TenInsight
Top Ten Updates you may have missed Legislation changes and guidance from partners in the cyber-security, data protection and fraud investigations industry. Here are our top ten updates:
Top Ten Updates | January 2021
#1 EU-UK transition period:
The EU-UK trade agreement was reached on 24th December 2020 and data protection provisions have been temporarily extended for a 6 month period. This means organisations need to consider international transfers of personal data and to plan for minimal interruption to their business.
If you have issues or concerns relating to dataflow, data inventory or third party data sharing please contact us if you need help sorting out data transfers.
Last month, the Government announced that the Treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA) to the UK until adequacy decisions have been adopted, for no more than six months. This will enable businesses and public bodies across all sectors to continue to freely receive data from the EU (and EEA), including law enforcement agencies.
As a sensible precaution, we recommend businesses work with the EU and EEA organisations that transfer personal data to them to put in place alternative transfer mechanisms, safeguarding against any interruption to the free flow of EU to UK personal data.
#2 Latest fines by the UK’s ICO (Information Commissioner’s Office):
The ICO fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure. The Marriott group estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc.
The attack, from an unknown source, remained undetected until September 2018, by which time the Starwood Hotels had been acquired by Marriott.
On 29 Oct 2020, the ICO has fined Reliance Advisory Limited (“RAL”)£250,000 for breaking electronic marketing law. The ICO found that over a six month period from the start of 2019, the Bury based company RAL made 15.1million calls in relation to claims management services such as mis-sold PPI.
All of the calls, of which 1.1 million connected, were made to people who had not consented to receive them.
The ICO fined British Airways (“BA”) £20m for failing to protect the personal and financial details of more than 400,000 of its customers. An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
#3 Fraud now accounts for one-in-three crimes in the UK:
A report by ex-Metropolitan Police Deputy Commissioner Sir Craig Mackey, found that fraud now accounts for one-in-three crimes in the UK. It is estimated that 86% of fraud is committed online, permitting fraudsters to operate from anywhere in the world.
London sees the greatest concentration of fraud cases. Throughout 2019, the Metropolitan Police investigated more than 8,000 cases of fraud, compared to the 1,600 by Greater Manchester Police.
#4 Banking Fraud reports:
TSB Bank have reported that in H1 of this year, £582.2m has been lost to bank fraud. Of this figure, £207.8m was a result of “Authorised Push Payment” fraud, where victims are tricked into making large bank transfers to an account posing as a legitimate payee. TSB Bank believes that reporting only stands at 25% and the problem is likely to significantly larger than previously reported. The pandemic has seen an increase in internet banking, which has created more targets for the fraudsters.
#5 Deepfake Fraud:
Additionally, new fraud trends using artificial intelligence have been observed, namely “deepfake” fraud. A deepfake is a video or audio clip where someone’s face or voice has been replaced with another person’s likeness using Artificial Intelligence.
Last year, the CEO of a UK energy firm followed directions given over the phone by the chief executive of the firm’s parent company to transfer €220,000 to one of their suppliers. However, it was not the parent company’s CEO speaking, instead it was a convincing example of voice cloning. According to the victim, the voice was indiscernible from the real thing, and he only caught on due to certain inconsistencies including the phone number being Austrian when it should have been German.
Deepfakes can be used for new account opening fraud or account takeover fraud. Security practices to protect from deepfakes:
- Trust but verify, call back on a number you know to be correct
- Consider the source
- Look for inconsistencies, check the phone number, email, or account the audio or video came from
- Limit access to your voice and images, fraudsters need recordings, images or footage of you to create deepfakes.
#6 The Office of Financial Sanctions Implementation (OFSI)
Since the EU-UK transition period ended on December 31st 2020, the UK will no longer apply EU sanctions regulations and all sanctions regimes will be implemented through UK regulations.
The Sanctions and Anti-Money Laundering Act 2018 (the Sanctions Act) provides the legal framework for the UK to impose, update and lift sanctions autonomously.
The Foreign, Commonwealth and Development Office (FCDO), which determines international sanctions policy in the UK, has already implemented regulations for over 30 sanctions regimes in preparation for the transition.
Organisations should check the new legislation to ensure that their activities are still compliant. A list of the UK regimes, legislation and guidance already made in preparation for the end of the transition period is available on FCDO’s website.
#7 H&M handed GDPR fine of 35M Euro
On 1 October 2020, the German State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M.
The DPA found that the company had collected extensive records relating to the private lives of several hundred employees, which included health data and sensitive data. The DPA also expressed concerns over personal data collected in relation to so-called “Welcome Back Talks” which followed an employee’s leave of absence.
The records of these talks included not only the employees’ vacation experiences, but also symptoms of illness and diagnoses. In addition, some supervisors recorded other private information such as family problems and religious beliefs.
#8 Irish Organisations Online Cookie Compliance
Organisations in Ireland had until 5 October to update their online cookie compliance and there are significant penalties for non-compliance under GDPR legislation.
This is the advice of the Association of Compliance Officers Ireland (“ACOI”) who say that implementation of the Data Protection Commission’s (DPC) guidance has significant implications for Irish organisations, particularly those SMEs whose resources may be already fully focused on surviving Covid-19 and preparing for Brexit.
The ACOI advise that all organisations should give high priority to this issue for the remainder of this year.
#9 Egypt introduces new Data Protection Law
After several years of debate, the Egyptian government has introduced the Republic’s first standalone data protection law, which aims to regulate and protect citizens’ data online.
On 15 July 2020, Resolution No. 151 of 2020 (the Law) was published in the Official Gazette. The provisions under the new Law are modelled on GDPR and the Law adopts similar concepts and definitions.
It is hoped that the new Law will help Egypt attract foreign investment by increasing consumer confidence in electronic data processing and setting clear parameters for companies looking to capitalise on the growth of the digital economy.
The Law will enter into force three months from when it was published in the Official Gazette.
#10 Zimbabwe to amend its cyber security and data protection laws
Debates in the Zimbabwean Nation Assembly last week led to amendments in certain clauses of their Cybersecurity and Data Protection Bill. The clauses in question are 13, 17, 23, and 164.
Clause 164 suggests a criminal lawsuit against any person who sends data messages which have the potential to provoke or incite violence and damage to property.
The reprimand would be a monetary fine, or imprisonment of up to 5 years.
Top Ten Updates | October 2020
#1 EU-US Privacy Shield considered “invalid” by EU legislation
Following the recent invalidation of the EU-US Privacy Shield on 16 July 2020 by the Court of Justice of the European Union (“CJEU”), the situation with respect to data transfers is becoming progressively complex.
The EU-US Privacy Shield no longer constitutes a valid basis for the transfer of personal data to the United States and while Standard Contractual Clauses (“SCCs”) remain in force for the time being, constituting an alternative which is in principle legitimate for the US transfer of data, a number of EU Supervisory Authorities have adopted particularly critical positions. However, the UK’s Information Commissioner’s Office (“ICO”) posted the following statement on its website: “We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using the Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”
The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the United Kingdom.
The European Data Protection Board (“EDPB”) has recently issued FAQs on the invalidation of the EU-US Privacy Shield and the implications for the SCCs, and this guidance still applies to UK controllers and processors.
Further updates are being considered by the EDPB to provide more guidance on the extra measures you may need to take. In the meantime you should evaluate and consider the international transfers you make and be ready to react promptly as guidance and advice becomes available.
It is therefore recommended that you consider undertaking a risk assessment as to whether SCCs provide enough protection within your local legal framework, whether the transfer is to the US or elsewhere.
#2 Guidance from the ICO on Artificial Intelligence frameworks
On 30 July 2020, the ICO published its final guidance on Artificial Intelligence (“AI”). The Guidance sets out a framework for auditing AI systems for compliance with data protection obligations under the GDPR and the UK Data Protection Act 2018.
The Guidance builds on the ICO’s earlier commitment to enable good data protection practice in AI, and on previous guidance issued on specific issues relating to AI. The ICO also provides advice and recommendations on best practice in applying core GDPR principles to AI and will be topical to those that develop or integrate AI into their products and services.
The ICO suggests adopting a risk-based approach when evaluating AI systems to help identify and mitigate data protection risks, especially in early product development phases.
#3 FCA Conduct Rules extension
On 17 July 2020, the Financial Conduct Authority (FCA) published Consultation Paper 20/10 proposing an extension to the deadline for training staff on the Conduct Rules and reporting “Directory Persons” data to 31 March 2021.
Extending these deadlines will provide extra time for FCA solo-regulated firms that have been impacted by the COVID-19 pandemic. The FCA will continue to publish details of Certified Persons at FCA solo regulated firms on the Financial Services Register from 9 December 2020, as firms submit this data. However, the FCA still encourages firms to submit the data before March 2021, to the extent they are capable of doing so.
#4 National Crime Agency Annual Report published
On 21 July 2020 the National Crime Agency (“NCA”) released its Annual Report outlining financial information and other data, and provides a snapshot of the NCA’s performance and wider enforcement patterns, increased forfeiture and confiscation. The NCA enjoyed a record year for forfeiture and confiscation receipts. It recovered £10,097,000, 41% more than in 2018-19 and 37% more than in its second-highest year, 2016.
The 2019-20 period also saw the NCA demonstrate the effectiveness of Account Freezing and Forfeiture Orders (“AFFOs”). Whereas in 2018-19 the NCA froze £64.2m in assets, in 2019-20 it froze over £145m, with more than £100m of the total frozen through AFFOs.
#5 UK Anti-Corruption Strategy 2017-2022 updated
The RH James Brokenshire endorsed the Government’s strategy, stating that corruption and illicit finance make it easier for criminals to commit and profit from crime. “They undermine our national security and prosperity and corrode trust in institutions. These threats enable serious and organised crime (including drugs, terrorism and fraud), and present threats at our borders. Bribery and weak anti-corruption laws stop British businesses competing on even terms in new markets, potentially undermining our position as an Independent trading nation, now we have left the European Union.”
“Perceptions of corruption and the spotlight being shone on elites playing by a different set of rules undermines trust in our nation.”
The updated report recognized that these threats have been heightened by the Coronavirus pandemic.
#6 The FCA delays deadline for Senior Managers and Certification Regime
In December 2019, the Financial Conduct Authority (“FCA”) replaced the Approved Persons Regime with the Senior Managers and Certification Regime (“SM-CR”) for the majority of solo-regulated firms. The SM-CR applies to regulated firms and employees whose role means it is possible for them to cause significant harm to the firm, its customers or the market more generally. The new SM-CR places the responsibility on firms to assess and certify that the relevant individuals are “fit and proper” to perform their role at least once a year.
The FCA has since published an updated relating to “positive” and “negative” indicators in which it expects firms to assess the fitness and propriety of their Senior Managers and Certified Persons. As a result of this updated guidance, the FCA has agreed to extend the deadline for firms to perform their fit and proper checks from 9 December 2020 to 31 March 2021.
Regulated firms now have an opportunity to ensure they have effective systems and controls to make the best business decisions and to withstand potential scrutiny from the FCA.
#7 Action Fraud reports an increase in Cyber attacks at home
Action Fraud has revealed that a total of £11,316,266 has been reported lost by 2,866 victims of coronavirus-related scams and have received 13,820 reports of coronavirus-related phishing emails.
#8 Fraud Watch Group updates from the UK’s Fraud Advisory Panel
The Fraud Advisory Panel have set up a COVID-19 fraud watch group which is a cross-sector and cross-industry coalition of trusted partners (including the Cabinet Office and City of London Police) who meet to share information on emerging fraud threats and trends affecting business. The fraud watch group aims to act as a conduit to warn the public, private and third sectors about COVID-19 fraud risks and the preventative actions that can be taken.
The group can be found at https://www.fraudadvisorypanel.org/covid-fraud-watch-group/
#9 The National Cyber Security Centre issues Academia Alert
Since August 2020, the National Cyber Security Centre (“NCSC”) has been investigating an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges and universities.
Due to the prevalence of these attacks, institutions should be sure to follow NCSC’s recently updated mitigating malware and ransomware guidance.
This will help implement strategies to defend against ransomware attacks, as well as planning and rehearsing ransomware scenarios, in the event that your defences are breached. The guidance can be found at https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
#10 Interpol global operation sees a rise in fake medical products related to COVID-19
In March 2020, Interpol launched Operation Pangea XIII, which saw police, customs and health regulatory authorities from over 90 countries take part in collective action against the illicit online sale of medicines and medical products. Counterfeit facemasks, substandard hand sanitizers and unauthorized antiviral medication were all seized under Operation Pangea XIII.
The operation resulted in 121 arrests worldwide and the seizure of potentially dangerous pharmaceuticals worth more than USD$14 million.