Standard Post with Image

Cybersecurity requirements for financial services companies: compliance deadline of September 3, 2018

On September 3, 2018, financial services companies operating in the State of New York face a deadline to demonstrate compliance with the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), a regulation of the Department of Financial Services (DFS) that came into effect on March 1, 2017 with phased transitional periods. Its sections are designed to protect both customer information and the information technology systems of regulated entities. Among the duties that become enforceable on this date, the most consequential for many covered entities is the encryption requirement: “each Covered Entity shall implement controls, including encryption, to protect Non-public Information held or transmitted by the Covered Entity both in transit over external networks and at rest.” Where a covered entity determines that encryption is infeasible, the regulation allows effective compensating controls instead, provided they are reviewed and approved by the entity’s CISO. “Non-public information” covers sensitive data such as personally identifying information and financial information, including account numbers, security codes and passwords. As DFS puts it, “Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes,” and therefore “a regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.”

Link to “23 NYCRR 500 - Cybersecurity requirements for financial services companies”

Dutch data protection authority investigates GDPR compliance progress of government bodies

The Dutch data protection authority (Autoriteit Persoonsgegevens, AP) reported in a press release that, of an initial list of 400 public sector organizations, 4% had not yet appointed a Data Protection Officer (DPO) by the deadline of June 1, 2018, noting that “almost all audited public sector organizations have already notified a DPO to the AP.” The 400 bodies audited included municipalities, provinces, water boards, ministries and a number of independent administrative bodies. The AP is supervising the progress made since the General Data Protection Regulation (GDPR) became applicable in May 2018. Under the GDPR, public authorities and bodies must appoint an independent DPO to oversee compliance with the privacy legislation. The AP also announced that it will broaden its audit to the private sector and begin verifying whether companies such as health insurers and hospitals have appointed DPOs and are keeping a register of processing activities, as the GDPR requires.

Link to the press release of the Dutch Autoriteit Persoonsgegevens (AP) (Dutch language)

Personal data for sale in China

In late August, Reuters published an article stating that “personal data has become widely available in China” to insurance companies, banks and scammers alike. The report describes how easily such information can be acquired through illegal channels, stating that companies can buy data from motor vehicle departments, car licensing authorities, car dealers and even police stations.

Although China introduced more stringent data privacy rules in May 2018, a large market for buying and selling personal information persists. According to the local experts interviewed, the economic benefits of the trade still far outweigh the relatively low sanctions for violating the relevant laws.

Read the full Reuters report here

Lazarus cybercriminals target the macOS platform

The North Korean cybercrime group Lazarus has surfaced with a new campaign, named “AppleJeus” by Kaspersky Lab, in which it infiltrated a cryptocurrency exchange and, for the first time, delivered malware for macOS. Kaspersky Lab’s Global Research and Analysis Team found that the group used a trojanized cryptocurrency trading application, offered for macOS among other platforms, as the infection vector. This is the first case in which Kaspersky Lab researchers have observed Lazarus distributing malware that targets macOS and its users. The team’s concern is that macOS machines and their users may be less prepared to deal with malware, and it warns: “This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither good looking website[s], nor solid company profile nor the digital certificates guarantee the absence of backdoors.”

Find Kaspersky Lab’s related blog post here

Facebook continues to struggle to protect user data

Facebook is still struggling to control how third-party apps use its users’ data, even after the recent Cambridge Analytica scandal. In late August the social media giant announced that it had banned myPersonality, an app that was mainly active before 2012, for sharing user data in a manner that inadequately protected users’ privacy. Facebook stated that it would notify the roughly 4 million affected users that their data may have been misused. Since the start of its investigation in March 2018, Facebook has detected and suspended more than 400 apps for similar reasons.

Find the Facebook announcement here