You’ve heard about the GDPR, right?

As I’ve spoken with people (security people and “civilians”), I’ve found many who had no idea that the GDPR was a thing.  I know Americans tend to have a very US-centric view of the world, but the GDPR is critical for any business with a presence, customers, or clients in or from the EU.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC with an effective date of 25 May 2018 (so about a year to get ready).

The GDPR clearly expresses the central difference between the views of American and EU.  The GDPR “[p]rotects [the] fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.”

In the US, personal data is typically seen as the property of the holder of the data.  The EU expressly views personal data as the property of the person.  This difference makes the GDPR distinct from US data breach notification laws.

There are a number of key items to review in the GDPR:

  • Increases extra-territorial applicability
  • Conditions for consent strengthened
  • Privacy policies may “no longer be able to use long illegible terms and conditions full of legalese . . . the request for consent must be given in an intelligible and easily accessible form. . .”
  • Breach notification must be made within 72 hours

The GDPR guarantees the Data Subjects’ Right to Access.  The Data Subject may:

  • “Obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. . .
  • Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.”

The GDPR also formalizes the “Right to be Forgotten”

“Data Subjects have the right to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

Non EU companies that do business in the EU or have customers that are citizens of the EU or live in the EU will have to comply with these regulations for their EU data subject.  Any non-compliant organizations will face heavy fines.

So, get ready folks.  You don’t have much time to explore and internalize the GDPR.

Apple increases encryption of iOS devices

As reported by The Register, Apple released iOS 10.3 today.  Included in the update is a new file system designed specifically for iOS devices.  The Apple File System (APFS) is designed for macOS, iOS, tvOS, and watchOS.

APFS brings strong “full-disk encryption” to protect files and metadata from exposure.  The interesting part is that APFS uses a multi-key encryption.  One key protects the data and a separate key protects metadata.  Separating these keys makes the attacker’s job more difficult.

Last year there was a very public debate around the role of encryption and backdoors for law enforcement investigations.  Apple fought FBI requests to decrypt an iPhone used by terrorists in California.  The FBI eventually found a way to decrypt the phone without Apple’s aid.

Doubling down on encryption, Apple is now making the process to gain access to iOS devices even more difficult.  It seems that relevant XKCD is even more relevant for Apple devices.

85th Legislative Session

The 85th regular Texas legislative session begins next week (January 10th.) For those outside of The Great State of Texas the Texas legislature meets for 140 days every 2 years. In those few days things move pretty quickly; a budget must be drafted and passed, any new bills must be submitted, reviewed and adopted, state agencies face scrutiny. All-in-all it can be a whirlwind.

In the interim between sessions, legislative committees will dive deep into issues, researching topics and delivering reports to the Speaker of the House and Lt. Governor (who oversees the Senate).

So what is in store for information security or cybersecurity in the 85th?  If the interim tells us anything it is that “cyber” is on the mind of many in both houses.  Over the interim there were six House committees charged with identifying and making recommendations regarding cybersecurity policies.

  • House Committee on Business & Industry
  • House Committee on County Affairs
  • House Committee on Government Transparency & Operation
  • House Committee on House Administration
  • House Committee on Investments & Financial Services
  • House Committee on Urban Affairs

Several of these committees had hearings on the issue, at which I either testified or was used as a resource.

On the Senate side only the Business and Commerce committee was explicitly charged with reviewing cybersecurity.  The Inter-Governmental Relations committee had a charge regarding disaster preparedness planning and coordination, which has technology implications.

So, that is a long way of saying that there seems to be a concern with protection of information assets within the state.  There are already a handful of bills submitted, with more expected in the coming weeks.  The Texas Legislature Online site provides the capability to search for bills, but that can be a monotonous process to do each day.  One the Texas Legislation page, I’m tracking bills that are related to information security, cybersecurity, and privacy.

I also wrote a really bad script to search the TLO website for keywords.  It works, but it is U, L, G, Y, Ugly.  Feel free to grab it off github.  I’ll try to make it more pretty as the session goes.