Data Security Technology 101 for Compliance Professionals – Live from SCCE’s European Compliance & Ethics Institute



by Kortney Nordrum, Esq., CHC, CCEP

Presentation by Dr. Jessica Barker, Jonathan Armstrong, David Longford, Freaky Clown aka FC

“…in 2005 Facebook didn’t exist for most people, “twitter” was still a sound, the cloud was something in the sky, 3G was a parking space, applications were what you sent to colleges, and “Skype” was a typo.” –Thomas Friedman

According to James Comey of the FBI, there are two kinds of businesses – those who have been hacked, and those who don’t know they’ve been hacked.

EU Data Protection Law is principles-based, with local laws and their enforcement varying from country to country. Below are some examples of enforcement actions.

Example: Deutsche Bahn

  • Monitoring employees as an anti-corruption measure (about 173,000 employees affected)
  • Reconciliation of employee data with data on 80,000 suppliers
  • Collection of employees’ bank data
  • Interception of email traffic
  • Overall fines of €1.1 million

Example: UK ICO fine for Ministry of Justice

  • Visitor to prison received email with inmate’s details
  • Investigation revealed 2 other occasions when this happened
  • One clerk was responsible, having accidentally pasted the file into the emails

Dark Hotel attacks.

Hacking the Outlook calendars of corporate executives tells the attacker where the executives will be and when. The attacker then sets up a false wifi box, labelled with the same name as the hotel wifi, and takes advantage of everyone’s proclivity to connect to the internet as soon as possible. Sitting between the computer and the security portal, the hackers can intercept the traffic, leaving all VPN, Citrix, etc. security ineffective.
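The rogue-access-point step above is detectable from the client side, because an impostor network usually differs from the real one in details the user never sees: it is broadcast from an access-point MAC (BSSID) the hotel does not own, or it is an open network carrying the same name as an encrypted one. The following Python is an added example, not code from the presentation or the speakers; it assumes a wireless scan has already been parsed into (SSID, BSSID, security) records and that a known-good list of the hotel’s real access points exists. The SSID, BSSIDs and security types are constructed sample values.

```python
"""Flag 'evil twin' wifi access points in a parsed wireless scan.

Each ScanRecord is one beacon seen by the laptop's wifi card. An SSID is
flagged when it is advertised from a BSSID that is not on the known-good
list for that network, or when an open (unencrypted) copy of a network
that is otherwise encrypted appears.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str       # network name shown to the user
    bssid: str      # access-point MAC address
    security: str   # "open", "wpa2", "wpa3", ...


# Hypothetical allow-list of the hotel's genuine access points
# (constructed sample values, not real hardware addresses).
KNOWN_GOOD = {
    "Hotel-Guest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed scan: two genuine APs, one impostor with the same name,
# and an unrelated network we have no baseline for.
SAMPLE_SCAN = [
    ScanRecord("Hotel-Guest", "aa:bb:cc:00:00:01", "wpa2"),
    ScanRecord("Hotel-Guest", "aa:bb:cc:00:00:02", "wpa2"),
    ScanRecord("Hotel-Guest", "de:ad:be:ef:00:01", "open"),
    ScanRecord("OtherNet", "11:22:33:44:55:66", "open"),
]


def find_evil_twins(records, known_good=KNOWN_GOOD):
    """Return [(record, [reasons...])] for every suspicious beacon.

    Only SSIDs present in known_good are examined: without a baseline
    there is nothing to compare against.
    """
    by_ssid = {}
    for rec in records:
        by_ssid.setdefault(rec.ssid, []).append(rec)

    findings = []
    for ssid, recs in by_ssid.items():
        if ssid not in known_good:
            continue
        legit_bssids = known_good[ssid]
        # Security types actually seen on the genuine access points.
        legit_security = {r.security for r in recs if r.bssid in legit_bssids}
        for rec in recs:
            reasons = []
            if rec.bssid not in legit_bssids:
                reasons.append("unknown BSSID")
            if (rec.security == "open" and legit_security
                    and "open" not in legit_security):
                reasons.append("open variant of an encrypted network")
            if reasons:
                findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in find_evil_twins(SAMPLE_SCAN):
        print(f"SUSPICIOUS {rec.ssid} {rec.bssid} ({rec.security}): "
              + ", ".join(reasons))
```

Treat the check as a tripwire rather than a guarantee: a BSSID can be cloned as easily as an SSID, so a match against the known-good list proves little on its own, and the practical control remains not trusting the hotel network at all, with the laptop’s traffic held until a verified tunnel is up.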

New EU Data Rules

  • Distinction between processor and controller eliminated
  • Suppliers outside EU in scope
  • Right to be Forgotten
  • More SARs & removal of the SARs fee
  • Fines 2% of global turnover
  • Toughened enforcement bodies
  • Breach reporting in 24 hours
  • Reduced ability to do background checks

The people who protect computers don’t understand the users they’re protecting. They protect users they assume are like themselves. This is a core problem in the data security industry: technology experts focus on technology, not humans.



