Danish initiative to award companies a seal for processing data safely and securely.
Credit: Lawinfographic.com

This article is largely my thoughts on the challenges this initiative may face with regard to data protection (not privacy). Additional links and articles are listed below.

THE VISION (briefly)

"A new Danish seal shall make it easier for consumers to see which Danish companies are processing their data safely and securely. It is the vision of the government that on Thursday presents a prototype for a new digital labeling scheme.

“My hope is that the new brand can be the one for the confidence in IT and data usage that the eco-label is for food. We want to show the citizens which companies are living up to their corporate social responsibility with a high degree of IT security,” says Minister of Business Simon Kollerup (S).

THE PURPOSE (briefly)

“Unfortunately, we can see that there are companies that are tempted to use data in an irresponsible way and that skip where the fence is lowest. That's why we roll out the red carpet and award the companies who want to process data responsibly" says Simon Kollerup.

Consumers will be able to see the brand in action already next year, and according to the minister, it is needed in the digital jungle.

THE OBJECTIVE (briefly)

"The brand's finest purpose is to build trust, and that's the only thing you and I as consumers need to focus on when we see the brand. The business community and the consumer organization behind the brand must then be able to accommodate the challenges that are being raised there. It is a difficult exercise for anyone to read, but it must not destroy your and my confidence in the brand," says Simon Kollerup.

International ambitions - The Minister hopes that the brand can become the precursor to a common European data brand that will place greater demands on tech giants, among others." (1)

This is an initiative by the Danish Trade Commission and Danish Industry together with the Danish Consumer Council - all private organisations.


TROUBLE AHEAD - here are my initial thoughts

  • Trust is something we can earn, but how can we earn trust in the current and future digital landscape?
  • Citizens and consumers have certain rights under the GDPR, but little control.


"At many companies, the responsibility for data management is dispersed among different executives. Data pacesetters build cross-functional data governance teams to understand the data and develop processes for using it ethically. Untrusted data is a liability; trusted data is an essential asset. Data trust pacesetters bring the value creators (from the business side) and value protectors (from the risk, IT, and cybersecurity sides) together to develop data policies and practices that meet the needs of customers, employees, and regulators, as well as the business." PwC Nov 2019



THE SCOPE (as I assess it).

We all want the data of our business/organisation to be safe, and also to have a great renommé.

What does it take to create a labelling scheme for companies that "process data securely and safely"?


To become GDPR compliant, companies are especially responsible for processing consumers' and citizens' personal and sensitive data (e.g. Articles 25 and 32), and companies also have an interest in protecting sensitive business data. It is a sum of many competences and processes, involving partners and employees.

But it's not that easy

  • Every week we learn that emails with sensitive data are sent to the wrong email address, or that companies suffer business email compromises (BECs).
  • Every week software flaws and data breaches are identified.
  • Every week we have to patch different software.
  • Our SMS messages can be read in bulk by hackers.
  • Man-in-the-middle attacks occur, or businesses are hacked, but we have no clue.
  • We thought that WPA3 was safe but then-
  • We learned that TLS 1.3 was safe, but then-
  • Some browsers are safer than others; will that be a demand or a recommendation - and what about browser plugins?





WILL 'MINIMISATION of DATA SHARE' BE PART of the labelling scheme?

Companies simply cannot always foresee what is safe and what is not. What we can to a certain extent see, and to some extent decide, is whether our data is shared or not, with whom and how:

  • 'Cookie compliance'.
  • The new 'open banking' for instance is designed to share our data.
  • Security measures in cross-channel, multi-product services like chatbots and built-in voice assistants, e.g. Cortana (Microsoft), Alexa, Bixby (Samsung) and Siri (Apple), see ill. (9)
  • PSD2 is also designed to verify us by our biometric data, no choice really? "If a data controller has set up a login system (see, Recital 63, 4th sentence of the GDPR), is it appropriate to require data subjects to use only this channel?" (8)
  • Microsoft software is said to be GDPR compliant, but it is not designed with security and privacy settings by default, and it collects loads of telemetry data about our use. And it needs to be updated, if not every week then every second week, for a serious flaw.
  • Most cloud solutions are neither backed up nor encrypted by default?
  • Our mobile phones are not safe, and we need to install expensive 3rd-party software (TOTAL VIRUS, VPN etc.) and choose very carefully what software to use. Neither Samsung nor iPhone is safe by default; it mostly depends on settings and software. Do we need to have separate devices for work and private use?
  • Take Platform as a Service (PaaS) software: how do you assess whether that is safe? Does it depend on your staff's use, the settings, your device, your network, their storage solutions, or their employees? Or the 3rd parties that they use to process your data?
  • Separate devices for work and private use; most software has access to data that is not relevant for the service. For example, is the software safe when it potentially has access to our camera, video (sound) and SD card without a reason?
  • Not to mention lack of security and privacy within IoT and 5G. "What the researchers found was astounding – 72 of the 81 IoT devices shared data with third parties completely unrelated to the original manufacturer." (10)
  • Can a company with websites on a Facebook, Twitter, TikTok or Instagram platform be considered 'a company living up to their corporate social responsibility with a high degree of IT security'?


Security Measures You Absolutely Need to Consider - Are your chatbots secure? (9)




INFORMATION MANAGEMENT SYSTEM WITHOUT (PRIVACY) PROFESSIONALS?

Some businesses are ISO27001/2 compliant, and even certified; some businesses can show ISO3000 or other certificates for storing data, and there are many other standards. But the very same companies and organisations may not even have secured their website?

Also, most SMEs have no chance of spending resources on compliance with the new ISO/IEC 27701 (privacy management within the context of the organization).

Some ISO Standards can be very useful in large enterprises and institutions, but probably not so much in smaller businesses.

A standard contract for storage, like the Danish D17 V2.0 Contract for IT Operations developed by IT lawyers, is a helpful and important instrument for smaller companies and organisations. Read the article below (in Danish), 'Har du sikret de data der går ud af huset?', about the Contract for IT Operations, a standard contract template for IT infrastructure services (IT operations). (2)


From the standard contract for IT operations (Standardaftale for IT Drift)


What we need is IT security and privacy professionals, asap.

The intention and scope of this new Danish initiative is to create trust, especially in small and medium-sized enterprises.

Typical challenges in IT security management in SMEs:

  • Choice of software and hardware
  • Lack of knowledge for privacy and security settings
  • Lack of updating software
  • Unsafe mails
  • Insecure log-in
  • Phishing and social engineering; read the report 'Spear Phishing, A Law Enforcement and Cross-Industry Perspective', Europol, Nov. 4th. 2019 (6)
  • Unsafe storage
  • General lack of awareness
  • Lack of knowledge and experience with the Privacy Impact Assessment
  • Cloud security is a shared experience
  • IoT devices are a target in cybercriminal underground
  • Migrating data
  • Weak retention practices
  • Weak digital asset management and records management practices
  • IT support - long distance
  • Unsecured wireless network

Lacking knowledge and staff, the result is often to choose the largest vendors in the world, simply because it seems easy, 'and everybody else does it'.

And so it happened that we are now all depending on a few large US vendors. But it is no guarantee of secure IT. Cloud security is not always an 'off the shelf solution'. There is much more to it...


Smart Devices Leaking Data To Tech Giants Raises New IoT Privacy Issues


How to define security, and does that have any relation to control and privacy?

It is difficult to analyse which data are harvested when we download and use software. But IF we make a real technical effort, we can actually see a lot.

Who has access and how many 3rd parties are involved: it doesn't say when we are asked to grant our consent. Below are a few public examples of access, dependency and lack of control. 1. Secured to what extent? 2. Secured but not anonymised?


Data security and geo-political monopolies.

  • The large health platform Sundhedsplatformen uses the US vendor EPIC, where technical staff in the US have access to Danish health data.
  • Using the new integrated school platform AULA as an example, we are told that data are encrypted and stored with Amazon. It is designed in Drupal, and Mailchimp I believe, both US companies. Are all those data stored with Amazon as well? Who has access to our personal and sometimes sensitive data in AULA, using Drupal for the Danish school platform?
  • Some of the largest solutions with citizens' personal sensitive data are already using storage solutions in some of the eastern EU countries and other parts of the world - shall these data be encrypted 1. end-to-end and 2. at rest?

Should dependency of a certain vendor be part of the risk assessment?

  • Major vulnerability patched in the EU's eIDAS authentication system just recently. (7)
  • Soon Microsoft will only be a cloud solution, Google G-Suite is only a cloud software.
  • Software like Adobe just had a data breach: Adobe left 7.5 million Creative Cloud user records exposed online.
  • Software like WordPress faces a constant malware threat and the largest hacking operation since 2017.


Identity Management vs. Privilege Management

  • Will the Danish labelling scheme demand log files, and what about access management? (Standards for 2FA, MFA, PIM vs. PAM vs. IAM) (5)
  • Identity and Access Management will in the near future be mostly biometric data, although it is not safe anyway. How does that leave the Danish working group a chance to give good advice? How do you define secure log-in? Will they guarantee that we users can OPT OUT of biometric ID?
  • What about all the CCTV surveillance vendors and companies managing all the video surveillance, some with image recognition? Managed safely and kept safe; how, where and by whom?
  • Should Microsoft, Google, Apple ID, Amazon, or Mastercard hold our authentication keys - a safe solution, with built-in dependencies?
  • New risks with Open banking and PSD2 (4)?


Understanding the implications of risks and responsibility on different levels.

After all, it is the company/organisation collecting, utilising, sharing and storing data (often with 3rd parties) that has the responsibility according to GDPR:

  • Will a Joint Controller responsibility contract, where we as a controller have little control but full dependency, be recommended?
  • There is a shortage of privacy professionals, although there is also a shortage of privacy jobs; will they recommend DPOs in more companies? Most solutions will depend on the user, the environment, the level of awareness, knowledge and actual settings.
  • Commercial and free file-sharing services were exploited to deliver malicious payloads. Will software like WeShare (send encrypted files), which has had breaches, has been bypassed, and has sent files to the wrong receivers, be shortlisted? And will alternatives be recommended instead, such as the secure German email provider Whitelabel Tutanota for business use, or the Mozilla file solution Send?


What does it take to certify a company as 'protecting data' for customers' and employees' data? Will the seal be based on the promise of a Code of Conduct, or on actual audits?


I do hope the labelling scheme will reward the following 6 basic principles:

  1. Employment of privacy professionals
  2. Change management
  3. Education in data protection, and awareness activities for relevant staff and partners
  4. Security by Design/Default in all software
  5. Privacy by Design & by Default in all software, incl. software for Surveys and HR test (PaaS de-Identification the profiling of mentality and personality)
  6. Considerations of unnecessary use of IoT


"The labeling scheme is an opportunity for Denmark to take international leadership in IT security and data ethics, and that we can create pressure from below, where consumers will demand that the companies behind the apps and digital services they use assume their responsibility say and process our data in a secure and responsible way," says Simon Kollerup.


On a closing note

"We must not lose consumers if we are to have the whole society involved in digitalization. Therefore, the new labeling scheme from next year (2020) will make it easier to find companies that process data securely and safely." (3) Quote: Lars Frelle-Petersen, Director at Danish Industry.

"The labeling scheme must give companies a recipe for being digitally responsible. It will not be the same for a blacksmith as for a medium-sized computer heavy business. The criteria will follow the company's risk profile, but we only have to look for a single brand." (3)

"At the same time, the labeling scheme will allow partners and customers to quickly select or deselect companies based on digital accountability. Then digital accountability can become a competitive parameter. It will be good for consumers, businesses and Denmark." (3)




HOW TO MITIGATE SOME OF THE RISKS

There are a lot of dangers for all companies in the ever-changing cyberspace, so how can we best help SMEs?

We can go a long way by choosing the right software and hardware, and I think data protection professionals have an obligation to know alternatives to the few known global companies. So check out the document below, 'The Privacy Tech Vendor Report 2019'.

Who shall audit the companies and how often? As of now, we are not even enforcing the most basic data protection principles. The project has a budget of 2.4 million Euro, so who is paying for the implementations?

Will there be political will for enforcing GDPR compliance, and to limit the use of IoT solutions in order to process data securely and safely?




INFORMATION, LINKS AND ARTICLES:

Press - by the Ministry of Industry, Business and Financial Affairs, Oct 31 2019; the terminology 'Certificate' is defined as a 'Seal'. https://eng.em.dk/news/2019/oktober/new-seal-for-it-security-and-responsible-data-use-is-in-its-way/

Article - Report: "There is a shortage of privacy professionals" Axios reports there is a shortage of privacy professionals at a time when it is critical for companies to comply with privacy regulations. "Companies around the globe are having trouble finding people," said Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US, adding it's important "to realize that every company is a data company — it’s not just big tech." https://iapp.org/news/a/privacy-experts-hard-to-find/

-It is my hope that this new certificate will consider supporting some of the European software vendors that are already there, struggling to compete with the 5 global vendors of the world, and that all privacy professionals will spend time to also look for new and safer software vendors with legal design.

Document - The 2019 PRIVACY TECH VENDOR REPORT by The International Association of Privacy Professionals (IAPP), document, 172 pages with hundreds of software products categorised for use. https://iapp.org/media/pdf/resource_center/2019TechVendorReport.pdf

Article - 'GDPR COMPLIANCE IN CLOUD PLATFORMS' https://www.dhirubhai.net/pulse/gdpr-compliance-cloud-platforms-using-ai-pia-tesdorf/

Article (4) - "When PSD2 Opens More Doors: The Risks of Open Banking" PSD2 aims to make online banking more secure. To this end, PSD2 mandates two-factor authentication and “Dynamic Linking,” wherein an authentication code for each transaction is specific to the amount and the recipient. This research paper looks into the PSD2-readiness of FinTech companies and banks from a security perspective and the new risks that could emerge when PSD2 comes into effect. Open Banking places customers’ banking information into the hands of more parties, including new FinTech start-ups that may not have the same experience that the traditional banking industry has accumulated through years of addressing fraud. This inevitably implies an increased attack surface. We found a few issues. https://blog.trendmicro.com/trendlabs-security-intelligence/when-psd2-opens-more-doors-the-risks-of-open-banking/

Article - 'Security by design & Code of Practice for consumer IoT security' https://www.dhirubhai.net/pulse/guidance-code-practice-consumer-iot-security-pia-tesdorf/

Article - 'The Time to Embed Privacy, by Design is Now: Into IoT, AI, and Big Data'. https://www.dhirubhai.net/pulse/time-embed-privacy-design-now-iot-ai-big-data-pia-tesdorf/

Article (5) - PIM vs. PAM vs. IAM 'Some terminology for access management is plain confusing. Like privileged identity management (PIM), privileged access management (PAM) and identity and access management (IAM). Are they the same, or just similar? We created a dictionary to get to the bottom of it right here, right now.' https://thycotic.com/resources/iam-pim-pam-privileged-identity-access-management-terminology/

Article (6) - Steven Wilson, Head of Europol’s European Cybercrime Centre said: “Spear phishing is a major enabler of some of the most serious forms of cybercrime, especially ransomware, and can cause real harm to European citizens and organisations." "At the same time, this report highlights some of the challenges related to information sharing and the investigation of spear phishing attacks, as well as what can be done collectively to improve the situation". "We can only tackle a threat of this scale effectively by working closely with key partners from across industry." 33 pages, Nov. 4th. 2019. https://www.europol.europa.eu/newsroom/news/europol-publishes-law-enforcement-and-industry-report-spear-phishing

Article (7) - eIDAS stands for electronic IDentification, Authentication and trust Services. It is a very complex, cryptographically-secured electronic system for managing electronic transactions and digital signatures between EU member states, citizens, and businesses. The EU created eIDAS in 2014 to allow member state governments, citizens, and businesses to carry out cross-border electronic transactions that can be verified against official databases in any country, regardless of the origin state of the transaction. European authorities have released today a patch for the eIDAS system. The patch fixes two security flaws that could allow an attacker to pose as any EU citizen or business during official transactions. Oct. 29th 2019. https://www.zdnet.com/article/major-vulnerability-patched-in-the-eus-eidas-authentication-system/

Article (8) - "Questions and Recurring Problems from the Participant's Point of View" Nov 4, 2019. 'Data Subject Rights under the GDPR' by Christopher Schmidt https://www.dhirubhai.net/pulse/questions-recurring-problems-from-participants-point-christopher/

ISO standard - ISO/IEC 29134:2017(en) Information technology — Security techniques — Guidelines for privacy impact assessment (PIA). https://www.iso.org/obp/ui/#iso:std:iso-iec:29134:ed-1:v1:en

ISO Standard - ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines. https://www.iso.org/standard/71670.html

Joint ePR Letter signed by Danish Industry, against the latest ePrivacy Regulation "Time to rethink ePrivacy", Brussels, 8 October 2019: "Without a major overhaul of the text, Europe’s digital transformation will be severely hampered as a result of the legal uncertainty and rigidity brought about by the ePrivacy Regulation. Europe’s artificial intelligence ambitions will also be frustrated at a time when specific AI legislation is being considered." https://www.digitaleurope.org/wp/wp-content/uploads/2019/10/Joint-ePR-letter-Oct.-2019-FINAL.pdf

Website - Projects for the Danish Industry Foundation https://www.industriensfond.dk/english/projects

Video - Example of insecure biometric technology "Nu möjligt att låsa upp det mesta med fingeravtryck" https://www.tv4play.se/program/nyheterna/12508998

Article - 'Thunder on the Horizon: 4 Security Threats for the Cloud' by David Bisson. With links to relevant surveys. (added) Nov 7 2019. https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/thunder-horizon-4-security-threats-cloud/

Article (9) - 4 Chatbots Security Measures You Absolutely Need to Consider, by Paul Pinard 2019, https://dzone.com/articles/4-chatbots-security-measures-you-absolutely-need-t

Article - The Risks of Chatbot Data Breaches and Privacy Issues Made Clear, Sep 2019 https://thechatbot.net/the-risks-of-chatbot-data-breaches-and-privacy-issues-made-clear/

Article - Artificial Intelligence: Disrupting HR in 2019 https://www.assuranceagency.com/blog-post/artificial-intelligence-disrupting-hr-in-2019

Article - Data trust pacesetters show how to create and protect value from data A small group of companies are leading the way in building trust in data. They offer a guide for others looking to improve their ability to extract value from their data in a secure and ethical way. https://www.pwc.com/us/en/services/consulting/cybersecurity/data-trust-pacesetters.html

Article (10) - Smart Devices Leaking Data To Tech Giants Raises New IoT Privacy Issues Oct 2019, Read the Report 'Information Exposure From Consumer IoT Devices' PDF

-and article in the CPO Magazine https://www.cpomagazine.com/data-privacy/smart-devices-leaking-data-to-tech-giants-raises-new-iot-privacy-issues/


IN DANISH:

'Analyse af Digital sikkerhed i danske SMV’er', report prepared by the Danish Business Authority (Erhvervsstyrelsen), Nov 2019

Article (1) - "Hvem behandler dine data sikkert? Nyt mærke skal give svaret" https://politiken.dk/indland/art7462670/Nyt-m%C3%A6rke-skal-give-svaret

Article (3) - "Nu tager erhvervslivet digitalt ansvar" https://www.danskindustri.dk/brancher/di-digital/nyhedsarkiv/nyheder/2019/10/nu-tager-erhvervslivet-digitalt-ansvar/

Article - 'GDPR: ISO27701 – sammenhæng mellem sikkerhed og persondatabeskyttelse' by Henning Mortensen, Sep 9, 2019 https://wiredrelations.com/gdpr-iso27701-sammenhaeng-mellem-sikkerhed-og-persondatabeskyttelse/

Document - The Council for Digital Security (Rådet for Digital Sikkerhed, RfDS) publishes 10 data ethics principles

"The council's chairman, Henning Mortensen, points out that: ”To avoid being met with proposals that unnecessarily set aside the individual's right to privacy protection, RfDS has made this checklist, which decision-makers can use when they consider whether they can achieve a given purpose without setting aside the individual's privacy protection."

-"Checklist for bills and specific digital initiatives etc. The Council for Digital Security finds it important that citizens can trust that their information is processed lawfully, fairly and ethically. The Council for Digital Security therefore recommends that decision-makers who propose new legislation or new digital solutions, or who want a given purpose fulfilled by digital means, go through the list below and assess whether the initiative can be fulfilled within these ten principles".

The Danish Data Protection Agency's (Datatilsynet) podcasts on data protection https://www.datatilsynet.dk/generelt-om-databeskyttelse/podcast/

Article - 'EU-US Privacy Shield aftalen' https://www.dhirubhai.net/pulse/eu-us-privacy-shield-aftalen-pia-tesdorf/

Article - 'Kryptering, GDPR og Privacy'. https://www.dhirubhai.net/pulse/gdpr-og-anvendelse-af-kryptering-i-smver-pia-tesdorf/

Article - 'Survey's og Fortrolighedspolitik?' https://www.dhirubhai.net/pulse/surveys-digital-privacy-og-profilering-pia-tesdorf/

Article - 'Hvordan defineres sletning teknisk set'. https://www.dhirubhai.net/pulse/gdpr-hvordan-defineres-sletning-teknisk-set-pia-tesdorf/

Article - 'Transport Layer Security 1.3 er et stort fremskridt der skal tages i anvendelse af os alle'. https://www.dhirubhai.net/pulse/tls-13-published-firefox-pia-tesdorf/

Article (2) - 'Har du sikret de data der går ud af huset?' Who is responsible for what? Updated D17 v. 2.0 standard contract for IT operation of 'Cloud' solutions; what does a good standard contract look like for a 'Software as a service' delivery of IT operations in the private market, in small and medium-sized enterprises? https://www.dhirubhai.net/pulse/ny-standardkontrakt-til-cloud-l%C3%B8sninger-pia-tesdorf/

Article - 'HUA WEI or NOT' https://www.dhirubhai.net/pulse/hua-wei-pia-tesdorf/

.......................................

ABOUT The 2019 PRIVACY TECH VENDOR REPORT by The International Association of Privacy Professionals (IAPP), document: https://iapp.org/media/pdf/resource_center/2019TechVendorReport.pdf

"Updated: October 2019 The privacy tech vendor market continues to mature as more organizations around the world adopt products and services that help automate and streamline necessary functions for the privacy office and enterprise as a whole.

Since the last iteration of the IAPP Privacy Tech Vendor Report at the end of 2018, dozens of new vendors have entered the marketplace. Many of these vendors are startups backed by angel or venture capital funding. Other more established organizations are also getting into the privacy space, as comprehensive laws like the EU General Data Protection Regulation and the California Consumer Privacy Act become an operational reality and catch the attention of corporate leadership."

If you are a European-based company, you might want to look for a European vendor, as the Cloud Act and EU-US Privacy Shield are not that solid.

  • Activity monitoring
  • Assessment manager
  • Data mapping
  • De-identification/Pseudonymity
  • Enterprise Communications
  • Incident Response
  • Privacy Information Manager
  • Website Scanning


For example, you can see whether the software originates from and is stored in the EU.


#InfoSec #Dataprotection #Databeskyttelse #Certificering #SikkerIT #GDPR





Jens Brinch Moeller

Many Roles - Few Titles - Holistic view when helping teams

3 weeks

Wow - respect for your ability to identify pitfalls

Pia T.

Senior advisor in dataprotection / infosec / cybersec / privacy enhancing technologies

5 years

Dangerous cocktail. According to PwC’s Cybercrime Survey 2019 among 325 business leaders and IT managers, every second company - 51 percent - was exposed to a security incident in 2019. https://www.dr.dk/nyheder/indland/hackere-kan-ramme-os-ubevogtet-bagdoer-mindre-firmaer-er-en-sikkerhedsrisiko-staten

Pia T.

Senior advisor in dataprotection / infosec / cybersec / privacy enhancing technologies

5 years

Just Saying - "Among Danish small and medium-sized enterprises (SMEs), almost every fourth company has not implemented quite basic technical security measures, i.e. measures such as updating antivirus programs, firewall and backup, management of data user rights, etc. Furthermore, every third company has no IT security guidelines for its employees, and more than 2 out of 3 SMEs have no education or training of their employees in IT security and data protection. This is, notably, among companies with at least 10 employees, where one can expect that several employees have access to the company's systems and data. There is therefore a great risk of human errors being made in the company that can compromise the company's IT security, e.g. through phishing email attacks, and that could have been avoided if the employees had been trained and educated in IT security" The report shows, among other things, that almost 25 percent of small and medium-sized enterprises have not implemented quite simple security measures such as antivirus, firewall or backup. NOV 2019 https://erhvervsstyrelsen.dk/sites/default/files/2019-11/Analyse%20af%20digital%20sikkerhed%20blandt%20SMV%27er%202019.pdf
