Have You Forgotten About the ‘Cookie Law’?

You’ve all heard of the Cookie Law, right?

If the answer is no, and your business has a website that uses cookies (or other ‘online identifiers’), I would suggest you do a little homework. The upcoming EU ePrivacy Regulation not only expands significantly on that law (which is actually a Directive), it includes a fine structure on par with the GDPR.

The Cookie Law is actually the EU ePrivacy Directive and was responsible for the incredibly irritating banners that pop up on almost every website in the EU. About the only good news for some organisations is that the banners will likely go away under the new Regulation.

Even for those who are aware of the ePrivacy Regulation (perhaps have even read it), there is still a great deal of confusion. Not just related to the contents of it, but as to whether or not it’s even relevant with the GDPR already covering ‘privacy issues’.

Just 15 minutes of research reveals the following:

  1. The ePrivacy Regulation “particularises and complements” the GDPR – In other words, ePrivacy is an expansion on a single aspect of the GDPR. In this case ‘electronic communications’ (e.g. the ‘online identifiers’ referred to in Recital 30);
  2. ePrivacy covers Article 7 of the Charter of Fundamental Rights of the European Union (“the Charter”), the GDPR covers Article 8;
  3. It’s not just about cookies, it covers EVERY aspect of electronic communication, including “…calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media”, and all ‘metadata’ relevant to the communication channels themselves;
  4. Unlike the GDPR, it does not just apply to ‘natural persons’, but to ‘legal persons’ as well. i.e. business-to-business; and
  5. It has the most significant impacts in the area of marketing.

So, if your business has a website, performs marketing, or communicates with clients over ‘electronic channels’, you are in scope.

So why isn’t there anywhere near the kind of panic and hype over this Regulation as there is GDPR? If anything, I’d say this one has greater impact on most business, with a far greater degree of negative impact on how you are currently conducting your business. Just ask an online publisher what they think of it and brace yourself for the answer.

Imagine, for example, you provide online content free of charge. Your revenue is driven by online advertising which is in turn personalised to the viewer by cookies. Under ePrivacy you could no longer rely on pop-up banners to force acceptance of cookies, instead you have to rely on the viewer accepting cookies by default in THEIR web browser. Not only that, the Regulation is basically saying that all browsers should be ‘block all cookies by default’, then, in plain language, walk every EU citizen through changing the defaults to more ‘merchant-friendly’ settings.

However, here are a few bloody BRILLIANT outcomes:

  1. Unsolicited marketing phone calls should use a prefix on their numbers so you know what it is before answering! And no, they cannot get around this by blocking the caller ID;
  2. Inclusion of your personal data in ‘publicly available directories‘ (a.k.a. marketing lists) must be done with consent; and
  3. Any kind of “listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing” of your personal data is strictly forbidden (the usual derogations apply, e.g. ‘public interest’).

Not surprisingly, during the ‘Stakeholder Consultation’ conducted from 12 April to 5 July 2016, 83.4% of citizens were for it, but 63.4% of businesses were against it. The lobbying that has taken place to soften the wording, while fruitless so far, has likely delayed the enforcement of the Regulation beyond the proposed date of 25 May 2018 (yep, same date as GDPR, that’s how closely they are linked).

So I frankly have no idea why GDPR is such a big deal and ePrivacy is so obscure, but you just know it’s because only one of these is easily monetised by snake-oil merchants. GDPR attracted cybersecurity “professionals” because it’s about ‘data protection’, and lawyers because of the ‘lawful bases for processing’ and the requirement for a DPO.

ePrivacy on the other hand provides no easy remedies, but you know they’re coming.

The bottom line here is that if you’re not familiar with it, get familiar, it WILL impact you. Once again, for those in the UK the ICO has lots of material on its website, but look for Privacy and Electronic Communications Regulations (PECR)¹ instead. Like how the DPA is the UK’s implementation of GDPR, PECR is ePrivacy.

Happy reading.

[If you liked this article, please share! Want more like it, subscribe!]

¹ (Hopefully the acronym will be pronounced/known as the ‘Pecker Law’ which should give our American friends a good laugh).


Free Resource: The GDPR in Plain English

So here we are, it’s 2018 and the GDPR will be enforced THIS year. I suspect that both marketing budgets and the corresponding hype will now grow exponentially until everyone is sick to death of it. I know I am, and judging by the majority of questions on LinkedIn, I’m one of the seemingly few who have actually read the damned thing. Really read it.

And that’s the point of this blog. As a privacy novice I have made a significant effort to truly understand the GDPR. I have, quite literally, spent months poring over it in an effort to fully grasp its intent in order to provide appropriate guidance to my clients, and to more junior cybersecurity professionals. But just as importantly, I read it because the GDPR is about MY personal data, MY privacy, MY fundamental human right.

More often than not my guidance to others has been: “Talk to a privacy expert/lawyer”, but I am now in a position to provide something a little more useful. In partnership with Angela Boswell (Lawyer / DPO / GDPR implementer), we have drafted a ‘GDPR in Plain English’ resource designed to allow anyone to get a significantly better understanding of its meaning without having to either be a lawyer, or go through months of soul-destroying tedium.

The resource consists of 3 spreadsheet tabs:

  1. ‘Recitals’ – All 173 Recitals with 3 additional columns:
    1. ‘Recital Title’ – Very brief summary of the Recital’s main theme, similar to those provided for the Articles;
    2. ‘Plain English’ – Angela’s and my attempt at turning legal-ese into plain language; and
    3. ‘References’ – Links to every Article or external document for more convenient access to relevant context
  2. ‘Articles (Reference)’ – The Articles contain a significant number of references to other Articles, Recitals, and external documentation. They are all provided here for convenience. ‘In-cell’ comments provide titles and, where appropriate, relevant content
  3. ‘Articles (Operations)’ – Work in progress, but we intend to provide implementation and operationalisation guidance as and when available. This will include the excellent guidance so far produced by the likes of the UK’s ICO, the WP29, and numerous law firms happy to share their knowledge for free (most notably Bird & Bird from whom I have plagiarised shamelessly).
    We have broken this tab into 7 distinct columns.

    1. ‘Regulation’ – A significant portion of the Articles relate to the ‘administration’ of the regulation itself and require no specific action on behalf of the controllers or processors. These cannot be ignored, but you should probably spend more time on the other stuff;
    2. ‘Principles’ – The foundational principles of the GDPR, which should be fully understood by everyone. Again, no specific action is required other than to read and understand them, because these underpin everything that the GDPR is about;
    3. ‘Process’ – These are the things that will eventually need to be operationalised in some fashion. Documentation, record keeping, technology, security etc. all fall within this category;
    4. ‘Legal/Compliance’ – Things that will require legal expertise to handle. While this does not have to be a privacy lawyer, or any lawyer for that matter, if these things are not handled by subject matter experts you’re leaving yourself wide open;
      …and eventually;
    5. ‘People Requirements’ – The implementation and ongoing maintenance of GDPR is the definitive team effort. This is not an IT problem, or a legal one, it is a business challenge. This section will provide guidance, examples/samples, links and hopefully, in time, some real-world input from generous contributors;
    6. ‘Process Requirements’ – From policies and procedures, to privacy notices, to contractual language, at some point you are going to have to DO something. This section will provide guidance and sanitised samples of what others have done to meet a requirement; and
    7. ‘Technology Requirements’ – Technology can never fix a broken process, it can only make a good process better. This is as true for security as it is for the GDPR. Technology will be required to support/enable your ongoing operational efforts, and this section will provide guidance on technologies to consider, and to avoid. We will only care about function, not brand.

Hopefully this resource will be of some benefit to you, and you’re welcome to do with it as you wish. We only ask 2 things:

  1. Credit both Angela and myself if you do end up using this for commercial benefit; and
  2. Add to it! This resource has been the work of only 2 people who have nowhere near the experience or skill-sets to make it universally relevant. There will be translation gaps, naive assumptions, and things that we didn’t know we didn’t know. Help us!

Finally, I would just like to reiterate that the GDPR is not just a burden placed on businesses, it is a fundamental shift in how YOUR personal data is used. This is a significant enhancement to one of your fundamental human rights. Everyone should read this regulation, so please do your part to get this out to every ‘data subject’ and ‘natural person’ who needs it.

Download the Excel spreadsheet here: GDPR in Plain English

Please provide any feedback to david@coreconceptsecurity.com

We thank you in advance.



Brexit and GDPR? The Answer is in the Regulation

Is there anyone out there who still believes that Brexit will negate UK businesses from having to comply with the GDPR? Well, as long as there are also Flat Earthers and Young Earth Creationists I’d say that there’s enough ignorance out there to ensure that there are plenty of them.

The Brexit vote debacle itself showed just how pervasive ignorance is in the UK for example, as evidenced by the number of people who Googled “What is the EU?” the day after the vote. Stupidity I can forgive, it’s not a choice, ignorance is. Or as Harlan Ellison puts it so perfectly:

“You are not entitled to your opinion. You are entitled to your informed opinion. No one is entitled to be ignorant.”

And when a weapons-grade plum (thank you @sueperkins) like Donald Trump is in favour of a decision, you know you’ve f&%$ed up.

But enough judgement, the answer to whether or not UK businesses will need to comply with the GDPR is written in the Regulation itself. Anyone who has actually read it probably has the words “third country” floating around in their heads right about now. Why? Because post-Brexit that’s exactly what the UK will be to the EU; a third country.

Every country in the EU has signed up to adopt the GDPR into their individual national laws in order to enforce it in the exact same way. From the creation of supervisory authorities with identical tasks and powers, to approved codes of conduct, to the imposition of penalties, every EU country ‘trusts’ every other EU country by default. Further, if for any reason two countries disagree on something, the Board can step in and sort it out per Articles 63 (Consistency mechanism) and 65 (Dispute resolution by the Board).

None of this will apply to third countries, who will need to demonstrate what the GDPR calls an “adequate level of data protection” in order to enjoy the freedoms of data processing and movement that EU countries will receive automatically. This is spelled out very clearly in Recital 103:

The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.

In other words, the Commission can, as long as the third country has met certain criteria, give blanket approval for that country to do business as usual within the EU.

Simple logic therefore dictates that the criteria must fully comply with the GDPR, and every business must meet the GDPR baselines in their entirety.

The criteria are broken out in Article 45(2) [edited for length]:

When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral [edited]

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject [edited]

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

In other words, as long as ALL of the laws, judicial systems, supervisory authorities, contractual obligations etc. are at or above the levels mandated by the GDPR, that third country is good to go.

Here in the UK this will hopefully not be an issue. The ICO is the supervisory authority and the upcoming amendments to the Data Protection Act should more than cover the GDPR adequacy requirement. So as long as UK businesses comply fully with the DPA, they should not have to provide any further evidence of compliance to EU countries.

However, there are many who believe that because of things like the Investigatory Powers Act 2016 (a.k.a. Snooper’s Charter), the UK is at serious risk of not qualifying for the adequacy decision. We’ll have to see how it goes.

Bottom line here is that if you are sitting on your arse waiting for the ICO to tell you what to do, you are setting yourself up for some very unnecessary pain. The initial preparations for GDPR/DPA are as simple as they are obvious, and well within the reach of every organisation out there. Whether or not your country receives an adequacy decision, your organisation will need to comply. Nothing has changed.

You do not need to understand your legal basis for processing in order to perform either a data discovery exercise or a business process mapping, both of which you should be doing already. I’d get on with it if I were you.

It’s not doing the wrong thing unintentionally that will piss the supervisory authorities off the most, it’s doing nothing at all.


OWASP Top 10 2017: Logging & Monitoring Makes the Hall of Shame

Fact #1: There is no effective incident response without logging and monitoring;

Fact #2: There is no effective disaster recovery without incident response; and

Fact #3: There is no effective business continuity without disaster recovery.

Therefore logging and monitoring should be a fundamental aspect of every security program, regardless of organisation size. So why is it performed so universally poorly? Don’t organisations want to stay in business?!

It’s not like EVERY STANDARD ON THE PLANET has it as a prerequisite! Well, except for these obscure ones:

  • ISO 27001 – A.12.4 Logging and monitoring
  • COBIT – F.10 Monitoring and Alert Services for Security-related Events
  • NIST – Anomalies and Events (DE.AE)
  • PCI DSS – Requirement 10: Track and monitor all access to network resources and cardholder data
  • …and so on

So you can imagine my surprise and delight when OWASP – more commonly known for coding vulnerabilities – singled this out as one of their Top 10 for 2017. Yes, it barely snuck in at number 10, but there it is, finally in the light of day.

Unfortunately, OWASP isn’t exactly up there with the NISTs of the world, so the importance of this is probably lost on most. I mean, the DSS uses [loosely] the OWASP Top 10 as one of its “industry accepted best practice” providers, which is actually why a lot of people have even heard of OWASP in the first place.

So now what? What difference is this going to make?

Well, very little probably, if you don’t understand now just how important centralised logging and monitoring is, you probably never will. If you’re in a position where this makes a difference (you’re in technology or cybersecurity) then the only time your organisation will care is when your business suffers a loss. Then I’m sure you’ll start to care as you’re updating your CV/resume.

Honestly, I really don’t know where I’m going with this blog. It was either write about this or the bloody GDPR again. But it’s really the privacy regulations that are beginning to drive things like this forward. Record keeping, data breach notifications, accountability and so on all have an enormous impact on how we will be running our businesses, and logging is intrinsic to them all.

In my consulting practice I very rarely use the word ‘recommend’, and I try never to mention the names of security control vendors except as examples. So while the due diligence is yours in terms of finding the right logging solution for your organisation’s needs, I HIGHLY recommend that you start looking.

I’m sure there are some out there, but I’ve yet to see one argument for not performing logging and monitoring, and I’m willing to bet there are no valid ones. The problem, like most things in security these days, is that the name is just not sexy enough. Perhaps if we wrapped it in a brand new acronym like ‘Episode Reply & Adversity Restoration (ERAR)’, as I did in Froud on Fraud’s Top 10 Cybersecurity Technologies to Implement in 2017, it would get more attention?

Whatever it takes…



GDPR: Administrative Fines for Data Breach, 4% or 2%?

As we all know, and as we are all sick to death of hearing, the final version of the GDPR dated 27th of April 2016 has, in Article 83, provision for the “imposition of administrative fines”. Having read through that Article (General conditions for imposing administrative fines) about 1,000 times, I came to the conclusion that the:

  1. 4% / €20M fines were going to be reserved for infringements of processing (data subject rights, legal basis for processing etc.); and
  2. 2% / €10M fines would cover data breaches

From that point forward I was on a mission to embarrass any cybersecurity organisation using the GDPR fine structure as a launchpad into a bulls*** sales pitch. Because they always, I mean ALWAYS, used 4% /€20M as their benchmark.

But why am I so convinced that it’s 2% not 4%? First, you have to take a very close look at the Articles to which the individual fine structures refer.

Article 83(4) (2% / €10M) refers to (sorry, this a long list):

  • Article 8 – Conditions applicable to child’s consent in relation to information society services
  • Article 11 – Processing which does not require identification
  • Article 25 – Data protection by design and by default
  • Article 26 – Joint controllers
  • Article 27 – Representatives of controllers or processors not established in the Union
  • Article 28 – Processor
  • Article 29 – Processing under the authority of the controller or processor
  • Article 30 – Records of processing activities
  • Article 31 – Cooperation with the supervisory authority
  • Article 32 – Security of processing
  • Article 33 – Notification of a personal data breach to the supervisory authority
  • Article 34 – Communication of a personal data breach to the data subject
  • Article 35 – Data protection impact assessment
  • Article 36 – Prior consultation
  • Article 37 – Designation of the data protection officer
  • Article 38 – Position of the data protection officer
  • Article 39 – Tasks of the data protection officer
  • Article 41(4) – Monitoring of approved codes of conduct
  • Article 42 – Certification
  • Article 43 – Certification bodies

It’s clear that the vast majority of these are related to the ‘administration’ of an organisation’s GDPR compliance, and the ONLY 3 Articles related directly to either data security or breach notification are contained here in full. In other words; take the RUNNING of your compliance program seriously, including the confidentiality, integrity and availability of the data itself.

Article 83(5) (4% / €20M) refers to (sorry again, another long list):

  • Article 5 – Principles relating to processing of personal data
  • Article 6 – Lawfulness of processing
  • Article 7 – Conditions for consent
  • Article 9 – Processing of special categories of personal data
  • Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13 – Information to be provided where personal data are collected from the data subject
  • Article 14 – Information to be provided where personal data have not been obtained from the data subject
  • Article 15 – Right of access by the data subject
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure (‘right to be forgotten’)
  • Article 18 – Right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 44 – General principle for transfers
  • Article 45 – Transfers on the basis of an adequacy decision
  • Article 46 – Transfers subject to appropriate safeguards
  • Article 47 – Binding corporate rules
  • Article 48 – Transfers or disclosures not authorised by Union law
  • Article 49 – Derogations for specific situations
  • Article 58(1) – Powers
  • Article 58(2) – Powers

This contains just about everything in the GDPR related to the Principles of privacy itself and Rights of the data subject. In other words, PROCESS the data correctly.

The only link to data security in the whole of Article 83(5) is the reference to Article 5(1)(f) which states; “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

So you tell me, if you lose data, which fines do you think will apply? Seriously, tell me, I’ve not seen any guidance on it and there are many people out there who know this stuff a damned sight better than me.

I work in cybersecurity, I WISH it was 4% /€20M fines, but like I keep saying, data security does NOT equal privacy. The GDPR is about privacy, so which infringements should attract the biggest punishment?

In the end, if you think GDPR is about fines and penalties, you’ve completely missed the point. Don’t believe me? Then take it from Elizabeth Denham, the UK’s Information Commissioner herself, who wrote this excellent blog; GDPR – sorting the fact from the fiction.

And yes, I totally stole her featured image.
