<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
 <channel>
  <title>Compliance and Privacy News</title>
  <link>http://complianceandprivacy.com/rss/rss.xml</link>
  <description>ComplianceAndPrivacy.com is full of news and views on Compliance, Privacy and surrounding legislation in the global marketplace from a European perspective</description>
  <lastBuildDate>Tue, 23 Sep 2008 20:14:49 GMT</lastBuildDate>
  <generator>ListGarden Program 1.3.1</generator>
  <docs>http://blogs.law.harvard.edu/tech/rss</docs>
<image>
<url>http://www.complianceandprivacy.com/images/cplogo.gif</url>
</image>
  <item>
   <title>What does the British Computer Society think of Phorm?</title>
   <link>http://complianceandprivacy.com/Report.asp</link>
   <description>Phorm, Webwise, OIX and the BCS Security Forum&lt;br>&lt;br>Phorm over function? Perhaps that's the challenge in relation to marketing desires clashing with privacy hopes. But given the starting point of the Phorm furore, in the Spring of 2008, we are now in the Autumn of 2008 and it's been nothing but data breach after user faux pas exposing countless millions of individuals' personally identifiable information that has focussed the spotlight firmly upon the need to apply &quot;privacy by design&quot; principles from the outset - something that the ICO will be taking a very serious view of in the coming months. The BCS Security Forum is equally involved in keeping a watching brief.</description>
   <pubDate>Tue, 23 Sep 2008 20:14:37 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/Report.asp</guid>
  </item>
  <item>
   <title>Are you storing customer data properly? The challenges of PCI DSS compliance</title>
   <link>http://complianceandprivacy.com/News-Thales-PCI-DSS.html</link>
   <description>Data security breaches are hitting the headlines with alarming frequency. While the most recent breaches have involved the public sector and financial services industries, retailers are not immune from the rise of data losses. Cotton Traders, the UK leisurewear and casual clothes brand, for example, recently conceded that thousands of customer details had been stolen from the company's website. Last year saw perhaps one of the most publicised cases involving retail giant, TJ Maxx, which found that hackers had accessed internal systems used to process and store customer transaction data, including credit card, debit card, cheque and return transactions. The incident cost TJ Maxx $256 million and the company is now offering to pay Visa card issuers a further $40.9 million to compensate for costs connected to the data breach. With data security cases rising in number and severity, the various industries affected are pulling together in an attempt to reduce the risk of fraud. The Payment Card Industry Data Security Standard (PCI DSS) is one such example which aims to crack down on fraud associated with credit and debit cards. However, the implementation of PCI DSS is not without its challenges and these must be overcome if the standard is to be used as an effective weapon in the fight against card fraud.&lt;br>&lt;br>PCI DSS aims to prevent any information that could be used to make a counterfeit card or a fraudulent online transaction from falling into the wrong hands. The standard applies to every acquiring bank, merchant and third party that accepts or processes payment cards. It is now mandatory for businesses with over 100,000 transactions a year to either be PCI DSS compliant or be able to demonstrate plans to become so. However, there is one element of the standard which is proving to be a particular stumbling block – requirement 3: protecting the stored cardholder data. 
In fact, 79 per cent of PCI DSS audit failures are due to companies not implementing requirement 3 properly.</description>
   <pubDate>Thu, 11 Sep 2008 12:22:33 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Thales-PCI-DSS.html</guid>
  </item>
  <item>
   <title>Data Vendor Sends SPAM about The Dangers of Prospecting Databases</title>
   <link>http://complianceandprivacy.com/News-Harris-Info-Spams-C&amp;P.html</link>
   <description>ComplianceAndPrivacy.Com received an email that appears to be from Harris Infosource, a D&amp;amp;B Company. Not a lot wrong with that, you may say. The email is a cold unsolicited email, or SPAM. What makes this amusing is that the SPAM has this subject line:&lt;br>&lt;br>&quot;Why Using Cheap Prospect Lists Can Cost You Big!&quot; &lt;br>&lt;br>Harris Infosource, it seems, are the purveyors of fine prospect lists.&lt;br>&lt;br>Harris addressed their SPAM to Milton Bennett at our domain. If Milton existed, if Milton had ever existed, if we had ever created, used, publicised an address for Milton, who is not now and never has been a member of our staff, then this would have been something we could pass off as &quot;just one of those things&quot;. But we have never heard of Milton Bennett. He is a figment of Harris Infosource's database. We wonder if they are selling him as a part of their very fine data. &lt;br>&lt;br>But this is SPAM with a cloned email address.</description>
   <pubDate>Fri, 05 Sep 2008 08:47:38 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Harris-Info-Spams-C&amp;P.html</guid>
  </item>
  <item>
   <title>Bank Customer Personal Data Sold on eBay for £35</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>An investigation is under way into how a computer containing bank customers' personal data was sold on an internet auction site.&lt;br>&lt;br>The PC, which was reportedly sold for £35 on eBay, had sensitive information on the hard drive.&lt;br>&lt;br>The Royal Bank of Scotland (RBS) and its subsidiary, Natwest, have confirmed their customers' details were involved.&lt;br>&lt;br>RBS says an archiving firm told it the PC had apparently been &quot;inappropriately sold on via a third party&quot;.&lt;br>&lt;br>It said historical information relating to credit card applications for their bank and others had been on the machine.&lt;br>&lt;br>The information is said to include account details and in some cases customers' signatures, mobile phone numbers and mothers' maiden names. </description>
   <pubDate>Tue, 26 Aug 2008 11:21:34 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>Best Western Denies Report of Massive Data Breach</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>A Scottish newspaper Friday ran a story that claimed to uncover a massive theft of data from Best Western's customer database, including personal information on all 8 million customers at the chain's 1,300 hotels in the past year.&lt;br>&lt;br>After initially thanking the newspaper and doing its own investigation, however, the hotel chain now says The Sunday Herald's report of a massive breach at Best Western is &quot;grossly unsubstantiated.&quot;&lt;br>&lt;br>In its report, The Sunday Herald stated that &quot;a previously unknown Indian hacker successfully breached the IT defenses of the Best Western Hotel Group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.&quot; The newspaper called the attack &quot;the greatest cyber-heist in world history,&quot; alleging that it &quot;scooped up the personal details of every single customer that has booked into one of Best Western's 1,312 continental hotels since 2007.&quot;&lt;br>&lt;br>The newspaper stated that Best Western officials thanked it for discovering the breach and immediately closed the security hole by Friday afternoon. &quot;Best Western took immediate action to disable the compromised login account in question,&quot; a hotel spokesman told the paper on Friday. &quot;We continue to investigate the root cause of the issue, including, but not limited to, the third-party Website that has allegedly facilitated this illegal exchange of information.&quot;&lt;br>&lt;br>Last night, however, Best Western stated that its own investigation indicates that only about 13 customers are at risk, not 8 million.</description>
   <pubDate>Tue, 26 Aug 2008 07:25:31 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>Best Western Data Loss - Indian hacker alleged brain behind biggest cyber-heist </title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>An unknown Indian hacker is being 'charged' with the greatest cyber-heist in history for allegedly helping a criminal gang steal identities of an estimated eight million people in a hacking raid that could ultimately net more than 2.8 billion pounds in illegal funds. &lt;br>&lt;br>An investigation by Scotland's Sunday Herald newspaper has discovered that late on Thursday night a previously unknown Indian hacker successfully breached the IT defences of UK's Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia. &lt;br>&lt;br>There are no details yet on how the hacker was identified to be an Indian and if a probe is on to identify the person. It is also not known if the hotel chain has alerted the police about the heist. </description>
   <pubDate>Mon, 25 Aug 2008 16:52:25 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>Vietnam introduces heavy fines for spammers </title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>Organisations and individuals who send spam mail and text messages or trade in e-mail addresses may be fined up to VND80 million (US$5,000), according to the newly-issued Decree on Anti-spam mail. &lt;br>&lt;br>The decree bans organisations and individuals from using electronic means to deliver spam messages, exchange or trade e-mail addresses or deliver software products that collect e-mail addresses, according to the Ministry of Information and Communications. &lt;br>&lt;br></description>
   <pubDate>Mon, 25 Aug 2008 08:37:25 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>Republic of the Philippines can’t do without policy on data privacy, security</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>Under no circumstances can the Philippines compete, let alone thrive, in the lucrative outsourcing market and the global marketplace without a fool-proof policy on data protection and security.&lt;br>&lt;br>This was the clear message sent out by participants in a recent conference dubbed &quot;Mapping the Future of Information Security Forum&quot; organized by the Information Systems Security Society of the Philippines (ISSSP) at a hotel in Makati City.&lt;br>&lt;br>Anthony Tuason, a director at consultancy firm PriceWaterhouseCoopers, said during his presentation that IT companies, most especially those in the BPO sector, cannot possibly institute &quot;IT governance&quot; — the process of using technology as a management tool to run an organization — in the workplace if security is being disregarded.&lt;br>&lt;br>&quot;Innovation, value, and performance can be derived from IT governance (and) data privacy and security is one area that helps organizations achieve their IT governance objectives,&quot; Tuason said.&lt;br>&lt;br></description>
   <pubDate>Mon, 25 Aug 2008 08:35:30 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>National Gateway Security Survey 2008 Shows Interesting Changes in Threat Landscape </title>
   <link>http://complianceandprivacy.com/News-Wick-Hill-National-Gateway-Security-Survey.html</link>
   <description>The National Gateway Security Survey 2008, carried out for value added distributor and security specialist Wick Hill and sponsored by WatchGuard Technologies, leaders in unified threat management systems, has highlighted the increasing move toward remote and mobile use, as well as the concerns users have about this shift. In a survey of 341 of the top UK companies, by employee number and turnover, 48% had over 150 remote users and a further 11% had 50 to 100 remote users. 61% said that the number of remote users on their network was increasing. 45% reported that the number of VPNs was increasing and 43% that the number of SSL users was increasing.</description>
   <pubDate>Thu, 21 Aug 2008 13:54:06 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Wick-Hill-National-Gateway-Security-Survey.html</guid>
  </item>
  <item>
   <title>Unified Threat Management (UTM) - Watchguard Technologies</title>
   <link>http://www.complianceandprivacy.com/News-Watchguard-XTM.html</link>
   <description>Unified threat management (UTM) spawned a new era of IT security. The promise of these integrated security appliances proved to be an exceptional and efficient way of securing commercial networks. However, businesses today face an inflection point, dictated by changing market trends and new technologies that demand more of today’s UTM. Hence the need is for eXtensible threat management (XTM) solutions, the next generation of UTM appliances. XTM is predicated upon the substantive expansion of three elements: more security, greater networking capabilities, and more management flexibility. This paper provides an overview of these issues and the WatchGuard Technologies perspective on “extensibility” and XTM.</description>
   <pubDate>Wed, 13 Aug 2008 15:06:39 GMT</pubDate>
   <guid isPermaLink="true">http://www.complianceandprivacy.com/News-Watchguard-XTM.html</guid>
  </item>
  <item>
   <title>Transatlantic Events - Data Privacy Conference</title>
   <link>http://complianceandprivacy.com/events.asp</link>
   <description>As a grand special offer to readers of ComplianceAndPrivacy.Com, Transatlantic Events has slashed the ticket price to £200 per day.  Reach the special Compliance and Privacy booking page directly from here:

&lt;p&gt;&lt;a href=&quot;http://www.transatlantic-events.com/PDP2008UKCPVIP.html&quot;&gt;Special ComplianceAndPrivacy.Com Delegate Booking Page&lt;/a&gt;.

&lt;p&gt;This event is a Must See for those planning cross Atlantic or International operations which involve passing data from location to location</description>
   <pubDate>Tue, 22 Jul 2008 12:09:20 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events.asp</guid>
  </item>
  <item>
   <title>Special Privacy Event Offer</title>
   <link>http://complianceandprivacy.com/events.asp</link>
   <description>EXCLUSIVE READERS OFFER:&lt;br>&lt;br>Dear Readers of Compliance and Privacy,&lt;br>It's our pleasure to announce and invite you as a VIP Delegate to:&lt;br>The 5th Annual Privacy &amp;amp; Data Protection UK 2008&lt;br>3rd &amp;amp; 4th of September 2008&lt;br>at The Law Society, 113 Chancery Lane, London, United Kingdom The event is broken up into two separate days &amp;amp; two separate events:&lt;br>&lt;br>&quot;Data Protection: Global Compliance Management&quot; 3rd of September 2008&lt;br>&lt;br>&lt;br>&quot;Data Protection: CRM, Privacy 2.0 &amp;amp; Social Networking&quot; 4th of September 2008&lt;br>&lt;br>This is a major Privacy &amp;amp; Data Protection event with more than 20 internationally renowned speakers. If there is one Privacy &amp;amp; Data Protection event to attend this year, this is it!&lt;br>&lt;br>The full conference agenda for The 5th Annual Privacy &amp;amp; Data Protection UK 2008 is available at:&lt;br>WWW.TRANSATLANTIC-EVENTS.COM Please note: All VIP Delegates who attend are entitled to a special VIP discount: VIP Delegates are able to attend this event for only £250.00 (either day) or £450.00 for both days. This invite is open to you and/or any colleague(s) you would like to recommend to this event. The VIP Delegate Registration portal is:&lt;br>WWW.TRANSATLANTIC-EVENTS.COM/PDP2008UKVIP.html&lt;br>&lt;br>VIP Delegate places are limited, and sold on a &quot;first come, first served&quot; basis. So be sure to reserve your place(s) ASAP before they are all allocated.&lt;br>&lt;br>WHO SHOULD ATTEND?
&lt;br>You will have the opportunity to meet players in the industry and discuss the latest issues with:&lt;br>Chief Executives, Chief Operating Officers, Managing Directors, Heads of Human Resources, Information Security and Risk Management Specialists/Consultants, Strategy Directors, Commercial Directors, Communications Directors, Sales and Marketing Directors, Heads of e-Commerce, Information Assurance Specialists/Consultants, Heads of Business Development, Heads of Compliance, Regulatory and Legal Affairs, Consultants and Advisors, Heads of IT &amp;amp; Database Management, Privacy Officers and ... anyone concerned with Privacy &amp;amp; Data Protection.&lt;br>&lt;br>The 2008 Expert Speaker Faculty&lt;br>Chairman (Day One):&lt;br>Alastair Gorrie, Partner, Orrick, Herrington &amp;amp; Sutcliffe, UK&lt;br>Co-Chairman (Day One):&lt;br>James Leaton Gray, Head of Information Policy &amp;amp; Compliance, BBC UK&lt;br>Chairman (Day Two):&lt;br>Francis Aldhouse, Consultant, Bird &amp;amp; Bird, UK&lt;br>Co-Chairman (Day Two):&lt;br>Nigel Roberts, Director and CTO, Island Networks, UK Internationally Renowned Speaker Faculty:&lt;br>Bridget Treacy, Partner, Hunton &amp;amp; Williams LLP, UK&lt;br>Monika Kuschewsky, Senior Associate, Van Bael &amp;amp; Bellis, Brussels&lt;br>Rosemary Jay, Partner, Pinsent Masons LLP, UK&lt;br>Mark E. Schreiber, Partner, Edwards Angell Palmer &amp;amp; Dodge LLP, USA&lt;br>Robert Bond, Partner, Speechly Bircham LLP, UK&lt;br>Renzo Marchini, Dechert LLP, UK&lt;br>Vinod Bange, Associate, Eversheds LLP, UK&lt;br>Anne Coles, Senior Partner, AMC Law, UK&lt;br>Philip Nolan, Partner, Mason Hayes + Curran, Ireland&lt;br>Lynda K. Marshall, Partner, Hogan &amp;amp; Hartson LLP, USA&lt;br>Karen A. Morris, Chief Innovation Officer, AIG, USA&lt;br>Tim Beadle, Director, Marketing Improvement, UK&lt;br>Peter G. 
Wray, Chairman &amp;amp; Founder loyaltymatters.com and cm4p.com&lt;br>Gareth Wong, Founder of CXO Europe, GamBond, and Gambit, UK&lt;br>Dr. Mark Watts, Partner, Bristows, UK&lt;br>Nicola McKilligan, The European Privacy Partnership, UK&lt;br>Andy Thomas, Director, Garlik, UK&lt;br>Edna Kusitor, Global Data Privacy Compliance Coordinator, Accenture, UK&lt;br>Graham Sadd, Chairman &amp;amp; CEO, PAOGA Limited, UK&lt;br>Winston Maxwell, Partner, Hogan &amp;amp; Hartson MNP, France&lt;br>Tim Trent, Consultant, Marketing Improvement, Managing Editor ComplianceAndPrivacy.Com&lt;br>&lt;br>UK Delegate places are limited, so reserve your delegate place TODAY!!! For more information, visit:&lt;br>WWW.TRANSATLANTIC-EVENTS.COM Event Organisers:&lt;br>Transatlantic Events&lt;br>Production Office&lt;br>Epsom, Surrey, United Kingdom&lt;br>email: info@transatlantic-events.com&lt;br>phone: +44 (0) 208 658 6568</description>
   <pubDate>Tue, 15 Jul 2008 13:54:02 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events.asp</guid>
  </item>
  <item>
   <title>Trust is not about SSL. It's about domains </title>
   <link>http://complianceandprivacy.com/News-Trust-is-about-domains.html</link>
   <description>At ComplianceAndPrivacy we've been running a study on domains to trust. We don't mean &quot;trustmydomain.com&quot;, we mean the domain suffix; the little thing that you choose when buying &quot;myfabulousdomain&quot;.&lt;br>&lt;br>Do you choose .com, or do you think, incorrectly &quot;That is for the USA&quot;? Do you choose .biz? Is .org for you? What about .info?&lt;br>&lt;br>So we asked, on a pretty normal website, this question: &quot;Some domains seem to feel more trustworthy than others. This survey is about the .com .biz .info .org and other domain suffixes and which put you most at ease. OK, there are iffy nations, but we are lumping all national style ones under one entry. Tick all that say to you 'Trust this domain'&quot;&lt;br>&lt;br>We expected nothing significant. After all it was a website for Joe Q Public, and this is what we got:</description>
   <pubDate>Tue, 24 Jun 2008 09:30:24 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Trust-is-about-domains.html</guid>
  </item>
  <item>
   <title>How Centralised Unified Threat Management (UTM) Can Help Companies Control Security At Remote Offices, Simplify Administration And Cut Costs </title>
   <link>http://complianceandprivacy.com/News-Wick-Hill-centralised-UTM.html</link>
   <description>In today's modern, distributed computing network, where companies and organisations need to secure IT not just for the head office, but for remote locations as well, the ability to control security for multiple sites from one single location is becoming increasingly important.&lt;br>&lt;br>With some security systems, the tasks of configuration, updating, rebooting, etc. for remote sites might all have to be done separately and repeated for each location. Administrators could be faced with managing remote security appliances individually, possibly having to send someone out to a remote site to carry out certain tasks, such as configuration or establishing VPN tunnels. This can be difficult, time consuming, costly and complex and, in some cases, it is practically or financially impossible.&lt;br>&lt;br>It can be further complicated if there are multiple appliances, delivering multiple levels of security, such as firewall, VPN, spam blocking, gateway anti-virus, web content management and intrusion detection/prevention. </description>
   <pubDate>Wed, 21 May 2008 11:48:36 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Wick-Hill-centralised-UTM.html</guid>
  </item>
  <item>
   <title>Mobile and Remote Working - Is it secure? </title>
   <link>http://complianceandprivacy.com/News-Wick-Hill-remote-working-security.html</link>
   <description>&lt;ul&gt;&lt;li&gt;Unstoppable move towards remote and mobile working&lt;/li&gt;&lt;li&gt;Mobile working is not adequately secured.&lt;/li&gt;&lt;li&gt;Organisations are concerned about security for mobile and remote workers and how to enforce company security policies outside the gateway.&lt;/li&gt;&lt;li&gt;Companies want to protect against data leakage and data loss from such problems as stolen laptops.&lt;/li&gt;&lt;li&gt;There is no one solution to securing remote working.&lt;/li&gt;&lt;li&gt;The range of solutions includes strong authentication, end point security, remote unified threat management (UTM) systems, low-cost encryption and VPNs.&lt;/li&gt;&lt;/ul&gt;</description>
   <pubDate>Tue, 18 Mar 2008 14:58:01 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Wick-Hill-remote-working-security.html</guid>
  </item>
  <item>
   <title>Olubi Adejobi and Robert Bentley, both Solicitors, fined for Data Protection Offences</title>
   <link>http://complianceandprivacy.com/News-UKIC-prosecutes-London%20Solicitors.html</link>
   <description>Grier Olubi and Bentleys - Individual solicitors convicted for data protection offences&lt;br>&lt;br>The Information Commissioner’s Office (ICO) has today successfully prosecuted two London solicitors for offences under the Data Protection Act. Olubi Adejobi of Grier Olubi Solicitors and Robert Bentley of Bentley’s Solicitors, both based in London, were each fined £300 and ordered to pay costs of £500 plus a victims’ surcharge of £15 at Stratford Magistrates’ Court. Each solicitor must pay a total of £815 in fines and costs.&lt;br>&lt;br>Today’s prosecution follows the failure of both Mr Adejobi and Mr Bentley to notify as data controllers despite repeated reminders from the ICO of their obligations under the Data Protection Act.&lt;br>&lt;br>Under the Act, organisations that process individuals’ personal information may be required to notify with the Information Commissioner at a nominal cost of £35 per year. Despite being told to notify, both Mr Adejobi and Mr Bentley have failed to respond to any of the ICO’s correspondence and have still not notified.&lt;br>&lt;br></description>
   <pubDate>Fri, 22 Feb 2008 13:45:05 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-prosecutes-London%20Solicitors.html</guid>
  </item>
  <item>
   <title>ADC Organisation Prosecuted by UK Information Commissioner for Data Protection law breaches</title>
   <link>http://complianceandprivacy.com/News-UKIC-prosecutes-ADC-Organisation.html</link>
   <description>ADC Organisation prosecuted for data protection offences&lt;br>&lt;br>ICO prosecutes debt company for breaching marketing rules&lt;br>&lt;br>A Manchester debt recovery company has been successfully prosecuted by the Information Commissioner’s Office (ICO) for bombarding individuals and businesses with unwanted faxes. The action follows thousands of complaints from individuals and businesses to the ICO and the Fax Preference Service (FPS).&lt;br>&lt;br>ADC Organisation Ltd (ADC) pleaded guilty to six charges under the Privacy and Electronic Communications Regulations and has been fined £600 (£100 per charge). The organisation was also ordered to pay £1,926.25 in costs. ADC must pay a total of £2,526.25 in fines and costs.&lt;br>&lt;br></description>
   <pubDate>Fri, 22 Feb 2008 13:32:32 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-prosecutes-ADC-Organisation.html</guid>
  </item>
  <item>
   <title>UK Information Commissioner takes enforcement action against Marks &amp; Spencer </title>
   <link>http://complianceandprivacy.com/News-UKIC-requires-laptop-encryption.html</link>
   <description>M&amp;amp;S ordered to encrypt all hard drives by April 2008&lt;br>&lt;br>The Information Commissioner's Office (ICO) has found Marks &amp;amp; Spencer (M&amp;amp;S) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&amp;amp;S employees.&lt;br>&lt;br>An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&amp;amp;S employees, was stolen from the home of an M&amp;amp;S contractor. In light of the nature of the information contained on the laptop, it is the ICO's view that M&amp;amp;S should have had appropriate encryption measures in place to keep the data secure.&lt;br>&lt;br>Mick Gorrill, Assistant Commissioner at the ICO, said: &quot;It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption. The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act. </description>
   <pubDate>Fri, 25 Jan 2008 12:40:19 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-requires-laptop-encryption.html</guid>
  </item>
  <item>
   <title>Bereaved man sickened by marketing 'breach'</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>A consultant in data privacy has slammed a crematorium for its &quot;tasteless&quot; posting of marketing material, claiming that it broke the law.&lt;br>&lt;br>Tim Trent, 55, cremated his mum Connie at North East Surrey Crematorium last November and thought that would be the end of the matter.&lt;br>&lt;br>But three days later, he was stunned to find a glossy brochure on his doormat, advertising memorials, plaques, flowers and other services offered by the crematorium.&lt;br>&lt;br>Mr Trent said: &quot;It hit me in the face like a sledgehammer. We had a really good send-off for my mother, and thought that chapter of our life was closed. I didn't expect this at all, so it was gloriously distasteful.&quot;</description>
   <pubDate>Fri, 25 Jan 2008 11:58:08 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>European Data Protection Supervisor condemns data protection legislation</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>The European Data Protection Supervisor (EDPS) has condemned the inability of existing legislation to protect citizens against practices and proposals that amount to the creation of a state-sponsored surveillance society.&lt;br>&lt;br>EDPS Peter Hustinx called on the European Parliament to pass primary legislation to define and protect personal data. He also asked for specific laws to protect such data from abuse under new data collection and exchange proposals from law enforcement agencies.&lt;br>&lt;br>He said agencies that collect, process and store the data should provide information that would allow individuals to modify their behaviour to avoid being &quot;profiled&quot; and to obtain redress for errors and abuses.&lt;br>&lt;br>The recommendations were part of three opinions that the EDPS issued in December. The opinions are his response to practices and proposals related to the fight against terrorism and organised crime. Many of them have arisen since 9/11.</description>
   <pubDate>Wed, 16 Jan 2008 12:16:54 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>FBI eyes British identity data</title>
   <link>http://complianceandprivacy.com/News.asp</link>
   <description>The US Federal Bureau of Investigation is seeking British co-operation in setting up an internationally accessible biometric database of known and suspected criminals and terrorists.</description>
   <pubDate>Wed, 16 Jan 2008 12:14:12 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/News.asp</guid>
  </item>
  <item>
   <title>Dam Data Leakage at Source - a Wick Hill view</title>
   <link>http://complianceandprivacy.com/News-Wick-Hill-Dam-data-leakage-at-source.html</link>
   <description>&lt;ul&gt;&lt;li&gt;Computer networks have become increasingly open and accessible by more and more users. Huge growth in the use of mobile, wireless and remote computing&lt;/li&gt;&lt;li&gt;These changes in computer networks have left confidential data at risk of being seen by those unauthorised to view it.&lt;/li&gt;&lt;li&gt;Those wanting to view data without permission include employees and those outside an organisation. The motive may be non-malicious, or malicious, or criminal.&lt;/li&gt;&lt;li&gt;Laptops are particularly vulnerable to data loss or theft, with laptop losses reported ever more frequently.&lt;/li&gt;&lt;li&gt;Losing data damages a company's reputation, puts them in breach of the Data Protection Act and may be very costly, including the possibility of being fined.&lt;/li&gt;&lt;li&gt;If sensitive information, such as financial details, is lost, it may leave customers or staff exposed to identity theft.&lt;/li&gt;&lt;li&gt;Currently, the protection of data is mainly inadequate. Because of the rapidly changing structure of computer networks, companies should review the way they protect the security of data.&lt;/li&gt;&lt;li&gt;The highest risk areas for losing data are through email, through remote access and through laptop use.&lt;/li&gt;&lt;li&gt;Encryption is the best way to secure data. It is now both easy-to-use and low cost.&lt;/li&gt;&lt;li&gt;Encryption technology is now moving towards Unified Encryption Management (UEM), which means that encryption is centrally managed throughout an organisation, including for office based systems, mobile and remote access.&lt;/li&gt;&lt;/ul&gt;
</description>
   <pubDate>Fri, 09 Nov 2007 08:12:40 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Wick-Hill-Dam-data-leakage-at-source.html</guid>
  </item>
  <item>
   <title>UK Information Commissioner does not regulate BlueSpam after all!</title>
   <link>http://complianceandprivacy.com/News-UKIC-does-not-regulate-bluespam.html</link>
   <description>Following discussions with the Department of Business, Enterprise and Regulatory Reform and others the Information Commissioner’s Office has amended its guidance on the Privacy and Electronic Communications Regulations 2003. The guidance previously stated that marketing messages sent using Bluetooth technology would be subject to PECR rules relating to the sending of unsolicited marketing.</description>
   <pubDate>Fri, 12 Oct 2007 17:25:22 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-does-not-regulate-bluespam.html</guid>
  </item>
  <item>
   <title>IPv6 - Risks &amp; Ramifications of a Potential Disruptor  - Book your Webcast place</title>
   <link>http://complianceandprivacy.com/events.asp</link>
   <description>While the various modifications and improvements to IPv4 have served the Internet well, these stop gaps can only go so far. Fortunately, IPv6 is finally maturing and provides some much needed functionality that will undoubtedly facilitate growth and innovation. Now that more products include IPv6 functionality, the technology is slowly becoming a reality. While this is a slow process, it will be moved along with the US Government's mandate that organizations implement IPv6 by 2008; the mandate even includes organizations that do not have external factors forcing an upgrade. &lt;br>&lt;br>While delaying deployment may lead to missed opportunities, completely disregarding the technology can have serious security ramifications. Most networks are partially IPv6-capable whether or not network managers are aware of it, and IPv4 networks left unprepared are vulnerable to attackers. So, for those considering upgrading to IPv6, there are a number of issues to consider before taking the plunge. Organizations must remember that platform upgrades of this scale will cause disruptions. In addition, an upgrade could cause confusion, resulting in security holes that attackers will certainly try to exploit. These are just some of the issues network managers and implementation specialists must consider, which makes it imperative they have a solid understanding of this new protocol. From a strategic standpoint, IPv6 facilitates a paradigm shift toward increasingly distributed, end-to-end communications, changing the threat landscape and requiring similarly distributed security. This report provides an overview of IPv6 and discusses the risks associated with its implementation. </description>
   <pubDate>Thu, 11 Oct 2007 11:31:13 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events.asp</guid>
  </item>
  <item>
   <title>Predicting Disruptive Technologies over the next 5 years - Webcast replay</title>
   <link>http://complianceandprivacy.com/events-replays/index.asp</link>
   <description>Disruptors, understood as radical shifts in technological or behavioral trend-line trajectories, are considered &quot;disruptive&quot; largely because they are unforeseeable or else, if somewhat foreseeable, cannot be modeled precisely enough to facilitate control over the process. With this in mind this report analyses numerous and varied potential disruptors, some of which may never come to fruition. Thus, each section explicitly acknowledges the level of confidence with which analysts estimate each disruptor's potential impact; some will be almost sure to occur, others less likely and still others of uncertain likelihood. In this way, decision makers can allocate resources according not only to the potential impact, but also considering the likelihood of its occurrence. </description>
   <pubDate>Thu, 11 Oct 2007 11:30:00 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events-replays/index.asp</guid>
  </item>
  <item>
   <title>Uncovering Online Fraud Rings: The Russian Business Network - Webcast Replay</title>
   <link>http://complianceandprivacy.com/events-replays/index.asp</link>
   <description>The Russian Business Network (RBN) developed into its current incarnation as &quot;the baddest of the bad&quot; Internet service provider (ISP) in June 2006. Before then, much of the malicious code currently hosted on RBN servers was located on the IP block of another St. Petersburg ISP, the now-defunct ValueDot. Like ValueDot before it, but unlike many ISPs that host predominately legitimate items, RBN is entirely illegal. VeriSign iDefense research identified phishing, malicious code, botnet command-and-control (C&amp;amp;C), and denial of service (DoS) attacks on every single server owned and operated by RBN. </description>
   <pubDate>Thu, 11 Oct 2007 11:28:51 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events-replays/index.asp</guid>
  </item>
  <item>
   <title>Motives, Methods and Mitigation of Insider Threats  - Webcast Replay</title>
   <link>http://complianceandprivacy.com/events-replays/index.asp</link>
   <description>Although security plans are usually designed to look outward to mitigate threats and attacks from the Internet, they often fail to address the more likely attack vector - the malicious insider. This report examines the anatomy of the insider threat - what makes the malicious insider tick, how they often hit and what organizations can do to prevent damage or loss. A heavy focus upon the impact to financial and retail organizations is included in this research. </description>
   <pubDate>Thu, 11 Oct 2007 11:28:09 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/events-replays/index.asp</guid>
  </item>
  <item>
   <title>Flash mobs - the next online threat </title>
   <link>http://complianceandprivacy.com/News-Eversheds-e80-flash-mobs.html</link>
   <description>Estonia has one of the most technologically advanced populations in Europe. Events in the last few months, though, have perhaps given the rest of Europe a taste of what might be the next real threat on the internet, flash mobbing.&lt;br>&lt;br>Flash mobbing is where a group of people meet online to coordinate attacks on an organisation either by their physical presence (such as everyone turning up at one furniture shop) or online. Common attacks include sending emails to the same website at the same time or using the website for mass queries with the aim of taking the server down.&lt;br>&lt;br>Flash mobbing has been headline news in Estonia as its government uses technology extensively, for example allowing widespread use of e-voting in the last elections. The government's servers were attacked in the summer by a flash mob thought to have had connections with neighbouring Russia.</description>
   <pubDate>Fri, 05 Oct 2007 09:01:34 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Eversheds-e80-flash-mobs.html</guid>
  </item>
  <item>
   <title>Thales's Mobile VPN Solution Secures the Use of Public Wireless Networks</title>
   <link>http://complianceandprivacy.com/News-Thales-safemove-release.html</link>
   <description>Thales, a leading supplier of IT security products and solutions for all critical infrastructures, today (4 October 2007) announced a new version of its SafeMove Mobile VPN solution incorporating an innovative Hotspot Login Assistant. The enhancement makes untrusted public networks easier and much safer for users who require remote access to corporate networks. The Hotspot Login Assistant feature makes Thales's SafeMove the leading remote access solution, truly addressing all security dimensions, including critical human factor issues. &lt;br>&lt;br>According to the latest figures from the Office of National Statistics, the number of people in the UK who work mainly from home doubled between 1997 and 2005 to 2.4 million workers. Supporting the desire for increasing levels of flexibility, the number of workers using multiple locations experienced the strongest growth, accounting for 6 per cent of all workers in 2005. These statistics reflect a worldwide trend that supports the need for advanced security solutions, such as SafeMove, to safeguard the information of companies and individuals wishing to access private data and applications from a variety of locations. </description>
   <pubDate>Thu, 04 Oct 2007 09:40:37 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Thales-safemove-release.html</guid>
  </item>
  <item>
   <title>Full archive of Privacy Laws and Business UK Newsletters</title>
   <link>http://complianceandprivacy.com/privacy-laws-and-business/UK-Newsletter-Index.html</link>
   <description>By kind permission of Privacy Laws and Business, ComplianceAndPrivacy.com is able to bring you the United Kingdom Newsletter Archive, up to the end of June 2007.  New items will be announced individually</description>
   <pubDate>Wed, 03 Oct 2007 14:14:18 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/privacy-laws-and-business/UK-Newsletter-Index.html</guid>
  </item>
  <item>
   <title>Full archive of Privacy Laws and Business International Newsletters</title>
   <link>http://complianceandprivacy.com/Legislation.asp</link>
   <description>By kind permission of Privacy Laws and Business, ComplianceAndPrivacy.com is able to bring you the International Newsletter Archive, up to the end of June 2007.  New items will be announced individually</description>
   <pubDate>Wed, 03 Oct 2007 14:13:58 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/Legislation.asp</guid>
  </item>
  <item>
   <title>PL&amp;B International E-news, Issue 57</title>
   <link>http://complianceandprivacy.com/privacy-laws-and-business/Issue-57.html</link>
   <description>&lt;ul&gt;&lt;li&gt;The Art. 29 Data Protection Working Party discusses SWIFT, search engines' retention policies and the definition of &quot;personal data&quot;&lt;/li&gt;&lt;li&gt;Argentina appoints a new Data Protection Commissioner&lt;/li&gt;&lt;/ul&gt;
</description>
   <pubDate>Wed, 03 Oct 2007 14:11:31 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/privacy-laws-and-business/Issue-57.html</guid>
  </item>
  <item>
   <title>PL&amp;B UK E-news, Issue 60</title>
   <link>http://complianceandprivacy.com/privacy-laws-and-business/UK-issue-60.html</link>
   <description>&lt;ul&gt;&lt;li&gt;Orange and Littlewoods found in breach of DP Act&lt;/li&gt;&lt;li&gt;The ICO is getting tougher. The Information Commissioner, Richard Thomas, will be launching his consultation on his &quot;New strategy and new priorities for Data Protection and Freedom of Information&quot; at the PL&amp;B Cambridge Conference on Monday, 2nd July&lt;/li&gt;&lt;li&gt;ICO publishes guidance on bankruptcy&lt;/li&gt;&lt;/ul&gt;</description>
   <pubDate>Wed, 03 Oct 2007 14:10:12 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/privacy-laws-and-business/UK-issue-60.html</guid>
  </item>
  <item>
   <title>Thales SafeSign packages revolutionise delivery of identity management and authentication pilot schemes</title>
   <link>http://complianceandprivacy.com/News-Thales-signsafe-release.html</link>
   <description>Thales offers its award-winning end-to-end strong authentication solution, SafeSign, in a range of pilot packages for enhanced ease of installation and configuration&lt;br>&lt;br>Thales today (1 October 2007) announces that it is launching individually packaged pilot versions of its market-leading identity management and authentication solution, SafeSign. This innovation enables enterprises such as banks and government agencies to assess the value of a solution against their specific business needs in a faster and more cost-effective manner. By using a SafeSign pilot package, organisations can have the solution operational in under 20 minutes, revolutionising the pilot phase and saving valuable project time.&lt;br>&lt;br>As technology continues to evolve at an exponential rate, banks and enterprises face a huge investment of time, money and resource to pilot hardware and software projects to remain competitive. Thales's innovative offering enables organisations to easily implement a tailored strong authentication package that they can integrate with internal applications and run a proof-of-concept programme before committing to full-scale deployment. </description>
   <pubDate>Mon, 01 Oct 2007 11:20:00 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Thales-signsafe-release.html</guid>
  </item>
  <item>
   <title>Compliance and Privacy Feed now to your WAP phone</title>
   <description>We've started to experiment with WAP technology as a service to our readers.  So we're working with the service from Feedm8 to see if this is beneficial

&lt;p&gt;&lt;a href=&quot;http://feedm8.com/web/feed_send?feedid=829&quot; target=&quot;fmpopup&quot; onsubmit=&quot;window.open('http://feedm8.com/web/feed_send?feedid=829', 'fmpopup', 'scrollbars=yes,width=550,height=520');return true&quot;&gt;&lt;img src=&quot;http://feedm8.com/web/images/send6.gif&quot; border=&quot;0&quot;&gt;&lt;/a&gt; will get the service to your mobile.</description>
   <pubDate>Sun, 16 Sep 2007 22:29:20 GMT</pubDate>
  </item>
  <item>
   <title>UK Information Commissioner serves enforcement notice on Fax marketers</title>
   <link>http://complianceandprivacy.com/News-UKIC-enforces-against-fax-marketing.html</link>
   <description>The Information Commissioner’s Office (ICO) has ordered two debt recovery companies to stop sending unwanted faxes to individuals and businesses. This action has been brought under the Privacy and Electronic Communication Regulations (PECR) following hundreds of complaints from individuals and businesses to the ICO and the Fax Preference Service.&lt;br>&lt;br>Failure to comply with the Enforcement Notices is a criminal offence and is likely to result in the ICO taking further action against Clear Debt Solutions Ltd and ADC Organisation Ltd.</description>
   <pubDate>Wed, 12 Sep 2007 10:52:35 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-UKIC-enforces-against-fax-marketing.html</guid>
  </item>
  <item>
   <title>Dechert: Bluespam - Is It Legal?</title>
   <link>http://complianceandprivacy.com/News-Dechert-Bluespam.html</link>
   <description>&quot;Bluespam: Is it legal?&quot; examines whether so called bluespam falls within the restrictions imposed by the Privacy and Electronic Communications Directive and whether organisations can therefore be prevented from marketing via bluetooth without first obtaining consent. It also considers the practicality of obtaining consent from bluetooth users and discusses the options for Bluetooth users who do not wish to receive bluespam.</description>
   <pubDate>Wed, 29 Aug 2007 17:22:37 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Dechert-Bluespam.html</guid>
  </item>
  <item>
   <title>Off Network Security; A Crisis at Hand - Ponemon Institute and Redemtech</title>
   <link>http://complianceandprivacy.com/News-Ponemon-Redemtech-study.html</link>
   <description>Ponemon Institute Examines Security Risk Posed by Off-Network, Data-Bearing Equipment&lt;br>&lt;br>Study Finds Vast Majority of Data Breaches Involve Unprotected Confidential Information on Off-Network Devices&lt;br>&lt;br>On August 7, financial services firm Merrill Lynch reported the theft of a laptop computer from its New Jersey corporate office – a computer containing sensitive personal and financial information, including Social Security numbers, for 33,000 of its employees. Such breaches of confidential information have become routine news for one simple reason: though sparing no expense to guard the security of their networks, corporations often fail to protect data on devices that are disconnected from the network.&lt;br>&lt;br>According to a new study by the Ponemon Institute, 73 percent of corporations experienced the loss or theft of a data-bearing asset in the last 24 months, yet those same organizations report limited efforts to manage this vulnerability. The new Ponemon report, National Survey: The Insecurity of Off-Network Security, will be discussed in detail today [22 August 2007] by study author Dr. Larry Ponemon, founder and chairman, Ponemon Institute, and study sponsor, Robert Houghton, president, Redemtech, during the Privacy Symposium at Harvard University. </description>
   <pubDate>Wed, 22 Aug 2007 14:48:19 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-Ponemon-Redemtech-study.html</guid>
  </item>
  <item>
   <title>Romanian Scammers hit TradeMe Milestone</title>
   <link>http://complianceandprivacy.com/News-TradeMe-Scammers.html</link>
   <description>The criminal group responsible for numerous phishing scams on TradeMe hit a milestone on Saturday August 18th, 2007. Internet watchdog group ScamBusters reports that the number of hijacked TradeMe accounts used by a Romanian gang to place fraudulent listings on the site in the past eighteen months has now reached a total of one thousand.&lt;br>&lt;br>&quot;That's a lot of compromised accounts&quot; says spokesman Alf West. &quot;And they're only the ones that we've recorded. These criminals have many more accounts waiting in the wings, ready to use.&quot;&lt;br>&lt;br>ScamBuster Peter Andersen has been collating the hijacked accounts and auctions. &quot;The thousand TradeMe user accounts identified as being hacked in the past eighteen months have been used to run 3,391 fraudulent auctions&quot; he says, &quot;all for non-existent items.&quot;&lt;br>&lt;br>The scammers post auctions for high value items like laptops, cellphones and even expensive motor vehicles, and they inevitably include an email address. &quot;We need to make the point that these people are not running auctions at all&quot; says Andersen. &quot;They're using TradeMe to gain email contact with potential victims.&quot; He claims that while TradeMe eventually remove the fraudulent listings, the scammer's email address is visible for up to 24 hours at a time. </description>
   <pubDate>Tue, 21 Aug 2007 08:30:59 GMT</pubDate>
   <guid isPermaLink="true">http://complianceandprivacy.com/News-TradeMe-Scammers.html</guid>
  </item>
  <item>
   <title>MiFID - Outsourcing continues to be an issue</title>
   <link>http://complianceandprivacy.com/finance/</link>
   <description>A recent survey by City law firm Field Fisher Waterhouse has indicated that a significant percentage of outsourcing agreements signed by MiFID-impacted firms still fail to comply with the basic requirements of the directive. Whereas other regulations such as Basel II and Sarbox impact outsourcing by extrapolation of their rulings, MiFID is different in that it specifically refers to outsourcing and makes demands on outsourcing contracts, requires actions of supervisors and differentiates according to where the outsourcing service is located.&lt;br>&lt;br>The overall impact will be to require substantial re-writing of existing outsourcing contracts and potentially to bring the outsourcing vendors into the supervision of national regulators. This was recognised by the UK’s Financial Services Authority, which released specific guidance in May; see Chase Cooper News of 17th May. </description>
   <pubDate>Fri, 17 Aug 2007 10:29:43 GMT</pubDate>
   <guid isPermaLink="false">http://complianceandprivacy.com/finance/</guid>
  </item>
 </channel>
</rss>
