Latest news with #dataProtection

Finextra
a day ago
- Business
- Finextra
Mitigating cyber-risks in outsourcing: Contract strategies for compliance and protection
This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

A clear and present danger

In recent years, several prominent UK businesses have faced significant technology and cybersecurity challenges and the consequences of data protection breaches. For example, in October 2023, the Financial Conduct Authority (FCA) fined Equifax over £11 million for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime. That incident brought into sharp focus the risks and vulnerabilities which can arise where a customer outsources the handling of sensitive data, and the serious regulatory consequences faced by UK firms if they fail to safeguard sensitive information. The scale of the threat is considerable: as reported by Finextra on 15 May, NatWest's head of cyber security has revealed that the bank faces 100 million cyber-attacks every month.

Rules are rules

Aside from principles of good business sense, obligations in relation to security and data protection are imposed on customers looking to outsource IT services to third parties via a range of regulatory and quasi-regulatory/industry measures. Regulatory measures in the UK include the requirements in the UK GDPR relating to security and data processor contracts, as well as more financial services-specific rules such as the FCA Operational Resilience regime, the FCA and PRA rules on material outsourcing and use of cloud, and the incoming FCA rules on use of Critical Third Party suppliers. Businesses operating in the EU (and by extension their relevant suppliers) must now also comply with the requirements of the EU Digital Operational Resilience Act (DORA) and its requirements in relation to critical IT services providers.

Regulatory measures carry the added risk of sanctions and penalties from the relevant enforcement agencies if they are breached. Non-regulatory, but nonetheless important, requirements which impact many financial services businesses include the Payment Card Industry Data Security Standard (PCI DSS), which imposes requirements on the security of card data, and the information security requirements of ISO 27001.

Get it in writing

The typical provisions which a customer can try to include in contracts to meet its regulatory obligations, and otherwise to guard against (or at least provide some form of recourse in the event of) cyber and data infringements, can be grouped into two main types: (1) contract standards; and (2) rights and remedies.

Contract standards

Set out the general standards to which a supplier must conduct its business and provide its service(s), for example in compliance with all laws and regulations, with professional skill and care, and in accordance with good industry practice.

Set out any specific requirements which the supplier must meet which are intended to address particular cyber and data concerns, for example:

- Detailed security provisions, including compliance with the customer's own information and systems security policies.
- Warranties of compliance with any information provided by the supplier pre-contract as part of the customer's due diligence process.
- Early warning requirements related to suspected cyber incidents or data breaches.
- Specific clauses designed to meet the requirements of the UK GDPR, including: to exercise sufficient technical and organisational measures to protect data against unauthorised access, to notify data breaches in good time, and controls on the export of data outside of the UK/EEA.
- Compliance with specific industry standards, including PCI DSS and ISO 27001.
- Regular conduct of security testing and the provision of results to the customer. This can be a source of debate: a customer may want the right to conduct its own testing (including penetration tests), but suppliers can be reluctant to give this, especially over systems used for multiple customers, so a right to see the results of the supplier's own internal or third-party testing may be the best that can be achieved.
- An obligation to rectify any weaknesses detected by testing.
- Restrictions on the use of sub-contractors and/or AI systems without the customer's consent.
- A requirement to use at least 'industry-standard' cybersecurity measures such as firewalls, malware blockers etc.

Rights and remedies

- Making sure that the supplier's liability for losses which might be suffered due to a cyber or data breach is not excluded out of hand, or caught by a general exclusion of 'indirect or consequential' liability.
- Potentially no, or separate/higher, liability caps for issues such as breach of confidentiality, security or data protection requirements. It is now not uncommon to have 'supercaps' for data liability (although suppliers may not accept uncapped liability given the potentially large data protection regulatory fines).
- Indemnities for issues such as security or data breach.
- Audit rights for the customer (and also its regulators), which would extend to the supplier's sub-contractors.
- Definite termination rights in the event of a cyber or data-related breach.
- A right to remove supplier personnel or sub-contractors from the service if there are any concerns.

Prevention is always better than the cure, and the only sure-fire way to avoid cyber and data issues is to make sure that, practically, the appropriate measures and behaviours are put in place by suppliers. However, a well-drafted contract will make it clear what a supplier is required to do, meet any regulatory requirements for terms which must be included, and provide the customer with various rights and remedies (ideally to catch and avoid problems before they escalate). Should the supplier fail to comply with the relevant terms and the customer suffer loss or liability as a result, the contract also gives the customer a potential claim for damages for breach of contract, or indemnity rights.


Al Jazeera
2 days ago
- General
- Al Jazeera
Video shows SpaceX Starship explode at test site
Yahoo
3 days ago
- Automotive
- Yahoo
FTC reminds car dealers to protect customer data
This story was originally published on Cybersecurity Dive. Dive Brief: The Federal Trade Commission on Monday warned auto dealers that recently updated regulations require them to protect customer data. The FTC modernized the Safeguards Rule twice in the past five years, and now it wants car dealers to understand their responsibilities. The guidance reflects the commission's continued interest in protecting driver privacy, despite the change in political leadership following President Donald Trump's election in 2024. Dive Insight: The Safeguards Rule, mandated in a 1999 law, is one of the FTC's core cybersecurity regulations. The commission updated the regulation in 2021 to require more specific security precautions from covered companies, and in 2023, it broadened those requirements to include notifications within 30 days of data breaches affecting at least 500 people. Among the covered industries: car dealers that offer financing to customers. In a Frequently Asked Questions document, the commission explained how car dealers should comply with the rule's requirements to 'develop, implement, and maintain a comprehensive written information security program that is sufficient to protect customer information.' The document describes 10 elements of a compliant program, including written risk assessments, regular evaluations of protective measures, employee training, third-party vendor oversight and incident-response plans. The document explains the difference between compliance with the Safeguards Rule and the Privacy Rule, answers questions about potential dealership practices and describes how dealers must ensure that their third-party service providers comply with the law.
The security and privacy of car customers' data — especially the reams of sensitive information collected by cars themselves — has become a pressing issue as vehicles incorporate more internet-connected technology. Tesla's car privacy issues have garnered significant attention, but other carmakers have also faced scrutiny, including General Motors, whose customers sued it in August 2024 for selling their driving data without notice. The FTC has pursued cybersecurity and privacy cases more vigorously under Democratic leadership, but Republicans have grown increasingly willing to hold companies accountable for mishandling data. The Texas attorney general's office has been scrutinizing car companies' sale of driving data to third parties, including insurance companies. In January, the office sued the insurer Allstate as part of that investigation.


CTV News
3 days ago
- Politics
- CTV News
Lack of appropriate safeguards led to 23andMe data breach, joint investigation finds
Federal privacy commissioner Philippe Dufresne, left, and U.K. information commissioner John Edwards hold a press conference at the National Press Theatre in Ottawa on Tuesday, June 17, 2025. THE CANADIAN PRESS/Sean Kilpatrick


Phone Arena
3 days ago
- Business
- Phone Arena
TikTok gets to live another day as Trump prepares to sign another executive order
– White House press secretary Karoline Leavitt, June 2025.

Remember when TikTok's potential shutdown was many people's biggest concern? This stressful prospect won't be coming back anytime soon, at least not in the next three months, because President Trump is about to give TikTok another chance by signing yet another executive order to keep the lights on for what is some 170 million Americans' favorite app. The June 19 deadline (set previously by Trump) is upon us, but the ByteDance-owned app hasn't been sold to a US-based party so far, so the administration hopes this will happen by mid-September.

A spokesperson for President Trump said the administration does not intend for TikTok to be shut down. The next three months would be used to ensure a sale is finalized, allowing the platform to remain available in the US with potentially stronger data protections.

Trump, who previously credited TikTok for helping him connect with younger voters during the 2024 election, indicated in May that he would extend the June 19 deadline for the app's sale. Speaking to reporters aboard Air Force One, he said he expected another extension, adding that the deal would likely require approval from Chinese authorities and expressing confidence that President Xi would ultimately approve it.

Under the law signed by Biden last year, TikTok was required to cease operations in the US by January 19 unless its Chinese parent company, ByteDance, completed a sale or showed meaningful progress toward divesting its US operations. Trump, who began his second term on January 20, chose not to enforce the deadline, instead extending it: first to April and then, a second time, to June 19.

In March, Trump signaled openness to lowering tariffs on Chinese imports to facilitate a deal with ByteDance. A proposal was in progress earlier this year that would spin off TikTok's US operations into a new company owned and operated by US investors. However, the talks stalled after China responded negatively to Trump's announcement of higher tariffs on Chinese products. Meanwhile, Democratic lawmakers argue that Trump lacks the legal authority to extend the deadline and claim the proposed transaction does not comply with existing legal standards.