasina Connell. In a reply to the motion, Laois County Council said the video cameras are now installed in the council chambers, but the councillors have not yet agreed to live streaming and they will first have to amend standing orders. Councillor Connell said the section 140 was dismissed by the CPG committee, made up of councillors. We felt it wasn't the appropriate mechanism, she said. Councillor Catherine Fitzgerald proposed to form a subcommittee of six councillors representing your political groups to discuss the matter first. I don't think the data protection you can force people. It was agreed at the last meeting it was proposed to look at it, she said. Councillor Seamus McDonald seconded her proposal. Last December 2021, director of services Donal Brennan had said substantial protocol would have to be developed before live cameras could be rolled. It will first be cleared by the CPG and then the council chamber, he said.
Contact us on helpdesk at gdprweeklyshow.com.

An interesting ruling from Hungary regarding the role of data controllers for joint controllership and the retention of data. In 2021 the Hungarian data protection authority initiated a proceeding against a bank and its subsidiaries which specialize in providing mortgage loans. The approaches of the investigation were the practice that is common in the Hungarian loan market: as the first filter, financial institutions often carry out preliminary credit scoring to decide whether a borrower is eligible for an official credit scoring that is based on the submission of authentic documents, or the application is to be rejected without further assessment. Of course, banks are processing personal data during this preliminary credit scoring. The Hungarian DPA found that it is unlawful to process personal data provided by the data subject during the preliminary credit scoring assessment in case the data subject's loan application is rejected and therefore no official credit scoring evaluation occurred. More precisely, it said no legitimate interest could be found under which such processing, i.e. keeping the data after the preliminary scoring had been completed, could be deemed as lawful. Another legal basis seems to be appropriate. In terms of joint controllers, control in terms of company law over the entity by the other joint controller is relevant when assessing data protection liability. Besides a relatively high fine, around 73,000 euros, an interesting conclusion in this case is that even if certain group entities are to qualify as joint controllers, their responsibility is not equal, and such inequality may involve that one of the joint controllers is fined when the other is not. The finding seems to be in line with the practice of the Court of Justice of the European Union. It held in the Fashion ID case that the existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in
the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, with the result that the level of liability of each of them must be assessed with regard to the relevant circumstances of a particular case.

You're listening to the GDPR Weekly Show with your host Keith Budden. [Music]

The Digital Services Act, the DSA, was given the go-ahead by the EU Council on the 27th October and will enter into force by early 2024. The DSA uttered a wide range in operation of digital platforms. Digital platforms increasingly trading personal data: in return the user interface is really easy functionality, platform to receive personal data and facilitate online advertising. The EU is recognizing with the DSA that a transaction happens when we use free online services and that users need protection. The DSA is part of a suite of new measures, including the Audiovisual Media Services Directive, which will sit alongside GDPR. The DSA complements GDPR and makes use of the concepts in GDPR which have already become familiar to businesses and individuals alike. The DSA's rules will apply to online platforms, search engines and hosting services, all of which are broadly defined. This will include household online platforms which are familiar, such as online marketplaces, social media platforms and household-name search engines. One of the important rules is that there are important new rules protecting minors from targeted advertising. Online platforms now must ensure the security and safety of minors on their platforms. Of course, we've had this here in the UK through the Children's Code, or the Age Appropriate Design Code as it's known. Across the rest of Europe, new rules are welcome and provide for a clear ban on presenting advertising to minors which is based on profiling of their personal data. This is a test where the online platform is aware, or should have a reasonable certainty, that a person is indeed a minor. Separately,
the use of special category data as referred to in Article 9 paragraph 1 of GDPR is now prohibited for targeted advertising, with no exempting legal basis provided for. This means, for example, that people should not be targeted by ads which use their vulnerabilities to sell goods and services. This should be particularly relevant to us in the case of suppliers of supplements, for example. The DSA builds on the extensive existing protections in GDPR. Online platforms are obliged to ensure that recipients of a service are given information on the main parameters of why a specific advert is being presented to them. Taking a step back, this means that the digital platforms must be transparent with its end users where personal profiling is in use. Users of a service will now also be entitled to have individualized information enabling them to know when and on whose behalf the advertisement has been presented. This information must be provided for every user, and this could present a significant operational challenge for online platforms. Now of course it's important to point out that the DSA does not come into force until early 2024, so we've got a little bit of a window, but we all know how quickly time passes, and so it's important, if you are involved in behavioral advertising in particular, that you start thinking now about how the implementation of the DSA is going to affect you. And if you need any help with that, please do get in touch with us using the contact details that are coming up right now.

Contact us on helpdesk at gdprweeklyshow.com.

GDPR has created a conflict between Germany and Microsoft because the latter allegedly violates GDPR rules. Microsoft is storing personal data in cloud servers off-premise rather than in on-premise local data centers. This has caused Germany to outright ban Microsoft 365 in some regions. Many American multinational companies have been out of compliance with GDPR since the introduction of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in
2018. The CLOUD Act states that the US government can freely sift through anyone's data, including non-US citizens. The US CLOUD Act of 2018 is extremely controversial in the US and the EU due to its violation of the Fourth Amendment, which protects citizens from unlawful searches and seizures. Under this act, US agencies such as the FBI and the CIA can request access to a user's data without their knowledge. Many civil rights groups such as Amnesty International have criticized the CLOUD Act and said it ultimately opens up access to the US government to data on any non-US citizen. The EU, and particularly Germany, have informed Microsoft of steps that they believe Microsoft should take to resolve these issues. The first is that Microsoft should only use local on-premise servers to store personal data. They also say the CLOUD Act shouldn't have any impact on non-US citizen data, and Microsoft should address the issue of failing to protect the data of minors. While Microsoft needs to resolve these issues, French and German schools have opted for Linux operating systems. This is because Windows and Apple systems collect telemetry data, which violates GDPR. Everyone is now putting data up in a travel Decor, so if a European company wants to continue using products from American companies, they need to find a way that's GDPR compliant. Using an on-premise server is of course one option, but of course there are also the standard contractual clauses and the binding corporate rules. If we get any update on this one from Microsoft, we will bring it to you in the next available episode of the GDPR Weekly Show.

You're listening to the GDPR Weekly Show with your host Keith Budden. [Music]

And finally this week, the UK Cyber Security Council, the self-regulatory body for the UK cyber security profession, has announced the launch of a pilot scheme for introducing a new chartered professional standard for the sector. The scheme will give cyber practitioners the opportunity to become chartered
professionals for the first time, bringing cyber in line with other established professions such as accounting, engineering and law. The pilot has been launched in the specialisms of cyber security governance and risk management as well as secure systems architecture and design, with industry bodies (ISC)² and the Chartered Institute of Information Security confirmed as initial partners. A number of security professionals say a chartered standard for cyber security would benefit the UK industry, while the latest cyber security workforce study regards the global cyber security workforce shortage as now 3.4 million people. The aim of the pilot is to test the introduction of a universally recognized professional standard for three professional titles: associate, principal and chartered, the council stated. By doing so, it aims to create a career route map for those looking to enter the cyber security industry and for professionals already working in the sector. It also aims to address the fact that several cyber security qualifications, certifications and degrees currently exist without any uniform equivalency or defined pathways linking them together, the council added. At this initial stage, (ISC)² and CIISec will be responsible for assessing applications from their membership base against the new standard, which seeks to present those working in the profession with an independent seal of approval and recognition of their competence. Professor Simon Hepburn, CEO of the UK Cyber Security Council, said the council was committed to working with stakeholders from across the industry with the aim of creating a world-class cyber sector in the UK. The key to achieving this is the establishment of a framework to align professional standards across the industry's disciplines, he said. We will also need a better understanding of skill sets and experience and a way of demonstrating the endurance through industry best practice and ethical standards. The pilot program is a significant step in the
right direction, Hepburn said, and will be crucial to the council's objectives to draft a new framework for a clear and robust professional standard in the sector.

Contact us on helpdesk at GDPR Weekly.

We hope that you've enjoyed this week's episode of the GDPR Weekly Show and that you found the information useful and informative. We do really appreciate your feedback, so please do email us at feedback at gmail.com with any comments you might have about the articles we've raised this week, or indeed any suggestions you might have for improvements to the show. The GDPR Weekly Show is an Ensurety production. Please be advised that any advice given during the show is general in nature and should not be taken as specific legal advice. You should always seek legal advice according to your own specific circumstances. Until next time, bye bye.
