BUPA fined £175,000 by UK’s DPA for lack of security measures

Bupa Insurance Services Limited (Bupa) has been fined £175,000 by the Information Commissioner’s Office (ICO) for failing to have effective security measures in place to protect customers’ personal information.
Between 6 January and 11 March 2017, a Bupa employee was able to extract the personal information of 547,000 Bupa Global customers and offer it for sale on the dark web.

GDPR France: in 4 months 33 million cases of personal data breach

In 4 months, the French Data Protection Authority Cnil has received 742 notifications of personal data breaches, affecting 33.7 million people in France and abroad.

Since the start on the 25th of May the European Data Protection Regulation (GDPR) requires companies to notify CNIL within 72 hours of any violation of personal data held by them, if this breach entails a risk to the customer, the rights and freedoms of the persons concerned. CNIL adopts a repressive approach in case of non-compliance with the notification obligation within 72 hours.

A breach liable to a fine of € 10 million or 2% of turnover. On the other hand, it favors accompaniment when receiving notifications on time. CNIL received 742 notifications of data breaches (between May 25 and October 1). In an overwhelming majority of cases (695), reported violations are breaches of data privacy. But they can also be violations of data availability (71) or integrity (50). In 65% of cases, these notifications were related to a malicious act from outside. In 15%, it was an internal human error.

For more information on this topic visit: http://leparisien.fr/societe/en-quatre-mois-la-cnil-a-recense-33-millions-de-cas-de-violation-de-donnees-personnelles-16-10-2018-7920435.php

Do hardware and software security solutions comply to EU’s GDPR?

According to Dr Kuan Hon, director at law firm Fieldfisher, GDPR obligations almost certainly extend to hardware choices, and maintaining up-to-date firmware in a secure state. What does not get much attention as it should is that the GDPR obligation on data controllers regarding ‘data protection by design and by default’ should include ‘security by design and by default’.

This includes choosing and maintaining secure firmware (and software) for devices used to process personal data. Not checking if hardware is secure before procuring it, not configuring it securely (for example, not changing bad default passwords) and not expeditiously patching vulnerabilities in firmware (and other software) used to process personal data. ID Control the European Piracy and Cybersecurity company has chosen firmware and software which is made and carefully selected and made in Europe with a full source code check.