Welcome to ISMG's GDPR Resource Center!

The EU revamped its vaunted data protection and privacy laws with the 2016 passage of the General Data Protection Regulation. GDPR enforcement went into full effect on May 25, 2018, and any organization that stores Europeans’ personal data must comply.

'Right to Be Forgotten' Should Be EU-Only, Adviser Says

Mathew J. Schwartz • January 11, 2019

Europe's "right to be forgotten" should not apply worldwide, but only inside the EU, according to a nonbinding opinion issued to the European Court of Justice by one of its advocate generals regarding a case that arose from a dispute between France's data privacy watchdog and Google.

3rd Party Risk Management

GDPR Compliance: The Role of Vendor Risk Management

Latest

Data Security

Marriott Mega-Breach: Victim Count Drops to 383 Million

Mathew J. Schwartz • January 7, 2019

Marriott International's digital forensic investigation now counts not 500 million but an "upper limit" of 383 million customers affected by the four-year mega-breach of its Starwood reservations system. The hotel giant now says the breach also exposed more than 5 million unencrypted passport numbers.

Cybercrime

Hackers Leak Hundreds of German Politicians' Personal Data

Mathew J. Schwartz • January 4, 2019

Hundreds of members of the German parliament, Chancellor Angela Merkel as well as numerous local celebrities have had their personal details and communications stolen and leaked online as part of what authorities are calling an attack on the country's democracy and institutions.

Incident & Breach Response

Legal Lessons Learned From Breach Investigations

Tom Field • December 27, 2018

What not to do after a breach? Share your incident response plan with your attorney and say, "Don't pay too much attention to it; we don't follow it." Randy Sabett of Cooley LLP discusses this and other lessons learned from breach investigations.

3rd Party Risk Management

Facebook Sued in U.S. Over Cambridge Analytica

Jeremy Kirk • December 20, 2018

Facebook violated consumer protection law by failing to protect personal data that consumers thought they'd locked down, the District of Columbia alleges in a new lawsuit. Plus, Facebook is disputing a New York Times report that it ignored privacy settings and shared data with large companies without consent.

Cybercrime as-a-service

Did China Hack Marriott, Or Is This Fake News?

Nick Holland • December 14, 2018

The latest edition of the ISMG Security Report features an analysis of the validity of reports that China is behind the massive Marriott data breach. Also: Fascinating details in a Congressional report on the Equifax breach, and a clear explanation of "self-sovereign identity."

Standards, Regulations & Compliance

Congratulations: You Get 'Free' Identity Theft Monitoring

Mathew J. Schwartz • December 12, 2018

Is there anything better than being offered one year of "free" identity theft monitoring? Regularly offered with strings attached by organizations that mishandled your personal details, the efficacy and use of such services looks set for a U.S. Government Accountability Office review.

Data Security

Equifax Breach 'Entirely Preventable,' House Report Finds

Mathew J. Schwartz • December 11, 2018

The massive data breach suffered by Equifax in 2017 "was entirely preventable," according to a report released by the House Oversight Committee's Republican majority. Some Democratic lawmakers have slammed the report for failing to advance legislative or oversight changes to help prevent breaches.

Cybercrime

GOP Hacking Incident: What Happened?

Nick Holland • December 7, 2018

An update on the hacking of email accounts of four senior aides within the National Republican Congressional Committee leads the latest edition of the ISMG Security Report. Also featured: An analysis of when the first major fines for violations of the EU's GDPR could be issued.

3rd Party Risk Management

Emails Expose Sensitive Internal Facebook Discussions

Jeremy Kirk • December 6, 2018

A batch of documents meant to be kept under court seal lays bare Facebook's strategic brokering of access to user data to reward partners and punish potential rivals. The material also demonstrates Facebook's views at the time on privacy and the risks of leaking data.

Breach Notification

Marriott's Mega-Breach: Many Concerns, But Few Answers

Jeremy Kirk • December 3, 2018

Marriott's mega-breach underscores the challenges companies face in securing systems that come from acquisitions as well as simply storing too much consumer data for too long, computer security experts say. Meanwhile, the hotel giant has yet to answer many pressing data breach questions.

Fraud Management & Cybercrime

Federal Prosecutors Discuss SamSam Indictments

Nick Holland • November 30, 2018

In the latest edition of the ISMG Security Report, hear prosecutors discuss the indictments of two Iranians in connection with SamSam ransomware attacks. Also: Updates on allegations that Google is violating GDPR and cryptocurrency's impact on crime trends.

Cloud Security

'Data & Leads' Site Disappears After Data Exposure Alert

Mathew J. Schwartz • November 29, 2018

Another day, another "Have I Been Pwned" alert, this time involving 44.3 million individuals' personal details found in unsecured instances of Elasticsearch, which appear to have been left online by Data & Leads, a Toronto-based data aggregation firm.