1 November 2018

News round-up 1 November 2018

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

The round-up:

Make no mistake, bad security and privacy outcomes are increasingly bad for business. This week’s news brought us the largest share price fall in decades, hefty legal settlements and maximum fines … as government figures also considered a stronger, even more proactive approach to ensuring critical industries have the right protections in place.

Key articles:

Cathay Pacific data breach hits 9.4 million people

Summary: The airline revealed the breach – first discovered in March – involved the compromise of data for 9.4 million customers, including their names, nationalities, birth dates, phone numbers, addresses, passport and identity card numbers and expired credit card numbers.

Key risk takeaway: The stock market’s reaction to this event emphasised the financial cost of security incidents, with Cathay Pacific’s stocks reportedly hitting their lowest level in a decade after it revealed the breach. The airline’s decision to notify the public only six months after it discovered the breach (apparently to avoid creating panic) attracted strong criticism from commentators and has prompted closer scrutiny of the incident by government authorities – another strong reminder that companies are judged not only on the breach but the quality of their response to it. The delay has also been characterised as failing to give customers a chance to protect themselves from harm.

Tags: #databreach #breachresponse

Yahoo Agrees to $50 Million Settlement for Those Affected by the 2013 Data Breach

Summary: Yahoo agreed to pay a $50 million settlement to 200 million people affected by data breaches in 2013 and 2014.

Key risk takeaway: Share price impacts, fines and – in this case – legal settlements as a result of privacy and security incidents have arguably become more pronounced in recent years. Yahoo’s legal settlement announced this week follows a $148 million settlement reached by Uber last month for a 2016 breach. Like Uber, and Cathay Pacific in the previous story, Yahoo faced intense anger for being too slow to disclose the breach. The resulting taint adversely impacted the value paid by Verizon in its acquisition of the search giant.

Tags: #databreach #breachresponse

Facebook gets fined £500,000 by U.K. for Cambridge Analytica ordeal

Summary: The UK’s Information Commissioner’s Office announced it will fine Facebook £500,000 in relation to its inability to keep user data from political research firm Cambridge Analytica.

Key risk takeaway: The financial hits keep coming this week. On the back of the previous two stories, Facebook has been hit with the maximum penalty allowable under UK law for the Cambridge Analytica scandal. It would have been even higher had the incident occurred after May this year, when the European Union’s General Data Protection Regulation (GDPR) took effect. European regulators in particular have been relentless of late in enforcing data protection standards – the European Parliament’s call this week for a full audit of Facebook is a further example of this.

Tags: #regulations #GDPR #databreach

Banks need mandatory cyber security tests says RBA, EU Central Bank

Summary: Banks could face penetration tests instigated by regulators and be subject to the equivalent of an annual cyber-roadworthy certificate, under reforms being considered by central banks.

Key risk takeaway: It appears increasingly the case that regulators aren’t satisfied that market forces and voluntary efforts will always deliver necessary data protection outcomes. The ideas floated by central banks in this piece are in line with the general trend observed of regulators more proactively seeking assurance around the existence of a minimum baseline of security controls, particularly in key industries like financial services. For organisation’s looking to take positive steps towards security maturity, a number of standards and frameworks, such as NIST’s cyber security framework, can be useful as a guide.

Tags: #regulation #compliance #standards #NISTmaturity

Former Facebook security chief calls out Apple for privacy hypocrisy

Summary: A strident and provocative call by Apple CEO Tim Cook for an improved approach to privacy from the tech industry was labelled hypocritical by some.

Key risk takeaway: Savvy businesses are aware of the growing importance of privacy, but winning hearts and minds in this space is a complex art that challenges even the largest, savviest businesses. Apple clearly sees privacy as a positive differentiator and has sought to carve out a position as a staunch defender of user privacy rights, through battles with the FBI and keynote speeches such as the one in this article. But it wasn’t all peaches for Apple, with Facebook’s former security chief responding by highlighting Apple’s questionable concessions on privacy in order to do business in China. We also learned this week that the phone maker (and Google) is allowing tracking tools on its platform that allows app makers to target users that had deleted their app.

Tags: #privacy #reputation #publicrelations