After a brief August hiatus, Privacy Monday is back with privacy goofs, gaffes and tidbits to start your week.
Department of Energy Hacked -- Again
Although the electric grid is designated "critical infrastructure" under the Obama Administration's cybersecurity Executive Order, the Department of Energy has revealed that its own systems were recently infiltrated by an attacker. The attack compromised the personal information of about 14,000 current and former employees. Worse, it is the second time this year that the DOE's systems have been hacked.
In a notice emailed to employees, the DOE confirmed a "cyber incident" that occurred at the end of July and resulted in the "unauthorized disclosure" of federal employees' personally identifiable information, including names and Social Security numbers. The agency said it believed the breach affected the personal information of about 14,000 past and current employees, but that no classified data was targeted or compromised. "The department is strongly committed to protecting the integrity of each employee's PII and takes any cyber incident very seriously," the memo said. "Once the full nature and extent of this incident is known, the department will implement a full remediation plan."
EU Questions Viability of US-EU Safe Harbor
The so-called Article 29 Working Party, the European Union's official data protection advisory group, has expressed serious concerns over the future of the US-EU Safe Harbor Program in light of recent disclosures about the National Security Agency's PRISM Internet surveillance program. The Safe Harbor Program, administered by the U.S. Department of Commerce, allows US companies to transfer personal data from EU member states to the US in a manner consistent with the EU Data Protection Directive (95/46/EC). Under the program, US companies self-certify that they will abide by the "Safe Harbor Framework," which mirrors the seven privacy principles of the Directive; that self-certification permits cross-border transfers without running afoul of the Directive.
In a letter to the European Commission, the Article 29 Working Party expressed "doubts whether the seemingly large-scale and structural surveillance of personal data that has now emerged can still be considered an exception [to the Safe Harbor Principles] strictly limited to the [national security] extent necessary."
In January 2012, the European Commission proposed a new data protection regulation to replace the existing EU Data Protection Directive. Commissioner Viviane Reding's office has called on the Article 29 Working Party to push for approval of the new regulation "as soon as possible and at the latest in spring 2014."
Read more: Letter to Viviane Reding
You Can Get Insurance for That?
We've been writing for some time about cyber insurance policies and the coverage available for data loss. A recent article in CSO reports growing awareness of cyber threats, and notes that the increased reporting requirements imposed by regulators are driving interest in cyber insurance products. A study cited in the article found that concern over cyber threats is so great that 76% of participating organizations ranked cyber security risks as high as or higher than other insurable risks such as natural disasters, business interruption and fire. If you are seriously looking at the insurance market for cyber risks, complete your own risk assessment before engaging a broker or underwriter: an organization that cannot document its risks and controls will pay higher premiums.
Read more: CSO Online