Hackers, Digital Economy Risks and Opportunities
On Tuesday, 9 August 2016, the Latvian Chamber of Commerce and Industry (LCCI) hosted a seminar titled "Hackers, Digital Economy Risks and Opportunities". Although the use of the word "hacker" in the seminar title proved somewhat misleading, the speakers' presentations were pervaded by the idea that as technology enters our daily lives, the risks of who uses the data collected and how - as well as the natural desire of bad actors to access it - are growing.
Technology creates fantastic opportunities, but the risks must also be understood!
J. Endziņš, LCCI Board Chairman
The role of online information is currently growing. Through various comments, which are mostly anonymous, the most contradictory ideas and opinions are expressed, which practically blocks the perception of objective facts.
J. Rozenvalds, University of Latvia Faculty of Social Sciences professor
Egils Stūrmanis (cert.lv) used his presentation to share his view of how technology is developing and the (mostly theoretical) threats this may create. He pointed to several examples of social engineering and of how bad actors can obtain access passwords. The risks should not be overestimated either, since hackers are only interested in obtaining data they can use for their own purposes. If you are a publicly known person, these are data you would not want to end up in the public eye; overall, however, hacker attacks on a private individual's data are mainly aimed at accessing their wallet (bank, PayPal, etc.) and at extortion (ransomware).
Stūrmanis pointed out various malware nuances - for example, why Pokémon Go should not be installed from outside the Google Play or Apple App Store. For instance, malware with access to SMS sending could send messages to premium rate numbers, in such quantities and amounts that they would be unnoticeable on a monthly bill.
How objectively can a user track small transactions? This is also an important nuance with regard to a near-future development - contactless bank cards and their security.
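The point about charges that are individually too small to notice on a monthly bill can be turned into a simple check on the statement itself. The following is an added example, not code from the seminar or from any of the speakers: it takes a constructed list of statement entries and flags any counterparty that receives a cluster of small charges, on the assumption (chosen here, not from the page) that five or more small charges, or small charges adding up to more than 5 EUR, to a single counterparty deserve a second look.

```python
"""Flag clusters of small charges on a bank or phone statement.

Added example. The thresholds below are assumptions for illustration,
and the statement entries are constructed, not taken from any real export.
Each entry is (date, counterparty, amount_eur).
"""
from collections import defaultdict
from dataclasses import dataclass

SMALL_CHARGE_EUR = 2.00   # a single charge at or below this counts as "small"
MIN_COUNT = 5             # assumed: this many small charges to one counterparty is suspicious
MIN_TOTAL_EUR = 5.00      # assumed: or when such charges to one counterparty add up to this much


@dataclass
class Finding:
    counterparty: str
    count: int
    total: float


def cluster_small_charges(entries):
    """Return one Finding per counterparty whose small charges cross a threshold.

    Large charges are ignored entirely: the aim is to surface amounts that
    are individually unremarkable but collectively add up.
    """
    count = defaultdict(int)
    total = defaultdict(float)
    for _date, counterparty, amount in entries:
        if 0 < amount <= SMALL_CHARGE_EUR:
            count[counterparty] += 1
            total[counterparty] += amount

    findings = []
    for counterparty in count:
        if count[counterparty] >= MIN_COUNT or total[counterparty] >= MIN_TOTAL_EUR:
            findings.append(
                Finding(counterparty, count[counterparty], round(total[counterparty], 2))
            )
    # Most money first, so the largest cluster is at the top of the report
    return sorted(findings, key=lambda f: f.total, reverse=True)


# Constructed sample statement: one ordinary month plus a run of 0.99 EUR
# charges to a premium-rate SMS number, the pattern the talk described.
SAMPLE_STATEMENT = [
    ("2016-08-01", "Grocery store", 23.40),
    ("2016-08-02", "PREMIUM SMS 1234 (constructed)", 0.99),
    ("2016-08-03", "Coffee kiosk", 1.50),
    ("2016-08-05", "PREMIUM SMS 1234 (constructed)", 0.99),
    ("2016-08-07", "Bakery (contactless)", 1.20),
    ("2016-08-09", "PREMIUM SMS 1234 (constructed)", 0.99),
    ("2016-08-10", "Coffee kiosk", 1.50),
    ("2016-08-12", "PREMIUM SMS 1234 (constructed)", 0.99),
    ("2016-08-15", "Grocery store", 31.10),
    ("2016-08-16", "PREMIUM SMS 1234 (constructed)", 0.99),
    ("2016-08-19", "Bakery (contactless)", 1.20),
    ("2016-08-21", "PREMIUM SMS 1234 (constructed)", 0.99),
    ("2016-08-24", "Coffee kiosk", 1.50),
    ("2016-08-28", "PREMIUM SMS 1234 (constructed)", 0.99),
]


if __name__ == "__main__":
    for finding in cluster_small_charges(SAMPLE_STATEMENT):
        print(f"{finding.counterparty}: {finding.count} charges, {finding.total:.2f} EUR")
```

On the sample above only the premium-SMS counterparty is reported (seven charges, 6.93 EUR in total); the coffee kiosk and bakery stay below both thresholds. The same grouping applies to contactless card statements, where the individual amounts are small by design.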
Zane Beļavska (Ministry of Defence) introduced those present to the ministry's legislative initiative, the so-called "Ethical Hacker Regulation". The idea is that if ethical hackers (or researchers) report a found "hole" to cert.lv in a timely manner, and only speak publicly about it once the "hole" has been patched, the institution could refrain from invoking the criminal law provision on unauthorised access to an IT system. Following such a report, the institution responsible for the vulnerable resource would be obliged to remedy it within 90 days (with the option to extend by a further 90 days).
From what was presented, it remained unclear how and whether claims could be brought, for example, by third parties who have suffered a data breach. Undeniably some form of regulation is needed to protect "whistleblowers"; what raises scepticism is the time allocated during which the institution will "patch" the "hole", which in total amounts to half a year.
Data protection specialists and lawyers (Ivars Krievs and Agnese Boboviča) spoke about the new EU data protection directive 2016/679 [1], which enters into force on 25 May 2018. The directive, while introducing nothing conceptually new, strengthens several things with regard to data processing. Key points:
- Also applies to processing of EU citizens' data outside the EU.
- Active consent action (tick a box to agree, not to remove a pre-ticked one if you disagree).
- Control over one's own data, including withdrawal. That is, a person will be entitled to request what data is stored in a system, and to correct and/or withdraw it if it has lost its purpose (e.g. the contract has been terminated).
- Minimisation of data processed. Goal: to eliminate "we store everything, it might come in handy". Only data necessary for achieving the purpose may be stored.
- Purpose limitation. The data controller will need not only to formulate the purpose for which data is collected, but also to present it to the data subject in an understandable way.
- Reporting on data-related incidents. The data controller must notify the supervisory authority (Data State Inspectorate) within 72 hours, and must also notify the data subject.
- And of course, penalties. The data controller (owner of the data) will always be held liable, but the processor and other involved parties can also be fined. Maximum penalty up to 20 million EUR or 4% of the previous year's turnover (whichever is greater).
Arnis Puksts and Artūrs Filatovs gave a presentation which, while looking more like a business pitch, introduced the general principles and internationally accepted practices for protecting data.
The Datamed case [2] was also explained - it had recently attracted public attention. Datamed processed medical data supplied by medical laboratories. In this case the laboratories are considered the data controllers, while Datamed was the data processing operator with whom an outsourcing agreement had been concluded. So far everything was lawful. The problem began when Datamed, for a small but fair fee, allowed data subjects to view their own data. From being an operator, the company became a data controller; the purpose of data processing changed. In any case, a data controller is entitled to engage a third party to carry out data processing, and the size of the company or its share capital is of no relevance.
Sources:
[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - http://eur-lex.europa.eu/legal-content/LV/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN
[2] Investigation launched into "Datamed" personal data processing compliance - http://nra.lv/latvija/179316-sakta-parbaude-par-datamed-personas-datu-apstrades-atbilstibu-likumam.htm