Ireland’s Data Protection Commission has published guidance on data security.

Key Takeaways

  • The most effective means of mitigating the risk of lost or stolen personal data is not to hold the data in the first place.
  • A data controller should always know what personal data they hold, where it is held and how it flows through the organization.
  • Data processors are subject to the same security obligations as data controllers.

Access Controls

  • A data controller has a duty to limit access to personal data on a “need to know” basis and regularly review access controls.
  • Multiple independent levels of authentication may be appropriate where administrators have advanced or extra access to personal data, or where they have access to or control of others’ accounts or security data.
  • There should be strict controls on the ability to download personal data from an organization’s systems.

Irish DPC Issues New Guidance for Data Controllers on Data Security

“Company executives would face possible jail time for lying to the Federal Trade Commission about privacy and data security matters, under a new bill by U.S. Sen. Ron Wyden, a
Proposal Would Hold Executives Personally Responsible for Lying to the FTC About Privacy and Data Security

In the age of digitization, personal information your business holds about your customers (or your customers’ customers) has become a strategic enterprise asset and should be treated as such.

Customer Data Is a Strategic Enterprise Asset: So Treat It That Way

Businesses that previously relied on the EU’s Safe Harbor exception to transfer data from Israel to the United States have had that authorization revoked by the Israeli Law, Information and
EU Safe Harbor Invalidation Leads Israel to Rescind U.S. Data Transfer Authorization

This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs. This post will focus on what a business should not do after a cyberattack. Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 6 of 6)

This blog post is the third installment of a seven-part series discussing the best practices relating to cyber security. The first two blog posts discussed the best practices for preparing a business in case of a cyberattack. This post will discuss the initial steps that a business should take after a cyberattack occurs.
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 3 of 6)

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s
FTC and EU Are Critical of the White House’s Consumer Privacy Bill of Rights