CASES, SANCTIONS AND CLAIMS
- This article in Romanian explains the first GDPR fines applied in Romania and their relevance from the point of view of security obligations.
- The French supervisory authority CNIL fined a real-estate company 400K for inadequate technical measures (Art. 32 GDPR) and non-compliance with retention periods (Art. 5(1)(e) GDPR).
- The Polish DPA imposed a fine of 645,000 euros on Morele.net for insufficient organisational and technical safeguards.
- The Hungarian data protection authority imposed a fine of €290,000 on a digital communications provider (Digi Zrt). The authority found a vulnerability in the website that had not been patched for years and allowed an attacker to gain access.
- The European Council has imposed the first sanctions against cyber-attacks.
REPORTS AND ARTICLES FROM OTHER ORGANISATIONS
- FTC: 50 ways to leak your data: An Exploration of Apps’ Circumvention of the Android Permissions System.
- What is the state of the art in IT security? See the discussion in this article written by Gabriela Zanfir-Fortuna.
- IAPP: Privacy threats from inside the organization are analyzed in this article.
- Jones Day: Global Privacy & Cybersecurity Update.
- Reuschlaw: IT security in practice: infusing life into Article 32 of the GDPR.
- Diana Kelly: The psychology of social engineering—the “soft” side of cybercrime.
OFFICIAL GUIDELINES, REPORTS AND STATEMENTS
- ENISA: Guidance and gaps analysis for European standardisation on the topic of privacy and the study entitled Towards a framework for policy development in cybersecurity – Security and privacy considerations in autonomous agents.
- European Commission: Recommendation on cybersecurity in the energy sector
- The Romanian national cyber security and incident response team (CERT-RO): a set of recommendations on web application security. See also the CERT-RO infographic on what to look for when acquiring apps or software systems and the CERT-RO news on online scams.
- Irish DPC: General Portable Storage Device Recommendations.
- Irish DPC: Guidance for Organisations on Phishing and Social Engineering Attacks.
- ENISA: online tool for evaluating the level of risk for a personal data processing operation.
- Saxony DPA: commissioning a penetration test requires concluding a data protection agreement with the third-party contractor (read an article in English here).
- Irish DPC: Guidance for Controllers on Data Security.
- Spanish DPA: its opinion on DNS security, data protection, and privacy.
- ENISA: Stock taking of security requirements set by different legal frameworks on OES and DSPs.
- European Commission: report providing multidimensional insights into the growth of cybersecurity.
- European Parliament: Proposal for a Cybersecurity Regulation.
- The Council of the European Union is now able to impose sanctions against “persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them.”