Weekly podcast: Police and healthcare breaches, post-Brexit phishing, and Privacy Shield news

This week, we discuss new analysis of police data breach information, the rise of phishing campaigns capitalising on post-referendum uncertainty, data security incidents in the health sector, and (nearly) answer your question on EU-US data transfers.

Hello and welcome to the IT Governance podcast for Friday, 8th July. Here are this week’s stories.

Big Brother Watch has expressed concern about the security of data held by the police. According to its new report, Safe in Police hands?, police staff in the UK have been responsible for “at least 2,315 data breaches” in the four and a half years between June 2011 and December 2015. These included “869 instances of inappropriate or unauthorised access to information”, and “877 instances of inappropriate disclosure to third parties”. Among Big Brother Watch’s five recommendations is the call for the EU General Data Protection Regulation (GDPR) to be adopted – “despite our separation from the European Union.”

The extent to which the GDPR will apply in the UK after we leave the European Union is yet to be determined, but as Baroness Neville-Rolfe, the Minister for Data Protection, said in her speech at the Privacy Laws & Business annual conference on data protection earlier this week: “if the UK remains within the single market, EU rules on data [protection] might continue to apply fully in the UK. […] One thing we can say with reasonable confidence is that if any country wishes to share data with EU member states, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection”. Go to our GDPR resource page for more information on the Regulation.

In other Brexit news, it seems that cyber criminals have, as predicted, started to capitalise on post-referendum uncertainty. I mentioned last week that a recent survey conducted by AlienVault found that 38% of IT professionals believe leaving the EU will make the UK more susceptible to cyber attacks. Now, cyber security firm Digital Shadows has reported “an increase in the use of Brexit-related topics” in phishing emails. A common ploy refers to the dire state of the markets as uncertainty continues to plague business. If you receive an email that talks about the vote causing a “historic market drop”, it’s probably best not to open it: chances are its attachments or links are malicious and could install malware. If you’re concerned about your staff’s susceptibility to such attacks, a phishing staff awareness course is a must.

Data published by the Information Commissioner’s Office shows that in Q4 of the 2015/16 financial year, one industry suffered substantially more data security incidents than any other: the health sector. With 184 incidents in January – March 2016, the health sector was way ahead of the next most prevalent industries. (Local government suffered 43 incidents; education and general business 36 incidents each; and the finance, insurance and credit, and legal sectors 25 each.) The ICO is understandably concerned, commenting: “The health sector handles some of the most sensitive personal data. Data security incidents can lead to extensive detriment and high levels of distress for the data subjects affected.”

Another listener question! Madeupname III (no relation) asks how the USA PATRIOT Act affects other countries, and wants to know more about the EU’s new data agreement with the US. I’m going to wait until next week to answer that, if I may. The EU-US Privacy Shield – due to replace the now-defunct Safe Harbor scheme – has not quite been adopted, and many experts, including data protection expert Jan Philipp Albrecht MEP – the European Parliament’s chief negotiator on the GDPR – have expressed concern that it basically offers the same arrangement as Safe Harbor under a different name. The Article 31 Committee is due to vote on the Privacy Shield on 8 July, after which it should be formally adopted by the EU Commission on 11 July and signed by European Commissioner for Justice Vera Jourova on 12 July. I’ll report back after that. In the meantime, an updated version of the Privacy Shield has been leaked online if you fancy a bit of light bedtime reading.

Well, that’s it for this week. Don’t forget to comment below, telling us a bit about yourself and what you want to hear more of. And until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.