Happy Data Privacy Day, 2019!

Citizen-consumer personal, private data whizzes across the internet at lightening speed in 2019. Housed in countless servers across the globe, our data is, well, constantly at risk of falling into the wrong hands. Each year, we spotlight the importance of safeguarding personal data with Data Privacy Day.

Started in Europe in 2006, now 30 countries celebrate Data Privacy Day every year. So what happened over the last year to improve the safety of private data? Check out this summary of data privacy law highlights from 2018.

EU Tax Man Cometh for Apple

The EU tax man is catching up with Apple. On Friday Apple put $1.76 billion into a tax escrow to comply with the 2016 EU order that Ireland reclaim back taxes  from Apple. Two years ago the EU Commission ruled that Ireland’s tax arrangements with Apple amounted to state aid, violating EU competition law.  While Apple and Dublin are challenging the ruling, they were forced to establish and start funding an escrow account for the $16 billion in back taxes and interest.

Over the years many EU countries — prominently Ireland, the Netherlands and Luxembourg  — have encouraged US companies to set up offshoots in their countries with very favorable tax incentives.  In Europe, these tax schemes were dubbed “double Irish” or “Dutch sandwich” in the 1980s. The tax strategies were a way for some EU countries to grow their economies and employment ranks with local big foreign brand operations. Today, Apple employs around 5,000 people in its Cork facility.

Under similar EU rulings Starbucks paid back taxes to the Netherlands, while Amazon and Fiat paid Luxembourg tax authorities.

In recent years, Margrethe Vestager, EU Competition Commissioner, has stepped up investigations of behemoth US tech companies for various competition transgressions.  EU countries who now rely on US and other international companies for significant employment and tax revenues worry about the ramifications of the zealous commissioner. Other EU nations applaud the actions they see as long overdue.Margrethe Vestager

Marketers Shift Away from Campaign-based Thinking

“What has been interesting for us has been to see the gradual change amongst marketers who are only now starting to recognize the need to shift away from campaign-based thinking to a more comprehensive mindset for content and customer engagement,” says Jamie Posnanski of Accenture. Read more on 2018 content marketing trends here .  Chimp Tools
Is your marketing strategy evolving towards content and customer engagement?

What’s all this talk about digital transformation?

Digital transformation: Some organizations see it as a scary idea, wreaking revolutionary, unsettling changes. Others are curious — just what does this buzzword mean and what are we transforming into? Regardless of your viewpoint, your enterprise seriously needs to understand and chart its course to becoming a digital ninja. Like it or not, your success depends on how quickly your organization captures, absorbs and uses digital information. Read moretwitter_digitaltransformation.png

 

North Korean WannaCry Ignites Government-Industry Collective Defense

 

North-korea-wannacry-hacking-attack-805227

In a Monday Wall Street Journal op-ed Thomas P. Bossert, Trump’s homeland security adviser, declared “[t]he [WannaCry] attack was widespread and cost billions, and North Korea is directly responsible.” The findings are based on evidence says Bossert, and he is backed up by UK and Microsoft.

A Washington Post Bossert quote ratchets up the call for closer government-industry cyberdefenses. “[S]ome say that defending cyberspace is impossible and that hackers are inevitable. I disagree. . . . Government and industry must work together, now more than ever, if we are serious.”

Today, US and UK officials suggested it was highly likely the Lazarus Group was backed by the North Korean government. Facebook deleted accounts associated with Lazarus last week “to make it harder for them to conduct their activities,” reports The Guardian,  Facebook announced it acted with Microsoft “and other members of the security community” to disrupt the group’s activities.

A few hours ago Axious reports that the Department of Homeland Security (DHS) plans on intervening in U.S. company cybersecurity issues when necessary.

“The Department of Homeland Security is now calling on all companies to commit to U.S. collective defense, per Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at DHS. But Bossert wouldn’t go so far as to say that an attack on a U.S. company constitutes an attack on the country.

DHS plans to move beyond offering voluntary assistance on cybersecurity issues and instead plans on intervening directly when necessary, per Manfra.”

Watch for much closer public-private actions to combat state-actor cyberattacks. 

Public Sector Brings New Cybersecurity Tech to Market

Hacker image
Here’s follow-up on a recent blog on emerging public and private sector roles in protecting against state-actor corporate cyberattacks.

Did you hear about the Department of Homeland Security Science and Technology Directorate’s commercialization of another Transition to Practice program technology?

The new industrial control systems cybersecurity solution — called SerialTap — passively taps serial-line communication data for use with enterprise cybersecurity incident and event management systems to improve situational awareness during an event. SerialTap integrates with legacy IT enterprise security solutions and industrial control systems used by critical infrastructure sectors.

The SerialTap announcement came during Critical Infrastructure Security and Resilience Month, which aimed at building awareness of the importance of critical infrastructure, and reaffirming “the nationwide commitment to keep our critical infrastructure and our communities safe and secure.”

Good to see the public sector sharing new technology to improve cybersecurity incident response.

#writmarketing

Whose Job is it to Protect Corporate Data Stores from State Actor Cyberattacks?

6-cybersecurity-730x260

It’s hard not to notice, that constant breach of data under corporate care has become our new normal. Headlines seem almost redundant — another data breach revealed, some very tardy.  In this barrage of breach announcements, we hear more about state-actors originating cyberattacks on corporate data stores. So, whose job is it to protect against foreign state attacks on corporate data stores?

“As we all have witnessed: no company, individual or even government agency is immune from these [cyber] threats.” So said Marisa Mayer, former Yahoo CEO, during her November Senate testimony on the Yahoo breach. Despite years of heading off may cyberintrusions and leveraging white hackers to test their defenses, Mayer says Yahoo still does not know exactly how “Russian agents intruded on our systems and stole our users’ data.”

Last year, North Korean hackers almost succeeded in stealing $1 billion from the New York Federal Reserve, after hacking into the Bangladesh Central Bank. The misspelling of “foundation” as “fandation” is the only thing that stopped the heist.  Let’s not forget,  Pyongyang Sony Pictures hack to stop release of an unflattering movie.

In 2011, North Korea’s leader Kim Jong-un started investing beyond cyberattack prowess for warfare, with a new focus on training hackers for theft, harassment and political-score settling. Researchers believe that 1/5th of Pyonyang cyberattacks originate from their hackers stationed in India, while other attacks are routed through Malaysia, Nepal, New Zealand and other countries.

“Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised,” said Senator Nelson during the Yahoo hearing. The Senate committee chairman, added that the patchwork of state regulations on breach notifications must be replaced with a federal law.

On another front, the SEC plans to update its cybersecurity guidance for publicly traded companies, after the Equifax fiasco. Equifax discovered the attack in July but waited until September to inform shareholders. During that window, Equifax executives sold company stock. A company investigation exonerated them. A senior SEC regulator wants  faster cyber intrusion notices to investors, and revision of post-breach insider trading policies.

Is federal cyber-regulation of the private sector the answer?

In a Friday the 13th London speech, DOJ’s Rod Rosenstein said law enforcement’s  goal is to disrupt and deter future attacks, and punish cybercriminals. The Deputy Attorney General observed that “foreign criminals regularly break into systems to steal ideas that make our nation strong and competitive in the global marketplace.” Rosenstein recommends corporations immediately tell law enforcement when they discover a breach, in part so the company can gain access to sophisticated government tools.

What is law enforcement doing to head off these attacks before they happen?
Is Homeland Security doing enough to help corporations protect data from cyberattacks?

Ransomware attacks sure got corporate security folks’ attention this summer. WannaCry and NotPetya wreaked havoc on companies from FedEx to Merck.

SC Magazine places heaps of blame on the National Security Agency (NSA) for the  these  attacks. The NSA originally discovered the Microsoft security vulnerabilities, didn’t tell anyone and let their own hacking tools for the flaws get stolen by cybercriminals.

If the NSA can be hacked, how can corporations fend off nation-state and sophisticated hackers?

Then there’s the ultimate economic cyberattack —  where a nation-state aims to shut down the power supply or scramble bank records with a cyberattack. The NotPetya  attack gripped Ukraine’s power grid this summer. Ukraine claims Russia was behind this cyberwarfare.

Wired reports that the NotPetya October follow-on, “Black Rabbit attack” — locked hundreds of machines and hampered critical infrastructure in Russia, Ukraine, Germany and Turkey — may raise doubts about Russian involvement in NotPetya. Though one of the cybersecurity firms commenting on the situation is under F.B.I. investigation for links to  Russian intelligence.

Is this a spy novel or what?

These massive destructive attacks on critical infrastructure and data manipulation worry the head of the US National Security Agency (NSA), Admiral Michael Rogers. Let’s remember that a vast swath of US critical infrastructure is run by the private sector.

How will we protect corporate data stores from nation-state and rogue cyberwarfare, let alone run-of-the-mill profit-seeking hackers?

Isn’t the private sector’s job commerce and innovation? Yet in the digital economy, corporations must also be extremely sophisticated data security companies. After all, they leverage our personal data for profit, right?

The European Union’s  GDPR is about to usher in massive corporate liability for data privacy.  Though “cybersecurity,” a major data breach threat, is not mentioned in the regulation.

Does the government need to take a wider role in combating state-actor cyber attacks on corporate data? What new public-private models are needed to protect corporate data stores? Whose job is it to protect against state-actor cyberattacks on the private sector?

Food for thought.

 

Breaking News – Supreme Court to Rule on Microsoft EU Emails

A significant battle between Microsoft and law enforcement has made its way to the US Supreme Court. The DC Court of Appeals struck down lower courts’ decisions that Microsoft must give US law enforcement client emails  stored in Ireland in a drug trafficking case. The  upcoming Supreme Court ruling on this case will have far-reaching impact in our digital economy where data crisscrosses the global internet, coming to rest on a server in a particular country.

global internet

How far do US laws extend to data stored in foreign countries?

If Microsoft is forced to hand over the emails from their Ireland data center, how will EU data protection authorities react?  Especially, given that the General Data Protection Regulations, an overhaul of EU data privacy laws, massive financial penalties for non-compliance take effect in May 2018.

If Microsoft does not have to hand over the emails, will criminals hide their communications and data overseas so US law enforcement cannot access it?

Be sure to follow this case and watch for the Supreme Court ruling.