
On 1 August 2014, the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC) published the first privacy-specific international standard for the cloud: ISO/IEC 27018 "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors". Early adopter Microsoft announced on 16 February 2015 that it was the first company to receive certification for the standard.


Continue Reading First international privacy-specific cloud standard adopted by Microsoft

On 3 February 2015, the Securities and Exchange Commission (the "SEC") and the Financial Industry Regulatory Authority ("FINRA") both issued cybersecurity reports to the US securities industry. The SEC is the US Federal Government’s securities regulatory agency, while FINRA is a private company that acts as a self-regulatory organisation for US securities firms. The publications highlight the increased US regulatory focus in this area.

SEC: Risk Alert – Cybersecurity Examination Sweep Summary

The Risk Alert summarises the SEC’s findings following its examination of 57 broker-dealers’ and 49 investment advisers’ controls regarding cybersecurity preparedness. Notable statistics from the firms examined include:

       88% of broker-dealers and 74% of investment advisers have experienced cyberattacks either directly or through one of their vendors. The majority of the cyberattacks involved the use of malware and fraudulent emails, but no single loss exceeded $75,000;

       93% of broker-dealers and 83% of investment advisers have written information security policies in place; of those, 89% of broker-dealers and 57% of investment advisers periodically audit policy compliance;

       58% of broker-dealers and 21% of investment advisers maintain cybersecurity insurance; however, only one broker-dealer and one investment adviser reported that they had filed claims; and

       Only 15% of broker-dealers and 9% of investment advisers offer security guarantees to protect their clients against cyber-related loss.


Continue Reading Two US regulatory bodies simultaneously publish cybersecurity reports

The Department of Education and Skills is currently creating an individualised database of primary school students: the Primary Online Database (POD). The POD will gather personal data and sensitive personal data about pupils, such as information about ethnic and cultural background, religion, medical conditions, students with special needs and students’ Personal Public Service Numbers (PPSN). The POD will be shared with other state bodies, including the Central Statistics Office, the Department of Social Protection, the Department of Public Expenditure and Reform and the Revenue Commissioners.


Continue Reading A permanent record (or at least until you turn 30)

In the wake of its recent win against "screenscraper" website eDreams, Ryanair has claimed another victory following a referral from the Dutch Supreme Court to the Court of Justice of the EU (CJEU) on the Database Directive (96/9/EC).

In brief, the CJEU held that owners of publicly available databases, which do not fall under the protection of the Database Directive, are free to restrict the use of the data through contractual terms on their website. The decision in Case C-30/14 Ryanair v PR Aviation BV marks the CJEU’s first copyright judgment of the year.


Continue Reading Ryanair in another victory against the screenscrapers