Friday, April 28, 2006

UK Data Protection Authority Takes Surprisingly Flexible Approach to Sale of Consumer Data

Upholding its reputation as one of the most flexible EU data protection authorities (DPAs), the Office of the UK Information Commissioner recently released Good Practice Note taking a surprisingly flexible approach to sale of databases containing consumers' personal data. To the initial question "Can databases be sold?," the Information Commissioner gave a qualified "Yes." The first circumstance in which the Information Commissioner notes that consumer databases may be sold is where the consumers included in the database have given their consent. The second, and more controversial, circumstance is the Information Commissioner's statement that if a business is insolvent, bankrupt, going out of business, or being sold, the "[UK Data Protection] Act will not prevent the sale of a database containing the details of individual customers, providing certain requirements are met." The "requirements" relate mainly to using the information for the "same or similar" purposes to those for which the information was gathered, and providing notice to consumers in the database of the sale. But nowhere does the Information Commissioner say that consumers must be given the chance to object to further use of their information upon a sale, and the authorization of "similar" use is quite flexible. Such guidance will certainly raise a few eyebrows at other EU DPAs.

© Copyright 2006 Steptoe & Johnson LLP

IT Security: Hacking law updates are overdue

It's taken some time for MPs to decide how to update the UK's laws against hackers. Nevertheless, the proposals in the new Police and Justice Bill don't look too shabby.

Apple argues that blogger can't protect source

A US appeals court has been hearing arguments in a case that tests the right of a blogger to protect his sources. Apple Computer wants to know who leaked details of a product called 'Asteroid' and expects bloggers to reveal the names.

Wednesday, April 26, 2006

IT Security: What's the Inside Attacker Profile?

What's the Inside Attacker Profile?
The United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center published an insider threats study report in 2005 which offered critical insights into the mind and motivation of the "inside attacker." According to the statistics gathered, the inside attacker is usually:

  • Male
  • 17-60 years old
  • Holds a technical position (86 percent chance)
  • May or may not be married (50/50 chance)
  • Racially and ethnic diverse

Sufficiently broad pool? Absolutely. Here are some additional statistics, again from the same CERT study:

  • In 92 percent of the incidents investigated, revenge was the primary motivator.
  • Sixty-two percent of the attacks were planned in advance.
  • Fifty-seven percent of the attackers surveyed would consider themselves "disgruntled."
  • Eighty percent exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack.
  • Only 43 percent had authorized access (by policy, not necessarily via system control).
  • Sixty-four percent used remote access to carry out the attack.
  • Most incidents required little technical sophistication.

Worker can't be fired for Web surfing

A New York City employee cannot be fired for surfing the Web from work, an administrative law judge has ruled.

Tuesday, April 25, 2006

High costs hamper domain resolution

The Department of Communications expects progress to be made on the development of an alternative domain name dispute resolution process within the next three months. The absence of an alternative dispute resolution process (ADRP) has led to high costs for businesses, say industry players...

Tuesday, April 18, 2006

ICANN mulls .tel domain for contact info

Reaching out and touching someone used to be as simple as dialing a string of numbers.

But now there are home, cell and work phone numbers from which to choose, and sometimes work extensions to remember. There are also e-mail addresses -- at home and at work -- and instant messaging handles, perhaps separate ones for the various services, some of which now do voice and video besides text.

Some people even have Web pages -- through their employer or Internet service provider, or perhaps a profile or two on MySpace.

To help people manage all their contact information online, the Internet's key oversight agency is considering a ``.tel'' domain name. If approved, the domain could be available this year.

Wireless TV all-clear

Is this something that we will see in South Africa when it comes to the braodcasting of TV over wireless devices or over the internet?

See what was said in Canada:
Cellphone TV services started with hockey clips and news but now the broadcasting regulator has given wireless carriers carte blanche to move beyond traditional television.
Mobile TV services from Telus Corp., Bell Mobility Inc. and Rogers Wireless Communications Inc. are delivered over the Internet and aren't subject to the same rules as those provided by cable operators and broadcasters, the Canadian Radio-television and Telecommunications Commission said Wednesday....

See Canadian Radio-television and Telecommunications Commission's Public Notice on Regulatory framework for mobile television broadcasting services - click here


Thursday, April 13, 2006

Court rules that an email address is not a signature

A High Court judge has ruled that the presence of a sender's email address in the header of an email does not amount to a signature – although a typed name would have sufficed to form a binding contract.

Monday, April 10, 2006

Corporate blogs are a liability

EDITORIAL: Many bloggers wear suits, not pyjamas. A recent proliferation of corporate blogs has given numerous workers a new platform for self-expression. But while employers hope to see business benefits, lawyers will see nothing but trouble.

ID thect and fraud - The weakest link - uneffective policy implementation!!!

There's some good news and some bad news to report concerning the fight against identity theft and cyber fraud. The good news is that financial institutions and other companies continue to batten down their information security with high-end tecnological measures such as two-stage identification and multifactor authentication. The bad news is that even the most advanced information security systems often have an Achilles heel -- usually in inadequate, or unenforced, policies covering employees and contractors. The recent spate of thefts of employee or contractor laptops thefts, resulting in the loss of sensitive information, is a perfect example. No matter how much money a company spends on fancy data security measures, these less sexy links in its security chain will continue to be vulnerable to exploitation by clever fraudsters. This doesn’t mean companies should give up on the high-end technological measures. Rather, it means companies need to pay as much attention to the more mundane, less glamorous aspects of security, like establishing and enforcing rules on the handling of sensitive data, and regularly using encryption.

© Copyright 2006 Steptoe & Johnson LLP. Steptoe & Johnson LLP