ICO cautions against live facial recognition

By Stuart O'Brien

The ICO has raised concerns about the use of live facial recognition technology (LFR) by the UK law enforcement community, saying the current legal framework is not fit for purpose.

In a blog post on the ICO website, Information Commissioner Elizabeth Denham stated that the “laws, codes and practices relating to LFR will not drive the ethical and legal approach that’s needed to truly manage the risk that this technology presents.”

The ICO has been investigating trials of LFR by the Metropolitan Police Service (MPS) and South Wales Police (SWP), which it says raise serious concerns about the use of a technology that relies on huge amounts of sensitive personal information.

That investigation has culminated in the ICO making its findings and recommendations public in its first Commissioner’s Opinion, which makes clear that there are well-defined data protection rules which police forces need to follow before and during deployment of LFR.

“The Opinion recognises the high statutory threshold that must be met to justify the use of LFR, and demonstrate accountability, under the UK’s data protection law,” wrote Denham. “That threshold is appropriate considering the potential invasiveness of this technology. My Opinion also sets out the practical steps police forces must take to demonstrate legal compliance.”

Denham also points out that while public support for the police using facial recognition to catch criminals is high, it is less so when it comes to the private sector operating the technology in a quasi-law enforcement capacity.

“We are separately investigating this use of LFR in the private sector, including where LFR is used in partnership with law enforcement. We will be reporting on those findings in due course,” she added.


Most ICO data breach reports ‘late and incomplete’ prior to GDPR

By Stuart O'Brien

Data obtained by Redscan through a Freedom of Information (FOI) request to the Information Commissioner’s Office (ICO) shows that businesses routinely delayed data breach disclosure and failed to provide important details to the ICO in the year prior to the GDPR’s enactment.

On average, businesses waited three weeks after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days.

The vast majority (91%) of reports to the ICO failed to include important information such as the impact of the breach, recovery process and dates.

The FOI data also revealed that hackers disproportionately targeted businesses at the weekend, while many reports were issued to the ICO on a Thursday or Friday – possibly in an attempt to minimise potential media coverage.

Redscan analysed 182 data breach reports triaged by the ICO in the financial year ending April 2018 (relating to ‘general businesses’ as well as financial services and legal firms). Key findings include:

  • On average, it took companies 60 days to identify they’d been a victim of a data breach, with one business taking as long as 1320 days
  • After identifying a breach, it took businesses an average of 21 days to report it to the ICO, while one took as long as 142 days
  • More than 9 out of 10 companies (93%) did not specify the impact of the breach, or did not know the impact at the time it was reported
  • Less than a quarter (45 out of 182) of businesses would be compliant with current GDPR requirements, which demand organisations report a breach within 72 hours of discovery
  • Nearly half of data breaches were reported to the ICO on a Thursday or Friday (87 of 181)
  • Saturday is the most common day for businesses to fall victim to a data breach – over a quarter of incidents were reported on a Saturday
  • Financial and legal firms identified and reported breaches more promptly than general businesses

“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses”, said Mark Nicholls, Redscan director of cybersecurity.

“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.” 

Redscan’s FOI request reveals that financial services and legal firms were far better at identifying and reporting breaches than general businesses – likely due to increased regulatory awareness and the highly sensitive nature of data processed in these industries.

On average, financial services firms took 37 days to identify a breach, legal firms took 25 days, while companies classified as ‘general business’ took 138 days. 

Financial services (16 days) and legal firms (20 days) were also quicker to disclose breaches to the ICO than general businesses (27 days). 

21% of organisations did not report a breach incident date to the ICO, suggesting they either lacked awareness of this important information or knowingly withheld it. A further 46 of 181 organisations (25%) also failed to report a breach discovery date.